So far, for those who have been part of the Windows Insider Preview, most have been caught up with the GUI, which of course is an important aspect of how user friendly the operating system has become.
Some have been speculating about what Microsoft is actually doing, since the GUI has been coming along pretty slowly, but most haven’t looked at how much is new in Windows 10, so I decided to write this post. No, I’m not going to dive into Cortana and Microsoft Edge… that is pretty much covered on every Windows blog.
Now let’s start with some of the pretty well-known facts:
Universal applications
Universal apps are modern-style applications (introduced in Windows 8) that have been revamped in Windows 10 so that developers can create the same application for all Windows 10 platforms; Office Preview in the Windows Store, for instance, will appear the same on mobile as on a desktop computer. Since universal apps come from the modern application framework, they are bound to the same lifecycle, which I will cover in a bit.
Now, the problem with modern applications when they came in Windows 8 was that the ones Microsoft created weren’t that great; now they have made some other examples which actually show how great they can be!
Microsoft has already created some examples like:
- Mail & Calendar
- Microsoft Edge (which will be the standard browser in Windows 10)
- It was also announced that Dropbox will be created as a universal application, which will be released late this year as well.
Now, modern applications are actually a pretty good idea; the problem is that they were “forced” upon us in Windows 8. For those who aren’t familiar with them, the applications are bound within a lifecycle which defines how an application runs. They don’t do any registry writes and therefore do not clutter your registry; they are isolated and run within a container.
You cannot run a modern application as administrator, so you cannot elevate the integrity level of the application. The applications need to be signed and can only be installed either via the Store or sideloaded using, for instance, System Center.
The problem is that most businesses still use regular Win32-based applications, which cannot be pushed via the Store. Microsoft is working on a solution called Project Centennial, which allows us to convert a Win32-based application and force it to work within the boundaries of a modern application, kind of like an App-V based application. This will in essence allow Microsoft to bridge existing applications to modern applications; read more here –> https://dev.windows.com/en-us/uwp-bridges
Windows Update for Business & Windows as a Service
One of the best-known facts is that Windows 10 will be the last Windows desktop version. For the last 30 years, Windows has been shipped the same way: Microsoft creates a new operating system, ships it with OEMs, and sells physical media like floppy, CD, DVD and so on. With Windows 10 everything will be Windows 10, and Microsoft will be constantly creating new builds of it and shipping them using Windows Update, which is what most mobile users are familiar with on Android and iOS.
Along with this, Microsoft has also created a cloud-based update solution called Windows Update for Business, which is in essence a smaller cloud-based WSUS. It will allow businesses to control which updates and builds go to their computers.
Moving forward, all new builds will first be tested internally at Microsoft, then moved out to those who have signed up for the Windows Insider program, then pushed out to consumers using Windows Update, and then come to the first branch on Windows Update for Business.
So in essence, Windows as a Service is a pretty nifty update sequence set in motion, and Windows Update for Business is a cloud-based service to actually control it. It will have some other features as well, such as:
- Peer-to-peer seeding (meaning that a client can share binaries with other clients within a network, for instance)
- Maintenance time (when can we ship updates)
- Deployment rings (who gets the builds first, for instance based on computer groups)
It is important to note that this will be offered as a free service, but it will most likely be aimed at users of Windows Enterprise.
Also, as a part of this, Microsoft is releasing a new private store aimed at the same type of businesses, called Windows Store for Business.
Windows Store for Business
This will be a private section within the Microsoft Store where users can authenticate with their Azure Active Directory user and get access to LoB applications which, for instance, their IT guy has published. This is also a free service, which can eventually be accessed from https://businessstore.microsoft.com
At first release it will only support Azure Active Directory users, but it will also allow for license management and offline access, meaning that users don’t have to download large applications from the internet but are redirected to an internal network share to get an application. With the coming of Project Centennial we can also eventually publish Win32 applications within the store as well. As with all the other stuff, it will be possible to manage it using System Center or Intune.
Now this is where things get interesting, and where many actually haven’t paid attention to what Microsoft has been doing with Windows 10.
There are many new enhancements here, but I’m going to name some of them and what they can do.
VSM (Virtual Secure Mode)
I’m guessing that most have heard about pass-the-hash and Mimikatz? NTLM has some known security issues which allow a lucky few to get access to the NTLM hash of an administrator user.
When a hacker has access to this hash, well, they can pretty much get in everywhere. This is because of the LSA service. In Windows 10 Microsoft did something creative: with VSM, what they actually do is isolate the LSA service within a virtual machine running a core OS subset on Hyper-V. This means that a regular Windows user is not able to gain access to the hash of a user, since they aren’t allowed to communicate with the LSA service.
Windows Defender
This is the same engine as Security Essentials, Endpoint Protection and so on. It is not a new feature in Windows 10, but it has a huge number of improvements.
First of all, it now has a network IDS feature which will analyze the network traffic, because if your system is already infected and Defender cannot spot it, the only way it can is to check the traffic.
Windows Defender will also now become an isolated process, because in previous versions Defender was a regular service which could be turned off if the system was infected. Now, as an isolated service, a virus or other malware cannot turn the service off.
Microsoft has also stated that if a user has another type of security software installed, like Symantec or Trend for instance, and that software expires, after 3 days Microsoft will activate Windows Defender again. Defender has also been included in WinRE (Recovery Environment), which allows us to run malware scans without starting the actual operating system.
Windows Hello
This is a built-in biometric authentication system, which allows us to authenticate using who we are: for instance facial recognition, iris scan or fingerprint. This is not something new, but it is the first time Microsoft has built these features into the operating system. It is also a framework which will allow users to authenticate to other resources using biometrics.
Now the problem with today’s infrastructure is that authentication is based upon usernames and passwords, where it can be easy for hackers or someone else to sniff out the username and password and use them to gain access to resources.
With next-generation credentials, Microsoft is creating a two-factor authentication system where YOU are one of the factors (Windows Hello) and the other factor might be the device itself, using either an asymmetric key stored in the TPM or a traditional certificate on the device. This essentially means that in order for a hacker to get your info, he needs to steal both your device and you…
This will also be usable as an SSO provider for different services, but it will first be implemented in Azure AD, where it will allow for a secure authentication process.
Enterprise Data Protection
This is a security feature which will be able to separate business data from private data. It allows data to be automatically encrypted on an end user’s device. And yes, this is a feature which is coming for both mobile and desktops.
We will be able to define 4 different levels of security:
- Block (we can say that users are NOT allowed to share data from a business file to, for instance, social media)
- Override (users get a warning but are allowed to override; events are logged)
- Audit (everything is logged)
So this, in combination with for instance Azure RMS, opens up some pretty interesting possibilities.
Device Guard
Ever tried AppLocker? It was a good idea to be able to lock down what kind of applications a user was able to execute; the problem was that it only ran in software, meaning that you could bypass it, shut down the service and so on. Therefore Microsoft decided to take it to the next level by creating Device Guard, which is a hardware-assisted application locker that only allows signed applications to run on a system. This feature will only be in Windows Enterprise and requires UEFI and Intel VT-x or AMD-V, and also requires some specific hardware, but many OEM partners like Lenovo, Dell and HP are creating new devices which will support it. Microsoft is also creating tools which allow us to sign applications to be trusted by Device Guard.
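Since both the VSM section above and Device Guard depend on the same virtualization-based security layer, here is an added PowerShell check (my example, not something from the original post or from Microsoft) that reports whether VSM is actually running, whether the isolated LSA (Credential Guard) is active, and whether a Device Guard code integrity policy is enforced. It assumes the Win32_DeviceGuard WMI class in the root\Microsoft\Windows\DeviceGuard namespace is present, which it is on Windows 10 but not on earlier versions.

```powershell
# Added example (not from the original post): report whether Virtual Secure Mode,
# the isolated LSA (Credential Guard) and Device Guard's code integrity policy are
# actually running on this machine, so an admin can verify the hardware-backed
# protections described above instead of assuming they are on.
# Assumption: the Win32_DeviceGuard WMI class ships with Windows 10; the numeric
# codes below are decoded per that class's documentation.
function Get-VsmStatusReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if (-not $dg) { throw 'Win32_DeviceGuard not available; this is not a Windows 10 or later system.' }

    # Platform features VSM can build on: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    $propNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $available = @($dg.AvailableSecurityProperties | ForEach-Object {
        if ($propNames[[int]$_]) { $propNames[[int]$_] } else { "Property $_" }
    })

    # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' }
        1 { 'Enabled but not running' }
        2 { 'Running' }
        default { "Unknown ($_)" }
    }

    # Services backed by VSM: 1 = Credential Guard (isolated LSA), 2 = HVCI (kernel code integrity)
    $running = @($dg.SecurityServicesRunning | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsState               = $vbsState
        AvailableProperties    = ($available -join ', ')
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        # Device Guard user-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced
        UmciEnforcement        = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

Get-VsmStatusReport | Format-List
```

A machine where VbsState is anything other than "Running" or CredentialGuardRunning is $false still exposes LSA to the pass-the-hash scenario described above, even if the feature looks enabled in policy.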
Health Attestation Service
This is a feature that came with Windows 8.1 but is improved vastly in Windows 10. It allows Windows 10 to do a health check against the cloud before gaining access to internal resources. This will check things like Secure Boot, DEP, BitLocker, AV status, patch level and so on. You can see the OMA-URI CSP set here –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx
Regarding MDM, Microsoft has done a lot already in preparation for Windows 10, and for those wondering: yes, Intune supports Windows 10 now and can already push OMA-URI settings for Windows 10; all the settings can be found in the same list –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx
So what else is new that isn’t that well known?
- DirectX 12 support
- Print to PDF support
- Azure AD domain join support
- Package Manager with PowerShell v5
Here is also an upgrade matrix for those wondering what options you have