The Fall Creators Update (2017 RS3 1709) will be removing some more security holes. I wonder if some of these are in response to the SMB1 fiasco (WannaCry, for example).
- TLS RC4 ciphers.
- The SCCM Windows Hello deployed feature which has been replaced with the Registration Authority of Active Directory Federation Services
- SysKey.exe gone in favor of BitLocker
- Enhanced Mitigation Experience Toolkit (EMET) is being removed in favor of the Windows Defender Exploit Guard (WDEG) feature
- PowerShell 2.0 is very security holey – Twitter Tears Shed – Jeffrey Snover
- For example, you can invoke PoSH 2.0 if it is installed. Since it lacks logging, you will have no idea what happened. Most companies I work with just remove it from 1703.
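One way to check a machine for the PowerShell 2.0 engine mentioned above and to spot past use of it. This is an added example, not part of the original post. It assumes a Windows 10 client and an elevated Windows PowerShell 5.1 session, and the function names are made up for this example.

```powershell
# Added example: audit and remove the PowerShell 2.0 engine on a Windows 10 client.
# Assumption: run from an elevated Windows PowerShell 5.1 prompt.

function Get-PSv2FeatureState {
    # Optional-feature names that carry the v2 engine on Windows 10 client.
    $names = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'
    foreach ($name in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f) { [pscustomobject]@{ Feature = $f.FeatureName; State = $f.State } }
    }
}

function Get-PSv2EngineStart {
    param([int]$Days = 30)
    # Event 400 in the classic "Windows PowerShell" log is written at engine start
    # and records the engine version, so a v2 session still leaves this trace even
    # though the v2 engine has no script block logging.
    $filter = @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        ForEach-Object {
            # HostApplication holds the command line that started the engine.
            $hostApp = ''
            if ($_.Message -match 'HostApplication=(.+)') { $hostApp = $Matches[1].Trim() }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $hostApp }
        }
}

function Remove-PSv2Engine {
    # Disables the v2 feature without forcing a reboot; re-run
    # Get-PSv2FeatureState afterwards and confirm both entries read Disabled.
    Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart
}

Get-PSv2FeatureState | Format-Table -AutoSize
Get-PSv2EngineStart -Days 30 | Sort-Object Time | Format-Table -AutoSize -Wrap
# Uncomment after reviewing the two reports above:
# Remove-PSv2Engine
```

Any row returned by `Get-PSv2EngineStart` is worth tracing back to the process or script named in `HostApplication` before the feature is removed, since that caller will stop working afterwards.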
Posted July 20th, 2017: a list of features that are being deprecated or removed from 1709.
- Windows PowerShell 2.0: Applications and components should be migrated to PowerShell 5.0+.
- Will be available through the Windows Store. Functionality integrated into Paint 3D.
- RSA/AES Encryption for IIS: We recommend that users use CNG encryption provider.
- System Image Backup (SIB) Solution: We recommend that users use full-disk backup solutions from other vendors.
- TLS RC4 Ciphers: To be disabled by default. For more information, see the following Windows IT Center topic:
- Enhanced Mitigation Experience Toolkit (EMET): Use will be blocked. Consider using the Exploit Protection feature of Windows Defender Exploit Guard as a replacement.
- Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: 4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3
- TCP Offload Engine: Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: