A Windows for the Cloud
by Mary Branscombe
Windows 10 is Microsoft’s solution for conducting business in the cloud, as Mary Branscombe demonstrates.
HardCopy Issue: 68 | Published: February 26, 2016
Windows 10 is destined to be the last version of Windows; not because Microsoft doesn’t believe in its new operating system, but because it does. Instead of a one-off version of Windows that will get replaced after a few years, this is Windows as a Service: Windows that’s developed like cloud software, with new features appearing alongside frequent updates when they’re ready.
It’s also a version of Windows that’s more closely integrated with Microsoft’s cloud services than ever before; not just for file storage and the synchronisation of settings through OneDrive (an option inherited from Windows 8), but also for a range of services from authentication to device management to Office document security. Features like Windows Passport, Workplace Join and Mobile Office build on Azure Active Directory (Azure AD), Enterprise Mobility Suite (EMS) and Office 365, as well as on the upcoming Windows Server 2016.
In short, Windows 10 is the visible surface of Microsoft’s cloud strategy, which underlies the new operating system like a very deep iceberg.
The combination of cloud integration and continual development in Windows 10, together with the need to wean users away from Windows XP and its more familiar interface, seems to be appealing to businesses. There are now 200 million users of Windows 10 including 22 million devices in enterprise and education, and 75 percent of Microsoft enterprise customers already have a Windows 10 pilot. In many cases this is driven by the security improvements in Windows 10, and associated cloud features.
Windows is far from the only platform Microsoft cares about: its cloud strategy covers everything from Mobile Device Management (MDM) and remote apps for iOS and Android phones, to Office on Mac OS, to Linux VMs on Azure, and to information analysis and visualisation in the cloud with Power BI. The Power BI Desktop companion app is Windows only, but this is a rare holdout in the new cross-platform world of Microsoft software. That said, Windows is where Microsoft can integrate its services most deeply and showcase them best across multiple different devices.
That shows up in a wide range of features, from live tiles driven by push notifications coming from Azure services, to the Cortana assistant integrated into the Start menu search box. Cortana searches both Bing and your PC, as well as OneDrive; tracks the topics you mark as interests on Bing; integrates with your calendar in Outlook and on Outlook.com; monitors your email for events that you want to track; and uses the cloud to sync reminders that you schedule on your PC or Windows Mobile phone. You can also integrate Cortana with business systems like Power BI, or the Cortana Analytics data analysis service, which uses machine learning.
The OneDrive integration in Windows 10 shifts from the emphasis in Windows 8 on convenience to offer much more control to the business. Your personal Wi-Fi and website passwords, Windows settings like your Start screen layout, your custom dictionary for Office, your desktop background and app settings all sync through OneDrive, which makes setting up a new PC so much easier. However they also sync between managed accounts that are joined to Azure AD, so users now get the same convenience for work resources. As well as being backed up on OneDrive, the BitLocker recovery key for each Windows 10 system is also backed up to Azure AD.
Similarly, the built-in sync client that lets you choose folders on OneDrive to be synced to your local PC now works with both a personal Microsoft account and a OneDrive for Business (ODB) account, giving the same convenient access to work files in the cloud. ODB is a cloud storage service with similar sharing tools to OneDrive or Dropbox, including business-friendly options like setting expiration dates on file sharing. Furthermore it’s built on top of SharePoint and so includes IT management and security features like auditing and data loss prevention.
The unified sync client removes some of the more annoying limitations from OneDrive for Business, as well as making it far more reliable. However it’s still a work in progress: the new client doesn’t let you sync SharePoint or Office 365 Groups libraries yet, and it still doesn’t let you see folders that other users have shared with you without visiting the website.
The Universal Windows Platform
Windows 10 brings the same cloud integration strategy to desktop, notebook, tablet and smartphone devices, as well as to consoles, wall-sized computing with Surface Hub and (eventually) holographic computing with HoloLens, IoT devices and even in-car computing, using the same Continuum capability that lets you plug a keyboard and monitor into a Windows 10 Mobile phone, or have your phone power the display tucked away behind the wheel of your car.
Windows 10 simplifies this with Universal Windows Platform (UWP) apps that can run on as many different Windows 10-powered devices as the developer chooses, all through common APIs. The Windows Store apps in Windows 8 could be built in the same project as a Windows Phone app, but while they might share code, they were still separate apps. UWP apps for Windows 10 are the same code, running on different platforms, with responsive interfaces and features that adapt to the features of different devices.
UWP apps can be native apps, or they can be HTML apps with access to native APIs built on tools like Apache Cordova. Just like any app they can call web services, whether that’s a Facebook login, Salesforce data, Microsoft’s own Bing Maps, Office 365 APIs and the Microsoft Graph API for connecting to a wide range of Microsoft services, Azure storage, Azure AD authentication, or Azure Mobile Engagement usage analytics and push notification services powering live tiles that update the Windows Start menu. But they also use Microsoft’s cloud to store information like settings, which is automatically synced to the user’s other Windows 10 devices, whether that’s your high score in a game or the font settings you prefer in your Twitter client. That’s the same cloud settings sync built into the OS itself, available to any developer.
Another advantage of UWP apps is that when you use the Continuum feature of Windows 10 Mobile and plug in a larger screen and keyboard, instead of the mobile interface designed for small screens, you see the same interface as when you’re running the app on a desktop PC.
Microsoft is building all of its own apps as universal apps, from Remote Desktop to the Mobile Office apps, although not all are ready yet – Skype for Business is a notable omission at this stage.
And to get the unified sync client for both personal and business cloud storage, Microsoft has sacrificed one of the more powerful features in Windows 8.1, namely the placeholders that allowed you to see and search files stored in OneDrive, even if they weren’t synced locally, and even when you’re offline. A replacement is promised, but a year has passed since the feature was removed from a preview build and there’s still no sign of it.
Instead, at least as long as you’re online, there is deep integration into Microsoft apps. The Photos app, for instance, automatically shows images from your OneDrive account, as well as pictures stored locally. The Groove Music client does the same, streaming music stored in your OneDrive cloud storage to PCs and phones. Office 2016 and the Mobile Office apps included with Windows 10 let you browse your OneDrive folders to open and save files, even if they’re not folders that you’re syncing. Similarly, Cortana can search files stored on OneDrive directly from the Start menu.
Storing a file on OneDrive or OneDrive for Business enables live editing of Office documents by multiple users. Microsoft is also adding OneDrive for Business support to its Windows 10 apps, albeit gradually.
Neither OneDrive nor OneDrive for Business is intended as a backup service, but the File History feature in Windows 10 that works with local and network drives can also integrate with the Azure Backup service. That’s not intended for full system backups, but for modern PCs that you’re managing well and that back up their settings to OneDrive or Azure, backing up files and personal information such as contacts is a better strategy in that it’s less intrusive for users and still protects the documents they need.
Managing Windows 10 also means changing your attitude to managing updates. Windows as a Service means regular feature updates as well as security patches: a future update to the Edge browser will add Chrome-style extensions, for instance. Security threats move too quickly for you to delay patches, but you still want to manage changes to functionality.
With Windows 10 you can use the Insider Preview to get new features as soon as they come out, while limiting other systems to the Current Branch for Business build, which gets new features some months later. Use the new Windows Update for Business cloud service to manage this. It also lets you manage update and restart schedules, making sure that restarts don’t disrupt Monday mornings. You can do that by roles and groups as well, so you can stop the accounting team being interrupted by updates while they’re compiling quarterly figures. There are definite advantages; if you let users schedule updates then they’ll never again have to watch their PC restart in the middle of a presentation, but you can still track how many machines are up to date. To make it work well, though, you do need to invest the time to set the system up and monitor it.
Getting comfortable with continuous updates is part of changing how you think about managing PCs in that you need to start treating them more like smartphones and tablets than desktops controlled by Group Policy. Don’t think in terms of locking down a PC that never leaves the network, or keeping files behind the firewall. Instead you need role-based, context-sensitive security where you manage the user and the information they have access to, rather than the devices.
Windows 8 and 8.1 had a number of MDM-style management features, especially Workplace Join, which marked a PC as a known device for Active Directory in the same way as you would a smartphone or tablet, only allowing it to access email and files if it met minimum security requirements. Windows 10 adds extended MDM support that goes beyond that kind of BYOD (Bring Your Own Device) scenario, and it also gives you much more coherent choices between using Group Policy, System Center and Microsoft’s Azure AD and Intune cloud services for managing devices.
Azure CTO Mark Russinovich calls Azure AD “the heart of Microsoft’s cloud platform,” pointing out that “all Microsoft cloud services, including Microsoft Azure, Microsoft Xbox Live, and Microsoft Office 365, use Azure AD as their identity provider.” The Azure AD integration in Windows 10 is a key part of its cloud integration. That doesn’t have to be something you pay for, as there’s a free tier of Azure AD that enables the key features. If you want the more powerful features like multi-factor authentication, self-service BitLocker recovery, MDM auto-enrolment and advanced reports, then you can pay for Azure AD Premium on its own, or as part of EMS.
You don’t want your CEO using a PC in a hotel business centre to have automatic access to confidential files if his IP address is part of a botnet. A cloud security service like Azure AD or EMS is far more likely to detect such a situation than your on-premise remote access gateway.
Azure AD Premium lets users set up their company PC for management themselves, as part of the standard Windows setup process, without you needing to provision them individually: just give them the details of their Azure AD or Office 365 account and they can use it as their Windows account. That gives them single sign-on, both to company applications that you configure for single sign-on, and to cloud services. And that’s not just Office 365: it covers over 2,500 cloud apps from Box to Salesforce to Workday and Zoho.
Single sign-on isn’t just about convenience, although it does mean fewer passwords for people to forget and have to reset. With Azure AD, you can assign cloud service accounts to specific users, which gives you a level of management across multiple services. You can revoke access to those services if someone leaves the company, or you can give multiple people access to a shared service, such as the company Twitter account, and use multi-factor authentication and single sign-on to ensure that they never know the password for the cloud service they’re using, which makes those accounts much more secure against accidental or deliberate compromise.
Windows 10 also includes some major new protections for passwords and credentials. Windows Hello lets you log in to your account using biometrics, such as fingerprint, facial or iris recognition, or with a PIN. Businesses can set the length of the PIN and a numeric PIN can actually be more secure than a password because the credential is stored in the Trusted Platform Module (TPM) and doesn’t roam from system to system.
The logon credentials that the PIN or biometric unlocks are also better protected against the pass-the-hash attacks that have compromised so many companies recently. The entire logon service runs in a separate container – a very small virtual machine that takes very few resources, doesn’t run as admin and does nothing but issue a token that doesn’t leave the secure execution environment, so is much harder for a hacker to extract.
And when you log on to a known device using biometrics, the PC itself effectively becomes a second factor in the authentication process. That means it’s secure enough to unlock a store of credentials, known as Windows Passport, for single sign-on, and for authenticating to apps and services that use the emerging cross-platform FIDO standards. Eventually, FIDO could replace passwords with authentication that’s both secure and easy to use, because you just have to look at the screen or swipe your finger to sign in to everything from your email to your online banking. It’s a standard you can expect to use on your phone and with add-on devices like the YubiKey, but the fact that Microsoft is building it directly into Windows 10 means it’s ready to use out of the box.
If you use Windows Hello to sign in to a Windows 10 PC today, then it uses Passport to sign you in to Microsoft properties such as outlook.com. If you’re using Office 365 or Azure AD, Hello and Passport also sign you in to Office 365 and any cloud services that are set up for single sign-on through Azure AD. Enabling FIDO access for your own line-of-business apps means either using the Azure AD Application Proxy for single sign-on, or waiting until Windows Server 2016 is available and you can run a domain controller on it.
Using Azure AD, you can also manage the Windows Store for Windows 10 users. Instead of asking them to set up their own Microsoft account to get business apps, you can have them use Azure AD accounts to get Store apps, including ones you’ve volume licensed and allocated to specific users. You can also use the Windows Store for Business cloud service to build your own portal from which you can offer apps to users – initially free apps that you can select from the Store and a private catalogue of your own line-of-business apps, but the ability to charge is coming in the future.
If you want the option of locking down what software can run even further, the Device Guard option in Windows 10 uses code integrity and hardware-based virtualisation to run only trusted and signed applications. That gives you some of the ‘trust nothing’ approach of smartphone apps with full desktop executable files. For now you manage that with Group Policy, System Center or PowerShell, but future versions of Intune and EMS will be able to deploy and manage code integrity policies.
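As an added example (not code from the article or from Microsoft’s documentation), this is what the Device Guard code integrity workflow looks like when managed with the PowerShell cmdlets mentioned above: scan a reference PC, run in audit mode, fold in what audit caught, then convert to the binary form Group Policy deploys. It assumes Windows 10 Enterprise with the ConfigCI module in an elevated session; the C:\CIPolicy paths are assumptions.

```powershell
# Added example (not from the article): build a Device Guard code integrity policy
# from a reference PC, start it in audit mode, and convert it to the binary form
# that the Group Policy setting "Deploy Code Integrity Policy" points at.
# Assumes Windows 10 Enterprise with the ConfigCI module, run from an elevated
# PowerShell session on a clean, fully patched reference machine.
# The C:\CIPolicy paths below are assumptions; adjust them for your environment.

$PolicyXml    = 'C:\CIPolicy\InitialScan.xml'
$AuditXml     = 'C:\CIPolicy\AuditCatchUp.xml'
$MergedXml    = 'C:\CIPolicy\Merged.xml'
$PolicyBinary = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null

# 1. Scan the reference machine and trust binaries by their signing publisher,
#    falling back to a file hash for anything that is unsigned. -UserPEs includes
#    user-mode applications as well as drivers, so desktop EXEs are covered.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs `
             -FilePath $PolicyXml

# 2. Turn on user-mode code integrity (rule option 0) and start in audit mode
#    (rule option 3): executions the policy would block are only logged to the
#    Microsoft-Windows-CodeIntegrity/Operational event log, so nothing breaks
#    while you tune the rules.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. After the PC has run under audit for a while, build a supplemental policy
#    from the audit events and merge it with the original scan, so legitimate
#    line-of-business applications that the scan missed are allowed.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditXml
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml

# 4. Review the rules that ended up in the merged policy before deploying it.
Get-CIPolicy -FilePath $MergedXml | Format-Table -AutoSize

# 5. Convert the XML into the binary policy Windows actually enforces. Once the
#    audit log is quiet, remove option 3 to switch from auditing to enforcing:
#    Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBinary
```

Deploy the resulting .p7b with the Device Guard Group Policy setting (or System Center); a policy left in audit mode still tells you, via the event log, which unsigned or unexpected binaries your users are running.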
Windows Server 2016
Despite all the cloud integration, Windows Server 2016 has a place in your Windows 10 environment, whether it’s for management tools like Config Manager, Active Directory, or private cloud. This next version, due in the second half of 2016, will be one of the most important updates to Microsoft’s server OS, with significant refactoring to create the Nano Server deployment option, making it more secure and more serviceable.
Although it’s a very ‘thin’ OS, designed for agile deployment (think containers and package managers rather than traditional server GUI applications), that doesn’t mean Nano Server isn’t capable. It can already run IIS, the DNS role or a workload like OpenStack as well as hosting both Docker-style and Hyper-V containers, and Microsoft is working on having Nano capable of supporting all the key Microsoft workloads.
Alongside improvements in traditional virtualisation such as nested virtualisation, support for containers and microservices (whether Docker or the more isolated Hyper-V containers) gives you a cloud-consistent model for development, so you can have a workload that’s the same on Azure or on your own servers. Windows Server is what Azure runs on after all, and with the Datacenter Edition of Windows Server 2016 you will get far more of the Azure code for your own data centre. This includes the shielded VMs that make it safer to run untrusted code; the code that runs Azure storage (tuned to run on much smaller amounts of storage as Storage Spaces Direct); and the network stack from Azure, including the same network load balancer.
You also get Azure Stack. Unlike the Windows Azure Pack which Microsoft called ‘Azure consistent’ for delivering IaaS and websites, Azure Stack gives you the actual code that runs a selection of the IaaS and PaaS services from Azure, plus an implementation of the Azure portal for working with them.
Alongside Windows Server 2016 there will be a new version of System Center to manage all those features. The Technical Preview already includes Windows 10 management options, like showing the health of PCs, including the state of the BIOS and the TPM, which security features like Passport and Hello depend on.
The close alignment with Windows 10 is why Config Manager is adopting the same ‘as a service’ development model, and the same goes for Office 365. Cloud services like Exchange and SharePoint already get regular new features, but the Office 2016 desktop clients will now get frequent updates too. Windows 10 is the way Microsoft is highlighting its cloud model, but this new world of previews, updates and continuous development applies to almost everything Microsoft does, whether it’s in the cloud, on the phone or on the desktop.
You also get conditional access controls with Azure AD and EMS so that, for example, a Windows 10 PC that doesn’t have the latest Windows Update security patches and hasn’t run a malware scan recently won’t get access to company resources until it’s secured.
Provisioning is less work with Windows 10 as well. Joining a Windows 10 device, which can be a PC, a tablet or a smartphone – or, in future, other devices like a Surface Hub – to Azure AD can automatically enrol it in your MDM solution, whether that’s Intune or another MDM system, using the built-in MDM client.
One of the most interesting scenarios involving MDM and Windows 10 moves into the Mobile Application Management space with Enterprise Data Protection containers, which will let you protect individual business files – both Office documents and other formats – in the same way as encrypted containers do on mobile devices. That feature will be part of the built-in MDM support in Windows 10 but isn’t currently available – although you can manage Office and Office files through MDM on Windows and other platforms if you’re using Microsoft Intune.
What the MDM agent in Windows 10 does let you manage today is still very useful, from VPN configuration and application whitelisting, to remote device wipe, to handling multiple users, and users with multiple online profiles.
MDM doesn’t replace Active Directory, Group Policy and System Center for devices that spend most of their time on your office network. Instead it offers a lighter touch approach for devices that are usually connected to the Internet and used in a lot of different environments.
Windows 10 lets personal and work accounts co-exist, not just on the same PC but in the same user login, so a Windows login can be associated with both a personal Microsoft account for OneDrive, Hotmail, News, Weather and other useful services, and an AD or Azure AD account that gives access to Office 365, business email, encrypted documents and single sign-on. And you can make that work either way round, so you can add a Microsoft account to a PC that’s already joined to a domain, or an Azure AD account to a PC where users already sign on with their own Microsoft accounts.
That makes the ‘dual use’ option in EMS, Intune and Office 365 more useful in Windows 10 because users are more likely to have those two sets of credentials side by side. In this way you can manage the Office apps for work documents, limiting copy and paste and save locations to prevent data leakage, for example, while still allowing users to do personal things in Word or Excel, copying and pasting from their personal email and saving those files wherever they want, without the business having to worry about seeing personal or private information.