What are the new security features in Windows 10?
I am aware of the following features:
Windows Hello - A new authentication system, which will replace passwords with a combination of biometrics and public key crypto. This will eliminate "pass the hash" attacks. Private keys will be stored on the TPM. Biometric authentication to the local device can use fingerprint or facial scanning. The facial scanning will use a new 3D infra-red technique, which is supposedly greatly improved.
Device Guard - Anti-malware features. This includes a hypervisor, so even if the kernel is compromised, the hypervisor should stay secure. There will also be "mobile like" application segregation.
Enterprise Data Protection - Allows separate data containers in a system, with the ability to restrict apps to certain containers, and features like per-app VPN. Similar to Good Technologies, but integrated with OS.
Windows Update for Business - A new update system, making it easier to keep all systems patched. This includes "deployment rings" allowing you to test patches on a subset of users before full roll-out. Also has peer-to-peer patch downloads.
Just Enough Administration - A mechanism to restrict admin access to the minimum required to do the job.
Windows 10 contains many new features and many existing features from previous versions of Windows that have been expanded on or improved such as Windows Defender, Windows Firewall and Bitlocker.
Windows 10 also includes the following new features:
When enabled, Device Guard checks to ensure that every application is signed by Microsoft as a trusted binary before it is allowed to execute. Device Guard operates in its own environment, meaning that even if the Windows kernel is compromised, Device Guard still (theoretically*) cannot be compromised to allow unauthorized code to run.
* It's not like such systems have never been defeated.
Windows Hello is a biometric technology that uses facial recognition to unlock your Windows machine.
An alternative to Windows Hello, Windows Passport allows you to use a PIN to unlock a specific device attached to a Microsoft account. This PIN will unlock the machine without the use of your Microsoft account credentials but not provide access to do anything with your Microsoft account or other devices attached to it.
Windows Update for Business
Windows Update for Business brings features such as maintenance windows and distribution rings to Windows update to allow for easier management and deployment of Windows Updates within a business environment.
Enforcing Windows Update for non-business end users
In Windows 10 when running in a non-domain environment, Windows updates are now automatically installed (with an option to defer updates in the Professional edition of Windows). This should mean no more out of date machines being compromised by vectors that have already been patched, but ignored by the user.
Trusted Apps in Windows Store
Trusted Apps are vetted by Microsoft, probably not to the same extent as Apple but certainly to a greater extent than many other application stores. Trusted Apps are applications signed by Microsoft, available through the Windows store.
This was introduced in Windows 8 but turned off by default, Windows 10 ships with Secure Boot enabled by default.
Time will tell on whether the new browser turned out to be better than Internet Explorer, but lack of plugin support and extension support prevents the browser being exploited as a result of third party code.
Virtual Secure Mode
Virtual Secure Mode (or VSM) is essentially a virtualized container that isolates the lsass.exe process responsible for authentication from the rest of the Windows 10 environment, reducing the risk of credentials being exposed in the event the machine is compromised.