Microsoft’s long awaited Windows 10 is feature rich and has many impressive opportunities for the enterprise. It is far and away better than Windows 8 and, despite some shortcomings, it’s powerful and feature packed. Herein I’ll address some opportunities the enterprise will enjoy in deploying Windows 10.
In Windows 10, Windows Hello introduces improved authentication through biometrics. Biometrics allow you to authenticate with some unique physiological aspect of yourself, i.e. something you uniquely are, such as your face, fingerprint or iris. Effectively, you are the password. It’s critical to note that systems must meet the hardware specifications of a fingerprint reader, illuminated IR sensor or other biometric sensor for this to function. Facial recognition currently works on devices with Intel RealSense 3D Camera technology, but the list of supported hardware will likely expand dramatically in the near future. A bevy of hardware vendors are extending this feature through the Windows Biometric Framework, bringing a wave of opportunities to deploy biometrics at ever more affordable price points. Microsoft’s membership in the FIDO alliance shows a clear commitment to phasing out the old single factor password. Government, defense, financial, health care and other sectors will see a dramatic improvement in authentication technology with this feature.
Passport is a key element of Microsoft Hello that works alongside it. Passport allows secure and easy to use authentication without all the hassle of having to remember passwords. Unlike traditional passwords, which are notoriously easy to steal and crack, Passport doesn’t store a password that falls prey to the attacks traditional authentication suffers from. Currently Passport supports Windows AD, Azure Active Directory and servers, network resources and websites.
Passport uses a public/private key pair where the private key can be protected by a TPM (Trusted Platform Module). This is quite a step forward in combating the phishing and brute force attacks so common these days. Passport and Hello show promise for a password-less world that is much more secure than today’s single factor password technologies. The two together will also push these technologies into the mainstream, which is a very welcome development.
Device Guard gives Windows 10 systems advanced security features to block known and unknown malware and APTs (Advanced Persistent Threats). It does so by only allowing apps that are signed (trusted apps) to run on a system. These can be signed by software vendors, the Windows Store or even your own organization. A trusted binary will run in its own memory space with its own instance of Windows and is protected by IOMMU features in the PC’s processor and motherboard chipset. Even low level malware will be walled off from the system by these IOMMU features. An IOMMU is a requirement for using Device Guard, but most modern systems have this baked in (Intel VT-d or AMD-Vi). In today’s world of endless malware, APTs and cybercriminal network assaults this is a very welcome addition to a defense in depth strategy.
For quite some time there has been a move in the enterprise toward more mobile friendly devices: smartphones, tablets, or hybrid devices (think Microsoft Surface). Continuum mode optimizes the user interface for the device you are using. If you are using a hybrid device like a Microsoft Surface, it makes it easy to switch between two optimized user interface experiences.
So, for example, switching between desktop and Metro on a device like the Surface is as easy as plugging in the keyboard, and your UI adjusts to work more optimally for that configuration. Regardless of input device, device type or otherwise, the user experience is optimized for each device individually. This is quite a bit better than the experience (or nightmare) of Windows 8. With the move toward unifying the user experience across multiple devices (convergence) being the trend of the day, Continuum mode is a welcome advance in usability.
Virtual desktops is a great feature that allows you to improve your productivity by splitting up or grouping your open applications into different desktops. This feature allows you to keep things up, open and ready to use while keeping each distinct task in its own “desktop.” For example, you could create a desktop for a task like your email and another for your critical business application. Each is open and available, but they are in different desktops. Features like this are helpful for productivity and will be welcomed by users.
Windows Update for Business
WUB, or Windows Update for Business, will be an update service available for users of Windows 10 Pro and Enterprise. This will be a great option for small businesses that might not be able to afford another patch management option. Customers can subscribe to a “ring” which will subscribe them to a specific software update schedule that meets their needs. For larger enterprises that need more granular control over updates there is Windows Server Update Services (WSUS), Microsoft System Center or a multitude of 3rd party patch management options. Although it isn’t quite as advanced today as other commercial offerings, Microsoft has indicated that their goal is to make it a technical equivalent of WSUS and Configuration Manager without the internal infrastructure requirement (i.e. cloud based). This welcome feature should make Patch Tuesday a bit less painful.
Enterprise Data Protection
EDP is Microsoft’s DLP (Data Loss Prevention) solution baked into Windows 10.
EDP controls and prevents employees from distributing sensitive company data. EDP gives administrators control over which apps can access critical company data while minimizing the threat of data exfiltration by internal or external users. EDP securely encrypts data (at rest and in motion) identified as protected by this feature set. In this time of BYOD (Bring Your Own Device) and cloud computing this is extremely pertinent and useful. Instead of singularly focusing on securing the system, we can secure the data itself from exfiltration. It protects data both at rest and in transit and works on removable devices (USB thumb drives) as well. Administrators can even remotely wipe data with this EDP feature set. This powerful feature will be welcome in enterprises of all sizes.
Mobile Device Management
Windows MDM is a powerful framework for managing mobile devices in a Windows enterprise. Today’s enterprises have a myriad of devices such as smartphones, tablets, laptops and hybrid devices. The modern IT organization needs a way of managing these disparate, multi-platform technologies in a unified way. Further complicating the issue is that these are often employee owned devices which still need to be managed. Today’s IT environments have PCs, tablets, smartphones and IoT. Windows MDM will give a wealth of features to manage this multi-platform environment.
Credential Guard uses virtualization technology to improve the security of credentials (tokens) on a Windows 10 system. This feature uses technology from Hyper-V to segment and defend a Windows 10 system from malware or authentication attacks by placing credentials in their own encrypted and protected container, segmented away from the kernel and user mode OS. As long as the hardware supports hardware virtualization, one can utilize this security feature. VSM (Virtual Secure Mode), the isolated environment that hosts this container, is another improvement that will be welcome in any enterprise.
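Both Device Guard and Credential Guard depend on the same hardware prerequisites described above (hardware virtualization, an IOMMU) and on virtualization-based security actually running. The following PowerShell script is an added example, not code from the article: it reads the Win32_DeviceGuard WMI class that Windows 10 exposes and decodes which capabilities the machine reports and which of the two services are configured versus running. It assumes an elevated prompt and that the class is present (Windows 10 Enterprise or later builds).

```powershell
# Added example: report Device Guard / Credential Guard readiness on this host.
# Run from an elevated PowerShell prompt on Windows 10.

# Numeric codes returned by Win32_DeviceGuard, decoded to readable labels.
$PropertyNames = @{
    1 = 'Hypervisor support (VT-x / AMD-V)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU: VT-d / AMD-Vi)'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control'
}
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
}
$VbsStates = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $available  = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    $configured = @($dg.SecurityServicesConfigured  | ForEach-Object { [int]$_ })
    $running    = @($dg.SecurityServicesRunning     | ForEach-Object { [int]$_ })

    # Device Guard's isolation of trusted code relies on DMA protection; flag it.
    if (3 -notin $available) {
        Write-Warning 'No IOMMU / DMA protection reported: Device Guard cannot fully isolate code.'
    }

    [PSCustomObject]@{
        VbsStatus          = $VbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareCapable    = @($available  | ForEach-Object { $PropertyNames[$_] })
        ServicesConfigured = @($configured | ForEach-Object { $ServiceNames[$_] })
        ServicesRunning    = @($running    | ForEach-Object { $ServiceNames[$_] })
        # Configured but not running usually means a reboot or a missing prerequisite.
        PendingServices    = @($configured | Where-Object { $_ -notin $running } |
                                 ForEach-Object { $ServiceNames[$_] })
    }
}

Get-VbsReadiness | Format-List
```

A service that appears under PendingServices is enabled by policy but not protected yet; check the hardware list and reboot before relying on it.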
Azure Active Directory
Windows 10 expands its offerings to integrate even further with Microsoft’s Azure cloud through Azure Active Directory. Azure AD is a cloud based version of Active Directory offering directory and identity management services in a cloud enabled world. This provides single sign on for thousands of SaaS applications such as Office 365, Dropbox, Salesforce.com, etc. It connects an ordinary Windows AD account and extends its capabilities to the cloud and a variety of websites.
Windows 10 has quite a few powerful features to meet the needs of today’s enterprise. Like any other major upgrade, it requires testing and planning for proper deployment. All in all, Windows 10 is a powerful and promising release.