The Enterprise version of Windows 10 is now available, offering the prospect of new features that Microsoft says will help with security and management of PCs and mobiles.
While businesses tend to lag far behind consumers when it comes to updating their machines, some analysts are already seeing Volume Licensing customers express interest in upgrading from earlier versions of Windows.
“What we’ve been a little surprised at is how aggressive a lot of our customer base is towards Windows 10,” Stephen Kleynhans, research VP with analyst house Gartner, said.
“There are a lot of customers who are coming to us and saying, ‘We’d like to move in early 2016’.
“They’re interested in going ahead with Windows 10 in much bigger numbers than we saw with Windows 7 six years ago, which has been a bit of a surprise for us.”
That eagerness to migrate can, in Kleynhans’ view, partly be put down to the stress organisations went through in moving from Windows XP when support ended last year.
“They ended up having to do a lot of work very quickly, really under the gun. That’s always expensive – and when you end up making mistakes, that’s when things go wrong,” he said.
“A lot of them are aware of that and say, ‘We don’t really want to do that again. Next time, let’s be a little more organised, let’s be a little more proactive, let’s not run into that wall’,” he said, adding that these companies want to move well ahead of support ending for Windows 7 in January 2020.
The other force driving businesses to make the switch will be the rise of convertible PCs, machines which can switch between being a tablet and a laptop, such as the Microsoft Surface. These devices can take advantage of Windows 10’s ability to adapt its interface to suit both mouse-and-keyboard and touchscreen controls.
“A lot of enterprises have some internal demand for some of these new cool devices. To meet that you either go with Windows 8, and deal with the whole set of issues that surround it, or you can just go with Windows 10, which looks like those issues are addressed.”
But not everyone agrees that upgrading will be a priority for businesses. Richard Edwards, principal research analyst for enterprise productivity and mobility at Ovum, said: “Clearly, there’s knowledge of Windows 10 within corporate and enterprise IT departments. But we’ve not heard from any of our enterprise customers just yet that they have plans to roll out Windows 10 any time soon.”
Here is a rundown of the key Windows 10 Enterprise edition features that Microsoft is hoping will persuade businesses to make the switch.
Windows 10’s new enterprise features
Enterprise Data Protection
Windows 10’s Enterprise Data Protection features, which are to be added to Windows 10 Enterprise at a later date, are designed to help prevent the accidental disclosure of sensitive information.
The system will use file containerisation techniques to keep personal and enterprise data separate – with “minimal” impact on the way employees work, according to Microsoft.
Additional safeguards will protect sensitive data when it is shared.
“It’s encrypting data as it moves around your organisation. If you send an email to the wrong person, with the wrong file attached and it escapes your organisation, it’s not going to be readable, it’s going to be encrypted. But someone inside your organisation would have no problem reading it,” Gartner’s Kleynhans said.
Microsoft has also highlighted Windows 10’s ability to wipe corporate data from devices while leaving personal data untouched, as well as to use audit reports for tracking issues and remedial actions. It will also work with a mobile device management (MDM) system to protect corporate data inside Office universal apps.
Device Guard
This feature allows devices to be restricted to running only trusted software – whether it’s traditional desktop, Windows Store or in-house apps.
It also makes it “much less likely”, according to Microsoft, that an attacker who seizes control of the Windows kernel will be able to run malicious code.
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service, which makes the trust decision, from the Windows kernel itself, letting the service use signatures defined by an enterprise-controlled policy to determine what is trustworthy.
“You can lock the operating system to that piece of hardware, and nothing else could ever boot on that piece of hardware,” Gartner’s Kleynhans said.
“You can make it so that it would be very hard, if not impossible, to wipe and reload a machine with something else.”
Microsoft says this whitelisting approach will be effective in stopping malware from being run on machines, particularly software that alters its code to prevent detection by anti-virus software. Using technology embedded in the hardware and virtualization to sandbox the Code Integrity service will also help foil exploits that compromise Windows at the kernel level, and which can tamper with traditional virus and malware countermeasures.
Device Guard requires various hardware features and software settings: UEFI 2.3.1 or greater; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; TPM 2.0; BIOS lockdown.
HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.
Provisioning packages
This feature allows Windows 10 machines to be set up more simply than earlier versions of the OS.
IT admins can configure provisioning-package rules that determine the look of the OS, which apps and certificates should be installed, enrolment of the device with an MDM suite, user rights and more.
The same provisioning-package rules can be used to configure multiple machines and can be applied to either a Windows image or running Windows machine via SD card, USB drive or network share.
Packages are created using the Imaging and Configuration Designer, part of the new Windows 10 Assessment and Deployment Kit.
Microsoft Passport
Microsoft Passport provides a system for allowing users to log into Windows 10 using biometrics, such as a fingerprint or facial scan, or a PIN.
This same scan or PIN can then be used to log into Microsoft, Active Directory or Azure Active Directory accounts, as well as many non-Microsoft services that support Fast ID Online authentication – including Office365 Exchange Online, Salesforce, Citrix, Box and Concur.
Microsoft says Passport provides both convenience, in that the user has to remember fewer credentials, and security, because no passwords are used.
Credential Guard
Credential Guard will offer additional security for login details by storing derived credentials (NTLM hashes and Kerberos tickets) and the process that manages them in a secure, isolated container that uses Hyper-V and virtualization-based security.
It will require UEFI 2.3.1 or greater; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; TPM 2.0; BIOS lockdown.
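The Device Guard and Credential Guard prerequisites listed above can be checked from the machine itself. The following is an added example (not from the article or from Microsoft); it assumes Windows 10 Enterprise run from an elevated PowerShell, and reads the Win32_DeviceGuard, Win32_Tpm and Secure Boot state that both features depend on.

```powershell
# Added example: report whether this Windows 10 machine meets the Device Guard /
# Credential Guard prerequisites and whether virtualization-based security (VBS)
# is actually running. Assumes an elevated PowerShell on Windows 10 Enterprise.

# Win32_DeviceGuard exposes the VBS state that both features depend on.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsState     = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (Device Guard)' }
$propertyNames = @{
    1 = 'Hypervisor support (VT-x/AMD-V with SLAT)'
    2 = 'Secure Boot (UEFI)'
    3 = 'DMA protection (IOMMU: VT-d/AMD-Vi)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
}

"VBS status: $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured: " + (($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] }) -join ', ')
"Services running:    " + (($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] }) -join ', ')
"Platform properties available:"
foreach ($p in $dg.AvailableSecurityProperties) {
    if ($propertyNames.ContainsKey([int]$p)) { "  - $($propertyNames[[int]$p])" }
}

# Firmware, Secure Boot and TPM checks cover the remaining prerequisites.
"Firmware type: $env:firmware_type"      # must be 'UEFI'; 'Legacy' BIOS cannot run VBS
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI -ErrorAction Stop)" }
catch { "Secure Boot: not supported on this platform" }

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if ($tpm) { "TPM spec version: $($tpm.SpecVersion)" }   # should begin with '2.0'
else      { "TPM: not present or not enabled in firmware" }

"64-bit OS: $([Environment]::Is64BitOperatingSystem)"
```

A machine that reports VBS as "Enabled but not running" usually has the policy set but is missing one of the platform properties listed, which is the line to read first.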
Sideloading
Sideloading allows Windows Store-style apps that a firm does not want to publish publicly in the Windows Store to be installed on Windows machines.
This practice of sideloading is useful when a firm wants to deploy line-of-business apps internally. Sideloading is a built-in capability with Windows 10 for Home, Pro and Enterprise users.
“If an organisation is developing its own set of corporate apps that it wishes to push out to employees, clearly there is some inherent business value in Windows 10,” said Ovum’s Edwards.
Mobile Device Management
Phones, tablets and other devices running Windows 10 can be centrally managed by IT. Windows 10 machines can connect to a Mobile Device Management (MDM) server that will enroll and configure the devices, as well as apply updates and enforce the latest in-house policies governing usage.
An MDM package can be used both to manage Windows 10 phones and to manage desktop PCs and laptops – allowing IT pros to use the same tools to look after fixed and mobile devices. Microsoft’s own MDM offering, Intune, or a third-party alternative, can be used.
There are various new MDM features in Windows 10. Azure Active Directory integration allows MDM tools to be used to manage domain-joined devices. MDM services can also be used to install apps directly from the Windows Store and to deploy non-store line-of-business apps.
New device management options include the ability to update policies automatically, retrieve device compliance information and to specify a per-device update approval list.
Microsoft is also promising improved support for managing multiple users and VPN configuration.
Windows 10 allows users and devices to be managed by various services, providing a choice between Active Directory, Group Policy, and System Center Configuration Manager for corporate-owned devices that are frequently connected to the corporate network, or Azure Active Directory and MDM for devices that are typically mobile and internet-connected.
“What we see here are elements of the desktop operating system being managed with MDM-like capabilities and/or with Group Policy, which has been the traditional manner of controlling and managing desktops. Microsoft suggests they are very complementary,” said Ovum’s Edwards.
Business Store for Windows 10
Microsoft is planning to launch Windows Store for Business, an app store designed to make it easier for firms to deploy apps to staff.
Organisations will be able to create private sections of the Windows Store that offer a bespoke list of pre-approved apps, and admins will be able to assign apps to specific employees.
Businesses will also be able to acquire apps in bulk. Users will sign in via the Azure Active Directory.
Azure Active Directory features
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service that provides single sign-on access to thousands of SaaS applications such as Office365, Salesforce.com, Dropbox, and Concur.
Microsoft is integrating Azure AD with Windows more deeply to reduce the number of passwords users need to remember. By linking Windows 10 devices to Azure AD, users will be able to sign into Windows using their Azure AD account and password. The same devices can be automatically enrolled in a mobile device management service at the same time.
Users will also be able to gain single sign-on access to in-house services from personal Windows devices by linking that Windows machine to a work account managed with Azure Active Directory.
Free access to Microsoft Desktop Optimization Pack
The Microsoft Desktop Optimization Pack (MDOP) is a suite of technologies previously available as a subscription to Microsoft Software Assurance customers.
It is designed to help enterprises set up and run virtual Windows desktops and applications, to manage Windows users with features such as encryption and to recover systems more rapidly.
From the launch of Windows 10, MDOP is included free with Software Assurance for new customers and renewal customers.
Current branch for Business
For work devices that are not mission-critical but which require a bit more control over updates than consumer machines, there is the Current branch for Business (CBB) update path. This option allows PCs to receive feature updates several months after they have been pushed to consumer versions of Windows 10, allowing additional time to validate their quality and application compatibility. Security updates will be delivered as normal.
CBB will allow users to choose between Windows Update, Windows Update for Business or Windows Server Update Services (WSUS) to push these updates to users.
Long Term Servicing Branch (LTSB)
Unlike other Windows 10 versions, Enterprise will offer a Long Term Servicing Branch (LTSB), which allows Windows updates that are not security updates or fixes to be deferred for 10 years.
Ovum’s Edwards said the ability to use the LTSB and CBB update model on different machines is appealing to businesses.
“Some of our clients have responded to this model very positively. They think it gives them a kind of flexibility they’ve not really felt as though they’ve had in the past.”
Granular UX Control
This feature allows IT managers to customize and lock down the user interface of a Windows device to restrict the machine to performing a specific task, such as acting as a check-in kiosk at an airport.
Enterprise Mode Internet Explorer
Old corporate intranet sites will often not render or behave as intended in more recent browsers.
To address this, Internet Explorer (IE) 11, which ships with Windows 10, has an Enterprise Mode that provides an experience more akin to IE8. It allows newer browser features that could cause errors, such as tab-switching, to be disabled, and provides tools for management and monitoring of compatibility.
Device Encryption
As in Windows 8.1, if Device Encryption is enabled, all a machine’s drives are automatically encrypted and can only be unlocked by someone who knows the user account’s password.
Basing encryption on the password is designed both to keep logging in and using the system simple for users and to stop a malicious third party from accessing the data.
Device Encryption uses BitLocker and 128-bit AES symmetric encryption. It also supports a recovery mechanism whereby the recovery key can be stored in an organization’s Active Directory Domain Services.
Group policy management
Like earlier Windows operating systems, Windows 10 physical and virtual machines and devices can be managed using Group Policy settings, which allow IT professionals to configure users and computers across the business. Microsoft says Group Policy settings offer more than 30,000 ways to configure machines and devices.
Windows 10 adds new features and settings that can be managed using Group Policy – such as about 20 settings related to Microsoft’s new Edge browser, the ability to restrict a user’s application data to always stay on system volumes and to disable the deployment of Windows Store apps to non-system volumes. There will also be various options for customising the Start Menu layout.
BitLocker
BitLocker allows drives to be encrypted with 128-bit or 256-bit encryption, to protect data should the computer be lost or stolen.
While guarding data against access by third parties, BitLocker also provides tools that allow network admins to access a recovery key to retrieve data from a drive when a machine fails.
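The recovery mechanism described above, as an added example that is not part of the article: it checks a volume’s BitLocker state and cipher strength, makes sure a numeric recovery password exists, and escrows it in Active Directory Domain Services so admins can retrieve it later. It assumes a domain-joined Windows 10 Enterprise machine whose Group Policy permits storing recovery information in AD DS; the mount point is a placeholder.

```powershell
# Added example: confirm BitLocker protection on a volume and escrow its recovery
# password in AD DS. Assumes a domain-joined Windows 10 Enterprise machine with
# AD DS recovery-key backup allowed by policy, run from an elevated PowerShell.

$mount = 'C:'   # placeholder mount point
$vol = Get-BitLockerVolume -MountPoint $mount

"Volume {0}: status={1}, method={2}, protection={3}" -f `
    $mount, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus

# The 128-bit vs 256-bit choice is visible as the EncryptionMethod
# (Aes128 / Aes256, or XtsAes128 / XtsAes256 on newer builds).
if ("$($vol.EncryptionMethod)" -notmatch '256') {
    Write-Warning "Volume $mount is not using a 256-bit cipher; adjust the encryption policy before encrypting new drives."
}

# A numeric recovery password is the protector admins fall back on when the
# TPM or hardware fails; add one if the volume does not have one yet.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $recovery = (Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password on the computer object in AD DS.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId | Out-Null
    "Backed up recovery protector $($rp.KeyProtectorId) to Active Directory."
}
```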
Assigned Access 8.1
This feature allows Windows 10 to be set up to only run a single Windows Store app in fullscreen mode, barring access to settings or the ability to quit that app.
It is designed to allow the OS to be run on a kiosk or self-service terminal, where you only want users to access the kiosk app and not the OS underneath. It requires support for InstantGo.
Remote Desktop
As the name suggests, the Remote Desktop client allows a user to connect to a remote PC and access its files, applications and networked devices.
DirectAccess
DirectAccess allows desktop PCs to connect to a server to access in-house systems without the need for a Virtual Private Network (VPN).
Windows to Go
Also found on Windows 8 Enterprise edition, Windows to Go allows for the creation of a bootable desktop image identical to the one the business uses to set up its PCs.
Users can then boot into this desktop from USB on any PC that meets Windows 7 or later certification requirements.
There are some differences between a Windows To Go workspace and a standard Windows desktop, including not being able to access the machine’s internal drives.
AppLocker
Present from Windows 7 onwards, AppLocker allows admins to specify which users or groups can run particular applications, based on the unique identities of files. Rules can also be created to control which versions of software are used within the business.
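The file-identity rules described above can be generated from a reference installation and tested before enforcement. This is an added example (not from the article or from Microsoft) and assumes Windows 10 Enterprise with the AppLocker module available; the directory, output path and user name are placeholders.

```powershell
# Added example: build AppLocker allow rules for an approved line-of-business app
# from its signature (publisher) or, for unsigned files, its hash, then dry-run
# the policy against the app's executables before deploying it via Group Policy.
# Assumes an elevated PowerShell on Windows 10 Enterprise; paths are placeholders.

$appDir    = 'C:\Program Files\ContosoLOB'            # placeholder reference install
$policyXml = 'C:\Policies\ContosoLOB-AppLocker.xml'   # placeholder output path

# Fingerprint every executable, library and script under the reference install.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll, Script

# Build Allow rules for Everyone. Publisher rules are preferred (they carry the
# signer and a binary version range, which is how version control is expressed);
# unsigned binaries fall back to hash rules. -Optimize merges similar rules.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Dry run: would a standard user be allowed to run these files under the new policy?
$candidates = Get-ChildItem -Path $appDir -Recurse -Include *.exe |
    Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User 'CONTOSO\jdoe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Snapshot what is enforced today so the change can be compared and rolled back.
Get-AppLockerPolicy -Effective -Xml |
    Out-File -FilePath 'C:\Policies\Effective-Before.xml' -Encoding UTF8
```

Run the generated policy in audit-only mode first; any file that comes back as Denied in the dry run is either unsigned and missing from the reference install or outside the version range the publisher rule allows.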
BranchCache
Also a fixture since Windows 7, BranchCache allows for the creation of local caches of information that is stored on a remote server. The information is usually cached on a local server but can also be stored on a Windows 7, 8 or 10 machine. The feature is designed to make it easier to access information and reduce strain on a Wide Area Network.