The Pro and Enterprise versions of Windows 10 come with security and management improvements that will be appealing to enterprises, but the new approach to licences and keeping Windows 10 current is a major shift.
For consumers and small businesses, the way Windows 10 gets security updates and new features without ever having to upgrade to a new version of Windows is ideal. Larger businesses may need more control, especially for devices that have critical functions, so with Windows 10 enterprises get a choice of how to keep Windows up to date which also includes the choice of how you want to pay for it.
Windows Enterprise is the only edition that includes the option of the Long Term Servicing Branch (LTSB) – a version of Windows that won't get changes other than security updates and will be supported for five years. If you want to stay on the same LTSB version, you don't need to have Software Assurance, but if you do buy SA then you will be able to get a new LTSB version every two or three years – and you get ten years of support for each version.
For most PCs in the office, Windows Enterprise with the Current Branch for business that gets regular feature updates the way Windows 10 Home and Pro do (just some months after they've been released to Windows Insiders and consumers) is the right choice. To get that, you'll need both a Windows Enterprise volume licence and Software Assurance – without SA, the Current Branch of Enterprise edition won't stay current and if you want to get the new features that come with Windows as a Service, you'll have to buy a new licence to update.
Windows 8 pushed the idea of logging into Windows with a cloud account that could link multiple devices, but many enterprises were uncomfortable with that being a consumer Microsoft account. For Windows 10, as well as local and domain accounts, users can log in with Azure Active Directory accounts. And if they log in with both an Azure AD and an AD domain account, they'll get the single sign-on to services like Office 365 and Windows Store without having to type in their password every time.
The new FIDO-compliant credentials in Windows 10 should be a lot more secure than passwords – they're a key pair or a certificate that you can provision from Active Directory or Azure Active Directory, stored securely on the PC that users unlock with a PIN or, better yet, with biometrics like fingerprints or face and iris logon using Windows Hello.
They can also use a phone as a mobile credential for two-factor authentication – just having the phone nearby on Wi-Fi or Bluetooth makes it work like a smartcard, without the expense of a physical smartcard.
The user access tokens that are generated once users authenticate using their credentials are also protected; the logon process in Windows Enterprise runs in a Hyper-V container so hackers can't extract them to impersonate your users on other systems.
- Read more about Windows 10 migration on our sister website, ITProPortal.com