Enterprise guide to Windows 10
- 03 August, 2015 20:06
Windows 10 is now available for consumers, but for IT executives thinking about enterprise deployments, here's what the upgrade path from Window 7 or Windows 8/8.1 looks like.
The first step is to launch pilot projects this summer. For power users or bleeding edge companies that don't want to wait for the full complement of Windows 10 enterprise features, there will be a fall release of Windows 10 Enterprise and Professional Editions.
If you're waiting for the full-featured version, we're talking fourth quarter of this year. And if you're like many enterprises and typically wait until after the first patches and updates, then you're looking at the first quarter of next year.
This review covers Windows 10 Professional, Enterprise and Educational versions. The Educational edition is much like an "Ultimate" release, with all of the features of the Enterprise Edition in a single user-form.
+ See all the Windows 10 stories on Network World +
For IT execs, the two big questions are whether a migration to Windows 10 will break anything and whether it has enough new features to make a migration worthwhile.
We installed Windows 10 Pro and Enterprise on a number of different installations, ranging from Windows 7 through 8.1 either as in-place upgrades to bare metal installations or upgrades to VMs. We found that there can be problems if your infrastructure isn't currently rock-solid. If there are current activation problems (usually found on BYOD devices), then you can't upgrade.
Strong pilot tests in an organization's sample of platforms -- especially hosting platforms such as Citrix XenServer upgrade hosts, VMware Horizon View upgraded hosts, and HTML5 remote consoles is strongly suggested prior to an organizational rollout.
One potential problem centers around the browser. If you must use prior editions of Internet Explorer for captive corporate apps, stop here, and do not upgrade as IE11 is mandated -- and the newly added Edge browser, while lovely and fast, is unlikely to suit you and is devoid of plug-ins at this time.
For many, IE11 use is not a problem, but for a handful of organizations with wide-spread IEX apps, changes are needed and piloting IE11 is recommended. Keep in mind that for all Windows 10 Versions, there is no backgrade/uninstall.
Unless you're using the Enterprise Edition, Microsoft's push of fixes, which can include default device drivers, could break user installations. That's why we recommend the Professional Version, which gives IT control over updates.
Otherwise, you need to trust Microsoft's ability to prevent large swaths of scorched PCs. Updates are already out for all versions of Windows 10, and instead of a "Patch Tuesday", they'll arrive quickly.
Windows 10 is mated to Active Directory in the same old ways -- but with new client-side twists, we found in testing. No new roadblock or obstacles towards interoperability with MacOS or Linux have been introduced. Even your VMs can be updated with surprisingly little drama or inconvenience, whether on Citrix Xen, Hyper-V, or VMware. We could not find any difficulties with mating Windows 10 Professional and Enterprise with our two Active Directory sources, and so feel this is another green light.
Microsoft introduces significant business-focused security features, better encryption of data in-place as well as in transit, and adds Microsoft's Azure Active Directory as a member of its Windows as a Service "team".
Group Policy Objects that work for Windows 7 and 8 clients appear to work for Windows 10 Professional and Enterprise. Microsoft is in the process of adding specific templates for features found in Windows 10 business editions and will be added server-side, rather than client side for group rather than local control.
Cortana is Microsoft's audio query tool, and it's good. Voice commands get fast answers. Permitting Cortana adds voice interaction, and additionally creates sources of asked/answered data profiles somewhere managed by somebody. The actual privacy of these is unknown, as is whether they can be mined, or must be in some way audited or are in other ways regulated.
The use of Siri is uncontroversial for many organizations, but such voice queries can be business or personally related, and this is new ground to break in terms of legal discovery processes, international regulatory authority, and policy determination. Organizations need to decide the practicality of permitting Cortana.
Windows 10 includes constant updating, an approachable, more Windows-like UI (than Windows 8), and the promise of a cross-device operability. If Windows 8 was about tablets, Windows 10 is about PowerUsers, a Microsoft spokesperson told us.
Users are unlikely to be dismayed by Windows 10 combination of tiling and Start Menu. Windows 10 will also remember Wi-Fi passwords. As we don't recommend browser password cache in IE, we didn't test this function. Firefox, Google Chrome, and other browsers we tested work unaided.
Then, there is the question of utilization of the Microsoft Store, and its business store variants (yes, you can arrange your own groupings of apps and make it an authorized store for users).
Rapid self-provisioning of licensed/approved/vetted apps is heaven-sent to many organizations, but specific licensing details, approved payloads, metadata in the form of ancilliary data files, organizational templates, and other customizations require time and the usual licensing, legal, audit controls, language-specific choices.
