When it comes to Windows 10, there is a great number of new features and functionalities, new tools, new terminology, and new opportunities to advance the business world in security and in enabling a mobile workforce. Plus, that number does not include any of the things from the days of old and new things on the Windows 10 roadmap. It can be dizzying to remember it all. With a new generation of IT professionals coming to market, I felt that it would be beneficial to have a single ‘glossary’ to reference.
The list below is a compilation of anything related to Windows 10 and systems management that I have either known myself, or have discovered along the way. I hope that the list, the brief descriptions, and resource links will prove to be helpful to both the IT professional and any business exploring Windows 10. Although it is not yet complete, it is a good starting point.
Are you an IT professional looking to learn more about Windows 10? The following links can be useful.
- Windows 10 for IT Pros
- Windows 10 IT Pro Essentials: Top 10 Tools
- What’s New in Windows 10
- Windows Blog
- Change Log of Windows
Last Update 10/9/2018
Version 1.4
- Action Center
- The action center is where to find app notifications, as well as quick actions, which give quick access to commonly used settings and apps.
- More info: https://blogs.msdn.microsoft.com/tiles_and_toasts/2015/07/08/toast-notification-and-action-center-overview-for-windows-10/
- See also: Toast Notifications
- Advanced Group Policy Management (AGPM)
- Part of the MDOP tool suite for customers with a Software Assurance agreement with Microsoft
- Client/server application. The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server’s file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive. Understanding the parts of AGPM and related items, how they store GPOs in the file system, and how permissions control the actions available to each user role can improve Group Policy administrators’ effectiveness with AGPM.
- More info: https://technet.microsoft.com/en-us/itpro/mdop/agpm/technical-overview-of-agpm
- Application Compatibility Toolkit
- Helps to assess the compatibility of applications, devices, and computers in an organization with newer versions of Windows.
- Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
- More info: https://technet.microsoft.com/en-us/library/mt243973.aspx
- See also: Windows 10 compatibility
- AppLocker
- Feature of Windows 10 Enterprise that controls which applications and files are allowed to execute, which is often referred to as “white-listing”
- More info: Manage Windows 10 Mobile devices by using the new AppLocker CSP
- More info: https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview
- See also: CSP, W10 Enterprise edition
- Application Virtualization (App-V)
- Part of the MDOP tool suite for customers with a Software Assurance agreement with Microsoft
- Microsoft Application Virtualization (App-V) 5.1 enables administrators to deploy, update, and support applications as services in real time, on an as-needed basis. Individual applications are transformed from locally installed products into centrally managed services and are available wherever you need, without the need to preconfigure computers or to change operating system settings.
- More info: https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/getting-started-with-app-v-51
- Assigned Access (aka “kiosk mode”)
- Use assigned access to set up single-function devices, such as restaurant menus or displays at trade shows. If an account is configured for assigned access, a Windows app of your choosing runs above the lockscreen for the selected user account. Users of that account cannot access any other functionality on the device.
- From: https://msdn.microsoft.com/en-us/library/windows/hardware/mt620040.aspx
- Automated Deployment Toolkit (ADK)
- Tools for deploying Windows. Prerequisite software for ConfigMgr and/or MDT 2013 Update 2.
- Contains additional software for USMT and WICD.
- More info: https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx#adkwin10
- Azure AD Join
- Part of Azure AD Premium, which is in Microsoft’s Enterprise Mobility Suite (EMS)
- Allows connection of Windows 10 to the corporate domain without actually having to be on the corporate network
- Replaces the “Workplace Join” that existed in Win8.x
- More info: http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx
- BitLocker Disk Encryption
- Full disk encryption that is available in the Enterprise editions of Vista and Win7, and the Professional/Enterprise editions of Win8.x and Win10.
- More info: https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview
- See also: Protecting Your Data with Windows 10 BitLocker on IT Showcase
- See also: Device Encryption, TPM
- See also: Set up MDT for BitLocker
- See also: Protecting your data with Windows 10 BitLocker
- BranchCache
- BranchCache is a feature of Windows that allows peer-to-peer network sharing of business related data.
- For Windows 10, BranchCache functionality for BITS, HTTP, and SMB is only available to the Enterprise and Education editions. However, support for BITS is available to Windows 10 Professional edition.
- More info: BranchCache in Windows Server 2016 (currently in tech preview)
- See also: BranchCache experts at 2Pint Software
- Compact OS
- Windows 10 includes tools to help you use less drive space. You can now compress the files for the entire operating system, including your preloaded desktop applications.
- Compact OS lets you run the operating system from compressed files (similar to WIMBoot in Windows 8.1 Update 1), and single-instancing helps you run your pre-loaded Windows desktop applications in compressed files.
- From https://msdn.microsoft.com/en-us/library/windows/hardware/dn940129.aspx
- Companion Devices
- Part of the Windows Hello framework; unlocks Windows 10 through multifactor authentication using a companion device.
- More info: https://msdn.microsoft.com/en-us/windows/uwp/security/companion-device-unlock
- Company Portal
- The Company Portal is a Universal application for Windows 8.x and newer that allows users to view and install software from System Center ConfigMgr.
- This contrasts with the Company Portal application for mobile devices (not just Windows) that are managed by Microsoft Intune. However, with Windows 10 and the CSP, we do have the option to manage Windows as a device.
- More info: https://www.microsoft.com/en-us/download/details.aspx?id=40795
- See also: Universal Apps, CSP
- Configuration Service Provider (CSP)
- Win10 supports CSP version 2
- Uses a WMI “bridge”
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025.aspx
- See also: OMA-DM
- Connected Standby
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/dn481238.aspx
- See also: Device Encryption
- Continuum
- Use your phone just like a PC!! Windows 10 Mobile (or Mobile Enterprise) allows you to run and use your phone or tablet like a full computer.
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/dn917883.aspx
- More info: http://www.microsoft.com/en-us/windows/Continuum
- Cortana
- Personal assistant in Win10 to help “get things done”
- More info: https://support.microsoft.com/en-us/help/17214/windows-10-what-is
- More info: https://privacy.microsoft.com/en-US/windows-10-cortana-and-privacy
- More info: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-cortana
- Cortana Analytics
- Integration with Power BI to deliver big data
- More info: https://powerbi.microsoft.com/en-us/blog/announcing-power-bi-integration-with-cortana-and-new-ways-to-quickly-find-insights-in-your-data/
- Credential Guard
- Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them
- Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket
- Can’t be accessed by debug tools
- Isolation occurs with Win10 Enterprise + TPM 2.0 + UEFI 2.3.1 + supported processor virtualization extensions (Intel VT-x or AMD-V)
- More info: https://technet.microsoft.com/en-us/library/mt483740.aspx
- Credential Locker
- Credential Locker is a service that creates and maintains a secure storage area on the local computer that stores user names and passwords the user saved from websites and Windows universal apps. Credential Locker is accessed through Credential Manager in Control Panel as part of the local User Account management feature.
- More info: https://technet.microsoft.com/en-us/library/jj554668.aspx
- Data Execution Prevention (DEP)
- Started in WinXP
- DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.
- From http://windows.microsoft.com/en-US/windows-vista/What-is-Data-Execution-Prevention
- Data Loss Prevention (DLP)
- Provide file-level data protection (encryption), separation of personal and business data, and app control (i.e. defining which apps have access to business data and VPN).
- From http://blogs.technet.com/b/in_the_cloud/archive/2015/05/04/ignite-keynote-demo-recap-enhanced-data-protection-with-windows-10.aspx
- Device Encryption
- Device encryption enforcement (in Azure AD Premium)
- Encrypt and recover your device with Azure Active Directory. In addition to using a Microsoft Account, automatic Device Encryption can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
- Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines the way this is accomplished
- More info: https://technet.microsoft.com/library/dn306081.aspx#BKMK_Encryption
- See also: BitLocker, TPM
- Device Guard
- Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies.
- More info: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
- Device Health Attestation Service
- More info: https://technet.microsoft.com/en-us/library/mt592023.aspx
- More info: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
- White paper that details an end-to-end solution helping to protect high-value assets by enforcing, controlling, and reporting the health of devices running Windows 10: https://www.microsoft.com/en-us/download/details.aspx?id=49121
- Diagnostic and Recovery Toolset (DaRT)
- Part of the MDOP tool suite for customers with a Software Assurance agreement with Microsoft
- DaRT helps troubleshoot and repair Windows-based computers. This includes those computers that cannot be started. DaRT is a powerful set of tools that extend the Windows Recovery Environment (WinRE).
- By using DaRT, you can analyze an issue to determine its cause, for example, by inspecting the computer’s event log or system registry. DaRT supports the recovery of basic hard disks that contain partitions, for example, primary partitions and logical drives, and supports the recovery of volumes.
- More info: https://technet.microsoft.com/en-us/itpro/mdop/dart-v10/overview-of-the-tools-in-dart-10
- More info: Creating the DaRT 10 Recovery Image
- DirectAccess
- DirectAccess is like an always-on, always-connected VPN solution. Although it’s a role of Windows Server, it will allow Windows 10 Enterprise (including LTSB) systems to automatically connect and authenticate to the on-premises domain.
- More info: https://technet.microsoft.com/en-us/library/dn636118.aspx
- Example step-by-step setup of DirectAccess: http://blogs.technet.com/b/canitpro/archive/2014/01/06/step-by-step-enabling-directaccess-in-windows-server-2012.aspx
- Dynamic Provisioning
- A new concept and deployment scenario for Windows 10 devices. The idea is that rather than having to “reimage” a computer with a deployment tool (like SCCM or MDT) in order to achieve a specific configuration of the device, we can now approach it as just an in-place conversion of Windows 10.
- More info: https://technet.microsoft.com/en-us/library/mt282208.aspx#dynamic_provisioning
- Dynamic Updates
- During an unattended setup of Win10, Dynamic Updates search for new Windows Setup files, including drivers and other files, to be used to install the Windows operating system.
- More info: Using Dynamic Updates in a Managed Environment
- Edge (Internet browser)
- Microsoft Edge is a modern browser experience for Windows 10, offering organizations modern web standards (HTML 5), better performance, improved security, and increased reliability.
- More info: https://technet.microsoft.com/en-us/itpro/microsoft-edge
- More info: http://www.microsoft.com/en-us/windows/microsoft-edge
- Feature Roadmap: https://dev.windows.com/en-us/microsoft-edge/platform/status/
- See also: Enterprise Mode and Enterprise Site Discovery Toolkit (for IE11)
- See also: Site compatibility scanner tool
- Editions
- Windows is provided with varying levels of ‘editions’ that deliver different sets of features and functionalities. For Windows 10 specifically in the business, either the Professional or Enterprise edition is desired. Or the Education edition, if in that industry sector.
- More info: Compare Windows 10 Editions
- More info: https://technet.microsoft.com/en-us/library/mt605190.aspx
- Elliptic curve cryptography (ECC)
- ECC is an alternative to NIST algorithms and is considered to be stronger than RSA
- Windows 10 will allow for a business to “bring your own cryptography”
- More info: http://research.microsoft.com/en-us/projects/ecc/
- Enhanced Mitigation Experience Tools (EMET)
- EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software.
- EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques.
- More info: https://technet.microsoft.com/en-us/security/jj653751
- Enterprise Mode and Site Discovery (for IE 11)
- Web app compatibility can be a significant cost to upgrading browsers because web apps need to be tested and upgraded before adopting a new browser.
- Improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE.
- In particular, IE11 benefits from modern web standards, increased performance, improved security, and better reliability.
- More info: https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
- Enterprise State Roaming
- With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device.
- More info: https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview
- Entitlement
- Digital entitlement is the act of automatically registering a device for a Windows 10 license
- Explanation: http://www.thewindowsclub.com/digital-entitlement-activation-methods-windows-10
- More info: http://windows.microsoft.com/en-us/windows-10/activation-in-windows-10
- Fast Startup
- Fast startup mode is available to start a computer in less time than is typically required for a traditional, cold startup. A fast startup is a hybrid combination of a cold startup and a wake-from-hibernation startup. Frequently, kernel-mode device drivers need to distinguish fast startups from wake-from-hibernation so that their devices behave as users expect.
- From: https://msdn.microsoft.com/en-us/library/windows/hardware/jj835779.aspx
- Granular user experience customizations
- Capability of Windows 10 editions Enterprise, Education, and Pro (beginning in Win10 1703)
- Advanced granular UX control empowers IT, using device management policies, to customize and lock down the Windows device user experience for task-workers, kiosks, and IoT functions, so only a specific task can be performed.
- More info: Desktop Customizations
- More info: Enterprise Desktop Customizations
- Group policy templates for Windows 10
- Download (8/5/16): https://www.microsoft.com/en-us/download/details.aspx?id=53430
- GPO Settings Reference (10/18/16): https://www.microsoft.com/en-us/download/details.aspx?id=25250
- See also: GPOs that only apply to Win10 Enterprise and Education
- HoloLens
- High-definition holographic computer, built to run on Windows 10
- Learn more: https://www.microsoft.com/microsoft-hololens/en-us
- Kiosk mode
- See: Assigned Access
- KMS / MAK licensing
- KMS and MAK are methods for organizations with a Microsoft volume licensing agreement to license their computers
- KMS – Key Management Server
- MAK – Multiple Activation Key
- More info: https://www.microsoft.com/en-us/Licensing/existing-customer/FAQ-product-activation.aspx
- Local Administrator Password Solution (LAPS)
- Provides a centralized storage of secrets/passwords in Active Directory (AD) – without additional computers.
- Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
- More info: https://technet.microsoft.com/en-us/mt227395.aspx
- LayoutModification XML
- Customizes the Start menu layout; settings can be applied through
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/mt171092.aspx#layoutmodification_xml
- See also: Runtime Provisioning Package, WICD
- Lockdown XML
- Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
- For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
- From: https://technet.microsoft.com/en-us/itpro/windows/manage/lockdown-xml
- Microsoft BitLocker Administration & Monitoring (MBAM)
- Part of the MDOP tool suite for customers with a Software Assurance agreement with Microsoft
- Microsoft BitLocker Administration and Monitoring (MBAM) provides enterprise management capabilities for BitLocker and BitLocker To Go.
- MBAM simplifies deployment and key recovery, provides centralized compliance monitoring and reporting, and minimizes the costs associated with provisioning and supporting encrypted drives
- More info: https://technet.microsoft.com/itpro/mdop/mbam-v25/about-mbam-25
- Microsoft Desktop Optimization Pack (MDOP)
- Set of additional tools to enhance the Windows desktop computing experience.
- Includes technologies listed in the glossary, such as App-V, UE-V, and DaRT
- Available to customers with a Microsoft Enterprise Agreement (EA) + Software Assurance (SA)
- More info: https://technet.microsoft.com/en-us/windows/mdop.aspx
- Microsoft Deployment Toolkit (MDT)
- Free Windows deployment tool from Microsoft. Also integrates with ConfigMgr for additional features.
- Download MDT 2013 Update 2: https://www.microsoft.com/en-us/download/details.aspx?id=50407
- Microsoft Passport
- Replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN
- Provisioning occurs post OOBE
- The TPM can store a “container” of various credentials
- Supports Azure AD, on-premises AD, and hybrid scenarios
- More info: https://technet.microsoft.com/en-us/library/dn985839.aspx
- Passport for Work (feature of Microsoft Intune): https://technet.microsoft.com/en-us/library/mt445510.aspx
- Microsoft Secure Boot
- Requires UEFI
- Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.
- When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.
- From: https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview
- Mobile Device Management (MDM)
- Windows 10 allows a simpler approach to device management that lets businesses take advantage of cloud-based MDM solutions (such as Microsoft Intune of the Enterprise Mobility Suite) to manage all your devices with a single console.
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/dn914769.aspx
- MSIX
- MSIX is the Windows app package format that provides a modern packaging experience to all Windows apps. The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and WinForm apps.
- More info: https://docs.microsoft.com/en-us/windows/msix/overview
- Open Mobile Alliance and Device Management (OMA-DM)
- Technology uses messages to configure CSPs
- The “WMI bridge” enables technologies such as ConfigMgr and Intune to set the CSPs
- ConfigMgr can do some of these CSPs today
- Project Siena
- Helps a business to quickly build the type of mobile application that they need
- More info: https://www.microsoft.com/en-us/projectsiena/default.aspx
- Provisioning Package
- Quick Assist
- Microsoft Quick Assist is an app in Windows 10 that enables two people to share a computer over a remote connection so that one person can help solve problems on the other person’s computer. Here’s how it works: The person who needs help requests assistance from a helper (either a friend or Microsoft Support). Both start Quick Assist and the helper sends a security code to the person who needs help. The person who needs help enters the code and gives permission to the helper who is then able to take control of that person’s computer and provide assistance over the remote connection.
- From: What is Quick Assist?
- More info: Quick Assist FAQ
- Raspberry Pi
- The Raspberry Pi is a tiny and affordable computer that you can use to learn programming through fun, practical projects.
- Runs Windows 10 IoT
- More info: https://www.raspberrypi.org/
- Recovery image
- Built-in capability of Windows to be able to reinstall Windows without needing media.
- More info for IT: Capture and Apply Windows, System, and Recovery Partitions
- Recovery boot menu
- In prior versions of Windows (such as Win7), pressing the F8 key during Windows startup would give the ‘safe mode’ startup menu. Now, it is accessed by holding the Shift key while restarting Windows at the login screen.
- Remote wipe
- Rings
- Secure desktop
- UAC background process that is isolated and protected
- Security auditing
- Security auditing is one of the most powerful tools that can be used to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
- More info: https://technet.microsoft.com/en-us/library/mt431897.aspx
- See also: Windows 10 Security Auditing and Monitoring Reference
- Security policy settings
- Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO).
- More info: https://technet.microsoft.com/en-us/library/mt634226.aspx
- Servicing Branches
- More info: http://windowsitpro.com/windows-10/update-servicing-branches-available-each-windows-10-edition
- More info: Windows 10 current supported versions
- More info: Windows 10 Servicing Options
- More info: Navigating the Windows 10 Servicing Options
- More info: Windows 10 servicing options for updates and upgrades
- Servicing Branch: Current Branch
- Full set of apps such as the Windows Store, Edge browser, and Cortana
- Security and feature updates delivered in real time
- Servicing Branch: Current Branch for Business (CBB)
- Full set of apps such as the Windows Store, Edge browser, and Cortana
- Security updates delivered in real time
- Feature updates delivered after they have been tested by consumers/insiders
- Some number of months after the release of a new feature upgrade, security updates will be dependent on that new feature upgrade.
- Servicing Branch: Long Term Servicing Branch (LTSB)
- LTSB will get security, bug, and reliability fixes, but no DCRs or other changes in functionality or features
- It’s likely going to be 18-24 months between LTSB releases
- Ideal for situations that need a stable and consistent operating system, like in manufacturing with equipment running Windows 10 Internet of Things
- More info: https://technet.microsoft.com/itpro/windows/plan/windows-10-servicing-options#long-term-servicing-branch
- Software Assurance
- Includes a core set of benefits to help improve workforce productivity, streamline software deployment, and reduce costs in a variety of ways across devices.
- Provides the greatest flexibility for how your organization uses the Windows operating system because it includes access to enterprise offerings and use rights that are not available through other licensing programs.
- More info: https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-by-product.aspx#tab=2
- System Center Configuration Manager (ConfigMgr)
- ConfigMgr is the best-of-class, enterprise-grade systems management platform
- Features include things like software distribution, inventory, security update management, OS deployment
- Support for Windows 10 is included with ConfigMgr 2012 SP2, ConfigMgr 2012 R2 SP1, and ConfigMgr “2016” (such as version 1511)
- More info: https://www.microsoft.com/en-us/server-cloud/products/system-center-configuration-manager/
- See also: ConfigMgr Support for Windows 10
- See also: Technical Documentation for SCCM (current branch)
- See also: Manage Office 365 ProPlus with Configuration Manager
- Trial download: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection?i=1
- Surface Hub
- Surface Pro / Surface Book
- Toast Notifications
- These are the “balloon” or pop-up messages that are temporarily displayed above the taskbar. One way to help remember this is that they pop-up like bread out of a toaster. Make sense??
- If the user happens to be looking away, or even at another monitor, they may never see these notifications. In Windows 10, these toast notifications are archived in the Action Center.
- More info: https://blogs.msdn.microsoft.com/tiles_and_toasts/2015/07/08/toast-notification-and-action-center-overview-for-windows-10/
- See also: Action Center
- Telemetry
- Telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services
- More info: https://technet.microsoft.com/library/mt577208.aspx
- See also: https://technet.microsoft.com/itpro/windows/manage/disconnect-your-organization-from-microsoft
- See also: http://windows.microsoft.com/en-US/windows-10/windows-privacy-faq
- Trusted Boot
- Trusted Boot is a Windows feature that secures the entire Windows boot process. It prevents malware from hiding and taking up permanent residence within the PC by ensuring none of the Windows components loaded during boot have been tampered with.
- Ensures that anti-malware software is loaded before any third-party drivers and applications using its Early Launch Anti-Malware (ELAM) capability. This prevents malware from inserting itself in front of the anti-malware engine so that it can compromise the anti-malware engine’s ability to protect the system. In the event that malware was able to successfully compromise any of the Windows boot process, Trusted Boot will attempt to automatically remediate the issue.
- More info: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-countermeasures#protection-during-startup
- Trusted Platform Module (TPM)
- Technology designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations.
- More info: https://technet.microsoft.com/en-us/library/mt431893.aspx
- Schema extension for AD (if doing BitLocker recovery key escrow to AD): https://technet.microsoft.com/en-us/library/mt431885.aspx
- See also: BitLocker
- Two-factor authentication
- Unified Extensible Firmware Interface (UEFI)
- When the device starts, the firmware interface controls the booting process of the PC, and then passes control to Windows or another operating system.
- UEFI is a replacement for the older BIOS firmware interface and the Extensible Firmware Interface (EFI) 1.10 specifications.
- More than 140 leading technology companies participate in the Unified EFI Forum, including AMD, AMI, Apple, Dell, HP, IBM, Insyde, Intel, Lenovo, Microsoft, and Phoenix Technologies.
- From: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/uefi-firmware
- Universal Apps
- Update Rings
- User Account Control (UAC)
- User Account Control helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
- More info: https://technet.microsoft.com/en-us/library/mt437606.aspx
- User Experience Virtualization (UE-V)
- Part of the MDOP tool suite for customers with a Software Assurance agreement with Microsoft
- Capture and centralize your users’ application settings and Windows OS settings by implementing Microsoft User Experience Virtualization (UE-V). Then, apply these settings to the devices users access in your enterprise, like desktop computers, laptops, or virtual desktop infrastructure (VDI) sessions.
