Encrypted files on Windows 10 will also be stored in containers, but unlike mobile devices where all business documents are in one container – and are only protected if you choose to save them there – each file will be in its own container.
"Our container is different," Hallum explains. "It's a container at the file level so every single file – every document, any content item, the files for your app – they will be protected with an encryption container and then Windows becomes a broker of access control between them."
Windows 10 will also work out which files to encrypt, based on where the file comes from or what app you create or open it with, using policies you set.
"You'll be able to set locations on the network and say 'we consider these to be corporate – this is the corporate mail server, these are the corporate file servers on these IP address ranges, using these DNS addresses'.
"When content comes from those locations, the system knows where it comes from and we can say 'let's go ahead and encrypt that at the file level'. In real time, as you're bringing content to your device, Windows knows what's corporate and what's personal, but it happens transparently behind the scenes and you don't have to think about it."
You can set policy to mark apps as business apps and all files created with them will be encrypted. You can use policy to mark some apps as personal and they won't be able to open encrypted business files. "We want to make sure apps that shouldn't have access to corporate networks can be gated," says Hallum. "These are the apps on the device I trust and will allow to connect to my VPN."
And for apps like Office that are used for both, there will be an option in the Save dialog to say whether a file saved on your PC is a business document that should be encrypted or a personal document that shouldn't.
Containers not constrainers
Hallum suggests that's more convenient than the style of containers used in Samsung Knox or Good Technology, which he calls 'constrainers'. "I'm constrained – I have to move to a secure place to access content. I need to use a specific application, maybe not the one I use on my PC, to access email. A container that contains the apps that contain the data is very effective at securing things but I have to change my behaviour, I have to stop using apps like Office.
"When we move the technology down the stack into the platform itself rather than building a protective solution that sits on top of the platform, as the others are, we can do a lot of the heavy lifting behind the scenes, where we don't have to interfere with the user experience to the same degree."
And yes, encrypted files will be usable on other devices. Hallum says OS X, iOS and Android will all be supported, either through Office or using readers. You'll be able to manage this with any MDM, not just Microsoft management tools like System Center.
There are other Windows 10 security features still in development and Hallum thinks security will make Windows 10 a compelling upgrade. "Every previous release of Windows has delivered defence in depth, but we've just made it harder. If you didn't deploy a release, you always had the excuse of plausible deniability; you could say 'it just made it harder, it wasn't the solution'. Once there's an OS available that you can deploy that will eliminate most of these attacks, there are no more excuses. You're making a choice to be vulnerable."