Introduction and beyond passwords
The Pro and Enterprise versions of Windows 10 come with security and management improvements that will be appealing to enterprises, but the new approach to licences and keeping Windows 10 current is a major shift.
For consumers and small businesses, the way Windows 10 gets security updates and new features without ever having to upgrade to a new version of Windows is ideal. Larger businesses may need more control, especially for devices that have critical functions, so with Windows 10 enterprises get a choice of how to keep Windows up to date which also includes the choice of how you want to pay for it.
Windows Enterprise is the only edition that includes the option of the Long Term Servicing Branch (LTSB) – a version of Windows that won't get changes other than security updates and will be supported for five years. If you want to stay on the same LTSB version, you don't need to have Software Assurance, but if you do buy SA then you will be able to get a new LTSB version every two or three years – and you get ten years of support for each version.
For most PCs in the office, Windows Enterprise with the Current Branch for business that gets regular feature updates the way Windows 10 Home and Pro do (just some months after they've been released to Windows Insiders and consumers) is the right choice. To get that, you'll need both a Windows Enterprise volume licence and Software Assurance – without SA, the Current Branch of Enterprise edition won't stay current and if you want to get the new features that come with Windows as a Service, you'll have to buy a new licence to update.
Windows 8 pushed the idea of logging into Windows with a cloud account that could link multiple devices, but many enterprises were uncomfortable with that being a consumer Microsoft account. For Windows 10, as well as local and domain accounts, users can log in with Azure Active Directory accounts. And if they log in with both an Azure AD and an AD domain account, they'll get the single sign-on to services like Office 365 and Windows Store without having to type in their password every time.
The new FIDO-compliant credentials in Windows 10 should be a lot more secure than passwords – they're a key pair or a certificate that you can provision from Active Directory or Azure Active Directory, stored securely on the PC that users unlock with a PIN or, better yet, with biometrics like fingerprints or face and iris logon using Windows Hello.
They can also use a phone as a mobile credential for two-factor authentication – just having the phone nearby on Wi-Fi or Bluetooth makes it work like a smartcard, without the expense of a physical smartcard.
The user access tokens that are generated once users authenticate using their credentials are also protected; the logon process in Windows Enterprise runs in a Hyper-V container so hackers can't extract them to impersonate your users on other systems.
MDM and volume licences
Group Policy is the traditional way of managing PCs in the enterprise, but with the shift to BYOD, apps rather than desktop programs, and cloud services, controlling the settings on a PC is less important than managing what users have access to.
The phone-style Mobile Device Management that's built into Windows 10 is cheaper and simpler to manage, and less annoying for users. Instead of controlling specific Windows features, it lets you check that a device has all the necessary security updates, including anti-virus protection, and it allows you to control the Windows Store, limit which apps can connect over VPN, put confidential company information in encrypted containers and prevent it from being copied to unmanaged apps – and manage multiple users on a device.
And unlike Group Policy, MDM lets you remote wipe a device. You need to use an MDM service like Windows Intune, but you can manage PCs from the cloud wherever they are – not just when they're on the office network.
No more imaging?
When you deploy PCs in an enterprise today, you wipe the operating system they come with and install your own image – it's a chance to customise the setup and pre-install software. It's a lengthy process, even with tools like the Microsoft Deployment Kit and System Centre Configuration Manager (you'll need the new version of SCCM or System Centre 2010 R2 Configuration Manager with the new service pack to deploy Windows 10; SCCM 207 will manage Windows 10 but not deploy it).
Windows 10 has a new in-place upgrade system that can keep existing apps, data and configuration, and Microsoft is promising new tools that will let enterprises configure Windows 10 systems during that upgrade – adding apps, certificates, language packs, Wi-Fi, VPN and email profiles and enforcing security policies – rather than doing the usual wipe and reload process. You can even set up MDM on devices at the same time.
Volume licences in the Windows Store
Windows 10 comes with plenty of universal apps – including the touch-friendly version of Office – that need to be updated from the Windows Store. But enterprises want more control over the Store, and Windows 10 gives them a range of options.
If you want to assign apps to specific users and send them a link they can install from – or put those apps in a private company portal that uses APIs to pull the app details from the Store – you can do that through a new web-based Store portal, using an Azure AD account. Or you can create a private area in the public Windows Store for apps you've got volume licences for, or for your own apps that you upload to the Store.
If you don't want to send users to the Store to install their own apps, you can also install, update and uninstall Store apps on user devices through System Center Configuration Manager, Microsoft Intune and other MDM tools, including managing and reassigning app licences, and adding apps to custom Windows images so you can install them on PCs that aren't connected.