Key features of Windows 11 Enterprise

The Enterprise edition of any Windows version is aimed directly and more or less exclusively at businesses and other organizations of some scale, often with thousands or tens of thousands of PCs. It isn’t normally available for retail purchase (though you can find some retailers online willing to sell single-copy licenses). Normally, Windows 11 Enterprise must be acquired through some kind of licensing agreement with Microsoft or one of its partners, such as through the company’s Windows 11 Enterprise website.

What does Windows 11 Enterprise offer businesses?

In general, Windows 11 Enterprise offers additional or enhanced features designed specifically for business use. These items fall into three broad categories:

  • Security
  • Productivity
  • Management

Let’s examine each category in turn to understand their differences from the Windows Home and Pro editions that are aimed primarily at consumers, individual professionals, and small businesses.

Windows 11 Enterprise security features and functions

Microsoft identity protection and authentication technology has changed dramatically in Windows 11. It relies on Windows Hello for biometric authentication — mostly via Hello-compatible fingerprint readers and webcams for facial recognition. (Hello-capable devices with supporting drivers are required.)

It also supports SmartCards and various other forms of two-factor authentication (usually abbreviated 2FA). In addition, the company offers a Microsoft Authenticator app to handle logins to a variety of services (such as Visual Studio subscriptions, the Microsoft Volume Licensing Center, Microsoft Live Login, and more) as a means of smartphone-based authentication.

Organizations that deploy Windows 11 Enterprise should also find the company’s Windows Hello for Business (WHFB) compelling. It enforces use of 2FA instead of account/password logins on covered devices, and thus helps to increase overall security by bypassing passwords and integrating tightly with Active Directory or Entra logins. Indeed, WHFB also works with third-party identity providers or relying third-party services that support the public key cryptography-based FIDO Authentication standard. (FIDO = “Fast ID Online”; find more info at the FIDO Alliance website.)

To configure WFHB, organizations use GPOs (Group Policy Objects) or MDM (Mobile Device Management) policies that rely entirely on certificate-based authentication. Thus, WFHB adds secure, passwordless sign-in to Windows, Azure, and other services to Windows Hello’s already-strong biometrics and 2FA support. Essentially, it brings a modern SSO (single sign-on) capability to Windows 11 Enterprise.

Hardware and virtualization-based security

Windows 11 Enterprise also supports a technology called Windows Defender Credential Guard, which is designed to isolate credential information so that only privileged system software can access such data. When Credential Guard is active (for versions 22H2 and newer, it’s enabled by default), Windows credentials are stored in a special facility called the Credential Manager, which keeps such data in special secure folders called vaults under the control of the Trusted Platform Module (TPM). Windows and applications (including web browsers) can pass credentials from the vault to other computers and websites safely and securely.

One important aspect of Credential Guard in Windows 11 Enterprise used to be called Device Guard; now it’s more likely to be called code integrity or memory integrity. It combines security features for both hardware and software to lock devices down so they will only run trusted applications. If an app or application isn’t trusted, it can’t run. Even if a protected device becomes compromised, an attacker won’t be able to run anything except authorized software on that device. This technology uses virtualization-based security in Windows 11 Enterprise to isolate the Code Integrity service from the OS kernel, where the service uses signatures defined in an enterprise policy to determine what is trustworthy. Thus, this service runs alongside the Windows kernel in a hypervisor-protected container.

Windows 11 Enterprise also supports a special trusted boot service that uses the Secure Boot facility along with UEFI version 2.3.1 (or newer versions). In this kind of environment, the firmware setup is locked to prevent other OSes from booting, to prevent unauthorized changes to UEFI settings, and to block alternate boot devices (such as USB flash drives, which might otherwise be able to override the designated boot disk). This prevents rootkits and other boot-related malware from finding a foothold on protected systems. Of course, authorized admins can override these settings by supplying a special password at boot time to apply UEFI updates, make configuration changes, or perform other routine maintenance (e.g firmware updates or changes).

Data Loss Protection (DLP), encryption, and more

For separation and containment of organizational data, Windows 11 Enterprise includes a facility called Windows Information Protection (WIP). When enabled, WIP prevents accidental or malicious data disclosure via apps or services (e.g., email, social media, or cloud-based code). WIP stymies data leakage, especially on employee-owned devices such as tablets or smartphones (BYOD use cases).

WIP protection comes from policies defined for enterprise data sources and data-handling applications. Thus, it remains transparent to users. However, Microsoft has announced a “sunset” for WIP in future Windows Enterprise versions as of July 2022, though it remains present in versions up to and including 23H2.

The technologies that are replacing WIP are named Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention. These tools help organizations discover, classify, and safeguard sensitive data when it is accessed or shared. They offer sensitive data detection, labeling for sensitivity, and policy-based protection against data loss or leakage. These tools are integrated with Microsoft 365 Cloud Services, apps, and endpoint devices running Windows and Edge, with centralized DSP controls that include Chrome and macOS endpoints, cloud apps, and more.

With the introduction of version 22H2, Windows 11 gained Personal Data Encryption (PDE). Working alongside other Microsoft encryption methods such as BitLocker, PDE brings added data encryption to Windows 11. In fact, PDE can encrypt individual files and content items rather than whole volumes and disks. It uses Windows Hello for Business to link encryption keys to user credentials so that users need only one set of credentials to encrypt or decrypt PDE files or items (BitLocker requires two sets).

In addition, the Windows Device Health Attestation cloud service helps organizations protect data and intellectual property by enforcing, controlling, and reporting the health of Windows 11-based devices. It also works with Microsoft Endpoint Manager and other compatible MDM services to deliver what’s called “conditional access services.” These check on the health and status of devices attempting to access organizational networks. Based on the results of those checks, this service can prevent untrustworthy or unrecognized devices from obtaining access to organizational resources and networks.

