Unleashing the power of Windows 10 in the enterprise

Windows 10 continues on the fastest growth trajectory of any version of Windows, ever.

As of January 2016, Microsoft announced the latest operating system was active on more than 200 million devices. Enterprise and education customers were also reported to be exhibiting unprecedented demand with Windows 10 active on more than 22 million devices.

The enterprise version of Windows 10 offers a series of powerful features for both the user and the systems administrator. In this post we will explore these features and how to activate them.

Productivity and Accessibility in Windows 10

Windows 10 includes some significant enhancements to support the mobile workforce with improved productivity and accessibility features.

Enterprise Mode for Edge and IE 11 browsers

Microsoft Edge is now the default browser for Windows 10. There is however the option of selecting Internet Explorer 11, recommended if you’re running web apps that need ActiveX controls. Regardless of your browser option, each has an inbuilt option known as Enterprise Mode.

It works by disabling some of the more modern features in the new browsers. This prevents compatibility issues with old corporate intranet sites which would otherwise not display correctly. Enterprise Mode requires activation, as it is disabled by default. As a system admin, you will need to activate it using the Group Policy Editor (gpedit.msc) or Registry Editor (regedit.exe).
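The registry route mentioned above can be scripted. The following is an added example, not part of the original post: it reports whether the Internet Explorer 11 Enterprise Mode policy is set on a machine and can optionally set it. It assumes an elevated PowerShell prompt, and the site list URL in the comment is a hypothetical placeholder.

```powershell
# Added example: audit and optionally enable the IE11 Enterprise Mode policy.
# These are the machine-wide policy values that the Enterprise Mode
# Group Policy settings write for Internet Explorer 11.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'

function Get-EnterpriseModePolicy {
    param([string]$Key = $PolicyKey)
    # Returns $null if the key is missing or has no values
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $names = if ($props) { $props.PSObject.Properties.Name } else { @() }
    [pscustomobject]@{
        KeyPresent  = Test-Path -Path $Key
        # 'Enable' present (even as an empty string) makes Tools > Enterprise Mode available
        MenuEnabled = $names -contains 'Enable'
        # 'SiteList' points at the XML list of sites that always open in Enterprise Mode
        SiteList    = if ($names -contains 'SiteList') { $props.SiteList } else { $null }
    }
}

function Enable-EnterpriseModePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Key = $PolicyKey,
        # Hypothetical value, e.g. 'https://intranet.example/emie/sites.xml'
        [string]$SiteListUrl
    )
    if ($PSCmdlet.ShouldProcess($Key, 'Enable Enterprise Mode')) {
        if (-not (Test-Path -Path $Key)) {
            New-Item -Path $Key -Force | Out-Null
        }
        New-ItemProperty -Path $Key -Name 'Enable' -Value '' `
            -PropertyType String -Force | Out-Null
        if ($SiteListUrl) {
            # Scoping Enterprise Mode to a site list keeps every other
            # site on the browser's modern rendering path.
            New-ItemProperty -Path $Key -Name 'SiteList' -Value $SiteListUrl `
                -PropertyType String -Force | Out-Null
        }
    }
    Get-EnterpriseModePolicy -Key $Key
}

# Report the current state without changing anything.
Get-EnterpriseModePolicy
```

Running `Enable-EnterpriseModePolicy -WhatIf` shows what would be written without touching the registry.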

As a user, when implemented, you can activate Enterprise Mode by following these simple steps:

  1. Navigate to the menu bar (press the ALT key if you can’t see it)
  2. Click on ‘Tools’
  3. Select ‘Enterprise Mode’

DirectAccess

Originally available in Windows 8, but upgraded for Windows 10, DirectAccess creates a remote connection in combination with Windows Server. It allows users to connect to company resources without the need for a VPN.

DirectAccess is great for administrators. Without the need for a VPN, you’ll no longer need to teach users how to set one up. Also, the employee device remains connected at all times, meaning whenever it is turned on and connected to the internet you can troubleshoot the device or lock it down in the event of theft.

Users also benefit with easy access to company resources without the need to create, connect or disconnect a VPN.

Activating DirectAccess is a lengthy process which varies depending on the version of Windows Server you are currently using. Thankfully, the TechNet library has a comprehensive guide to walk you through the setup.

Windows To Go

Windows To Go allows you to download a complete and managed Windows 10 system image to a USB drive. This can then be booted on any managed or unmanaged Windows 10 host computer to run a managed version of Windows 10 Enterprise.

This gives the user access to their desktop and company resources via any computer, anywhere in the world. Simultaneously, the system administrator can retain the same level of management and security features to protect the business’s data and systems.

To set up Windows To Go for a user, you’ll need a certified USB drive and Windows 10 Enterprise installed on your desktop with administration rights. Then all you need do is follow these simple steps:

  1. Insert the certified USB and ensure the .wim file (found via a network share, USB drive, or DVD) is accessible with a valid Windows 10 Enterprise image, generalised using sysprep
  2. Type ‘Windows To Go’ in the search box to discover the ‘Windows To Go Creator Wizard’ application which you will need to run.
  3. Upon being asked ‘Choose the drive you want to use’, select the inserted USB drive and click ‘Next’
  4. You then need to choose a Windows 10 image: select ‘Add Search Location’, find the .wim file and click ‘Select Folder’.
  5. You can now select the Windows 10 Enterprise image, click next and then select ‘Create’ to begin building the Windows To Go workspace USB key. This typically takes 20-30 minutes to complete.
  6. Finally, on the completion page, configure the Windows To Go startup options and configure your current computer as a Windows To Go host computer. Once complete, click ‘No’ (unless you plan to boot from this key immediately) and then ‘Save and Close’.

Windows Store for Business

Windows Store for Business is a fantastic new feature for system administrators to discover, purchase, manage and distribute applications across your business. To set up Windows Store for Business, follow these simple steps:

  1. Sign up your organisation here - https://www.microsoft.com/en-us/business-store
  2. Next, assign roles to employees so they can change account settings, purchase and distribute applications
  3. Select apps for your business whether they are line-of-business or standard Windows Store apps
  4. Choose a licensing model:
    1. Online licensing - requires users to connect to the store to download apps
    2. Offline licensing - your organisation can cache apps and licences to deploy within the network
  5. Choose your distribution model:
    1. Use Store for Business
    2. Use a third-party management tool – this gives greater control over the distribution of apps

Security features in Windows 10

With the growing threat of cyber crime and the sophistication with which cyber attackers try to breach systems, Windows 10 Enterprise comes retrofitted with some significant security enhancements. Let’s take a closer look at them.

Microsoft Passport

Microsoft Passport is a Windows 10 feature that replaces your user passwords with strong two-factor authentication. Using an enrolled device in combination with Windows Hello (biometric) or a PIN, the feature prevents common phishing and brute force attacks.

As Microsoft Passport credentials are an asymmetrical key pair, this prevents server breaches and replay attacks. Remote credential authentication is also a far more cost-effective and easy way to implement two-factor authentication.

Activating Microsoft Passport on a Windows 10 device requires creating a Group Policy or Mobile Device Management (MDM) policy at server level. Once activated, users can set up Microsoft Passport with these simple steps:

  1. Log in as normal using your username and password
  2. You’ll then be prompted to create and confirm a work PIN
  3. Done, your device is now registered and authenticated, meaning you can now log in using your Microsoft Passport

Microsoft Device Guard

Microsoft Device Guard is a great way to tackle malware with Windows 10. This feature is another that requires activation at the server level and works by protecting the core kernel from malware. This is crucial in preventing malicious code from permanently compromising a Windows 10 system.

Device Guard works to make enterprise-wide application whitelists easier to administer and enforce. You can effectively lock down company devices so they can only run trusted applications. This is done using a combination of hardware and software security features. As this is another complicated feature to activate, we can again turn to Microsoft’s TechNet library for a comprehensive guide on how to deploy Microsoft Device Guard in your organisation.

Enterprise management for Windows 10 devices

In the latest version of Windows, Microsoft has continued advancing the enterprise-level management features in order to make life easier for IT Managers and System Admins.

This is applied using advancements to mobile device management (MDM) capabilities in Windows 10 which allow enterprise-level management of corporate-owned and personal devices including PCs, laptops, tablets and phones. The most interesting features include:

Mobile Device Management Support

Advancements to MDM policies available in Windows 10 allow for even more enterprise scenarios. You can now apply full control over the Windows Store, manage multiple users with Azure AD accounts or lock down devices and reset PINs should a user forget or lose a device.

Automatic enrolment to MDM policies for corporate-owned devices using Azure AD can also be pretty handy. For the full range of policies available, you can check out the Configuration service provider reference for Windows 10.

Control over updates

There is now much greater flexibility when applying operating system updates in Windows 10. Using MDM policies it is possible to control and manage updates to any devices running Windows 10 Enterprise. You can apply updates immediately when they become available, or schedule them for specific requirements.

For example, you can set it so that all security patches and bug fixes are applied immediately, minimising the time a device is vulnerable should any weakness be found.

Just scratching the surface…

As comprehensive and exciting as some of these features are, we are only scratching the surface here. A quick trip to the TechNet library and a look at ‘What's new in Windows 10’ is somewhat eye opening. If you’re a system admin looking to get to grips with Windows 10 for your enterprise, you might consider some Windows 10 training.

Microsoft offer a series of official certification tracks including a Specialist certification in Windows 10 and the MCSA: Windows 10. Both aim to provide you with the skills to configure, manage and maintain a Windows 10 enterprise system.

You’ll learn all about the new features in Windows 10 and how to use them, covering topics like enterprise-wide installation and upgrade scenarios, application management and the management of data security, not to mention all the new integration features with Azure and Windows Server 2012.

So what are you waiting for? Get exploring…