- With UE-V you can: 1) Specify which application and desktop settings synchronize, 2) Deliver the settings anytime and anywhere users work throughout the enterprise, 3) Create custom templates for your third-party or line-of-business applications, 4) Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state
- More info: https://technet.microsoft.com/itpro/mdop/uev-v2/index
- User State Migration Tool (USMT)
- Provides a highly customizable user-profile migration experience for IT professionals
- More info: https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-technical-reference
- Virtual Secure Mode
- Virtual TPM
- VPN – profile options
- VPN – Per App
- VPN profile that is triggered upon start of an application
- Traffic filters give additional control
- Per-app VPN can be forced or split-tunnel
- Works for both traditional and universal apps
- More info: http://blogs.technet.com/b/microsoftintune/archive/2015/02/03/how-to-set-up-per-app-vpn-using-microsoft-intune.aspx
- More info: https://technet.microsoft.com/en-us/library/mt210942.aspx#app-triggered_vpn
- VPN – Lock down
- For security-cautious organizations where traffic control needs to be all or nothing
- Users cannot disconnect or modify
- More info: https://technet.microsoft.com/en-us/library/mt210942.aspx#lockdown_vpn
- Wi-Fi Sense
- Windows Analytics
- Data-driven insights that reduce the cost of deploying, servicing, and supporting Windows 10
- As of July 2017, it comprises 3 tools:
- Upgrade Readiness (general availability) – provides powerful insights and recommendations about the computers, applications, and drivers in your organization. This service guides you through upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
- Upgrade Compliance (public preview) – provides a unified view of Windows Update and Windows Defender Antivirus compliance for Windows 10 devices
- Device Health (public preview) – provides proactive insights to help detect and remediate end-user impacting issues, thereby enabling you to reduce support costs and improve efficiency
- See also: Microsoft Mechanics’ Intro to Windows Upgrade Analytics (now called Upgrade Readiness)
- Windows AutoPilot
- IT use has evolved. The modern workplace encompasses multiple device platforms, user- and business-owned devices, and the ability for users to work anywhere. Transforming the process for deploying new Windows 10 PCs is an important part of Microsoft’s vision for modern IT.
- More info: https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot
- See also: Webinar – Modernize the deployment process with Windows AutoPilot
- Windows Ink
- Windows 10 for Education
- Windows 10 Internet of Things (IoT)
- Previously known as Windows “embedded”
- Included editions:
- IoT Core/Core Pro
- IoT Enterprise (same as LTSB but licensed for OEMs)
- IoT Mobile Enterprise
- More info: https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot
- See also: Managing Embedded Devices with ConfigMgr 2012
- See also: Build and Deploy an IoT Core image
- See also: Lockdown Features from Win8.1 Embedded Industry
- Windows 10 Mobile / Mobile Enterprise
- Windows as a Service
- With Windows 10, a new model is being adopted. Instead of new features being added only in new releases that happen every few years, the goal is to provide new features two to three times per year, continually providing new capabilities while maintaining a high level of hardware and application compatibility.
- This new model, referred to as Windows as a service, requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens “every few years”; it is a continual process.
- More info: https://technet.microsoft.com/en-us/itpro/windows/plan/windows-10-servicing-options
- See also: Managing WaaS in ConfigMgr
- Windows Biometric Framework
- Windows Defender Antivirus
- Built-in anti-malware protection, now with enterprise-level management capabilities
- More info: https://technet.microsoft.com/en-us/library/mt622091.aspx
- See also: Windows Defender AV evaluation guide – provides guidance for a standalone evaluation of WDAV outside of SCCM. Has additional good tips and recommendations.
- See also: Setup of SCCM for WDAV management – includes instructions for both server and clients, but does not include common instructions such as using collections, reporting, or setup of RBAC
- See also: Windows Defender Antivirus Testground – The following demo scenarios will help you learn more about the capabilities of Windows Defender Antivirus. None of the sample files are actually malicious; they are all harmless demonstration files.
