With the Windows 10 November update, Microsoft IT enabled several enterprise features for its global user base, including Windows Hello for Business, Credential Guard, and Enterprise State Roaming. In addition, implementing Azure Active Directory Join across the enterprise extended cloud capabilities to users with Windows 10 devices. With the update, users saw security enhancements and immediate improvements to productivity. Microsoft enabled Azure Active Directory Join and other Windows 10 features that enhance security and productivity, including Windows Hello for Business, Credential Guard, and Enterprise State Roaming.
The Windows 10 November update offers two new features for improving security. A combination of cryptographic keys that are uniquely tied to a user and device, and facial or fingerprint recognition, provide a more convenient way to sign in with strong authentication.
The Windows Hello for Business helps Microsoft employees and other corporate network users to securely sign in to their PCs. Windows Hello for Business simplifies signing in to on-premises and cloud resources without using a password. Using Windows Hello, our network users can sign in to their Windows 10 devices with just a look or a touch if the device is equipped with compatible hardware.
Windows Hello for Business creates a certificate-based credential on a device, which is unlocked by a PIN or biometric (fingerprint or facial recognition). This is more secure than a password, because the PIN is tied to the device, and only the user knows the PIN. With Windows Hello for Business, we have a convenient and secure authentication method. Other benefits include:
- Easy certificate renewal. Microsoft corporate network users receive a prompt to verify their PIN when their certificate needs renewal. The certificate is renewed in the background rather than the cumbersome certificate renewal process that existed before.
- Single sign-on. Windows Hello for Business reduces the number of requests for credentials and gives users a single sign-on experience. Microsoft users saw a significant decrease in the number of times they had to sign in during their daily work.
- Simplified remote access. When Microsoft network users use their PIN, they can connect remotely using the Microsoft IT VPN client without the need for a smart card.
- Biometric sign in. With compatible biometric hardware, Microsoft corporate network users can set up Windows Hello and sign in with only a swipe of their finger or a quick look at the device’s camera. This enterprise-grade security meets the requirements of Microsoft IT.
Credential Guard increases the security of derived domain credentials by using platform security features, including Secure Boot and virtualization. Securing derived domain credentials with virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Credential Guard uses Virtual Secure Mode to store hashes and tokens in a way that makes unauthorized access difficult. At Microsoft, we added Credential Guard to take advantage of this additional security protection and deployed it using a phased approach. After testing it in our hardware lab to ensure compatibility, the feature was enabled globally using group policy. There were no related help desk calls, validating a seamless adoption. More details about Credential Guard are described in Protect derived domain credentials with Credential Guard.
Azure Active Directory Join
Azure AD Join will register za device in our directory and enroll it in the Mobile Device Management (MDM) solution and Microsoft Intune, which is part of the Enterprise Mobility Suite. In addition to PCs and Windows devices, any mobile device can be joined, allowing users to work on the device of their choice. With the combination of Azure AD Join and Microsoft Intune, we have more control over corporate data on the device, and user data is no longer controlled by us. This has reduced resistance by users and encouraged wider adoption.
As an example of the benefits of Windows 10 integration with Azure AD Join, Microsoft rolled out virtual private network (VPN) settings. For non-domain-joined PCs to access corporate resources, the process is greatly simplified. With Windows 10 and Azure AD Join, the PC is enrolled automatically with Microsoft Intune in a matter of seconds and the user is presented with a number of configurations, including VPN settings. Previously, users had to install a VPN client from IT Manager, and then use a smart card or other device to do strong authentication and connect to VPN. Now, with Azure AD Join, users automatically get a VPN connection along with Windows Hello for Business and security settings.
Data geolocation and privacy concerns are addressed through points of presence in data centers around the world using MDM and Microsoft Intune. An added benefit of enabling Azure AD Join is the ability to use Enterprise State Roaming.
Enterprise State Roaming
With the Windows 10 November update on Azure AD Premium, Microsoft wanted to take advantage of the Enterprise State Roaming (ESR) feature, which synchronizes our users’ corporate Windows and application data settings to Microsoft Azure. With this feature, their settings roam across all Windows devices, reducing the time needed for configuring a new device. And it provides a separation between personal and corporate user settings, protecting user privacy. In addition, Azure Rights Management Services (RMS) encrypts settings on the Windows 10 device and stays encrypted in the cloud providing added security.