Windows 10 Enterprise

Description

Windows 10 Enterprise is designed to address the needs of large and midsize organisations by providing IT professionals with Advanced protection against modern security threats, Flexible deployment, update, and support options, Comprehensive device and app management and control.

Windows 10's new enterprise features

ENTERPEISE DATA PROTECTION

Windows 10's Enterprise Data Protection features, which are to be added to Windows 10 Enterprise at a later date, are designed to help prevent the accidental disclosure of sensitive information.

The system will use containerisation file techniques to keep personal and enterprise data separate - with "minimal" impact on the way employees work, according to Microsoft.

Additional safeguards will protect sensitive data when it is shared.

"It's encrypting data as it moves around your organisation. If you send an email to the wrong person, with the wrong file attached and it escapes your organisation, it's not going to be readable, it's going to be encrypted. But someone inside your organisation would have no problem reading it," Gartner's Kleynhans said.

Microsoft has also highlighted Windows 10's ability to wipe corporate data from devices and leave personal data untouched, as well as to use audit reports for tracking issues and remedial actions. It will also be able to be used with a mobile device management (MDM) system to protect corporate data inside Office universal apps.

DEVICE GUARD

This feature allows devices to be restricted to running only trusted software - whether it's traditional desktop, Windows store or in-house apps.

It also makes it "much less likely", according to Microsoft, that an attacker who seizes control of the Windows kernel will be able to run malicious code.

Device Guard uses the new virtualisation-based security in Windows 10 Enterprise to isolate the Code Integrity service that controls the process from the Microsoft Windows kernel itself, letting the service use signatures defined by enterprise-controlled policy to determine what is trustworthy.

"You can lock the operating system to that piece of hardware, and nothing else could ever boot on that piece of hardware," Gartner's Kleynhans said.

"You can make it so that it would be very hard, if not impossible, to wipe and reload a machine with something else."

Microsoft says this white listing approach will be effective in stopping malware from being run on machines, particularly software that alters its code to prevent detection by anti-virus software. Using technology embedded in the hardware and virtualisation to sandbox the Code Integrity service will also help foil exploits that compromise Windows at the kernel level, and which can tamper with traditional virus and malware countermeasures.

Device Guard requires various hardware features and software settings: UEFI 2.3.1 or greater; Virtualisation Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; TPM 2.0; BIOS lockdown.

HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.

PROVISIONING PACKAGES

This feature allows Window 10 machines to be set up more simply than earlier versions of the OS.

IT admins can configure provisioning-package rules that determine the look of the OS, what apps and certificates should be installed, that enrol devices with an MDM suite, set out user rights and more.

The same provisioning-package rules can be used to configure multiple machines and can be applied to either a Windows image or running Windows machine via SD card, USB drive or network share.

Packages are created using the Imaging and Configuration Designer, part of the new Windows 10 Assessment and Deployment Kit.

MICROSOFT PASSPORT

Microsoft Passport provides a system for allowing users to log into Windows 10 using biometrics, such as their fingerprint or facial scan or PIN.

This same scan or PIN can then be used to log into Microsoft, Active Directory or Azure Active Directory accounts, as well as many non-Microsoft services that support Fast ID Online authentication - including Office365 Exchange Online, Salesforce, Citrix, Box and Concur.

Microsoft says Passport provides both convenience, in that the user has to remember fewer credentials, and security, because no passwords are used.

CREDENTIAL GUARD

Credential Guard will offer additional security for login details by storing derived credentials - NTLM hashes and Kerberos tickets and the process that manages them in a secured isolated container that uses Hyper-V and virtualisation-based security.

It will require UEFI 2.3.1 or greater; Virtualisation Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; TPM 2.0; BIOS.

Deployment features

SIDE-LOADING APPS

Side-loading allows certain Windows Store apps, which firms don't want to publish and make publicly available, to be installed on Windows machines.

This practice of side-loading is useful when a firm wants to deploy line-of-business apps internally. Side-loading is a built-in capability with Windows 10 for Home, Pro and Enterprise users.

"If an organisation is developing its own set of corporate apps that it wishes to push out to employees, clearly there is some inherent business value in Windows 10," said Ovum's Edwards.

MOBILE DEVICE MANAGEMENT

Phones, tablets and other devices running Windows 10 can be centrally managed by IT. Windows 10 machines can connect to a Mobile Device Management (MDM) server that will enroll and configure the devices, as well as applying updates and enforcing the latest in-house policies governing usage.

An MDM package can be used both to manage Windows 10 phones as well as desktop PCs and laptops - allowing IT pros to use the same tools to look after fixed and mobile devices. Microsoft's own MDM offering, Intune, or a third-party alternative, can be used.

There are various new MDM features in Windows 10. Azure Active Directory integration allows MDM tools to be used to manage network Domain-joined devices. MDM services can also be used to install apps directly from the Windows Store and to deploy non-store line-of-business apps.

New device management options include the ability to update policies automatically, retrieve device compliance information and to specify a per-device update approval list.

Microsoft is also promising improved support for managing multiple users and VPN configuration.

Windows 10 allows users and devices to be managed by various services, providing a choice between Active Directory, Group Policy, and System Centre Configuration Manager for corporate-owned devices that are frequently connected to the corporate network, or Azure Active Directory and MDM for devices that are typically mobile and internet-connected.

"What we see here are elements of the desktop operating system being managed with MDM-like capabilities and/or with Group Policy, which has been the traditional manner of controlling and managing desktops. Microsoft suggests they are very complementary," said Ovum's Edwards.

BUSINESS STORE FOR WINDOWS 10

Microsoft is planning to launch Windows Store for Business, an app store designed to make it easier for firms to deploy apps to staff.

Organisations will be able to create private sections of the Windows Store that offer a bespoke list of pre-approved apps, and admins will be able to assign apps to specific employees.

Businesses will also be able to acquire apps in bulk. Users will sign in via the Azure Active Directory.

AZURE ACTIVE DIRECTORY FEATURES

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service that provides single sign-on access to thousands of SaaS applications such as Office 365, Salesforce.com, Drop Box, and Concur.

Microsoft is integrating Azure AD with Windows more deeply to reduce the amount of passwords users need to remember. By linking Windows 10 devices to Azure AD, users will be able to sign into Windows using their Azure AD account and password. The same devices can be automatically enrolled in a mobile device management service at the same time.

Users will also be able to gain single sign-on access to in-house services from personal Windows devices by linking that Windows machine to a work account managed with Azure Active Directory.

Minimum System Requirements

• Processor: 1 GHz or faster
• RAM: 1 GB (32-bit) / 2 GB (64-bit)
• Free harddrive space: 16 GB (32-bit) or 20 GB (64-bit)
• Graphics card: DirectX 9 or later
• Display: 800x600 resolution or more