Windows 10 Enterprise
Windows 10 Enterprise is designed to address the needs of large and midsize organizations by providing IT professionals with
Windows 10's new enterprise features
The system will use file containerisation techniques to keep personal and enterprise data separate, with "minimal" impact on the way employees work, according to Microsoft.
Additional safeguards will protect sensitive data when it is shared.
"It's encrypting data as it moves around your organisation. If you send an email to the wrong person, with the wrong file attached and it escapes your organisation, it's not going to be readable, it's going to be encrypted. But someone inside your organisation would have no problem reading it," Gartner's Kleynhans said.
Microsoft has also highlighted Windows 10's ability to wipe corporate data from devices and leave personal data untouched, as well as to use audit reports for tracking issues and remedial actions. It will also work with a mobile device management (MDM) system to protect corporate data inside Office universal apps.
Device Guard also makes it "much less likely", according to Microsoft, that an attacker who seizes control of the Windows kernel will be able to run malicious code.
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service, which decides what code is allowed to run, from the Windows kernel itself, letting the service use signatures defined by enterprise-controlled policy to determine what is trustworthy.
"You can lock the operating system to that piece of hardware, and nothing else could ever boot on that piece of hardware," Gartner's Kleynhans said.
"You can make it so that it would be very hard, if not impossible, to wipe and reload a machine with something else."
Microsoft says this whitelisting approach will be effective at stopping malware from being run on machines, particularly software that alters its code to prevent detection by anti-virus software. Using technology embedded in the hardware, together with virtualization, to sandbox the Code Integrity service will also help foil exploits that compromise Windows at the kernel level and can tamper with traditional virus and malware countermeasures.
Device Guard requires various hardware features and software settings: UEFI 2.3.1 or greater; virtualization extensions such as Intel VT-x or AMD-V, with SLAT, enabled; an x64 version of Windows; an IOMMU such as Intel VT-d or AMD-Vi; TPM 2.0; and BIOS lockdown.
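The requirements above map onto values that Windows itself exposes, and the whitelisting described in the previous paragraph is expressed as a code integrity policy. The script below is an added example, not code from the article or from Microsoft: it reports the prerequisites from the Win32_DeviceGuard and Win32_Tpm WMI classes and Confirm-SecureBootUEFI, then builds a Device Guard policy in audit mode with the ConfigCI cmdlets (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy). The scan path, output folder, file names and function names are assumptions of this example.

```powershell
# Added example, not code from the article or from Microsoft: checks the Device Guard
# prerequisites and builds an audit-mode code integrity policy.
# Uses the Win32_DeviceGuard and Win32_Tpm WMI classes, Confirm-SecureBootUEFI and the
# ConfigCI module that ships with Windows 10 Enterprise. Run from an elevated prompt.
# $ScanPath and $PolicyDir below are example values.

function Test-DeviceGuardReadiness {
    # AvailableSecurityProperties codes (Win32_DeviceGuard documentation):
    # 1 = base virtualization support (VT-x/AMD-V with SLAT), 2 = Secure Boot,
    # 3 = DMA protection (IOMMU: VT-d/AMD-Vi), 4 = secure memory overwrite,
    # 5 = UEFI code read-only, 6 = SMM security mitigations, 7 = mode-based execution control
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $available = @($dg.AvailableSecurityProperties)
    $running   = @($dg.SecurityServicesRunning)     # 1 = Credential Guard, 2 = HVCI

    # Win32_Tpm.SpecVersion starts with the TPM specification version, e.g. "2.0, 0, 1.16"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI fails on legacy BIOS firmware, which also fails the UEFI requirement
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }

    [pscustomobject]@{
        X64Windows         = [Environment]::Is64BitOperatingSystem
        UefiSecureBoot     = [bool]$secureBoot
        VirtualizationSlat = $available -contains 1
        DmaProtectionIommu = $available -contains 3
        Tpm20              = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
        VbsStatus          = $vbs
        HvciRunning        = $running -contains 2
    }
}

function New-AuditModeCIPolicy {
    param(
        [string]$ScanPath  = 'C:\',          # reference machine with the approved software installed
        [string]$PolicyDir = 'C:\CIPolicy'   # example output folder
    )
    New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
    $xml = Join-Path $PolicyDir 'DeviceGuardPolicy.xml'
    $bin = Join-Path $PolicyDir 'SIPolicy.p7b'

    # Inventory the reference machine. Publisher-level rules trust code signed by the same
    # publisher certificate; unsigned binaries fall back to per-file hash rules.
    # -UserPEs includes user-mode executables, not only drivers.
    New-CIPolicy -Level Publisher -Fallback Hash -ScanPath $ScanPath -UserPEs -FilePath $xml

    # Rule option 3 = 'Enabled:Audit Mode': violations are logged to
    # Microsoft-Windows-CodeIntegrity/Operational instead of being blocked,
    # so the allow list can be tuned before enforcement.
    Set-RuleOption -FilePath $xml -Option 3

    # Compile the XML into the binary form the Code Integrity service loads.
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
    return $bin
}

# Usage: verify the platform first, then produce the audit-mode policy.
Test-DeviceGuardReadiness | Format-List
$policy = New-AuditModeCIPolicy
Write-Host "Audit-mode policy written to $policy"
# To deploy on this machine, copy the .p7b to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# and reboot; to move to enforced mode later, remove option 3 with
# Set-RuleOption -FilePath $xml -Option 3 -Delete and recompile.
```

Audit mode first is the practical order: the operational log shows which binaries the policy would have blocked on real workstations, and those entries are merged into the policy before it is switched to enforcement, which avoids locking users out of line-of-business software on day one.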
HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.
IT admins can configure provisioning-package rules that determine the look of the OS and which apps and certificates should be installed, enroll devices with an MDM suite, set out user rights and more.
The same provisioning-package rules can be used to configure multiple machines and can be applied to either a Windows image or running Windows machine via SD card, USB drive or network share.
Packages are created using the Imaging and Configuration Designer, part of the new Windows 10 Assessment and Deployment Kit.
The same biometric scan or PIN can then be used to log into Microsoft, Active Directory or Azure Active Directory accounts, as well as many non-Microsoft services that support Fast ID Online (FIDO) authentication, including Office 365 Exchange Online, Salesforce, Citrix, Box and Concur.
Microsoft says Passport provides both convenience, in that the user has to remember fewer credentials, and security, because no passwords are used.
It will require UEFI 2.3.1 or greater; virtualization extensions such as Intel VT-x or AMD-V, with SLAT, enabled; an x64 version of Windows; an IOMMU such as Intel VT-d or AMD-Vi; TPM 2.0; BIOS.
This practice of sideloading is useful when a firm wants to deploy line-of-business apps internally. Sideloading is a built-in capability with Windows 10 for Home, Pro and Enterprise users.
"If an organisation is developing its own set of corporate apps that it wishes to push out to employees, clearly there is some inherent business value in Windows 10," said Ovum's Edwards.
An MDM package can be used to manage Windows 10 phones as well as desktop PCs and laptops, allowing IT pros to use the same tools to look after fixed and mobile devices. Microsoft's own MDM offering, Intune, or a third-party alternative can be used.
There are various new MDM features in Windows 10. Azure Active Directory integration allows MDM tools to be used to manage domain-joined devices. MDM services can also be used to install apps directly from the Windows Store and to deploy non-store line-of-business apps.
New device management options include the ability to update policies automatically, retrieve device compliance information and to specify a per-device update approval list.
Microsoft is also promising improved support for managing multiple users and VPN configuration.
Windows 10 allows users and devices to be managed by various services, providing a choice between Active Directory, Group Policy, and System Center Configuration Manager for corporate-owned devices that are frequently connected to the corporate network, or Azure Active Directory and MDM for devices that are typically mobile and internet-connected.
"What we see here are elements of the desktop operating system being managed with MDM-like capabilities and/or with Group Policy, which has been the traditional manner of controlling and managing desktops. Microsoft suggests they are very complementary," said Ovum's Edwards.
Organisations will be able to create private sections of the Windows Store that offer a bespoke list of pre-approved apps, and admins will be able to assign apps to specific employees.
Businesses will also be able to acquire apps in bulk. Users will sign in via the Azure Active Directory.
Microsoft is integrating Azure AD with Windows more deeply to reduce the number of passwords users need to remember. By linking Windows 10 devices to Azure AD, users will be able to sign in to Windows using their Azure AD account and password. The same devices can be automatically enrolled in a mobile device management service at the same time.
Users will also be able to gain single sign-on access to in-house services from personal Windows devices by linking that Windows machine to a work account managed with Azure Active Directory.
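Which of the management planes described above applies to a given machine (Active Directory with Group Policy or System Center Configuration Manager, versus Azure Active Directory with MDM, or a personal device linked to a work account) can be read from the join state that Windows 10 reports through dsregcmd /status. The script below is an added example, not part of the article or of any Microsoft tooling: it parses that output into a table and classifies the device. The sample rows at the bottom are constructed, the MDM URL in them is a placeholder, and the function names are this example's own.

```powershell
# Added example, not from the article: classify a Windows 10 device's management plane
# from the key/value rows printed by dsregcmd /status. Field names (AzureAdJoined,
# DomainJoined, WorkplaceJoined, MdmUrl) follow dsregcmd's output format.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints indented 'Key : Value' rows inside boxed section headers;
    # keep only the rows and drop the +---- and | headers.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-ManagementPlane {
    # By default read the live device; pass -State to evaluate captured output instead.
    param([hashtable]$State = (ConvertFrom-DsregStatus -Lines (dsregcmd /status)))

    $domainJoined = $State['DomainJoined']    -eq 'YES'   # on-premises Active Directory
    $azureJoined  = $State['AzureAdJoined']   -eq 'YES'   # device joined to Azure AD
    $workplace    = $State['WorkplaceJoined'] -eq 'YES'   # work account added to a personal device
    $mdmUrl       = $State['MdmUrl']
    $mdmEnrolled  = -not [string]::IsNullOrWhiteSpace($mdmUrl)

    $plane = if ($domainJoined -and -not $azureJoined) { 'Active Directory: Group Policy / ConfigMgr' }
             elseif ($domainJoined -and $azureJoined)  { 'Domain-joined with Azure AD integration: Group Policy plus MDM' }
             elseif ($azureJoined)                     { 'Azure AD joined: MDM' }
             elseif ($workplace)                       { 'Personal device linked to a work account: MDM' }
             else                                      { 'Unmanaged' }

    [pscustomobject]@{
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureJoined
        WorkplaceJoined = $workplace
        MdmEnrolled     = $mdmEnrolled
        MdmUrl          = $mdmUrl
        ManagementPlane = $plane
    }
}

# Constructed sample of the relevant dsregcmd /status rows (placeholder URL, not real tenant data)
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : https://mdm.example.invalid/EnrollmentServer/Discovery.svc
'@ -split "`r?`n"

# Evaluate the constructed sample (expected: Azure AD joined, MDM enrolled), then the live device.
Get-ManagementPlane -State (ConvertFrom-DsregStatus -Lines $SampleStatus) | Format-List
Get-ManagementPlane | Format-List
```

A non-empty MdmUrl alongside AzureAdJoined : YES is what the automatic enrollment described above looks like from the device side; a domain-joined machine with no MdmUrl is still governed only by Group Policy, which is the case to look for when an inventory says a fleet is "MDM managed".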