Microsoft's Windows 10: More on the 'under the covers' security, Store features

Microsoft's Windows 10 will include more than just user interface tweaks. Here are some of the expected security, manageability and Store changes coming to the next version of Windows client.
Written by Mary Jo Foley, Senior Contributing Editor

Now that the Windows 10 preview bits are available for any interested parties to test, many -- but not all -- of the coming new features in the operating system have come to light.


On October 1, Microsoft officials blogged in a fairly vague way about some of the coming features of potential interest to enterprise users. But these "under the covers" features were not explained or analyzed in detail -- at least up until now.

A quick aside, because I've been asked this question a few times: Microsoft made two different preview versions of Windows 10 available for download this week: The Technical Preview and the Technical Preview for Enterprise. The latter includes some enterprise-specific SKU features, such as Windows To Go, DirectAccess, BranchCache and AppLocker, that are not in the plain-old Tech Preview. Not all of the features mentioned in this post are part of either of these preview builds yet, but it sounds like they are on the Windows 10 roadmap.

Oliver Niehus, a Microsoft Principal Application Development Manager for Windows and Security, posted about some of the Windows 10 security, privacy and management features on his MSDN blog on October 1. By October 2, that post had been removed. But not before I got to do a little cutting and pasting.

According to Niehus, Microsoft is doing a lot of work on the security front with Windows 10. Microsoft has made Azure Active Directory a "first class citizen" with Windows 10, so that customers can use Azure AD identities to log into their devices "so users can get the same benefits as using an MSA (Microsoft Account) such as Store access, settings, sync and live tiles." Businesses also can use their existing Active Directory, federated in the cloud with Azure Active Directory, with no Microsoft Account needed. Windows 10 also includes "next generation user credentials," like a password alternative, which enables single sign-in everywhere.

"Threshold (Windows 10) builds data protection into the natural flow (and) integrates data protection at the platform level," Niehus blogged. It also enables per-application VPN, meaning only specific apps are allowed on the VPN. Administrators will be able to restrict remote access to specific applications and/or to specific ports and IP addresses. He cited as an example that IT will be able to allow IT access over the VPN, but restrict that access to specific ports or IP addresses. He also noted that IT can use the same list of apps for Enterprise Data Protection and allow them to access the VPN. Existing inbox VPN clients or Windows Store VPN clients for Windows Phone 8.1 will all work with this functionality.

With Windows 10, there will be a unified store for Windows, Windows Phone and Xbox One, Microsoft officials said this week. But the new single Store will include a number of changes and improvements, according to Niehus. From his blog post:

"The (new) Windows Store will also support more than just modern apps. It will add desktop apps, as well as other types of digital content. We will provide many different ways to pay for apps. And we'll provide an organization store within the public Windows Store, where an org can place their own curated list of public apps as well as specific line-of-business apps that their employees need."

Microsoft is creating a new volume-purchasing program that will allow companies to buy apps in bulk, deploy those apps and manage the licenses, meaning reclaiming and re-using licenses when an employee leaves a company, for example. Microsoft will support using Azure Active Directory accounts to acquire organizational apps, and Microsoft Accounts for personal apps. Microsoft will give users the option to continue to sideload apps, if they'd prefer to continue to do so, or to deploy apps from the Windows Store by using new mobile-device-management controls to interact with the volume purchase program.

Organizations will have the option of using a mobile-device-management (MDM) service like Intune. The MDM service will communicate with the Volume Purchase Program so that Windows Store will do the "heavy lifting," Niehus blogged, meaning it will install the apps and acquire a license for the user.

Speaking of MDM, Microsoft is bringing MDM capabilities to traditional desktops and laptops with Windows 10. Additionally, Microsoft will allow third-party MDM offerings to manage both Windows and Windows Phone VPN-based remote access. Any VPN service provider will be able to create a remote-access app, and third-party VPN client apps will be distributable through the Windows 10 Store.

A couple of other enterprise-focused Windows 10 tidbits that weren't in Niehus' post: Windows 10's fast-updating feature is an opt-in thing, as Rod Trent of Windows IT Pro noted. There will be a locked-down version which will allow businesses to throttle how quickly their users get the regular updates to Windows 10 by using Windows Server Update Services. 

Microsoft is starting to communicate about its System Center management plans for Windows 10. It also made available on October 1 a first technical preview version of System Center vNext via MSDN and TechNet.
