Windows 10: Five Reasons You Need UEM more than Ever!
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
Windows 10 is now available but, so far, lacks enterprise features and has bugs that break enterprise use cases (see link and link). Assuming those fixes and the other enterprise features are coming soon, it’s time to ask whether Windows 10 means you no longer need third-party solutions to enhance the user experience and protect your endpoints. Here are five things to consider:
1. Is Personalization Free Now?
Windows 10 has a built-in “Sync your settings” feature that suggests that it provides personalization “built in” at first glance. Its goal is that, as a user roams between computers, their desktop and application settings roam with them. It provides some basic control on which settings follow the user (Theme, Web browser, Passwords, Language Preferences, Ease of Access and “Other”) but no control over what those mean and what is included. This is a great feature for consumers, because these settings are synced to the Microsoft cloud using your Microsoft account. Whenever you sign onto a new Windows 10 device using that Microsoft account, many of your key settings will be automatically synchronized. For IT though, there are several problems:
- First, the fact that all this is tied to a Microsoft account means that the settings, including sensitive info like passwords, are now stored outside of your control, which might have security, privacy and regulatory implications. If a user leaves the company then they still keep their Microsoft account. You can associate a federated (ADFS) AD account to a Microsoft account, but if the association is broken the Microsoft account still contains the settings.
- Also consider that some applications lock their settings except at logon/logoff time, and so Personalization of the Windows desktop settings is the only way to capture them. Examples are things like cookies in Internet Explorer, and other apps that store settings using a service that holds a secure database. Without flexibility to control which settings are captured from the desktop there is no way to personalize these apps.
- Speaking of apps, “sync your settings” can also synchronize settings for applications, but only for Windows Store aka Universal Apps (i.e. not Windows Desktop aka Win32 apps), and only if the app developer explicitly enables this capability. In other words, none of your existing Windows Line-of-Business apps is going to be personalized by Windows 10, unless you go through the not-yet-released “Project Centennial” process of wrapping those apps into Universal Apps, using something like App-V technology, and then delivering them from the Windows Store.
OK, so what about Office 365? It has a separate “roaming settings” feature that captures common Office settings in the Microsoft cloud. This is very cool for consumers but once again poses problems for IT. Like Windows 10 “sync settings”, it requires use of a Microsoft Account to associate settings with a federated AD account. Sensitive information like Most Recently Used lists and custom dictionaries are then stored in the Microsoft cloud. There is no control over which settings are stored, and there is no rollback or archive control. It also cannot be extended to any other Win32 applications.
This is where third party solutions are as valuable as ever: total, flexible coverage of all Windows desktop and application settings, with complete IT control and data privacy.
2. Security at the Endpoint.
Windows 10 is the most secure ever, and technologies like DeviceGuard and CredentialGuard mean I can do away with third party tools, right? DeviceGuard details are still emerging (DeviceGuard overview and DeviceGuard deployment guide) because it is not yet available in Windows 10. When it is available it will essentially turn your PC into a phone or Apple/Android-style tablet, only able to run apps from the Windows Store or apps that IT has explicitly sanctioned by creating signatures for them (which need recreating every time the app changes). You could also try to convert existing Win32 apps into Universal Apps (see Project Centennial above). In other words, DeviceGuard is an extreme form of application execution control: it prevents unwanted executables from running, but it also makes it very hard to run your existing estate of Line-of-Business apps and adds IT overhead every time one of them changes.
CredentialGuard secures the LSA (Local Security Authority) Windows subsystem in a hardware-protected Hyper-V virtual machine – a concept not unlike Bromium’s micro-VMs. Of course, it comes with demanding hardware requirements, and could cause third party apps that interact with the LSA to break until they are updated for Windows 10. In principle it should make Windows 10 more resistant to identity theft, but it could cause app compatibility issues until the software vendors catch up.
Third party vendors still provide far easier management of problems like user privilege elevation and local administrator control, browser and application network access as well as more flexible application execution control using file metadata and other pattern-matching capabilities, so that there is no IT overhead every time an app goes through a minor update. Windows 10 doesn’t erode the value of any of these solutions.
3. Data storage.
OneDrive is wonderful for the consumer, and Windows 10 and Office 365 take integration with OneDrive to new levels of ease. OneDrive for Business gives IT more control over user files and folders synced to the Microsoft cloud, but many organizations still require that user data be kept within their own devices and datacenter. Where on-premises storage is a necessity, and Offline Folders is not good enough, third party solutions allow selective sync, granular control over file types and background transfers, complete auditing of file distribution, and the same cross-platform access benefits as OneDrive.
Another technology emerging from Microsoft is Work Folders, which provides controlled access to data on Windows file servers. Introduced in Windows Server 2012 with improvements coming in Windows Server 2016, it is expected to interact with Windows 10’s forthcoming Enterprise Data Protection (EDP) to provide tight protection over data leakage for apps that support EDP. This looks like a great solution to provide file protection for Office apps, and any others that are modified to support EDP. The only alternatives to this are to use third party file sync solutions that come with a secured viewer or reader, but it takes the app and OS vendor (Microsoft) to work together to provide true data leakage protection.
4. Migration and Roaming between Windows 7 and 10, Windows Server 2008 and 2016.
Most organizations skipped Windows 8 and 8.1, and because of the Windows 8-style desktop experience, many also skipped 2012 and 2012 R2 for RDSH/XenApp/Terminal Server deployments. Now that most XP to 7 migrations are nearing completion, they are considering Windows 10 because Windows 7 end of support is less than 5 years away and we don’t want to get caught out twice. But here’s the catch: Windows 10 is going to creep into the enterprise in the form of Surface Pro 3 and 4 (Oct 6 launch?) tablets, and consumer response to Windows 10 has been strong.
My prediction: within 6 months you’re going to be supporting departments and executives with Windows 10, and users will expect a Windows 10 desktop experience, which is going to lead to Windows Server 2016 with RDSH or XenApp. The result is that users are going to be moving back and forth between version 2 (Windows 7) and version 5 (Windows 10 and 2016) profiles, not to mention x86 and x64 CPU architectures. Roaming profiles out-of-the-box with Windows just won’t handle that. Without a third-party tool that enables roaming between profile versions, users aren’t going to get a clean experience. My colleague Stephen Orwat did a great job of explaining this here.
5. How are you going to track adoption?
Here’s a fun question: who on your domain is using Windows 10? You might be able to get something out of Active Directory tools, but how about a lightweight, zero-reboot way to monitor usage of devices, operating systems, applications, administrator privilege use and other user experience metrics as you migrate to Windows 10?
You can check it out here!
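As an added example (not from the original post or from AppSense), this is the "something out of Active Directory tools" baseline: a PowerShell inventory of Windows 10 computer accounts by OS and build, assuming the RSAT ActiveDirectory module and read access to the default domain.

```powershell
# Added example, not part of the original post. Inventory Windows 10
# computer accounts in Active Directory. Assumes the RSAT ActiveDirectory
# module is installed and the current user can read the default domain.
Import-Module ActiveDirectory

# Ignore machines that have not authenticated in the last 90 days: stale
# computer accounts would otherwise distort the adoption numbers.
$cutoff = (Get-Date).AddDays(-90)

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.LastLogonDate -ge $cutoff -and $_.OperatingSystem }

# Adoption by OS name (Windows 7, Windows 10, Server 2012 R2, ...)
$computers |
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Windows 10 build spread. OperatingSystemVersion is stored as e.g.
# "10.0 (10240)", so the bracketed number identifies the release a
# machine is on, which matters when builds differ in enterprise features.
$computers |
    Where-Object { $_.OperatingSystem -like 'Windows 10*' } |
    Group-Object { $_.OperatingSystemVersion -replace '^.*\((\d+)\).*$', '$1' } |
    Sort-Object Name |
    Select-Object @{ n = 'Build'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Only domain-joined machines appear here; the Windows 10 tablets that users bring in without ever joining them to the domain are exactly the devices this query cannot see, which is the gap the post is pointing at.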
Summary
Windows 10 contains many great features and enhancements, but many of them are primarily focused on consumer use cases, not IT. In enterprises of any size where IT wants to control and protect the user security and experience, third party solutions are still essential for:
- Roaming and recovery of desktop and application settings
- Application control and least privilege security
- Data sync and recovery
- Roaming between Windows 10/2016 and earlier Windows versions
- Tracking adoption and spread of Windows 10