Microsoft can make use of TPM 2.0 platforms, an onboard encryption system and extends UEFI Secure Boot security potential. The Trusted Platform Module 2.0 secure boot feature can also be used in conjunction with UEFI and Microsoft's Hyper-V, where hardware supports all three, to also enable Virtual Secure Mode. This scheme is an application sandboxing method that's lighter-weight than running a full VM on a Windows 10 host, much like other container methods we've seen, but not really similar to Docker or Kubernetes.
Because Windows 10 clients cannot run Hyper-V when they're already hypervised, features using Hyper-V run only on bare metal or adjunct where Hyper-V is native. You can't spawn this, therefore, in virtualized sessions of Windows 10 to sandbox applications.
UEFI Secure boot support helps prevent boot-time malware and viruses from changing kernels, or otherwise infecting them, although it's the source of criticism from other OS vendors and their fans. For some hosts, it requires BIOS selection changes best not left to civilian users, but we recommend using UEFI for its protection. TPM BIOS settings had to be cleared to make TPM and TPM-related apps work in test versions of Windows 10, but we didn't have a problem with it in the RTM-and-first-patched version we used.
+ ALSO ON NETWORK WORLD How to get the most out of Windows 10 enterprise security features +
Microsoft will also allow third party application direct VPN connections, rather than creating a host-level circuit between hosts. This means that several secure circuits can be managed without user intervention, or exposing two networks to each other without safeguards. This wasn't tested because it's new and applications using this technique could not be found at press time.
To achieve an additional sense of security, Microsoft has changed how applications can work securely, although some of the big changes -- policy-driven changes towards dividing business and personal apps and data -- won't appear until the fall update.
This said, Windows 10 is ready to be managed under the MDM constraints of Microsoft's InTune skills today; we tested basic functionality and it works.
Versions: Pick The Enterprise Edition
The Business Editions are limited. There are three salient business versions, culminating with an Education version that is perhaps the equivalent of prior Windows "Ultimate" editions.
Choosing Enterprise over Professional Editions gives IT and organizations more flexibility and choice:
Professional Edition gets updates for as long as the device exists, but it can't be meaningfully transferred to another device and receive updates. Professional Edition gets its updates and payloads from Microsoft using push-methods, where organizations licensing (usually through Microsoft's Software Assurance Agreements) gain control over what's delivered and when.
Professional updates therefore create a periodic event, and organizations might not be able to dependency-check updates prior to delivery, this potentially rendering apps/updates/patches/fixes that might break things, where Enterprise licensees of organizations (perhaps not individual Enterprise licensees) can pilot, then roll-out organizationally-vetted packages under their own auspices when distribution makes sense, perhaps with organizational credentials signing.
Caveats and summary
Windows 10 has plenty of eye candy and is approachable for users. Some already have the nagware compelling them to upgrade. Long time Windows followers warn to not do this until the first set of patches and fixes arrive, and we agree. For pioneers, self-supporting power users, and test personnel, the time is ripe.
The fall (Spring in the southern hemisphere) update will enable both patches and fixes but also a new set of untested features, so for some organisations, this is a four-step rollout, pilot, first-update, data-protection features pilot, and data protection features roll out.
Backwards and broad compatibility to Windows 7 helps Microsoft, instead of hindering it, this round. Much attention has been paid to homogenising and paying attention to the needs of Microsoft's elite flyers. They are unlikely to upgrade immediately, yet have compelling reasons to do so in the fall.
How We Tested Windows 10
We used six different desktops and notebooks, and five new or upgraded test VMs to upgrade or bare-metal install Windows 10 Professional and Enterprise updated RTM builds. Notebooks included Lenovo and Samsung models, E-Fun Nextbook and Microsoft Surface 2 tablets, and two HP all-in-one desktops. None were rejected by the upgrade applications, although we encountered a few head-scratchers relating to processor rejection messages.
In place upgrades of VMs from Windows 7 or 8.1 were unremarkable, save the speed of update was faster, owing to the base platform resources of the VMs. Hyper-V3, VMWare ESXi 5.5, and Parallels for Mac were used to test VM upgrades.
We tested IE11 vs Edge on all of the desktops we generated, and did not use extensive or weird connected devices to test USB/peripheral device identification. However, all appropriate machines easily discovered our Epson WF-2530 Wi-Fi Printer, and loaded its drivers satisfactorily. Upgrades ranged from 14 minutes on bare metal hardware (Lenovo notebook with minimal installation and Core i5 CPU) to 41 minutes (Nextbook table with quad-core Atom CPU and SSD over IEEE 802.11g Wi-Fi).
These were tested with our local Active Directory Network, and our broadband VPN-connected branch network into our NOC at Expedient in Carmel, Ind.
Tom Henderson runs ExtremeLabs, in Bloomington, Ind. He can be reached at firstname.lastname@example.org.