Reader Question: Differences between Windows 10 Pro and Windows 10 Business
Hi Alex, I’m working on getting some of my clients over to M365 Business from O365 Business Premium. I’ve searched the web and I can’t seem to find a good explanation on the difference between Windows 10 Pro and Windows 10 Business. Is there a difference between Windows Defender in Windows Pro versus Windows Defender in Windows 10 Business? Especially if the new Edge is installed? Thank you for all you do for us IT Pros!! Greatly appreciated! –Rich
Good question, Rich.
In short, yes: Windows 10 Business adds capabilities on top of Windows 10 Pro. I have had trouble piecing this together myself, but here is what we know for sure based on the service description and other resources. With Windows 10 Business we get access to certain Windows-specific and Defender-specific features that are powered by Intune / Microsoft Endpoint Manager, such as:
- Autopilot (low-touch or no-touch deployments)
- Enterprise State Roaming (settings sync and roam to new devices)
- Windows Information Protection (including the ability to selectively wipe company information from devices remotely)
- Windows Update for Business which allows you to centrally control the pace and deferral of feature and quality updates
- Pushing out software applications including Office and the new Edge, as well as MSI and other software packages
- Enforcing Conditional Access against managed Windows 10 devices
- Windows Virtual Desktop (see my opinion piece on this here)
- Centrally manage and control Defender features (with Pro you can turn some of these settings on for each PC individually, but with this solution you can manage centrally via Intune):
  - Antivirus, including Potentially Unwanted Applications (PUA) protection and more
  - Application Guard, which will isolate untrusted websites in a virtual container when browsing with Edge
  - Exploit Guard, e.g. Attack surface reduction rules, Controlled folder access, and Network protection — NOTE: none of these features are available in Pro
So we have some nice goodies in there, but of particular interest: notice that we do not get the capabilities of Microsoft Defender ATP, which means no feedback on any of the things that you can configure Defender to “do” for you via Intune.
Currently the reporting that we have on the “status” of Defender clients is dismal… Gee whiz, wouldn’t it be nice to know when some Office program attempted to launch a child process? Sure, I can block this bad behavior with Attack surface reduction rules, but if this actually did happen somewhere, I’d also want to know about it. Switching these to audit mode just means the events will be written to the local Windows event log on the endpoint itself–nowhere does this information flow back to the cloud for Microsoft 365 Business customers. And that’s a shame.
Or even something as simple as knowing when a malware scan has actually found and quarantined malware. That’s great if Defender AV did its job, but I may want to chase down that user and investigate a little further to learn what happened, and to ensure nothing else is amiss with the device, the account, etc., because that one event might be attended by some other bad news we need to follow up on.
This should be one of the top requested features, in my opinion: we need visibility into these kinds of events. I want to know and not guess that my environment is healthy, and that nothing weird has been spotted in the wild by Defender.
NOTE: I am not asking for all of the advanced hunting capabilities that exist in MDATP–I just want a basic feedback loop. A simple dashboard, sure, but configurable email alerts would be huge, as many MSPs manage these smaller customers and need to generate tickets in their tracking system for follow-up with the client. That way, we can evaluate and take action against the potential threats in our environments. Call it MDATP lite if you want: it doesn’t have to be super fancy on day 1, but visibility is key for the SMB, who is still struggling to “get there.”
Okay, end of rant for today.
Screenshots from the current service description, at the time of this writing:
Comments (10)
Mdatp has just been released as a stand alone product :) good news for m365 business customers
Too bad it is not supported for use with Business (yet). Only compatible with Enterprise subscription at this time.
It’s compatible with business as well..
No, it is not. They do not officially support adding MDATP to the business subscription–if you have seen different please do show and tell.
Alex,
MDATP released as a standalone CSP product with prior requirements to purchase, the Enterprise requirement was removed.
you can purchase it for a M365 Business subscription.
Windows 10 Pro is supported for MDATP, it has always been so.
https://www.infusedinnovations.com/blog/secure-intelligent-workplace/microsoft-defender-atp-standalone-is-now-available?utm_source=reddit&utm_medium=organic&utm_campaign=blog&utm_term=mdatp-standalone
That is an interesting article but I don’t see it on MSFT’s site. Perhaps they just haven’t updated? I see that it does run on lower level versions of Pro, and know that this has been possible, but it is not the same as being licensed for all the features. For example, refer to this document. There are minimum OS requirements (Pro included) but the licensing requirements still show a SKU ending in a “5”–and if you go to this link, you will see that if you have lower level of OS you don’t actually get all of the features of MDATP. So yes, maybe we get MDATP, but do we actually get “E5” functionality in there? I think not??
I think because the SKU was just released at the beginning of March it has not been updated yet.
It doesn’t seem reasonable because the add-on was released to remove the E5 Security add-on requirement and the windows 10 E5 requirement as well.
We do have devices running Windows Pro with MDATP installed and it looks like all of the policy settings and features are applied via Intune and work correctly.
You can test it on an M365 tenant with one M365 E5 license since it’s a tenant level service.
Thank you for posting this Alex. This is the best overall description I’ve read of what Windows Business has compared to Windows Pro as well as Windows Defender on each. Regarding the reporting of Defender Exploit Guard, I’m going to create alerts in my RMM with Event IDs found at the following Microsoft sites:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-views
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
I also found this blog post to be interesting. I’m by no means even halfway decent with scripts but maybe this can be used or modified. What are your thoughts on this:
https://www.verboon.info/2019/05/retrieving-windows-defender-exploit-guard-windows-event-logs-with-powershell/
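The post’s complaint above is that audit-mode ASR events and AV detections only land in the endpoint’s local event log, and the comment above proposes raising RMM alerts from the Defender event IDs. The script below is an added example that ties those two together; it is not code from the post, the comment, or the linked blog. It queries the Microsoft-Windows-Windows Defender/Operational log for the event IDs Microsoft documents for ASR, Controlled folder access, Network protection and AV detections, and turns them into a per-device summary that an RMM script monitor can capture or that a scheduled task can email to a ticketing mailbox. The SMTP server and mailbox addresses are placeholders, and the script assumes it runs as an account that can read that log (an RMM agent normally runs as SYSTEM).

```powershell
# Added example, not from the post or its comments: surface Defender Exploit Guard
# and AV detection events from the local event log so they do not go unread.
# Event IDs below are the ones Microsoft documents for the
# "Microsoft-Windows-Windows Defender/Operational" log.

$DefenderEventMap = @{
    1116 = 'AV: malware or PUA detected'
    1117 = 'AV: action taken on detected item (e.g. quarantined)'
    1121 = 'ASR rule fired (block mode)'
    1122 = 'ASR rule fired (audit mode)'      # the audit events the post wants to see
    1123 = 'Controlled folder access: blocked'
    1124 = 'Controlled folder access: audit'
    1125 = 'Network protection: audit'
    1126 = 'Network protection: blocked'
}

function Get-DefenderFeedbackEvents {
    [CmdletBinding()]
    param(
        # Look-back window; 24 hours suits a daily scheduled task or RMM check.
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($DefenderEventMap.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The message text carries the rule GUID, path, process and user; collapse
        # whitespace and trim it so it fits a ticket summary line.
        $msg = if ($e.Message) { ($e.Message -replace '\s+', ' ').Trim() } else { '' }
        if ($msg.Length -gt 300) { $msg = $msg.Substring(0, 300) + '...' }
        [pscustomobject]@{
            Computer = $e.MachineName
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Category = $DefenderEventMap[[int]$e.Id]
            Detail   = $msg
        }
    }
}

function Format-DefenderFeedbackReport {
    param([object[]]$Events, [int]$Hours)
    # One count line per category, so an RMM can build an alert title from it.
    $summary = $Events | Group-Object Category | Sort-Object Count -Descending |
        ForEach-Object { '{0,3} x {1}' -f $_.Count, $_.Name }
    $table = $Events | Sort-Object Time |
        Format-Table Time, EventId, Detail -AutoSize | Out-String -Width 200
    return (@("Defender events on $env:COMPUTERNAME (last $Hours h):") + $summary + '' + $table) -join "`n"
}

# --- script body -------------------------------------------------------------
$Hours      = 24
$SmtpServer = $null                              # placeholder: e.g. 'smtp.example.invalid'
$From       = 'defender-alerts@example.invalid'  # placeholder mailbox
$To         = 'helpdesk@example.invalid'         # placeholder ticketing mailbox

$found = @(Get-DefenderFeedbackEvents -Hours $Hours)
if ($found.Count -eq 0) {
    Write-Output "OK: no Defender ASR/AV events in the last $Hours h on $env:COMPUTERNAME"
    exit 0
}

$report = Format-DefenderFeedbackReport -Events $found -Hours $Hours
if ($SmtpServer) {
    # Email path for MSPs whose ticketing system ingests mail.
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[Defender] $($found.Count) event(s) on $env:COMPUTERNAME" -Body $report
} else {
    # RMM path: print the report and exit non-zero so the script monitor flags the device.
    Write-Output $report
}
exit 1
```

Run it as a daily scheduled task or RMM script monitor: an exit code of 0 means nothing was logged, and a non-zero exit with the report on stdout means something fired and deserves a ticket. Audit-mode ASR hits (1122) are worth reviewing before switching a rule to block mode, and a 1116 followed by a 1117 is the "Defender quarantined something, go look at that user and device" signal the post asks for.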
Very nice. How about a follow up article on the difference between Office 365 ProPlus and Office 365 Business?
Hi Donal,
Use this link for the differences in Office versions
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-applications-service-description/office-applications-service-description