Key features of Windows 10 Enterprise

From security to productivity to management, the Enterprise edition of Windows 10 packs a whole lot of business punch.

The Enterprise edition of any Windows version is aimed directly and more or less exclusively at businesses and other organizations of some considerable scale. It isn’t normally available for retail purchase (though you can find some retailers online willing to sell single copies). Usually, Windows 10 Enterprise must be acquired through some kind of licensing agreement with Microsoft or one of its partners, such as through the company’s Volume Licensing Service Center.

What’s for business in Windows 10 Enterprise?

In general, Windows 10 Enterprise offers additional or enhanced features designed specifically for business use. These items fall into four broad categories – namely the following:

  • Security
  • Productivity
  • Management

Let’s take a look at each category in turn to understand their differences with the Home and Pro editions that are aimed primarily at consumers, individuals and small businesses.

Windows 10 Enterprise security features and functions

The Microsoft Passport technology is supported in Windows 10 Enterprise, and makes it simple to deploy two-factor alternatives to password-based logins. If combined with Windows Hello, the second factor can be a biometric characteristic of some kind. Available hardware for Windows Hello currently supports fingerprint scans, facial recognition, or iris scans but also requires that PCs be outfitted with compatible cameras or scanners to supply such data.

Microsoft Passport also supports use of a cellphone as a second authentication factor, so that a user must input a string sent to a cellphone number as a proof of identity. Use of Personal Identification Numbers, or PINs, often goes hand-in-hand with Hello- or Passport-based authentication in Windows 10 Enterprise. It all adds up to more secure, verifiable logins.

[Related: CIOs cautiously embrace Windows 10]

Windows 10 Enterprise also supports a technology called Credential Guard, which is designed to isolate credential information so that only privileged system software can access such data. When Credential Guard is active, Windows credentials are stored in a special facility called the Credential Manager, that keeps such data in special secure folders called vaults. Windows and programs (including Web browsers) can pass credentials from the vault to other computers and websites safely and securely.

Another new feature in Windows 10 Enterprise is called Device Guard. It combines security features for both hardware and software to lock devices down so they will only run trusted applications. If an app or application isn’t trusted, it can’t run. Even if a protected device becomes compromised, an attacker won’t be able to run anything except authorized software on that device. Device Guard uses virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the OS kernel, where the service uses signatures defined in an enterprise policy to determine what is trustworthy. Thus, this service runs alongside the Windows kernel in a hypervisor-protected container.

Windows 10 Enterprise also supports a special trusted boot service, that uses the Secure Boot facility along with UEFI version 2.3.1 (or newer versions). In this kind of environment, the firmware setup is locked to prevent other OSes from booting, to prevent unauthorized changes to UEFI settings, and to block alternate boot devices (such as USB flash drives, which might otherwise be able to override the designated boot disk). This prevents rootkits and other boot-related malware from finding a foothold on protected systems. Of course, authorized admins can override these settings by supplying a special password at boot time to enable UEFI updates to be applied, configuration changes made, or other routine maintenance to occur.

To provide data separation and containment of organizational data, Windows 10 Enterprise will also provide a facility called Enterprise Data Protection (EDP; this facility is still under development). When EDP is enabled, it acts to prevent accidental or malicious data disclosure via apps or services such as email, social media, or cloud-based code. It’s designed to prevent data leakage, especially on employee-owned devices such as tablets or smartphones, often in the context of BYOD usage.

EDP protection comes from policies defined for enterprise data sources and/or applications that handle such data, so that it remains transparent to users. It helps those users keep personal and corporate data separate and distinct, without requiring users to be responsible for tracking what’s what. EDP also confers administrators the ability to wipe corporate data on remote devices, while leaving personal data untouched. Access is audited and issues and remedial actions may be easily monitored and tracked. EDP integrates with existing management platforms, such as Microsoft InTune, SCCM, or compatible Mobile Device Management (MDM) platforms.

Finally, the Windows Device Health Attestation cloud service enables organizations to protect data and intellectual property by enforcing, controlling, and reporting the health of Windows 10-based devices. It also works with InTune or other compatible MDM services to deliver what’s called “conditional access services.” These check on the health and status of devices attempting to access organizational networks, and can prevent untrustworthy or unrecognized devices from obtaining access to organizational resources.

Windows 10 Enterprise productivity features and functions

The Windows 10 user interface returns to the start menu layout and functions, so that users familiar with Windows 7 and earlier versions of Windows can jump right in and start getting things done on Windows 10. It’s been designed to make the user experience both friendly and familiar, thereby boosting productivity. In Windows 10 Enterprise and other versions, Microsoft offers its new Edge browser along with Internet Explorer version 11, one to provide an enhanced web experience (Edge), the other to provide secure, reliable support for an enterprise’s web-based applications (IE 11). The new Continuum display handling technology lets apps and content move seamlessly among large format displays all the way down to the smallest mobile devices, while a new Windows 10 Universal App interface lets developers build apps that deploy with aplomb across devices of all kinds in similar fashion.

Windows 10 Enterprise management features and functions

Management is an arena in which Windows 10 Enterprise particularly shines. It provides support for dynamic provisioning and in-place upgrade. The former enables creation of provisioning packages that may be installed using removable media such as flash drives or SD cards, delivered as e-mail attachments, or download from network drives.

With a simple set of written instructions, users can deploy them themselves to provision and configure their own devices. The same provisioning package can be used to configure multiple devices, including employee-owned devices, even when an MDM infrastructure may not be present, or network connectivity available. In-place upgrade makes it simple and straightforward to upgrade from Windows 7 or 8 version, while preserving data and settings, and updating all compatible applications and drivers (an pre-upgrade installation advisor will warn users about any incompatibilities in advance).

Windows 10 Enterprise also lets organizations manage the code base for Windows directly and explicitly. Most corporations and organizations elect to receive updates for the Current Branch for Business, a Windows version that tracks about four months behind the leading edge Current Branch release and its updates.

This gives IT departments time to evaluate and validate updates before they’re applied, and lets them control how and when updates get propagated into production networks (usually on some kind of regular maintenance schedule). The Windows Update for Business service provides an update distribution and tracking mechanism that businesses and organizations can use internally to manage security updates in-house, or to handle the entire Windows Update regime, all under their full control and timing.

Windows 10 Enterprise supports an in-house, internal version of the Microsoft Store, called the Windows store for Business. It lets organizations set up, maintain, and manage their own distribution mechanism for Windows Store apps under their complete control, along with any private line-of-business apps they may wish to provide to their user bases.

[Related: 12 powerful Windows 10 tools that hardcore PC enthusiasts will love]

Using Windows 10 Enterprise

Windows 10 Enterprise is often used in concert with a variety of other tools and technologies. While third-party alternatives for any and all of them do exist, specific relevant Microsoft technologies designed to help with imaging, management, deployment and maintenance of Windows 10 Enterprise include the following;

  • Microsoft System Center, most particularly Microsoft System Center Configuration Manager (SCCM), used to deploy and manage Windows 10 Enterprise images, applications, updates, and upgrades.
  • The Windows Assessment and Deployment Kit (ADK) for Windows 10, Version 1511: tools to customize and deploy Windows 10 images.
  • Microsoft InTune: an environment that provides mobile device management (MDM), mobile application management, and PC management capabilities from the cloud (usually used for remote locations, branch offices, and remote/traveling users in an enterprise environment; SCCM will be more typically used on the organization’s premises or primary sites).
  • Windows Update for Business: provides a mechanism to use Group Policy Objects so that an organization’s administrators can exercise complete control over how Windows 10-based devices get updated. Includes support for deployment and validation groups, to specify update waves and membership, and peer-to-peer delivery for controlled propagation to branch offices and remote sites.
  • Active Directory and Azure Active Directory, which offer built-in or cloud-based directory services, including rich, complex group policy controls to manage OS and application deployments, updates, access and use. All of the policy-based controls mentioned earlier in this article may be handled through one or the other of these mechanisms.

Overall, Microsoft offers a rich supporting infrastructure to support deployment, management and use of Windows 10 Enterprise in a controlled and secure setting. Further investigation of Windows 10 Enterprise, especially on the security and management fronts, shows it to be extremely well-suited for business use.

Copyright © 2016 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon