By Michael Pietroforte
Microsoft published a table that compares Windows 10 Home, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. I don’t cover the Home edition in this article. As in previous Windows versions, the main feature that the Home edition lacks is support for Active Directory.
It is interesting to note that, in Windows 10, Microsoft further separates the Pro edition from the Enterprise edition with additional security features.
Direct Access
Direct Access was introduced in Windows 7. It allows users to connect securely through the public Internet to the corporate network. The main advantage compared to conventional VPN solutions is that the connection is automatically initiated before users log on. It is also relatively easy to set up.
Windows To Go Creator
Windows To Go is a Windows edition that can boot from a USB device. It enables users to use their Windows workspace on multiple computers. On Windows 10, you can launch the Windows To Go Creator by just typing “Windows To Go” in Start Search. Windows To Go was first introduced in Windows 8.
Windows To Go creator
AppLocker
With AppLocker, administrators can whitelist and blacklist applications. With the help of Group Policy, you can restrict the programs that can be executed in your Active Directory domain.
BranchCache
BranchCache is a caching technology that was introduced in Windows 7 and Windows Server 2008 R2. Branch offices that are connected over a slow WAN link to central servers can cache content from web and file servers. In Windows 10, BranchCache logging has been improved.
Start Screen Control with Group Policy
Even though Microsoft’s comparison table calls the feature Start Screen Control, the proper name for this feature in Windows 10 is Start Layout because the Start screen is no more. You can export the Start layout with the help of a PowerShell command and then deploy the configuration via Group Policy.
Windows 10 Start Layout
Granular UX Control
I wasn’t able to find any official information about this new Windows 10 feature. Some sites describe it as a method to lock down the user interface so that the machine only serves a specific task, such as a kiosk computer. However, it appears to be something different from Assigned Access because the latter is also supported by Windows 10 Pro. Please let me know if you have better information.
Credential Guard
Another new feature in Windows 10 Enterprise is Credential Guard. It uses the Hyper-V hypervisor to isolate the Local Security Authority (lsass.exe) process, which enforces security policies. The task of Credential Guard is to protect domain credentials (not local accounts). Johan Arwidmark describes the feature in detail and explains how to configure it.
Credential Guard Group Policy
Device Guard
Device Guard is yet another new security feature in Windows 10 Enterprise. Like AppLocker, it allows admins to restrict execution to trusted applications. The main difference between AppLocker and Device Guard seems to be that Device Guard uses virtualization technology to isolate the process that determines whether apps are trusted or not. In addition, it leverages Secure Boot, User Mode Code Integrity, and new kernel code integrity rules to make the life of malware programmers harder.
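To verify that Credential Guard and Device Guard are actually active on a machine, rather than only configured in Group Policy, you can decode the Win32_DeviceGuard WMI class. The following is an added example, not code from the original article; the function name `Get-VbsProtectionStatus` and the sample object are constructed for illustration, and some properties may be missing on older Windows 10 builds (they then read as "Off").

```powershell
# Added example (not from the original article): decode Win32_DeviceGuard to
# compare which virtualization-based protections are configured vs. running.
function Get-VbsProtectionStatus {
    param(
        # Optional: pass a constructed object to test offline; otherwise query WMI.
        $DeviceGuardInfo
    )
    if ($null -eq $DeviceGuardInfo) {
        $query = @{
            ClassName   = 'Win32_DeviceGuard'
            Namespace   = 'root\Microsoft\Windows\DeviceGuard'
            ErrorAction = 'Stop'
        }
        $DeviceGuardInfo = Get-CimInstance @query
    }
    # Value meanings as documented for the Win32_DeviceGuard class.
    $vbsState = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $configured = @($DeviceGuardInfo.SecurityServicesConfigured)
    $running    = @($DeviceGuardInfo.SecurityServicesRunning)

    # Service IDs: 1 = Credential Guard, 2 = hypervisor-protected code integrity.
    $gaps = @()
    if (($configured -contains 1) -and -not ($running -contains 1)) {
        $gaps += 'Credential Guard configured but not running'
    }
    if (($configured -contains 2) -and -not ($running -contains 2)) {
        $gaps += 'HVCI configured but not running'
    }
    [pscustomobject]@{
        VbsStatus              = $vbsState[[int]$DeviceGuardInfo.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = $running -contains 1
        HvciRunning            = $running -contains 2
        CodeIntegrityPolicy    = $ciState[[int]$DeviceGuardInfo.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity  = $ciState[[int]$DeviceGuardInfo.UsermodeCodeIntegrityPolicyEnforcementStatus]
        Gaps                   = $gaps
    }
}

# Constructed sample: policy asks for both services, but only HVCI started.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus            = 2
    SecurityServicesConfigured                   = @(1, 2)
    SecurityServicesRunning                      = @(2)
    CodeIntegrityPolicyEnforcementStatus         = 1
    UsermodeCodeIntegrityPolicyEnforcementStatus = 0
}
Get-VbsProtectionStatus -DeviceGuardInfo $sample | Format-List
```

Called without arguments on a Windows 10 machine, the function queries the live system; a non-empty `Gaps` list means a protection was requested by policy but did not start.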
Long Term Servicing Branch
The Long Term Servicing Branch (LTSB) edition of Windows 10 Enterprise only receives security updates and hotfixes (not feature updates) through Windows Update. Microsoft will periodically release new LTSB builds that will contain new features. You could say the LTSB edition handles feature updates in a way that is similar to how previous Windows versions did. Another difference from the common Windows 10 Enterprise edition is that it comes without provisioned Windows apps (except Edge and Cortana). Note that no LTSB edition exists for Windows 10 Education, whereas all other enterprise features are also available for educational institutions.
Granular UX, Credential Guard, and Device Guard are new security-related features in Windows that small and mid-sized businesses will have to live without. Direct Access and AppLocker are also security features that Windows Pro lacks. I wonder if it is really true that only enterprises have higher security needs these days.
Which Windows 10 edition will you deploy in your network, and why?