Readers should also take note that the Windows Enterprise E5 subscription plan includes everything in the E3 plan, but also brings Microsoft Defender for Endpoint into the mix. This platform delivers AI-based endpoint security to Windows, macOS, Linux, Android, iOS, and IoT devices. It’s designed to stop ransomware and other cyberattacks dead, and to enable security teams to make the most of cloud- and device-based applications, apps, and services. Thus, it also includes global threat intelligence and attack surface monitoring, and it uses threat prevention practices to keep endpoints safe and secure. AI also helps Defender deliver automated detection and response at machine speeds to foil intruders and attacks.

Windows 11 Enterprise productivity features and functions

The Windows 11 user interface provides a start menu layout with integrated search, along with taskbar and notification areas. Users familiar with Windows 10 (or earlier versions of Windows) can jump right in and start getting things done on Windows 11. It’s been designed to make the user experience both friendly and familiar and includes a slew of productivity-boosting features such as Focus sessions, voice typing, Snap Layouts, and more. See “8 ways to be more productive in Windows 11” for details.

In Windows 11 Enterprise and other versions, Microsoft has amped up its Edge browser with AI-driven Copilot (formerly called Bing Chat), plus all kinds of extensions and controls to provide an enhanced web experience for users. A legacy Internet Explorer mode remains available for access to older-style IE-based web applications (IE 11). Organizations should also consider deploying Microsoft Edge for Business into their Windows Enterprise images; it provides a tailored and secure web browser across all user devices (managed and unmanaged) with clearly separated work and personal browsing content, controls, and domains.

Microsoft and third-party widgets provide ready access to handy always-on desktop tools and monitoring capabilities. (Click the “weather” icon on the taskbar to open the widget panel.) The figure below shows desktop widgets for Memory, CPU, GPU, and Network (à la the Performance tab in Task Manager) available via Microsoft’s the Dev Home (Preview) app.

dev home app widgets Ed Tittel / IDG

From the Dev Home app in Windows 11, users can pin various system monitoring widgets for easy access. (Click image to enlarge it.)

Windows 11 Enterprise management features and functions

Management is an arena in which Windows 11 Enterprise particularly shines. It provides support for dynamic provisioning and in-place upgrades. The former enables creation of provisioning packages that may be installed using removable media such as flash drives or SD cards, delivered as email attachments, or downloaded from network drives or through Windows Update for Business. The latter is a sure-fire method for Windows repair and recovery — see Step 3 in our Windows repair guide for more info and details.

With a simple set of written instructions, users can deploy provisioning packages themselves to provision and configure their own devices. A single provisioning package can be used to configure multiple devices, including employee-owned devices, even when an MDM infrastructure may not be present or network connectivity available. In-place upgrade also makes it simple and straightforward to upgrade from Windows 10 to 11 while preserving data and settings and updating all compatible applications and drivers. (A pre-upgrade installation advisor warns users about incompatibilities in advance.)

Windows 11 Enterprise even lets organizations manage the code base for Windows directly and explicitly. Most corporations and organizations elect to receive updates for some specific Windows Enterprise build (e.g., version 23H2, released in October 2023, or version 22H2, released in September2022). Whereas consumer versions of Windows 11 (Home and Pro) have two-year lifecycles, Enterprise versions go for 36 months (3 years).

This gives IT departments time to evaluate and validate updates before they’re applied. It also lets them control how and when updates propagate into production networks (usually on some kind of regular maintenance schedule). The Windows Update for Business service provides an update distribution and tracking mechanism that businesses and organizations can use internally to manage security updates in-house, or to handle the entire Windows Update regime, all under their full control and timing.

Using Windows 11 Enterprise

Windows 11 Enterprise is often used in concert with a variety of other tools and technologies. While third-party alternatives for any and all of them do exist, specific relevant Microsoft technologies designed to help with imaging, management, deployment, and maintenance of Windows 11 Enterprise include the following:

  • Microsoft Intune (called Microsoft Endpoint Manager from 2019 to 2022) covers a suite of Microsoft management products under a single account umbrella and login. It encompasses user-, device-, and app-management tools and integrates with Configuration Manager, Endpoint Analytics, Windows Autopilot, Windows Autopatch, and other Microsoft services. All may be accessed and controlled through the Intune admin center. This toolset may be used to deploy and manage Windows 11 Enterprise images, applications, updates, and upgrades, along with Android- and iOS-based mobile devices, and even Macs.
  • The Windows Assessment and Deployment Kit (ADK) provides tools to customize and deploy Windows 11 images.
  • Windows Update for Business provides a way to use Group Policy Objects so that an organization’s administrators can exercise complete control over how Windows 11-based devices get updated. This includes support for deployment and validation groups, means to specify update waves and membership, and peer-to-peer delivery for controlled propagation within branch offices and at remote sites.
  • Active Directory (AD) and Entra ID (formerly Azure Active Directory) offer built-in or cloud-based directory services, including rich, complex group policy controls to manage OS and application deployments, updates, access, and use. All of the policy-based controls mentioned earlier in this article may be handled through one or the other of these mechanisms.

Overall, Microsoft offers a rich supporting infrastructure to support deployment, management, and use of Windows 11 Enterprise in a controlled and secure setting. Further investigation of Windows 11 Enterprise, especially on the security and management fronts, shows it to be extremely well-suited for business use.

Copyright © 2024 IDG Communications, Inc.

#Key #features #Windows #Enterprise