Windows 10 29th July 2015

Now, you have probably heard a lot of chatter about Windows 10 being a free upgrade. And for many of you that will be true for the first year.  Windows 7 and 8.1 Enterprise Edition is not included in the free upgrade offer.  Additionally, to apply the free upgrade the device must be connected to Windows Update.

Windows 10 Pro is sold only as an upgrade license in Volume Licensing and does require a qualifying underlying Operating System license, typically a professional version of Windows.

This means that Windows 10 Pro will be primarily purchased in Volume Licensing by customers who are looking to move their existing PCs running either Windows XP Professional, Windows 7 Professional or Windows 8.1 Pro to Windows 10 Pro.  Although many commercial customers will take advantage of the limited-time free-upgrade offer for Windows 10 Pro, any customers on Windows versions prior to Windows 7 will need to purchase an upgrade license.

You can get standalone upgrade licenses through the Open and Select Plus programs.

Some organizations do need additional functionality that Pro does not provide.  This is where Windows 10 Enterprise can be beneficial, so let’s take a look at what the Enterprise edition includes.

Software Assurance can be added to any Windows 10 Enterprise upgrade purchase in VL and is automatically included in agreement programs like EA and Open Value.

Note that benefits are valid while SA coverage is active and that you can move your Enterprise upgrade license to a new device while you have active SA.

You can acquire the Enterprise edition as a standalone upgrade in the Open License and Select Plus VL programs: this option ONLY provides access to the LTSB, and does not provide the Enterprise Edition Current Branch/Current Branch for Business.

Granular UX Control, in which IT is able to customize and lock down the user experience of a Windows device for task-workers, kiosks, IoT/ embedded type functions (including education settings  for EDU  organizations) using device management policies in order to perform a specific task (ie check in kiosk at the airport).

Hardware Credential Protection (using hardware based isolation): Ability to store derived credentials (i.e.: NTLM hashes and Kerberos tickets) and the process that manages them (i.e.: Local Security Authority Subsystem Service (LSASS)), in a Hyper-V protected environment that is called a “Virtual Secure Mode (VSM)”. The VSM provides hardware based isolation and protection of derived credentials and prevents them from being stolen or misused even in the event that the Windows kernel is fully compromised. This capability prevents Pass the Hash (PtH) attacks which enable an attacker to impersonate a user on the network.

Device Guard: Device Guard offers game changing malware defense on devices running the Windows desktop operating system. Device Guard is a hardware and Windows based configuration that that locks down the device such that it can only run trustworthy executable code (e.g.: .exe, .dll) which means that they are signed by a trusted authority. Apps signed by Microsoft and made available from the Windows store are inherently considered trustworthy however organizations add any signature to the devices trust list.  Device Guard can be used in combination with AppLocker. In this case Applocker can be used to define which apps from a vendor who’s signature has been added to the trust list can be run on a device.

MDOP
SA now includes the full features and capabilities of MDOP.  MDOP is a set of products to help with virtualization, management and restore capabilities.  With the Windows 10 launch, MDOP is now included as an SA benefit, and is no longer a separate add-on.

Companies can enable users to change their device while keeping their experience by implementing a user state virtualization solution that delivers a personal Windows experience, is easy to deploy, and integrates into existing infrastructure with Microsoft User Experience Virtualization (UE-V).  Microsoft Application Virtualization (App-V) helps businesses provide their end-users with access to virtually any application, anywhere without installing applications directly on their computers, while Microsoft Enterprise Desktop Virtualization (MED-V) virtualizes Windows removing the barriers to Windows upgrades by resolving application incompatibility with Windows 7.

Additionally, MDOP helps manage, monitor, and deploy key Windows features.  Microsoft BitLocker Administration and Monitoring (MBAM) simplifies BitLocker deployment and key recovery, centralizes provisioning, and minimizes support costs, while Microsoft Advanced Group Policy Management (AGPM) enhances governance and control over Group Policy through change management reducing the risk of widespread outages due to policy based misconfigurations.

Finally, the Microsoft Diagnostics and Recovery Toolset (DaRT) helps shift desktop repair planning from reactive to proactive, saving time associated with troubleshooting and repairing system failures.

Flexibility and foundational benefits
SA also provides greater flexibility for how customers use Windows.  SA provides exclusive access to the Enterprise Edition Current Branch/Current Branch for Business.  SA can be purchased per user, expanding access to Enterprise edition and SA benefits across all of a user’s devices.

Finally, all of this comes with the core Readiness and Support Resources to allow customers to better plan, deploy, and manage their use of Windows – through things like, 24×7 Support, Extended Hotfix Support, and end user and IT training through E-Learning and Training Vouchers.

The Mobile Enterprise product provides control over timing of updates: Mobile Enterprise gives customers the ability to switch off automatic updates and use a management tool to apply updates.

In most organizations we usually see two types of devices used, PC’s and Thin Clients.  PC’s are typically licensed with Enterprise and SA as we have talked about and have a qualified OS on them and need local install rights.  The thin client on the other hand has no qualified OS and you don’t need local install rights as these devices will typically be used to connect to a VDI infrastructure.  For these devices we offer the VDA license.

Key Points

Windows SA per User puts users at the center of their devices and offers them a premium Windows Experience across their devices

There are a few aspects of Windows SA that are worth highlighting:

• All of the user’s devices are covered through Windows SA per User – including those running iOS and Android operation systems
• Only the user’s primary PC needs to be running a qualified OS (i.e. Windows Pro)
• Windows Enterprise Edition can be delivered across the user’s devices
• You have flexibility to deliver Windows Enterprise across devices through local install, Virtual Desktop Infrastructure (VDI), or Windows To Go
• This provides simpler license management by allowing you to count just users with primary PCs, instead of every single device and enable new scenarios