Reader Question: Differences between Windows 10 Pro and Windows 10 Business
Alex Fields
Hi Alex, I’m working on getting some of my clients over to M365 Business from O365 Business Premium. I’ve searched the web and I can’t seem to find a good explanation on the difference between Windows 10 Pro and Windows 10 Business. Is there a difference between Windows Defender in Windows Pro versus Windows Defender in Windows 10 Business? Especially if the new Edge is installed? Thank you for all you do for us IT Pros!! Greatly appreciated! –Rich
Good question, Rich.
In short, yes. There is a difference between Windows 10 Pro and the upgraded capabilities using Windows 10 Business. I have had trouble piecing this together myself, but here is what we know for sure based on the service description and other resources: we have access to certain Windows-specific and Defender-specific features that are powered by Intune / Microsoft Endpoint Manager such as:
- Autopilot (low-touch or no-touch deployments)
- Enterprise State Roaming (settings sync and roam to new devices)
- Windows Information Protection (including the ability to selectively wipe company information from devices remotely)
- Windows Update for Business which allows you to centrally control the pace and deferral of feature and quality updates
- Pushing out software applications including Office and the new Edge, as well as MSI and other software packages
- Enforcing Conditional Access against managed Windows 10 devices
- Windows Virtual Desktop (see my opinion piece on this here)
- Centrally manage and control Defender features (with Pro you can turn some of these settings on for each PC individually, but with this solution you can manage centrally via Intune):
  - Antivirus including Potentially Unwanted Applications (PUA) protection and more
  - Application Guard which will isolate untrusted websites in a virtual container when browsing with Edge
  - Exploit Guard, e.g. Attack surface reduction rules, Controlled folder access, and Network protection — NOTE: none of these features are available in Pro
So we have some nice goodies in there, but of particular interest: notice that we do not have the capabilities of Microsoft Defender ATP, and that means no feedback on any of the things that you can configure Defender to “do” for you via Intune.
Currently the reporting that we have on the “status” of Defender clients is dismal… Gee whiz, wouldn’t it be nice to know when some Office program attempted to launch a child process? Sure, I can block this bad behavior with Attack surface reduction rules, but if this actually did happen somewhere, I’d also want to know about it. Switching these to audit mode just means the events will be written to the local Windows event log on the endpoint itself–nowhere does this information flow back to the cloud for Microsoft 365 Business customers. And that’s a shame.
Or even something as simple as knowing when a malware scan has actually found and quarantined malware. That’s great if Defender AV did its job, but I may want to chase down that user and investigate a little further to learn what happened, and to ensure nothing else is amiss with the device, the account, etc., because that one event might be attended by some other bad news we need to follow up on.
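Since these events only land in the endpoint's local Microsoft-Windows-Windows Defender/Operational log, they have to be collected per device. The following is an added example, not part of the original post: a PowerShell function (hypothetical name `Get-DefenderLocalFinding`) that summarizes recent Attack surface reduction, Controlled folder access, Network protection and malware events from that log. The EventData field names it reads (`ID`, `Path`, `Process Name`, `Threat Name`) are assumptions to verify against the XML of events on your own devices.

```powershell
# Added example: summarize Defender events that never leave the local event log.
# Event IDs in the Microsoft-Windows-Windows Defender/Operational log.
$EventMeaning = @{
    1116 = 'Malware detected'
    1117 = 'Malware action taken'
    1121 = 'ASR rule fired (block mode)'
    1122 = 'ASR rule fired (audit mode)'
    1123 = 'Controlled folder access blocked'
    1124 = 'Controlled folder access audited'
    1125 = 'Network protection audited'
    1126 = 'Network protection blocked'
}
# ASR rule GUID for the case the post mentions; add other rules as needed.
$AsrRuleName = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
}

function Get-DefenderLocalFinding {   # hypothetical helper name
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]@($EventMeaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # "No events found" is a non-terminating error; treat it as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten <EventData><Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        }
        $ruleId = "$($data['ID'])".ToLower()          # assumed field: ASR rule GUID
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            EventId  = $e.Id
            Meaning  = $EventMeaning[$e.Id]
            AsrRule  = if ($AsrRuleName.ContainsKey($ruleId)) { $AsrRuleName[$ruleId] } else { $ruleId }
            Threat   = $data['Threat Name']           # assumed field on 1116/1117
            Process  = $data['Process Name']          # assumed field
            Path     = $data['Path']                  # assumed field
        }
    }
}

Get-DefenderLocalFinding -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint; an empty result means no matching events were logged in the window, not that Defender is unconfigured.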
This should be one of the top requested features, in my opinion: we need visibility into these kinds of events. I want to know and not guess that my environment is healthy, and that nothing weird has been spotted in the wild by Defender.
NOTE: I am not asking for all of the advanced hunting capabilities that exist in MDATP–I just want a basic feedback loop–a simple dashboard sure, but configurable email alerts would be huge as many MSPs manage these smaller customers and need to generate tickets in their tracking system for follow-up with the client. That way, we can evaluate and take action against the potential threats in our environments. Call it MDATP lite if you want: it doesn’t have to be super fancy on day 1, but visibility is key for the SMB, who is still struggling to “get there.”
Okay, end of rant for today.
Screenshots from the current service description, at the time of this writing: