Enterprise Data Protection
Windows 10's Enterprise Data Protection features, which are to be added to Windows 10 Enterprise at a later date, are designed to help prevent the accidental disclosure of sensitive information.
The system will use file containerisation techniques to keep personal and enterprise data separate - with "minimal" impact on the way employees work, according to Microsoft.
Additional safeguards will protect sensitive data when it is shared.
"It's encrypting data as it moves around your organisation. If you send an email to the wrong person, with the wrong file attached and it escapes your organisation, it's not going to be readable, it's going to be encrypted. But someone inside your organisation would have no problem reading it," Gartner's Kleynhans said.
Microsoft has also highlighted Windows 10's ability to wipe corporate data from devices while leaving personal data untouched, as well as to use audit reports for tracking issues and remedial actions. It will also work with a mobile device management (MDM) system to protect corporate data inside Office universal apps.
Device Guard
Device Guard allows devices to be restricted to running only trusted software - whether it's traditional desktop, Windows Store or in-house apps.
It also makes it "much less likely", according to Microsoft, that an attacker who seizes control of the Windows kernel will be able to run malicious code.
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service that enforces these checks from the Windows kernel itself, letting the service use signatures defined by enterprise-controlled policy to determine what is trustworthy.
"You can lock the operating system to that piece of hardware, and nothing else could ever boot on that piece of hardware," Gartner's Kleynhans said.
"You can make it so that it would be very hard, if not impossible, to wipe and reload a machine with something else."
Microsoft says this whitelisting approach will be effective in stopping malware from being run on machines, particularly software that alters its code to prevent detection by anti-virus software. Using technology embedded in the hardware and virtualization to sandbox the Code Integrity service will also help foil exploits that compromise Windows at the kernel level, and which can tamper with traditional virus and malware countermeasures.
Device Guard requires various hardware features and software settings: UEFI 2.3.1 or greater; virtualization extensions (Intel VT-x or AMD-V) with SLAT, which must be enabled; a 64-bit (x64) version of Windows; an IOMMU (Intel VT-d or AMD-Vi); TPM 2.0; and BIOS lockdown.
HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.
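The following PowerShell script is an added example, not code from the article or from Microsoft. It does two things a Device Guard rollout needs: it reports whether the prerequisites listed above (hypervisor support with SLAT, UEFI Secure Boot, an IOMMU for DMA protection, TPM 2.0) are present, using the Win32_DeviceGuard and Win32_Tpm WMI classes that Windows 10 exposes, and it builds a code integrity whitelist from a clean reference machine with the ConfigCI module, in audit mode, so that blocked-but-legitimate software shows up in the event log before enforcement is switched on. The policy paths and the choice of Publisher level with hash fallback are assumptions.

```powershell
# Added example (not from the article or from Microsoft). Run elevated on
# Windows 10 Enterprise; the ConfigCI cmdlets ship with that edition.

# --- 1. Prerequisite report ------------------------------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Codes in AvailableSecurityProperties, as documented by Microsoft:
# 1 = hypervisor support (VT-x/AMD-V + SLAT), 2 = Secure Boot, 3 = DMA protection (IOMMU)
$required = @{ 1 = 'Hypervisor + SLAT'; 2 = 'UEFI Secure Boot'; 3 = 'DMA protection (VT-d/AMD-Vi)' }
foreach ($code in ($required.Keys | Sort-Object)) {
    $state = if ($dg.AvailableSecurityProperties -contains $code) { 'present' } else { 'MISSING' }
    '{0,-32} {1}' -f $required[$code], $state
}

# TPM: SpecVersion reads like "2.0, 0, 1.16" on a TPM 2.0 part
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$tpmOk = $tpm -and $tpm.SpecVersion -like '2.0*'
'{0,-32} {1}' -f 'TPM 2.0', $(if ($tpmOk) { 'present' } else { 'MISSING' })

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
'{0,-32} {1}' -f 'VBS status', $dg.VirtualizationBasedSecurityStatus

# --- 2. Whitelist policy in audit mode --------------------------------------
$xml = 'C:\CIPolicy\DeviceGuardPolicy.xml'   # assumed working paths
$bin = 'C:\CIPolicy\DeviceGuardPolicy.bin'
New-Item -ItemType Directory -Force -Path (Split-Path $xml) | Out-Null

# Trust by signing publisher; unsigned binaries fall back to a file hash.
# -UserPEs includes user-mode executables, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $xml

# Rule option 3 = Enabled:Audit Mode. Violations are written to the
# Microsoft-Windows-CodeIntegrity/Operational log instead of being blocked,
# which is where the policy gets tuned before enforcement.
Set-RuleOption -FilePath $xml -Option 3

# Compile to the binary form Windows loads; deploying it means copying the
# .bin to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and rebooting.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryPilePath $bin
```

Removing rule option 3 (`Set-RuleOption -FilePath $xml -Option 3 -Delete`) and recompiling turns the same policy into an enforcing one; that switch is best made only after the audit log has been quiet for a representative period of normal use.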
Provisioning packages
Provisioning packages allow Windows 10 machines to be set up more simply than earlier versions of the OS.
IT admins can configure provisioning-package rules that determine the look of the OS, which apps and certificates should be installed, enrol devices with an MDM suite, set out user rights and more.
The same provisioning-package rules can be used to configure multiple machines and can be applied either to a Windows image or to a running Windows machine via SD card, USB drive or network share.
Packages are created using the Imaging and Configuration Designer, part of the new Windows 10 Assessment and Deployment Kit.
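As an added example (not from the article or from Microsoft), the script below applies a package produced by the Imaging and Configuration Designer along the two routes the text describes: to a mounted offline Windows image through DISM, or to the running machine through the Provisioning module that ships with Windows 10. The package and mount paths are assumptions.

```powershell
# Added example (not from the article). Run elevated on Windows 10.
param(
    [Parameter(Mandatory)] [string] $PackagePath,   # e.g. D:\Provisioning\Corp.ppkg (assumed)
    [string] $MountedImage                          # e.g. C:\Mount, set only for an offline image
)

if (-not (Test-Path -LiteralPath $PackagePath)) {
    throw "Provisioning package not found: $PackagePath"
}

if ($MountedImage) {
    # Offline route: the image was mounted beforehand with Mount-WindowsImage
    # (or DISM /Mount-Image); the package is baked in before the image is deployed.
    dism.exe /Image:$MountedImage /Add-ProvisioningPackage /PackagePath:$PackagePath
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
} else {
    # Online route: apply to this machine. -ForceInstall re-applies a package with the
    # same ID, -QuietInstall suppresses the consent prompt for unattended runs.
    Add-ProvisioningPackage -PackagePath $PackagePath -ForceInstall -QuietInstall

    # Confirm the package now appears among the installed ones
    Get-ProvisioningPackage -AllInstalledPackages
}
```

Because a package can enrol the device in MDM and install certificates, the source of the .ppkg file matters as much as the command that applies it: keep packages on a share with restricted write access rather than on removable media that anyone can edit.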
Microsoft Passport
Microsoft Passport provides a system for allowing users to log into Windows 10 using biometrics, such as a fingerprint or facial scan, or a PIN.
This same scan or PIN can then be used to log into Microsoft, Active Directory or Azure Active Directory accounts, as well as many non-Microsoft services that support Fast IDentity Online (FIDO) authentication - including Office 365 Exchange Online, Salesforce, Citrix, Box and Concur.
Microsoft says Passport provides both convenience, in that the user has to remember fewer credentials, and security, because no passwords are used.
Credential Guard
Credential Guard will offer additional security for login details by storing derived credentials (NTLM hashes and Kerberos tickets) and the process that manages them in a secured, isolated container that uses Hyper-V and virtualization-based security.
It will require UEFI 2.3.1 or greater; virtualization extensions (Intel VT-x or AMD-V) with SLAT, which must be enabled; a 64-bit (x64) version of Windows; an IOMMU (Intel VT-d or AMD-Vi); TPM 2.0; and BIOS lockdown.
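The script below is an added example, not code from the article or from Microsoft. It turns Credential Guard on through the documented DeviceGuard and Lsa registry values (the same settings that Group Policy writes), requiring Secure Boot plus DMA protection to match the IOMMU requirement above, and then confirms after the reboot that the isolated LSA service is actually running by reading Win32_DeviceGuard. The function name Test-CredentialGuardRunning is this example's own.

```powershell
# Added example (not from the article). Run elevated on Windows 10 Enterprise.

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Enable virtualization-based security. RequirePlatformSecurityFeatures:
# 1 = Secure Boot only, 3 = Secure Boot and DMA protection (needs the IOMMU).
New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures `
    -Value 3 -PropertyType DWord -Force | Out-Null

# LsaCfgFlags: 1 = Credential Guard with UEFI lock (cannot be switched off by a remote
# registry or policy change alone), 2 = enabled without the UEFI lock.
New-ItemProperty -Path $lsaKey -Name LsaCfgFlags `
    -Value 1 -PropertyType DWord -Force | Out-Null

Write-Output 'Credential Guard configured; a reboot is required before it starts.'

# Verification for after the reboot. SecurityServicesRunning lists 1 when
# Credential Guard is active (2 would be hypervisor-enforced code integrity).
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

if (Test-CredentialGuardRunning) {
    Write-Output 'Credential Guard is running: LSA secrets are held in the isolated container.'
} else {
    Write-Output 'Credential Guard is not running yet (reboot pending or a prerequisite is missing).'
}
```

The UEFI-lock setting is the one to prefer on managed hardware: with LsaCfgFlags = 1 the configuration is persisted in a UEFI variable, so an attacker with administrative rights cannot simply clear the registry value to bring the credential material back into a reachable process.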