5 New Security Features with Windows 10 Enterprise: What does it mean for you?

The newest child of the Windows family is almost upon us, slated for a still “on track” Summer Release. As a CIO, what should you prepare yourself and your enterprise for?

In a couple of months we expect to get our hands on the final build of Windows 10. For the enterprise, the edition is called “Windows 10 Enterprise”. Just like earlier versions of Windows aimed at business users, which had specific features built in for organizational needs, Windows 10 Enterprise comes with a host of features for those needs. The familiar ones continue: VPN, DirectAccess, Group Policy based centralized management, the ability to “sysprep” and deploy images, and all of that good stuff from yesteryear. However, there is a whole set of new ones too. You may have come across some of these as announcements or even demos. Here, we take a look at what they mean for you and your organization.

Information about these features is still sketchy at this point in time, so we are working from what is available through presentations and demos as best we can.

Data Protection Policies

Back in 2007, when Windows Vista was released, it included a new feature called UAC (User Account Control) that caused a lot of headaches for both IT users and consumers. Security within Windows has come a long way since then, and Windows 10 brings a whole new set of security features.

Some you are already familiar with, like BitLocker full-volume encryption with its keys sealed in the TPM. We already saw an extension of BitLocker, called “BitLocker To Go”, that let users keep BitLocker protection on USB sticks and other removable drives. Windows 10 takes data protection in a different direction with Data Protection Policies. These let IT administrators define a corporate boundary (the identities, domains and network locations that count as “enterprise”) and designate which applications are allowed to handle enterprise data. Files and data that originate inside the boundary stay tagged as enterprise data, so the organization can not only prevent them from being saved or shared across the boundary but also control clipboard operations like Cut/Copy/Paste into personal apps. Each attempt to cross the boundary can be logged to the Windows audit log, opening it up for forensic investigation.

When users attempt to move data across defined organizational boundaries, the Data Protection Policy configuration (like the one shown on this Microsoft Intune screen) lets IT administrators choose whether the action is blocked, overridable (with a prompt to the user), silently allowed but audited, or not monitored at all.

What it means for you: with Data Protection Policies applied, data that reaches a Windows 10 machine through enterprise channels stays tagged as enterprise data wherever the user moves it on that machine, and any attempt to move it into a personal app or location is blocked, prompted, or at least audited according to the policy. Treat it as a guard against accidental leakage rather than a barrier to a determined insider: it governs managed apps on managed devices, and anything outside that (a photo of the screen, an unmanaged device) is outside its reach. At this point in time, it is not clear whether Microsoft will ship updates to enable this on Windows 8.1 or earlier, or what happens to this data when it is taken to a non-Windows system (like a Mac or Linux) or to a mobile device (phone).

Device Guard

Another security feature is called “Device Guard”, and it aims to stop malware from gaining control of the deepest level of the operating system (the kernel) and, more broadly, to stop untrusted code from running at all. The way it works is that Windows 10 Enterprise can run the Hyper-V hypervisor underneath the operating system (Microsoft calls this virtualization-based security). The hypervisor hosts a small, walled-off environment called Virtual Secure Mode (VSM) that runs alongside the normal OS; because the hypervisor sits beneath the kernel, code in the normal kernel cannot reach into VSM even if it is fully compromised. The code integrity checks that decide whether a driver or program is allowed to run are performed from inside VSM, so that decision can no longer be tampered with by malware that has already gained kernel privileges. The decision itself is not heuristic: it is a code integrity policy, a list of publishers (signing certificates), file hashes or signed catalogs that the organization trusts, and anything not on the list is refused. That is also the answer for your enterprise LOB (Line of Business) applications: there is no need to submit them to Microsoft. You sign them with your own code-signing certificate (or a signed catalog file), add that signer to your policy, and Device Guard will then let them run.

VSM runs as a small, isolated environment under the Hyper-V hypervisor, alongside the normal OS kernel. Because the hypervisor sits between the kernel and the hardware, code integrity decisions made inside VSM cannot be overridden from the normal kernel.

What it means for you: this is a relatively new way of doing things on a PC platform, though similar isolation has existed (and has been broken a few times) on phone platforms. While it is hard to say at this point in time what the impact would be on your client systems, expect to specify slightly higher-spec machines than you otherwise would: the hypervisor needs CPU virtualization extensions with SLAT, UEFI with Secure Boot, and ideally an IOMMU, and the ever-present hypervisor and VSM carry some overhead. Expect driver compatibility work too, since kernel drivers that do not follow the memory-protection rules enforced from VSM will fail to load once the policy is enforced. Finally, note that turning on virtualization-based security does not hand your users the Hyper-V management tools; client Hyper-V remains a separate optional feature that your IT administrators can still control with Group Policy.
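To make the LOB point above concrete, here is an added example (not code from the original article, and not a Microsoft script) of building a Device Guard code integrity policy that trusts your own signing certificate, deploying it in audit mode, and reading back what it would have blocked. It assumes Windows 10 Enterprise with the ConfigCI PowerShell module, an administrative session on a clean reference machine, and placeholder paths and a certificate file name of your own.

```powershell
# Added example (not from the original article): build a Device Guard
# code integrity policy that trusts your own LOB signing certificate.
# Assumptions: Windows 10 Enterprise with the ConfigCI module, run as
# administrator on a clean reference machine; paths and the certificate
# file name are placeholders.

$PolicyXml = 'C:\CIPolicy\LobPolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
$LobCert   = 'C:\CIPolicy\ContosoCodeSigning.cer'   # your own code-signing cert (assumed name)

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference image. -Level Publisher trusts anything signed by the
#    publishers found on this machine; -Fallback Hash covers unsigned binaries
#    by hash. -UserPEs includes user-mode executables, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $PolicyXml

# 2. Trust your LOB apps by signer, not by submitting hashes to Microsoft:
#    sign them with your own certificate and add that certificate as a rule.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $LobCert -User

# 3. Start in audit mode (rule option 3): violations are logged to the
#    CodeIntegrity operational log instead of being blocked, so an app the
#    policy missed shows up before anyone is locked out.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Convert to the binary form the kernel loads, and stage it where
#    Windows 10 looks for it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 5. After a reboot and some normal use, review what audit mode caught
#    (event 3076 = would have been blocked) before removing option 3
#    to switch the policy to enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Run it once per reference image, not per machine: the resulting SIPolicy.p7b is what you distribute (by Group Policy or your imaging process). Leave audit mode on until the 3076 events have stopped surprising you, then delete option 3, reconvert, and redeploy; from that point an unlisted binary is refused rather than logged.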

Beyond passwords: Biometrics

Microsoft says that passwords and PINs are things of the past, and says “Hello” (Windows Hello, that is). This is a biometric way of getting into your system: camera-based facial recognition, fingerprint or iris, with a PIN as the fallback gesture. The way you log in to a PC is going to change. Hang on a minute: biometric logon has been around a long time. The difference with Hello is that it is paired with Microsoft Passport, which replaces the password with a key pair. The private key is generated and held on the device (in the TPM where one is present) and is only unlocked by the Hello gesture, so no password ever leaves the machine; the server only ever sees a signature. That removes the password from the wire, and together with Credential Guard, the companion feature that keeps derived domain credentials inside the same Hyper-V isolated VSM that Device Guard uses (yes, again you need that hypervisor to be ever present!), it should in theory thwart the “Pass the Hash” attack. Microsoft claims that its new facial recognition cannot be fooled by pictures and images from other devices because it uses infrared rather than visible light to detect a face, which means the camera must be an infrared-capable one built for Hello rather than an ordinary webcam. However, how fool-proof is this really? How would this work on systems where you are changing cameras or image resolutions? We will have to wait and see.

What it means for you: not all organizations permit biometric logon. The reason is that it is hard to manage this form of security and it has considerable hardware overhead (you need systems with compatible cameras or fingerprint sensors, etc.). Where it is allowed, though, enterprises should be able to take advantage of all the new protections for that credential and roll it out on their more sensitive devices first.
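Both the Device Guard section and the credential-isolation claim above depend on virtualization-based security actually being up on a given machine, and "configured" is not the same as "running". The following is an added example (not from the original article) that reads the Win32_DeviceGuard WMI class and decodes which services are configured versus running; it assumes Windows 10 Enterprise on hardware that supports VBS, and the numeric codes are the ones Microsoft documents for that class.

```powershell
# Added example (not from the original article): report which of the
# virtualization-based security services are configured vs. running.
# Assumes Windows 10 Enterprise; the numeric codes are those documented
# for the Win32_DeviceGuard WMI class.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # Service codes: 1 = Credential Guard (isolated LSA), 2 = HVCI (Device Guard code integrity)
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Device Guard)' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # WMI returns UInt32; cast to [int] so the hashtable lookups match the literal keys.
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = ($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning    = ($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '
        KernelCodeIntegrity   = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

$status = Get-VbsStatus
$status | Format-List

# A service that is configured but not running usually means a hardware
# prerequisite (UEFI Secure Boot, VT-x/AMD-V with SLAT, IOMMU) is missing.
if ($status.ServicesRunning -notmatch 'Credential Guard') {
    Write-Warning 'Credential Guard is not running: derived credentials (NTLM hashes, Kerberos tickets) are not isolated from the normal kernel.'
}
if ($status.ServicesRunning -notmatch 'HVCI') {
    Write-Warning 'HVCI is not running: code integrity decisions are still being made by the normal kernel.'
}
```

This is the check to run across a pilot group before you rely on either feature: a policy that was pushed but never took effect looks identical to the user, and the Pass the Hash protection in particular only exists when Credential Guard shows under ServicesRunning.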

Windows Updates

Updates. While sometimes necessary to get around that nasty bug that prevents your application from running, almost all users hate updates, and so do IT administrators. Updates not only create an additional chore, because they come with installation deadlines and requirements to reboot, but they also introduce uncertainty about the impact they will have on the applications on the machine. With Windows 10, Microsoft has introduced a new cadence and system for updates. Enterprises will, for the first time, be able to define their own cadence, schedule and machine-level priority for taking updates. This is aimed at business customers because it is driven through the management tooling they already have: Group Policy or an MDM for the new deferral settings, alongside the familiar WSUS or System Center route. Each type of user or department can be placed into a “ring”, and each ring is assigned a deferral period after the original release of an update before it is installed.

With Windows 10, Microsoft lets business IT administrators define multiple rings to receive and roll out updates to their users. They can create as many rings as they need, each with its own roll-out timeline. These rings sit even farther out than the rings Microsoft creates for retail consumer users.

What it means for you: this will surely elicit a huge sigh of relief from all the IT administrators out there. It also means that smaller teams get to find inconsistencies and problems with updates before the whole organization gets them. I can already see a few of you putting your boss’s machine in the final ring!
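As an added example of what a ring looks like once it is reduced to settings (this is not code from the original article), the script below expresses a few rings as deferral periods and writes one ring's values to the Windows Update policy registry keys. It assumes the policy value names that the shipped form of this feature (Windows Update for Business) uses under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the ring names and day counts are illustrative.

```powershell
# Added example (not from the original article): express update rings as
# deferral periods and apply one ring's settings through the Windows Update
# policy registry keys. Assumes the value names used by Windows Update for
# Business; ring names and day counts are illustrative.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Each ring sits further out from Microsoft's own consumer rings.
# Feature updates = new Windows builds; quality updates = the monthly fixes.
$Rings = @{
    'Pilot'    = @{ FeatureDays = 0;   QualityDays = 0  }   # IT and volunteers
    'Early'    = @{ FeatureDays = 30;  QualityDays = 7  }   # one department
    'Broad'    = @{ FeatureDays = 90;  QualityDays = 14 }   # everyone else
    'Critical' = @{ FeatureDays = 180; QualityDays = 30 }   # the boss's machine
}

function Set-UpdateRing {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Pilot', 'Early', 'Broad', 'Critical')]
        [string]$Ring
    )
    $r = $Rings[$Ring]
    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }

    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdates             -Value 1              -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdatesPeriodInDays -Value $r.FeatureDays -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdates             -Value 1              -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdatesPeriodInDays -Value $r.QualityDays -Type DWord

    # Read back what is now in effect for this machine.
    Get-ItemProperty -Path $WuPolicy | Select-Object Defer*
}

Set-UpdateRing -Ring 'Broad'
```

Writing the registry directly is for a lab machine; in a domain the same values are set by the Windows Update administrative templates in Group Policy (or by your MDM) and scoped to the OU or group that represents each ring, which is what makes the ring a property of the user or department rather than of one box.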

Windows Store for Business

The Windows Store is a great way for Windows users to get apps. But it is cluttered with all kinds of apps, including fake apps that play off the names of well-known ones. And obviously you would not want your employees playing Candy Crush Saga or Second Life on their work machines. Enter the “Windows Store for Business”. This is a controlled storefront: your designated administrators, rather than your users, choose which applications from the public catalog appear in your organization’s private store, and organizations can use their Dev Center account to publish their own LOB apps into it. The way your users get their apps from the WSB is also unique. The designated administrators go into the WSB, acquire the app, and take either an online or an offline license for it. Online licenses are tied to users’ organizational accounts and are served by the Store; offline licenses let you download the package and its license and deploy it with your own tools (System Center or an MDM) without the device ever talking to the Store. From there you assign it to a single user, a group of users, or everyone in the organization, the same way as you do for other applications.

What it means for you: WSB allows your business to distribute applications not just internally but across your own locations and, for LOB apps you publish, to other organizations as well. Also, WSB apps can be free or paid, which can open up avenues to monetize your IP and capabilities.

Have a feature of Windows 10 you would like us to deep dive for you? Let us know and we will cover it as soon as we can.
