Windows 10 Overview (Updated)

Executive Summary

On January 30th, Microsoft announced a ‘free upgrade’ offer to incentivise adoption of Windows 10 and promote development of a universal ecosystem. Many organisations may be assessing renewal of Windows Enterprise under an active Enterprise Agreement (EA) and are awaiting clarification on both product features of ‘Enterprise Edition’ and drivers for renewal of Software Assurance (SA). This article will cover current announced information with an aim to support commercial decision making when evaluating renewal of Windows on an Enterprise Agreement (EA).

  • Customers running Windows 7 or Windows 8.1, and Windows Phone 8.1, will be able to upgrade to Windows 10 for free for one year after launch.
  • Microsoft have announced that “Qualified existing PCs running Windows 7 or greater” that meet the hardware requirements for Windows 10 will be provided the opportunity to upgrade for free for up to one year after launch.
  • In every case, Microsoft will provide security and non-security fixes for the supported life of Windows 10 on a monthly basis.
  • Consumers can receive latest feature updates and personal devices will stay current with the latest features, which are installed as they arrive via Windows Update.
  • SMBs are advised they may elect to opt-in to the consumer mechanism as well, or choose a level of support to delay innovation updates by up to 90 days so they can first be tested thoroughly in the market, or a “security and patches only” update model for long-term stability.
  • For enterprise customers, Windows Enterprise Edition is not included in the ‘free’ 1st year offer [http://bit.ly/1BHpvrW] and would include Enterprise Features not included in other Editions. The upgrade path to new Editions is addressed in the Windows FAQs.
  • Enterprise customers will be able to access enterprise-level support with a choice in how feature updates are adopted and delivered:
  • CBB (Current Business Branch): market-tested updates, with the choice to delay innovation updates by up to 90 days so they can first be tested thoroughly in the market. These will be accessible via Windows Update.
  • LTSB (Long Term Servicing Branch): updates without delivery of new features for the duration of mainstream support (5 years) and extended support (5 years). Organisations with complex change control processes, or mission critical systems, can elect to delay updates, only receiving security updates and critical fixes. These will be available via Windows Server Update Services (WSUS).
  • Software Assurance (SA) is expected to remain the primary commercial vehicle to enable extended software use rights for Windows and ongoing Windows 10 enterprise-specific support and feature updates.
  • Windows 10 will be released in “Summer” 2015 [http://goo.gl/zr8Z9p]

Current Business Branch (CBB)

  • Keep business users up-to-date while having flexibility to deploy updates after they have been tested in the market
  • Update user devices after features are validated in the consumer market but security updates continue as normal
  • IT can access even earlier for testing via Windows Insider Programme
  • Organisations can get access to the latest technology and value sooner
  • Importantly, also having time to plan and test the updates after they have been released to the broad market
  • IT can choose how users’ devices are to be updated:
  • Windows Update for Business – validated updates delivered to professional systems after a deferral period, thus allowing admins to defer adoption of feature and security updates
  • WSUS (Windows Server Update Services) for control over how updates are deployed in your environment within the deferral time
  • Businesses that connect their devices to Windows Update for Business are expected to see ‘reduction in management costs’, ‘quicker access to security updates’ and ‘critical fixes’ on an ongoing basis.

Long Term Servicing Branch (LTSB)

  • Long Term Servicing Branch (LTSB) provides long term support for mission critical systems. Now confirmed as available for Windows Enterprise Edition only.
  • Microsoft will declare a Long Term Servicing Branch (LTSB) wherein customers will only receive security updates and critical fixes for the duration of mainstream and extended support.
  • LTSB provides security updates and critical fixes without delivery of new features for the duration of mainstream support (5 years) and extended support (5 years). Organisations with complex change control processes, or mission critical systems, can elect to delay updates, only receiving security updates and critical fixes. These will also be available via Windows Server Update Services (WSUS).
  • Customers will also be able to upgrade from a Long Term Servicing Branch to a new release via In-Place Upgrade, and even skip one release.
  • Long Term Servicing Branches will be released periodically, including new features but less often than CBB releases.
  • Microsoft is committed to providing customers with reasonable notice before a Long Term Servicing branch is declared, in order to help with deployment planning.
  • Capability to move from a Long Term Servicing Branch (LTSB) to a Current Branch for Business (CBB) to stay up-to-date with the latest feature updates and, alternatively, to move back to LTSB.
  • Microsoft plan to deliver their first Windows 10 LTSB in the same time frame as Windows 10 General Availability, but have not yet confirmed this for the announced release date of 29th July 2015.

[Figure: Windows 10 Update Options]


Windows 10 Deployment Options

Whether electing to adopt Current Branch for Business (CBB) or Long Term Servicing Branch (LTSB), deployment decisions are required. Microsoft recommend starting to profile both users and devices for these deployment options prior to the announced General Availability (GA), expected in Q3 2015 [Ref: http://goo.gl/zr8Z9p]

Microsoft have announced the following deployment models available for Windows 10:

  • Managed In-Place Upgrade to avoid complex ‘wipe and reload’ deployment model.
  • Wipe and Load via Assessment and Deployment Kit (ADK), Microsoft Deployment Toolkit (MDT), and SCCM
  • Runtime Configuration that allows customisation of new devices without Imaging, i.e. Wi-Fi, VPN, and Email Profiles; Installation of Apps, Language Packs, Security Updates and certificates; and enforcement of Security Policies, MDM auto enrollment including Intune and 3rd Party MDM

[Figure: Windows 10 Deployment]


Windows Features and Editions

Microsoft have used Windows 10 as a strategic opportunity to provide a universal and consistent operating system across device form factors, and a consistent security platform, in what Microsoft consider as ‘fundamental’ features to respond to modern security threats. Microsoft are expected to deliver enterprise-specific features within Windows 10 ‘Enterprise’ Edition, but importantly, Microsoft will seek to enable business with Windows 10 integrated and connecting with Azure and Office 365 services.

Increasingly, Windows and Office are becoming a ‘traffic light’ that is ‘switched on’ with enterprise-grade features via subscription based cloud services. The announcement of LTSB and CBB update and support services is likely to underpin the business case for Software Assurance (SA) for enterprise customers. Windows Pro would likely be adopted by SMBs, who would be incentivised to upgrade to Windows 10 Pro for ‘free’ within the first year after General Availability (GA). SMBs are advised they may elect to opt-in to the consumer mechanism as well, or choose a level of support to delay innovation updates by up to 90 days so they can first be tested thoroughly in the market, or a “security and patches only” update model for long-term stability.

In March 2014, Microsoft updated their channel policies with the implication that SA is only available when purchased with Windows Enterprise. After July 2014, organisations were unable to purchase Software Assurance (SA) and retrospectively assign it to Windows OEM or retail purchases within 90 days. In addition, organisations are unable to purchase Windows Enterprise stand alone without SA under the Enterprise Agreement or MPSA volume licensing programmes.

[Ref: Windows Enterprise Upgrade Licensing FAQs, February 10, 2014]

Microsoft have not yet confirmed all the features of Windows Enterprise, but it should likely include the following features (to be confirmed):

  • Start Control | Application and layout control management via Group Policy
  • Windows To Go Creator | Allows the creation of Windows Enterprise on a bootable USB. Use of Windows To Go is enabled with active Software Assurance (SA)
  • DirectAccess | Allows remote users to access corporate network resources without launch of a separate VPN
  • BranchCache | Local user cache of files, websites and content from central servers, to avoid repeated content downloads across the WAN
  • VDI Enhancements | Support for RemoteFX technology with Windows Server 2012 R2 to provide users a high definition RemoteApp and desktop experience, adjust screen resolution and orientation on demand, and Quick Reconnect to desktop quickly across LAN or WAN for different VDI scenarios.
  • AppLocker | Enables IT to specify what software is allowed to run on user devices through Group Policy
  • Windows App Store for Business | Support for enterprise side-loading of corporate LoB Apps in a private business store portal. Microsoft also promise a curated line up of business applications for Windows 10, Volume Licensing purchasing, with support for license reclaim.
  • Device Guard | Provides organisations with the ability to lock down devices, providing advanced malware protection against new and unknown malware variants as well as Advanced Persistent Threats (APT). This forms part of Microsoft’s strategy to deliver better security against malware and zero day attacks for Windows 10 with trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. You’re in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor. [Ref: https://goo.gl/1Rfvw3]
  • MDOP | Microsoft Desktop Optimization Pack, a suite of technologies available as a subscription for Software Assurance customers. Now essentially ‘bundled’ for Enterprise EA/EAS or even MPSA customers who purchase Software Assurance for Windows Enterprise.

Windows 10 Feature Overview

Microsoft’s strategy is to establish Windows 10 as a universal and consistent platform across the PC, smart phone, tablet and a new Internet of Things (IoT) ecosystem. Upon review of announced features, this would support displacement of competitors in key aspects of end user computing, across Communications (Skype for consumers will be included with Windows 10), MDM, Security, VPN, Identity, IRM and Access Management. The requirement to ensure a consistent offering and user experience across consumer, industry, and corporate devices will drive consistent fundamental features across Windows Editions (to be confirmed, updated below):

  • App Security | A security feature that protects application functions running in system memory that can block vulnerability exploits
  • Trusted Boot | A component of the start up process that protects against rootkit attacks by protecting the core kernel and system drivers from malware
  • Windows and IE Smart Screen | A cloud connected service that will detect and block malicious sites and applications
  • NGC | Microsoft recently announced Windows 10 will support Next Generation Credentials (NGC) for Two Factor Authentication access https://t.co/xmvaedEit1
  • Enterprise Data Protection | Corporate Data Separation and Containment with persistent file level encryption and ‘basic’ information rights management. EDP is integrated, without segregated containers, folders or partitions, with Windows 10 as ‘broker’ to gate user or app access at data level based on policies. Microsoft Enterprise Data Protection will identify, separate and protect corporate data without the need (in most cases) for ‘App Wrapping’. This will be enabled and integrated with Azure AD and Rights Management Services. All Windows Devices will also benefit from support for full ‘Device Wipe’.
  • Microsoft continue to invest in the legacy support capabilities, termed ‘Enterprise Investments for IE 11’, reflected in the prior ‘Enterprise Mode’ for IE 11 to support legacy web Apps that relied on IE8 behaviours
  • BitLocker | Full disk encryption, now enabled with SSO (Single Sign On) and protection from cold boot attacks. The need for a PIN has been removed. While BitLocker in Windows 7 was a driver for Enterprise Edition, BitLocker was strategically moved to Windows Pro, with MBAM remaining as part of MDOP
  • Windows Defender | Anti-Virus provided by Microsoft. If 3rd Party Anti-Virus is disabled by Anti-Malware or end of a subscription, Microsoft will remind the user for three days before switching on Windows Defender (ensuring security and displacing a competitor). Windows Defender is isolated to protect the configuration state from malware.

Microsoft have not yet confirmed all editions of Windows 10; my previous view was based on available options in Windows Imaging and Configuration Designer (Windows ICD), which would include four flavours of Windows 10: Windows 10 Enterprise and Windows Mobile Enterprise targeted at large enterprise customers, while Windows Professional is aimed at SMB. (There was also a Windows Home Edition and Windows Mobile firmly placed at Consumers.) Microsoft have stepped up their game against Google with Windows Education to win with the next generation of millennials.

Windows Editions (Commercial)

Windows 10 Core and Industry offerings could represent an important strategic bet for Microsoft to entrench the Windows OS across the Internet of Things (IoT) connecting into Cloud Services.

  • Consistent UX, Universal App Platform and Enterprise Tools for managing and deploying across PCs, Kiosks, Mobile Terminals, PoS, ATMs, Digital Signs, Thin Clients, Industry Tablets, Industry Robotics, Industry Medical Devices
  • APIs published for Developers for Networking Industry Standards and GPIO, I2C, SPI Support
  • ‘Granular’ control of User Experience (UX) on IoT devices for Line of Business (LoB) Applications including control of App Launching, ‘Write Filter’ to create read-only devices, supporting dedicated experience on User Role(s), and access to background access for running tasks, and APIs to control common system settings like Power Settings, Bluetooth.
  • Peripheral Support for Retail including: MSR, Receipt Printer, Cash Drawer, Payment Terminal. 3rd Party Support with UAP Drivers for Enterprise Customers to use a range of PoS devices, with continued legacy support for Unified PoS (.Net, OPoS, JavaPoS) for Win32 Apps
  • For Example: PayPal Here for Surface http://goo.gl/TkIAv4
  • Supported by Microsoft Azure IoT Services (Event Hubs, Stream Analytics, Machine Learning Studio, Notification Hubs, HDInsight) and PowerBI Pro

Windows SA Per User

Prior to General Availability of the Enterprise Cloud Suite and Windows SA Per User, licensing Windows Client OS on any device under a per-user model was not an option. Microsoft have sought to align the commercial licensing vehicle to support a subscription model for Windows.

Microsoft now provide four new licensing options: a ‘full’ Windows SA Per User Subscription, a ‘full’ Windows VDA Per User Subscription, a Windows SA Per User ‘Add On’ Subscription and Windows SA Per User Migration.

Windows Per User

With the Windows SA Per User Subscription, organisations can license Windows Software Assurance on a per user basis. When the license is assigned to a primary user, the associated primary device must be licensed with a ‘qualifying OS’.

The Windows SA Per User ‘Add On’ provides the benefit of Windows Software Assurance per User, or Windows VDA per User, at a price point that recognizes existing ongoing investment. When the license is assigned to a primary user of a primary device that is already covered with active Software Assurance, the Windows Software Assurance per User Add-on grants the licensed user all of the benefits of Windows Software Assurance per User. When you license the primary user of a primary device that is already covered with Windows VDA, the Windows Software Assurance per User Add-on grants the licensed user all of the benefits of Windows VDA per User.

The Windows VDA Per User Subscription allows an organisation to license Windows on a per user basis, and may be assigned to any user. Each licensed user has access to Windows Enterprise without the need to track the operating system license(s) on the user’s device(s), except for devices where the software is installed locally. This provides a user-centric licensing model, providing flexible options for organisations to deploy and access Windows across devices, and does provide improved license management for Windows.

The Windows SA Per User Migration maintains the SA Only price point that is available to customers who own perpetual licenses with Software Assurance in an Enterprise Agreement (EA) or Select Agreement. Customers with active SA will receive special pricing for transition continuity, recognizing their equity investment in previous fully paid perpetual licenses. This is now available for existing renewal customers.

[Ref: Microsoft Price List Guide, December 2014]

[Figure: Per Device vs. User Comparison]

Enterprise Agreement Requirements

Customers with an Enterprise Agreement (EA) adopting the Windows SA Per User Subscription should acquire Windows SA Per User for all “Qualified Users”.

  • The “Qualified User” is defined in the Enterprise Agreement enrollment as: “‘Qualified User’ means a person (e.g., employee, consultant, contingent staff) who: (1) is a user of a Qualified Device, or (2) accesses any server software requiring an Enterprise Product Client Access License or any Enterprise Online Service. It does not include a person who accesses server software or an Online Service solely under a License identified in the Qualified User exemptions in the Product List.” [Ref: Enterprise Agreement Enrollment 2014]
  • “To understand what “user of a Qualified Device” means, “Qualified Device” means any device that is used by or for the benefit of Enrolled Affiliate’s Enterprise and is: (1) a personal desktop computer, portable computer, workstation, or similar device capable of running Windows Professional locally (in a physical or virtual operating system environment), or (2) a device used to access a virtual desktop infrastructure (“VDI”).
  • Qualified Devices do not include any device that is: (1) designated as a server and not used as a personal computer, (2) an Industry Device, or (3) not managed (as defined in the Product List at the start of the applicable initial or renewal term of the Enrollment) as part of Enrolled Affiliate’s Enterprise. At its option, the Enrolled Affiliate may designate any device excluded above (e.g., Industry Device) that is used by or for the benefit of the Enrolled Affiliate’s Enterprise as a Qualified Device for all or a subset of Enterprise Products or Online Services the Enrolled Affiliate has selected.”

[Ref: Enterprise Agreement Enrollment 2014]

  • Microsoft define that a ‘Primary User’ must be assigned to a Licensed Device
  • The “Primary User” is defined as “the user who uses a Windows Software Assurance, Windows Embedded Industry Software Assurance, or Windows VDA Licensed Device more than 50% of the time in any 90 day period.”

[Ref: Product Use Rights, January 2015, Page 75]

Product Licensing Requirements

  • The Licensed Device must be ‘already licensed’ for a ‘Qualified Operating System’ of Windows as defined in the Product List
  • The Windows SA Per User Subscription does not require Software Assurance to be assigned to the Licensed Device
  • Microsoft clarify that Windows can be locally installed in a Physical OSE on Windows Pro and Enterprise devices and additionally on “integrated” screens with a size of 10.1″ diagonally or less
  • The Windows SA Per User Add On does require Active Software Assurance or active VDA Subscription Per Device License for the Licensed Device
  • The Windows SA Per User Add On can only be purchased for the maximum number of available SA or Windows VDA Subscription
  • The ongoing software use rights acquired through the purchase of Add-on User Subscription Licenses will expire with the expiration of the SA coverage for the Qualifying License(s), or at the end of the subscription term for the Add-On USLs.
  • The VDA Subscription License is recommended for User Profiles without a primary work device, or not considered a “Primary User” under the Product Use Rights

[Figure: Decision Tree Windows SA]

[Ref: Product List – January 2015, Page 33–35] [Ref: Product List – January 2015, Page 34]

The diagram below provides an overall view of the licensing options for Windows Per User. As always, please refer directly to binding documentation for confirmation, but this diagram attempts to capture different device profiles and their respective software use rights:

[Figure: Windows Per User Graphic]


Final Summary

  • Microsoft have provided options for business to adopt new innovations, while balancing the need for notification and testing. Organisations can now choose a level of support to delay innovation updates by up to 90 days so they can first be tested thoroughly in the market, or a “security and patches only” update model for long-term stability.
  • The Windows 10 time limited upgrade offer will drive rapid adoption of Windows 10 in the short term, by removing the initial cost of upgrade for the first year. Organisations should be aware that they may require an ongoing level of support, or ongoing access to new feature updates within CBB/LTSB releases, that would require ongoing commitment to Software Assurance (SA).
  • Microsoft will continue to leverage Software Assurance (SA) as a strategic tool to drive customer behaviors toward subscription purchasing, reflected in the CBB and LTSB update services and channel restrictions limiting procurement of Windows Enterprise with Software Assurance (SA) for EA and MPSA customers
  • Software Assurance (SA) is expected to remain the primary commercial vehicle to enable extended software use rights for Windows, and ongoing enterprise support and feature updates.
  • If an organisation is currently deploying Windows 8.1, Microsoft recommend an in-place upgrade to Windows 10. For any devices running Windows 7, tablets are recommended to upgrade to Windows 8.1, while non-touch devices are upgraded to Windows 10.
  • The Windows SA USL licensing model secures the OEM business model by maintaining a licensing dependency on underlying device profile and ‘qualifying OS’.
  • Microsoft are incentivising adoption via the ‘free’ upgrade offer, but provide some assurance that consumers will receive ongoing patches and security updates and that in every case, Microsoft will provide “security and non-security fixes” to continue for “the supported life of Windows 10” on a monthly basis. The cost of ‘free’ upgrade for the first year must be balanced by the ‘traffic light’ approach to Windows 10, connecting consumers to cloud services like Cortana, OneDrive, Office365, Skype, Outlook.com, Xbox Live, Xbox Music and Office Online, and Windows Store. It is worth reviewing the Windows FAQs prior to committing to upgrade by 29th July 2016.
  • Windows 10 will be enabled for enterprise by advanced MDM features within System Center and Intune. Microsoft see a strategic advantage in a ‘single pane of glass’ admin console for both solutions, across user and device profiles, while ensuring support for competitor MDM solutions.
  • Windows 10 is making a strategic move into identity, with support for MSA, Active Directory and Azure AD. Microsoft will aim to drive adoption of Azure AD by offering Single Sign On (SSO) and identity and app data sync across devices.
  • Microsoft importantly are offering a hybrid approach to identity, recommending profiling of users and devices to assess utilisation of AD Group Policy and SCCM for some devices, while another group of devices will leverage Azure AD and Microsoft Intune, enabled by support for NGC and two factor authentication in Windows 10.
  • Organisations that want to enable IT users on personal devices, will be able to set up trusted device and conditional access policies, combined with ‘device registration’ to allow access to workplace services, enabled by Microsoft Intune and Azure AD.  ‘Azure AD Join’ enables users to join personal devices to Azure AD, accessing single sign on and management capabilities outside the core network.
  • Microsoft is making a critical strategic bet to drive rapid adoption, and a bold objective to have a universal OS and Universal Application platform across a wide range of device profiles, looking to capitalize on the rise of IoT, consumer and professional hybrid devices (via new features like Continuum and tablet mode) as well as win back core consumer and tech enthusiast support for the traditional desktop experience.
  • Organisations should be aware that the procurement decision on Windows will be connected to critical decisions around Updates, Management, Security, Enterprise Mobility, including Identity, Access, IRM and MDM, and whether solutions are on premise or integrated or connecting with cloud service offerings on Azure and Office 365, that will create further vendor “lock in”.
  • For wider review of Windows 10 and announcements, It’s also worth following

About

This website is a way to give back to the licensing community and as an information resource for all customers that work with Microsoft software and licensing. I hope you find it of value.

Tony Mackelworth is Microsoft Advisory Services – Practice Lead at SoftwareONE

As always, if you would like to reach out for a coffee or a meeting under NDA, Email or connect via Twitter or LinkedIn

Tony lives with his wife in Oxford, England.


Disclaimer

  • The objective of this article is to review the publicly available documentation available on Windows 10
  • This will look at the publicly announced information as of March 2015.
  • This article is not intended to replace the Product Use Rights or Product List or Online Service Terms or other binding contractual documents
  • The Software Use Terms for each Product or Version are available within the Product Use Rights
  • Further Product-Specific conditions, transition terms, or limitations on use of products, including soft benefits are in the Product List
  • Please be aware that any licensing, or product information could be subject to change.
  • This document confers no rights and is provided for information purposes only.
  • Please be aware, my own emphasis may have been added to quotations and extracts from 3rd party sources.
  • This is not official guidance from Microsoft or its subsidiaries.
  • The following article is based on open information shared with Licensing Solutions Providers (LSPs) and based on personal inference and understanding.
  • This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
  • Please be aware that nothing in this document constitutes specific technical advice. Some of the material in this document may have been prepared some time ago and therefore may have been superseded. Specialist advice from the vendor should be taken in relation to specific circumstances.
  • The contents of this document are for general information purposes only. Whilst the author(s) endeavour to ensure that the information on this document is correct, no warranty, express or implied, is given as to its accuracy and the primary author or its contributing Authors do not accept any liability for error or omission.
  • The contributing authors and owner of this document shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this website or any material contained in it, or from any action or decision taken as a result of using this website or any such material.
  • This Disclaimer is not intended to and does not create any contractual or other legal rights.