Microsoft 365 Enterprise: What Windows 10 goodies are included that you don’t get with Pro/Business?
Alex Fields
In this article, I wanted to highlight some of the key differences between Windows 10 editions, which are available through subscription in the Microsoft 365 Enterprise SKUs. Small business admins and consultants are going to be interested in some, but not all, of these features. There may be others I’m not really calling out here; I’m just trying to get some relevant info out there for the SMB, to help them evaluate their options.
Windows LTSC access
The Long Term Servicing Channel supports fall releases for 30 months. This is in contrast with the spring releases, and with all non-Enterprise/Education customers, who are supported for only 18 months (Windows 10 Pro, Home and Office customers must move up the chain to a newer build within 18 months).
So many people have criticized Microsoft on this Windows-as-a-Service update strategy. Mary Jo Foley, for example, has called it unsustainable. And I agree–even for smaller businesses, there is only so much change we can handle and manage in a given time frame. With recent snafus in the 1809 update, some of us have even wondered if Microsoft can really keep up with the pace they themselves have set.
Nevertheless, as of right now, it appears that this distinction is here to stay–on Windows 10 you must continue to update at least every 18 months, or be left behind in no-man’s land. This is true regardless of how you get Windows 10, and regardless of what version: OEM, subscription or whatever. The only reprieve is LTSC, which is held hostage in the Enterprise editions.
Windows Virtual Desktops on Azure
The announcement was made at Ignite, and here is a Microsoft blog article on the same. Although this feature is not available yet, I see a few pretty interesting items here. Obviously this implies you can run Windows 10 desktops on Azure, but of special interest to some, you can also choose to run Windows 7 Enterprise–and to top it off: the Windows 7 desktops would be covered by extended security updates through 2023.
This may provide some extra incentive to customers who may be considering upgrading from Office 365 E3 to Microsoft 365 E3. This is one way they could maintain legacy applications a little bit longer on Windows 7 desktops. Other relevant details:
- Requires an Azure subscription:
  - Must still pay for VM run time and storage separately (licensing and virtualization rights are covered by the license)
- Run Windows 7 Enterprise, Windows 10 Enterprise and Windows Server 2012+
- Deploy apps only or the full desktop. Note: based on the literature available right now, I am not clear whether this applies to apps published on Windows 7/10 or just via RDS RemoteApp on Windows Server
- The only multi-user Windows 10 experience; previously, multi-user required RDS Server
- Windows 7 Extended Security Updates included
- Microsoft has promised simple, quick deployment (I’ll test this and report back when it comes to preview)
- Partner opportunities are mentioned, e.g. CSP, and they also specifically call out Citrix, but there isn’t much available as to the details yet
This feature is available on both E3 and E5 versions of Windows 10 via Microsoft 365 E3 or E5 respectively.
Disclaimer: this next part is my opinion only… My own experience with hosted desktop solutions (not this one) has not been great–in almost every case when I have been involved in moving customers from a hosted desktop solution back to a local copy of Windows on a workstation or laptop computer, they are overjoyed and relieved. I’ll be curious to see how/if this product is any better than others I’ve seen.
“FINALLY! It works like normal again!!!”
— Every end user who ever experimented with VDI
Windows Defender ATP
The Windows Defender suite of software provides several security-related services for all versions of Windows, such as antivirus. But any time you see ATP (Advanced Threat Protection), it means there is some machine learning being employed to make “intelligent” decisions about potential threats or risky events. For example, consider the ATP subscription add-on for Office 365, which I have been recommending for a couple of years now, and which also comes bundled in Microsoft 365 Business or Enterprise E5; that subscription provides intelligent scanning of attachments and web links, plus some advanced analysis of emails for phishing attacks and spoofing attempts.
Likewise, on Windows 10, Windows Defender ATP looks for activity and behaviors from the perspective of the endpoint OS which could indicate a compromised user or device, even if no virus or malware has been detected. The Windows Defender ATP features are activated only with the Enterprise E5 subscription.
Other Enterprise-specific features
- Desktop Analytics Device Health – Identify systemic issues impacting users and provide tools for proactive remediation
- Microsoft Application Virtualization (App-V) – Delivery of win32 apps as virtual apps within a self-contained virtualization package
- User Environment Virtualization (UE-V) – Centrally store and manage Windows and app settings for use across a variety of devices
- Windows Defender Credential Guard – Virtual isolation of secrets so that only admins can view them
- Windows Defender Application Guard – Protection in Edge from malware and hacking threats
- Windows Defender Application Control – Ability to block malware and untrusted apps
- Branch Cache – Ability to provide local file cache at remote sites using client computers
- DirectAccess – This is a virtual private network (VPN) solution which has been made obsolete with the introduction of Always-On VPN, which also works with the Pro edition of Windows
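Before paying for Enterprise, it is worth knowing which of these features an endpoint is actually running today. The following is an added example (not from the article) that reports the edition, the Credential Guard and HVCI state from the Device Guard CIM class, the Application Guard optional feature, and the Windows Defender ATP sensor service; it assumes Windows 10 and an elevated PowerShell session.

```powershell
# Added example: report which Enterprise-only security features are active on this device.
# Assumes Windows 10 and an elevated session; no third-party modules required.
function Get-EnterpriseFeatureState {
    [CmdletBinding()]
    param()

    # Edition and build, so the report lines up with the servicing discussion above.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard (LSA secrets isolated in VBS), 2 = HVCI.
    $dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)

    # Application Guard ships as an optional Windows feature; State is Enabled or Disabled.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    # The Windows Defender ATP sensor runs as the "Sense" service once a device is onboarded.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Edition                = $edition
        Build                  = $os.BuildNumber
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        ApplicationGuardState  = if ($wdag) { $wdag.State } else { 'NotAvailable' }
        AtpSensorStatus        = if ($sense) { $sense.Status } else { 'NotInstalled' }
    }
}

Get-EnterpriseFeatureState | Format-List
```

On a Pro device the Credential Guard and Application Guard fields will normally come back false/NotAvailable, which is exactly the gap the Enterprise list above describes.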
Conclusion: I’m not that jazzed about Enterprise
A subset of SMBs will be driven to adopt Enterprise editions of the Microsoft 365 SKUs for one reason or another, but in practice I think we will find that the Windows 10-related enhancements will probably be the last consideration. If anything, the LTSC access might be the most appealing feature here. Not that the other items aren’t “cool” or desirable, especially from a security standpoint, but when you consider the price tag of the Pro/Business edition alongside that of Enterprise, I don’t know if virtual desktops, App-V or Windows Defender ATP are going to turn any heads in the SMB. Most of the features that end users care about, especially in the SMB, are found within Office 365 anyway–and even the Business track includes basically all the important Office apps these days: Outlook, Excel, Word, Access, OneNote, OneDrive, Teams, etc.
The other major barrier to adoption in the SMB is the fact that partners are not incented toward the Enterprise products. Microsoft provides some really cool security tools and analytics in their Enterprise lineup, but they provide no way for CSP partners/consultants to manage their customers at scale. An Enterprise IT team will get great visibility and control over their endpoints–for example, the ability to visualize an attack on a timeline and see where in the kill chain the attack was caught/stopped, quarantine the affected device(s), and then update other endpoints with the “need to know” information before they become impacted. Depending on the other subscriptions in your bundle and how you configure them, you can also see various reports on risky sign-ins, malware, ATP threats, spoofing attempts, etc., and make decisions and adjustments based on that data.
But a partner who is managing 50, 100, 200, 300+ customers? In that case, we have to set all these features up 300+ times, which is hard enough, especially as things within the subscription change and morph over time (policy/version control). And then on top of that, it is not scalable to watch over all those separate dashboards, review the reports, and take action. Here is what we would require in order to adopt these more advanced technologies and apply them at scale (and really it would be good to have these features even for the Business products, since those are also managed by partners at scale):
- a way to apply and update baseline configurations across all customers for some of the products, e.g. ATP policies, etc.
- dashboard displaying service health for various areas:
  - Exchange Online, SharePoint, Skype/Teams, etc.
  - Azure AD Connect health
  - Secure Score
  - Risky sign-ins
  - Other events we should check out/take action on
- real-time alerts for critical events from any customer who is under management
Since we don’t have that, we are often left looking at third-party options for security features which could, maybe, be covered by Microsoft (if only we had the ability to scale across tenants). Security log ingestion/aggregation, alerting, health status, endpoint antivirus, backups, OS and third-party app updates, etc., etc.–all of it is being done with third-party tools right now. Some day we may get there, and I hope it is sooner rather than later; again, it should work regardless of subscription level. I do think some of the Enterprise features today give us the best data/feedback/alerts available; I’m just not incented to use them for my customers right now. Remember: any subscription, even the Business editions, throws off useful and actionable data. But with so many more Enterprise bells and whistles to manage, it is just way too unruly to tackle for partners taking care of the SMB. Is it too much to ask? I just want this stuff in one place, not 100 places.
Do you know if all the GPO options that are available for Office 365 Pro Plus are also available for Office 365 Business? I’m concerned that I won’t be able to use GPO functions for managing OneDrive unless it’s the ProPlus suite. Specifically these: https://docs.microsoft.com/en-us/onedrive/redirect-known-folders. Thanks!
The GPO options that are not supported are in relation to the Office ADMX templates. From this document, it sounds like the requirement for these OneDrive settings is more around the version of the client. I have not used this GPO setting yet personally. I do wonder if there is not some way with Intune to configure these settings (most likely, assign the app to the device, then deploy a PowerShell script to configure it). See for example this article. And this one–as of yet they do not mention KFM. But if you can configure other aspects with PowerShell, I wonder if KFM is not also possible. I’ll have to put this on my research list!
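The Intune route mentioned in the reply above comes down to writing the same machine policy values the OneDrive ADMX template would set. The following is an added example (not from the article, the commenter, or the linked docs page) of a script that could be assigned through Intune to turn on Known Folder Move for one tenant; it assumes it runs elevated (Intune runs scripts as SYSTEM), and the tenant ID shown is a placeholder.

```powershell
# Added example: configure OneDrive Known Folder Move (KFM) by policy without the ADMX templates.
# Writes the machine-wide OneDrive policy values; the tenant ID passed in is a placeholder.
function Set-OneDriveKfmPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Azure AD tenant ID (GUID); KFM will only redirect folders into this tenant.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$TenantId,
        # Also prevent users from moving the folders back to the local profile.
        [switch]$BlockOptOut
    )

    # Same registry location the OneDrive GPO/ADMX settings write to.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }

    $values = @{
        # Silently sign the sync client in with the Azure AD account already on the device.
        SilentAccountConfig            = @{ Type = 'DWord';  Data = 1 }
        # Move Desktop/Documents/Pictures to OneDrive without prompting, for this tenant only.
        KFMSilentOptIn                 = @{ Type = 'String'; Data = $TenantId }
        # Show the user a notification once the silent move has happened.
        KFMSilentOptInWithNotification = @{ Type = 'DWord';  Data = 1 }
    }
    if ($BlockOptOut) {
        $values['KFMBlockOptOut'] = @{ Type = 'DWord'; Data = 1 }
    }

    foreach ($name in $values.Keys) {
        $v = $values[$name]
        if ($PSCmdlet.ShouldProcess("$key\$name", "set to $($v.Data)")) {
            # -Force overwrites an existing value, so the script is safe to re-run.
            New-ItemProperty -Path $key -Name $name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
        }
    }

    # Return what is now in the registry so the deployment can be verified.
    Get-ItemProperty -Path $key |
        Select-Object SilentAccountConfig, KFMSilentOptIn, KFMSilentOptInWithNotification, KFMBlockOptOut
}

# Placeholder tenant ID, not a real value; replace with the customer's own tenant ID.
Set-OneDriveKfmPolicy -TenantId '00000000-0000-0000-0000-000000000000' -BlockOptOut
```

When assigning this through Intune, select the option to run the script in the 64-bit PowerShell host; otherwise the HKLM\SOFTWARE write is redirected under WOW6432Node and the OneDrive client never sees it.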