Teardown: Windows 10 Pro vs. Enterprise. Windows 10 Enterprise


Windows 10 Enterprise Edition by subscription

Today I will be speaking to thousands of our partners at the Worldwide Partner Conference (WPC) in Toronto. This year more than 15,000 people from around the globe have come to WPC, united by a desire to make our collaboration more effective and to accelerate the growth of their businesses. Each of them brings a tremendous charge of creative energy, and we are glad to tell them about new opportunities, including the use of Windows by subscription.

Today's situation is unique for each of us, and it demands new solutions. We are at the very epicenter of a digital revolution: we are overloaded with data and a growing number of information security threats, and we are locked inside a two-dimensional world of monitors and pixels while technology takes over every aspect of our business and private lives. The digital revolution creates opportunities for the digital transformation of business, which will become possible thanks to many entirely new ways of engaging customers, supporting employees, optimizing operations and improving products.

We will help bring about digital transformation by providing more personal digital technology for Windows and devices. The new wave of computing gives our partners access to innovative opportunities built on Windows, Surface, Surface Hub and Microsoft HoloLens.

Introducing Windows 10 Enterprise E3 for Cloud Solution Providers

Today the Windows 10 operating system is installed on more than 350 million devices, and our enterprise customers are moving to it faster than ever before, with more than 96% of them being active users. Employees of companies working with Windows 10 report increased productivity and lower costs, as well as a return on investment of up to 188% in the first 13 months.

In most cases companies are moving to Windows 10 quickly because, facing growing security threats, they choose the industry-leading protection built into Windows 10, and it really works. Companies of all sizes face real security threats from professional hackers and cyberterrorists, a single attack by whom costs $12 million on average. In the United States alone there are more than 56 million small and medium-sized businesses. They need the same level of protection as large corporations, which acquire it together with whole volumes of licensing agreements. This is especially relevant for companies working in vital fields such as healthcare, legal and financial services.

Today we are announcing the launch of Windows 10 Enterprise E3 for Cloud Solution Providers (CSP). Starting this fall, they will for the first time be able to offer companies enterprise-grade security and manageability by subscription.

CSP partners will be able to offer a Windows 10 Enterprise Edition subscription alongside their other services. This is an ideal solution for companies that do not have large IT budgets or a full staff of IT specialists and that want their licensed software and service needs met by a competent and reliable provider.

Our partners can now offer their customers "IT as a complete service" from Microsoft that includes all the necessary components: Windows 10, Office 365, Dynamics Azure and CRM on a monthly, per-user subscription basis. Customer companies will be able to scale the volume of services they purchase up or down as their needs change.

Key features of the service:

  • Enhanced security. The advanced security features of Windows 10 will help companies protect confidential data and personal information, protect all devices against cybersecurity threats, give employees the freedom and flexibility to access confidential data on a variety of devices, and control access to highly sensitive data.
  • Simplified licensing and use. These capabilities will help companies reduce capital expenditure by eliminating the need for device inventory and audits, and will make licenses easy to manage under a per-user subscription licensing model. This new offering will allow companies to move from Windows 10 Pro to Windows 10 Enterprise E3 without restarting systems.
  • IT management through a partner. Your hardware can be configured and managed by your partner, who has expert knowledge of using Windows 10 and deploying cloud services. The partner can also help customers shape a security strategy and a device management strategy using the unique features of Windows 10. Customer companies will be able to review usage data for their Windows 10 Enterprise subscriptions and other purchased Microsoft cloud services through a web interface on their provider's portal. Simplified management will be delivered under one contract, through one user account, with one point of contact for technical support and one simplified bill for services.

Windows 10 Enterprise remains available for purchase through our standard licensing programs, as well as part of the just-announced Secure Productive Enterprise E3 and E5 packages, which will be released later this year.

Microsoft HoloLens capabilities

Modern devices, together with new personal computing capabilities, are driving the development of entirely new ways of human-computer interaction. Mixed reality will let us stay better connected with one another, so that people, not devices, remain at the center and overly complex technology does not get in the way of realizing ideas and self-expression. By 2020, more than 80 million mixed, virtual and augmented reality devices will be produced annually. That is why we launched Windows Holographic, a solution that will make it easier to build a new ecosystem for our partners.

Microsoft HoloLens already supports work in mixed reality today, changing the way cars are designed at Volvo and the way medical students are taught at Case Western Reserve University, or helping scientists explore the surface of Mars.

Our partners around the world are creating the most incredible augmented reality experiences using Microsoft HoloLens. You can see some of their most amazing work in this video.

https://youtu.be/37HcSPKJk6k

Today PGA TOUR Chief Information Officer Steve Evans and Vice President of Digital Scott Gutterman joined me to show how PGA TOUR uses Windows 10 and Microsoft HoloLens. Thanks to Microsoft partner CDW, PGA TOUR became one of the first buyers of Windows 10 and uses the system on more than 60% of its devices, with plans to bring that figure to 100% by the end of the summer. They have built custom apps on the Universal Windows Platform that let anyone get scoring data and statistics for every shot on every hole, and for golf fans the Windows 10 Tournament Companion app, which provides real-time tournament data and helps them immerse themselves more deeply in this captivating game. In collaboration with Taqtile, PGA TOUR has created a Microsoft HoloLens-based solution for golf professionals, amateurs and fans.

"Microsoft HoloLens is a superb tool for modeling a golf course and planning large-scale events on each course. Players and fans of the sport get a unique opportunity to plan their actions, visually identify the best locations for a shot, assess possible risks and analyze every shot after the round is over. Finally, using HoloLens offers an excellent opportunity for teaching golf, making it possible to study playing techniques on different courses and in different conditions."

— Steve Evans, Senior Vice President and Chief Information Officer, PGA TOUR

Windows 10 is off to a great start, and we are delighted to see our enterprise customers adopting it faster than ever before. Entirely new ways of selling Windows 10 and Surface, together with an incredible amount of innovation, allow us to create completely new opportunities for partners. And we can't wait to see what comes next.

Brian Hall / General Manager, Microsoft Devices Marketing

Updated July 14, 2016 2:46 am

blogs.windows.com

Windows 10 Enterprise E3 in CSP

  • 08/24/2017

Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:

  • Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded
  • Azure Active Directory (Azure AD) available for identity management

Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.

Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.

When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits:

  • Windows 10 Enterprise edition. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).

  • Support from one to hundreds of users. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.

  • Deploy on up to five devices. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.

  • Roll back to Windows 10 Pro at any time. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).

  • Monthly, per-user pricing model. This makes Windows 10 Enterprise E3 affordable for any organization.

  • Move licenses between users. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.

How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?

  • Microsoft Volume Licensing programs are broader in scope, providing organizations with access to licensing for all Microsoft products.

  • Software Assurance provides organizations with the following categories of benefits:

    • Deployment and management. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.

    • Training. These benefits include training vouchers, online e-learning, and a home use program.

    • Support. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.

    • Specialized. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and the ability to spread license and Software Assurance payments across three equal, annual sums.

    In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.

In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition.

Compare Windows 10 Pro and Enterprise editions

Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.

Table 1. Windows 10 Enterprise features not found in Windows 10 Pro

Feature Description

Credential Guard*

This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

Credential Guard has the following features:

  • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

  • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

  • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

  • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

For more information, see Protect derived domain credentials with Credential Guard.

* Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

Device Guard

This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

Device Guard does the following:

  • Helps protect against malware

  • Helps protect the Windows system core from vulnerability and zero-day exploits

  • Allows only trusted apps to run

For more information, see Introduction to Device Guard.

AppLocker management

This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

For more information, see AppLocker.

Application Virtualization (App-V)

This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

For more information, see Getting Started with App-V for Windows 10.

User Experience Virtualization (UE-V)

With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

UE-V provides the ability to do the following:

  • Specify which application and Windows settings synchronize across user devices

  • Deliver the settings anytime and anywhere users work throughout the enterprise

  • Create custom templates for your third-party or line-of-business applications

  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

Managed User Experience

This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:

  • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands

  • Removing Log Off (the User tile) from the Start menu

  • Removing frequent programs from the Start menu

  • Removing the All Programs list from the Start menu

  • Preventing users from customizing their Start screen

  • Forcing Start menu to be either full-screen size or menu size

  • Preventing changes to Taskbar and Start menu settings

Deployment of Windows 10 Enterprise E3 licenses

See Deploy Windows 10 Enterprise licenses.

Deploy Windows 10 Enterprise features

Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in Table 1?

The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features.

Credential Guard*

You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:

  • Automated. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.

  • Manual. You can manually turn on Credential Guard by doing the following:

    You can automate these manual steps by using a management tool such as System Center Configuration Manager.

For more information about implementing Credential Guard, see the following resources:

* Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)
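
A read-only check that compares what is configured for Credential Guard with what is actually running, using the WMI and PowerShell management paths mentioned above. This is an added example, not Microsoft's code; the function names are hypothetical, and the registry values and `Win32_DeviceGuard` properties are the documented ones for Windows 10.

```powershell
# Added example (not from the original article): report whether Credential Guard
# is configured and whether it is really running. Read-only; run elevated.

function Get-RegistryValue {
    # Hypothetical helper: returns $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-CredentialGuardStatus {
    # Edition matters: Credential Guard is listed as an Enterprise-only feature,
    # and a device whose subscription lapsed steps back down to Pro.
    $edition = Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'

    # Group Policy writes under the Policies key; manual setup writes under Control.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $manualKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $vbsFlag = Get-RegistryValue $policyKey 'EnableVirtualizationBasedSecurity'
    if ($null -eq $vbsFlag) { $vbsFlag = Get-RegistryValue $manualKey 'EnableVirtualizationBasedSecurity' }

    $lsaFlag = Get-RegistryValue $policyKey 'LsaCfgFlags'
    if ($null -eq $lsaFlag) { $lsaFlag = Get-RegistryValue $lsaKey 'LsaCfgFlags' }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    if     ($lsaFlag -eq 1) { $configured = 'Enabled with UEFI lock' }
    elseif ($lsaFlag -eq 2) { $configured = 'Enabled without lock' }
    else                    { $configured = 'Not configured' }

    # Live state as reported by the hypervisor-backed security services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    $vbsRunning = $false; $cgRunning = $false; $secureBoot = $false; $dmaProtection = $false
    if ($null -ne $dg) {
        $vbsRunning    = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
        $cgRunning     = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
        $secureBoot    = ($dg.AvailableSecurityProperties -contains 2)  # 2 = Secure Boot
        $dmaProtection = ($dg.AvailableSecurityProperties -contains 3)  # 3 = DMA protection (IOMMU)
    }

    # The case worth alerting on: policy says "on" but the service is not running,
    # typically because a hardware prerequisite from the footnote is missing.
    $finding = 'OK'
    if ($configured -ne 'Not configured' -and -not $cgRunning) {
        $finding = 'Configured but NOT running: check VBS, Secure Boot and firmware settings'
    } elseif ($configured -eq 'Not configured') {
        $finding = 'Credential Guard is not configured on this device'
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        EditionID              = $edition
        VbsConfigured          = ($vbsFlag -eq 1)
        VbsRunning             = $vbsRunning
        CredentialGuardConfig  = $configured
        CredentialGuardRunning = $cgRunning
        SecureBootAvailable    = $secureBoot
        DmaProtectionAvailable = $dmaProtection
        Finding                = $finding
    }
}

Get-CredentialGuardStatus | Format-List
```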

Device Guard

Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:

  1. Optionally, create a signing certificate for code integrity policies. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate.

  2. Create code integrity policies from “golden” computers. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.

  3. Audit the code integrity policy and capture information about applications that are outside the policy. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.

  4. Create a “catalog file” for unsigned line-of-business (LOB) applications. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.

  5. Capture needed policy information from the event log, and merge information into the existing policy as needed. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.

  6. Deploy code integrity policies and catalog files. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.

  7. Enable desired hardware security features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
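
The audit-first workflow from steps 2, 3, 5 and 6, sketched with the ConfigCI cmdlets that ship with Windows 10 Enterprise. This is an added example, not Microsoft's own script: the function names and the `C:\CIPolicy` working folder are assumptions, and deployment of the resulting binary (Group Policy or a management tool) is left to your environment.

```powershell
# Added example (not from the original article). Function names and paths are
# assumptions; run each stage from an elevated Windows PowerShell session.

$Work          = 'C:\CIPolicy'                         # assumed working folder
$InitialPolicy = Join-Path $Work 'InitialScan.xml'
$AuditPolicy   = Join-Path $Work 'AuditFindings.xml'
$MergedPolicy  = Join-Path $Work 'Merged.xml'
$EnforcedXml   = Join-Path $Work 'Enforced.xml'
$ScanLog       = Join-Path $Work 'ScanWarnings.txt'
$CiLog         = 'Microsoft-Windows-CodeIntegrity/Operational'

function New-GoldenBaseline {
    # Step 2: scan the "golden" computer and build the first policy.
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    New-CIPolicy -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs `
                 -FilePath $InitialPolicy 3> $ScanLog

    # Step 3: make sure rule option 3 (Enabled:Audit Mode) is set so nothing is blocked yet.
    Set-RuleOption -FilePath $InitialPolicy -Option 3

    # Binary form is what gets deployed to devices.
    ConvertFrom-CIPolicy -XmlFilePath $InitialPolicy `
                         -BinaryFilePath (Join-Path $Work 'Audit.bin') | Out-Null
}

function Get-AuditViolation {
    # Step 3 (review): event 3076 is logged when audit mode allows a file that
    # enforcement would have blocked.
    Get-WinEvent -FilterHashtable @{ LogName = $CiLog; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Merge-AuditFinding {
    # Step 5: turn the audit events into rules and merge them into the baseline.
    # Review the violations first; merging blindly also allows anything unwanted
    # that happened to run during the audit period.
    New-CIPolicy -Audit -Level Hash -UserPEs -FilePath $AuditPolicy 3> $ScanLog
    Merge-CIPolicy -PolicyPaths $InitialPolicy, $AuditPolicy -OutputFilePath $MergedPolicy | Out-Null
}

function ConvertTo-EnforcedPolicy {
    # Step 6: remove audit mode from a copy of the merged policy and compile it.
    Copy-Item -Path $MergedPolicy -Destination $EnforcedXml -Force
    Set-RuleOption -FilePath $EnforcedXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $EnforcedXml `
                         -BinaryFilePath (Join-Path $Work 'Enforced.bin') | Out-Null
}

# Typical order, with an audit period between the first and second stage:
#   New-GoldenBaseline          # then deploy Audit.bin to a test group
#   Get-AuditViolation | Format-List
#   Merge-AuditFinding
#   ConvertTo-EnforcedPolicy    # then deploy Enforced.bin to the same test group first
```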

For more information about implementing Device Guard, see:

AppLocker management

You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.

For more information about AppLocker management by using Group Policy, see AppLocker deployment guide.

App-V

App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:

  • App-V server. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.

  • App-V sequencer. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.

  • App-V client. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices.

For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:

UE-V

UE-V requires server- and client-side components that you’ll need to download, activate, and install. These components include:

  • UE-V service. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.

  • Settings packages. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.

  • Settings storage location. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.

  • Settings location templates. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications.

  • Universal Windows applications list. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.

For more information about deploying UE-V, see the following resources:

Managed User Experience

The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.

Table 2. Managed User Experience features

Feature Description

Start layout customization

You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. For more information on these settings, see Customize Windows 10 Start and taskbar with Group Policy.

Unbranded boot

You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover. For more information on these settings, see Unbranded Boot.

Custom logon

You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown. For more information on these settings, see Custom Logon.

Shell launcher

Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell. For more information on these settings, see Shell Launcher.

Keyboard filter

You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose. For more information on these settings, see Keyboard Filter.

Unified write filter

You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume. For more information on these settings, see Unified Write Filter.


docs.microsoft.com

Deploy Windows 10 Enterprise licenses

  • 10/18/2017

This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with Windows 10 Enterprise Subscription Activation or Windows 10 Enterprise E3 in CSP and Azure Active Directory (Azure AD).

Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.

Enabling Subscription Activation with an existing EA

If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:

  1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
     a. AAA-51069 - Win10UsrOLSActv Alng MonthlySub Addon E3
     b. AAA-51068 - Win10UsrOLSActv Alng MonthlySub Addon E5
  2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
  3. The admin can now assign subscription licenses to users.

Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:

  1. Sign in to the Microsoft Volume Licensing Service Center.
  2. Click on Subscriptions.
  3. Click on Online Services Agreement List.
  4. Enter your agreement number, and then click Search.
  5. Click the Service Name.
  6. In the Subscription Contact section, click the name listed under Last Name.
  7. Update the contact information, then click Update Contact Details. This will trigger a new email.


Active Directory synchronization with Azure AD

You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.

You might ask why you need to synchronize these identities. The answer is so that users will have a single identity that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.

Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD. Microsoft Azure Active Directory Connect (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.

Figure 1. On-premises AD DS integrated with Azure AD

Preparing for deployment: reviewing requirements

Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see Review requirements on devices, later in this topic.

Assigning licenses to users

After the acquisition of a Windows 10 subscription (Windows 10 Business, E3 or E5) has been completed, customers will receive an email that provides guidance on how to use Windows as an online service.

The following methods are available to assign licenses:

  1. When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 or E5 licenses to users.
  2. You can sign in to portal.office.com and manually assign licenses.

  3. You can assign licenses by uploading a spreadsheet.

  4. A per-user PowerShell scripted method of assigning licenses is available.
  5. Organizations can use synchronized AD groups to automatically assign licenses.

Explore the upgrade experience

Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?

Step 1: Join Windows 10 Pro devices to Azure AD

Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.

To join a device to Azure AD the first time the device is started

  1. During the initial setup, on the Who owns this PC? page, select My organization, and then click Next, as illustrated in Figure 2.

    Figure 2. The “Who owns this PC?” page in initial Windows 10 setup

  2. On the Choose how you’ll connect page, select Join Azure AD, and then click Next, as illustrated in Figure 3.

    Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup

  3. On the Let’s get you signed in page, enter the Azure AD credentials, and then click Sign in, as illustrated in Figure 4.

    Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup

Now the device is Azure AD joined to the company’s subscription.

To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up

Important

Make sure that the user you're signing in with is not a BUILTIN/Administrator. That user cannot use the + Connect button to join a work or school account.

  1. Go to Settings > Accounts > Access work or school, as illustrated in Figure 5.

    Figure 5. Connect to work or school configuration in Settings

  2. In Set up a work or school account, click Join this device to Azure Active Directory, as illustrated in Figure 6.

    Figure 6. Set up a work or school account

  3. On the Let’s get you signed in page, enter the Azure AD credentials, and then click Sign in, as illustrated in Figure 7.

    Figure 7. The “Let’s get you signed in” dialog box

Now the device is Azure AD joined to the company’s subscription.

Step 2: Verify that Pro edition is activated

Windows 10 Pro must be successfully activated in Settings > Update & Security > Activation, as illustrated in Figure 7a.

Figure 7a - Windows 10 Pro activation in Settings

Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled.

Step 3: Sign in using Azure AD account

Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in Figure 8. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.

Figure 8. Sign in by using Azure AD account

Step 4: Verify that Enterprise edition is enabled

You can verify the Windows 10 Enterprise E3 or E5 subscription in Settings > Update & Security > Activation, as illustrated in Figure 9.

Figure 9 - Windows 10 Enterprise subscription in Settings

If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the Activation panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.

Virtual Desktop Access (VDA)

Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another qualified multitenant hoster.

Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See Enable VDA for Enterprise Subscription Activation.

Troubleshoot the user experience

In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:

  • The existing Windows 10 Pro, version 1703 operating system is not activated.

  • The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.

Use the following figures to help you troubleshoot when users experience these common problems:

  • Figure 9 (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.

  • Figure 10 (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.

  • Figure 11 (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.

  • Figure 12 (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.

Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings

Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings

Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings

Review requirements on devices

Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.

To determine if a device is Azure Active Directory joined:

  1. Open a command prompt and type dsregcmd /status.

  2. Review the output under Device State. If the AzureAdJoined status is YES, the device is Azure Active Directory joined.

To determine the version of Windows 10:

  • At a command prompt, type: winver

    A popup window will display the Windows 10 version number and detailed OS build information.

    If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
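The device checks in this section, together with the Pro activation check from Step 2, can be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; the function names and the sample dsregcmd output are constructed for illustration, and it assumes the standard ReleaseId and EditionID registry values and the SoftwareLicensingProduct CIM class.

```powershell
# Turn the "Key : Value" lines printed by dsregcmd /status into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Banner and separator lines contain no "word : value" pair and are skipped.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

# Report join state, Windows release, edition and activation for this device.
function Get-SubscriptionActivationReadiness {
    param(
        [string[]]$DsregLines = (dsregcmd /status),
        [int]$MinimumRelease = 1703   # use 1607 for Windows 10 Enterprise E3 in CSP
    )
    $dsreg = ConvertFrom-DsregStatus -Lines $DsregLines
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Windows licence entries with an installed key; LicenseStatus 1 means licensed.
    $filter = "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL"
    $licensed = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        Where-Object { $_.LicenseStatus -eq 1 }
    [pscustomobject]@{
        AzureAdJoined = $dsreg['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $dsreg['DomainJoined'] -eq 'YES'
        Edition       = $cv.EditionID
        Release       = $cv.ReleaseId
        # A missing ReleaseId casts to 0 and therefore fails the check.
        ReleaseOk     = [int]$cv.ReleaseId -ge $MinimumRelease
        Activated     = [bool]$licensed
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split '\r?\n'
(ConvertFrom-DsregStatus -Lines $sample)['AzureAdJoined']

# Run on the device being reviewed.
Get-SubscriptionActivationReadiness
```

A device that reports AzureAdJoined as False, ReleaseOk as False or Activated as False does not meet the requirements listed above and will stay on Windows 10 Pro after the user signs in.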

docs.microsoft.com

Windows 10 Professional vs. Enterprise

Are you still one of the XP holdouts? You’re not alone. The 16-year-old operating system that Microsoft stopped supporting a year ago still maintains a market share of nearly 10 percent. Perhaps your organization is still running Windows 7 or Windows 8/8.1. Again, you’re not alone. Those two operating systems have a combined market share of nearly 60 percent.

What this attests to is that reliability is a key factor in customers' choice of operating system and often overrides the need to upgrade to a newer version. That is unlike the end of “Transformers II: The Revenge of the Fallen,” when Jetfire and the Autobots realize Optimus Prime needs to upgrade using Jetfire’s parts, knowledge, and power to defeat The Fallen. Prime needed an upgrade, but sometimes you and your version of Windows may not, at least not immediately.

Which brings us to Windows 10. Microsoft’s newest OS has swiftly reached a market share of more than 25 percent within a mere couple of years of its launch. It clearly is the future.

So, if you’re among the majority of users who still haven’t upgraded to Windows 10, chances are you will -- and shortly. For you OS-upgrade slackers, consider this: Migrating to Windows 10 from Windows 7 or 8 is relatively simple and painless. (This is not the case if you are running XP, unfortunately.)

When it’s time to move to Windows 10, organizations have two realistic choices: Windows 10 Professional or Windows 10 Enterprise. Both versions are popular, and both have a lot of features in common in terms of productivity and user experience, security, and core features. So which should you choose? We have looked at this issue before, but some questions may remain. Let’s take a deep dive and tear down your choices.

Windows 10 Professional

Windows 10 Professional is an excellent solution for small businesses that are looking to upgrade their existing operating system platform to one with leading-edge features. The Professional version provides a number of features ranging from easy migration capability to increased security.

Deployment, upgrade, and migration are really easy and can be executed using the Windows 10 Microsoft Deployment Toolkit (MDT), or Assessment and Deployment Toolkit (ADK). These can be employed to create reference images through Windows Imaging or as a full deployment platform via a domain controller and server.

The productivity- and management-related features are also attractive with Windows 10 Professional. One of the most critical pieces of functionality is the Universal Windows app functionality, which allows for apps to be accessed from multiple device platforms.

Critical pieces of functionality including the Business Store, Group Policy Management, and Microsoft Azure Active Directory all run off a single login.

On the security side of things, Windows 10 Pro comes equipped with several new features including virtualization-based security, which helps to isolate specific parts of the OS from being modified by malware or viruses.

In addition, Microsoft still builds in the popular encryption application, BitLocker. BitLocker permits users to encrypt both removable storage devices and hard drives using several modes of authentication. Microsoft also includes Windows Hello, which employs biometric data along with a PIN code to grant access to the OS and associated applications for local use.

There are several other security tools provided, including Passport for single sign-on; Credential Guard, which protects user credentials and authentication broker credentials; Device Guard, which provides protection for scripts and applications; and enterprise data protection, which provides basic rights management and persistent file-level encryption.

The key feature set of Windows 10 Professional is as follows for various categories:

  • Productivity and user experience:
    • Continuum for phones
    • Cortana
    • Windows Ink
    • Voice, touch, pen, and gesture
    • Start Menu and Live Tiles
    • Tablet mode
  • Management and deployment
    • Group policy
    • Mobile device management
    • Enterprise state roaming with Azure Active directory
    • Windows store
    • Assigned Access
    • Dynamic provisioning
    • Shared PC configuration
  • Security
    • Windows Hello
    • Windows Hello companion devices
    • Windows Information Protection
    • Device encryption
    • BitLocker
    • Trusted Boot
    • Windows Device Health Attestation service
  • Windows fundamentals
    • Domain Join
    • Azure Active Directory Domain Join, with single sign on capability for cloud-hosted apps
    • Enterprise mode Internet Explorer
    • Remote Desktop
    • Client Hyper-V

Windows 10 Enterprise

Windows 10 Enterprise comes with all the features that are available with Windows 10 Professional and many more. It is targeted at medium and large businesses. It can only be distributed via Microsoft’s Volume Licensing Program and requires a base installation of Windows 10 Pro. Enterprise offers several additional value-added features.

One important feature is DirectAccess, which permits remote users to access internal networks over a VPN-like system that establishes a bidirectional Internet connection. Enterprise also includes AppLocker, which permits administrators to restrict app access on mobile devices. This feature is particularly useful for companies with regards to meeting their device management and IT infrastructure management requirements.

There are a couple of other enhanced management features aimed at helping management and deployment. While Managed User Experience permits you to manage all aspects related to connection settings for user accounts, Microsoft Application Virtualization manages functionality related to app virtualization and streaming. Microsoft User Environment Virtualization-related capability supports the migration of virtual devices using the existing OS settings.

The key features of Windows 10 Enterprise that are available in addition to the feature set available with Windows 10 Professional are as follows:

  • Management and deployment
    • DirectAccess
    • AppLocker
    • Managed user experience
    • Microsoft Application Virtualization (App-V)
    • Microsoft User Environment Virtualization (UE-V)
  • Security
    • Credential Guard
    • Device Guard
  • Windows fundamentals

Which one to choose?

If you are running a small business, Windows 10 Professional will work fine for you. Both Professional and Enterprise are strong on all the basic features that are required for running a business as long as you do not run your business like Bobby Pellit did in “Horrible Bosses.” That is probably not going to work out too well for you!

These include key management and deployment-related features such as the management of group policies, mobile device management, enterprise roaming with active directory and dynamic provisioning. Core security-related features such as device encryption, BitLocker, and Trusted Boot are supported in both versions.

Windows 10 Enterprise scores higher than its counterpart with advanced features such as DirectAccess, AppLocker, Credential Guard, and Device Guard. Enterprise also allows you to implement application and user environment virtualization. If you are looking for your environment to have advanced features, you would be well advised to press the button for Windows 10 Enterprise. Sort of like Keanu Reeves chooses the right weapons in “John Wick: Chapter 2”!

 

Photo credit: Microsoft

techgenix.com