- See also: How MSIT uses WDAV (also available in downloadable .docx format)
- Windows Defender Advanced Threat Protection (WDATP)
- New service that helps our enterprise customers to detect, investigate, and respond to advanced and targeted attacks on their networks.
- Provides a new post-breach layer of protection to the Windows 10 security stack.
- More info: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-advanced-threat-protection
- See also: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
- Windows/Device Health Attestation Service
- Even managed devices can be compromised and become harmful. Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets. As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy.
- Enables enterprise IT managers to assess the health of managed devices and take enterprise policy actions.
- Essentially a new form of conditional access that is used to access cloud features
- Locks out the user if malicious changes occur, such as a jailbreak
- Has a configuration service provider (CSP)
- From https://msdn.microsoft.com/en-us/library/windows/hardware/dn934876.aspx
- Windows Hello
- Enterprise-grade capability for a user to securely log in using their face, fingerprint, or the iris of the eye.
- Windows Hello is a more personal way to sign in to your Windows 10 devices with just a look or a touch. You’ll get enterprise-grade security without having to type in a password. Biometrics include facial recognition, iris scan, and fingerprint scan.
- More info: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport
- See also: http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello
- See also: http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq
- See also: Microsoft Passport
- Windows Information Protection
- Formerly named Enterprise Data Protection (EDP)
- Essentially “containerization” of what is enterprise managed data and applications, versus personal data/apps
- This is not the same as the EMS features for Microsoft Application Management (MAM), Azure Rights Management Service (RMS), or Azure Information Protection
- Protected applications can trigger a VPN connection
- Can be used to restrict the VPN interface and filters
- More info: https://technet.microsoft.com/en-us/library/dn985838.aspx
- See also: https://technet.microsoft.com/itpro/windows/whats-new/edp-whats-new-overview
- See also: List of Enlightened Apps
- Windows Imaging and Configuration Designer (WICD)
- Tool that is part of the Win10 ADK that can be used to create provisioning packages
- See also: ADK, Provisioning Packages
- More info: https://technet.microsoft.com/en-us/library/mt203963.aspx
- Customizations for enterprise desktop devices
- WICD Settings Reference: https://msdn.microsoft.com/en-us/library/windows/hardware/dn965990.aspx
- Windows Insider for Business
- For many IT pros, gaining visibility into feature updates early, before they’re available to the Semi-Annual Channel, can be both intriguing and valuable for future end user communications as well as provide additional prestaging for Semi-Annual Channel machines.
- Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report them to Microsoft.
- More info: https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business
- Windows provisioning framework
- The Windows Provisioning framework exposes the customizable OS settings that OEMs and Enterprise IT Pros can set to modify the UI for various Windows editions, connectivity settings, and user experience to better fit their product market or production environment needs.
- This can include adding apps, wallpapers, modifying icons and layouts, configuring network settings using device management, changing defaults in configuration settings, and adding brand-specific art and sounds to the OS.
- More info: https://msdn.microsoft.com/en-us/library/windows/hardware/dn898375.aspx
- See also: WICD, Provisioning Package, Dynamic Provisioning
- Windows servicing
- Support lifecycles on all the various branches of Windows 10
- More info: https://technet.microsoft.com/en-us/library/mt598226.aspx
- Windows spotlight (lock screen)
- Windows Store for Business
- Windows Store apps that are acquired through the new Store portal can be displayed within a private company portal, with API-level integration between management tools and the Windows Store to obtain full details of the apps, including descriptions, requirements, icons and more.
- A business can create their own private section within the Windows Store for their apps – apps that have been acquired for members of the organization through the Store portal, or their own uploaded custom line of business apps.
- Within this private section of the Store, an end user can easily browse a customized Windows Store and install only the apps they want, from the selection chosen for them by their corporation.
- From: https://blogs.windows.com/business/2014/11/20/windows-10-a-store-thats-ready-for-business/
- More info: Windows Store for Business Overview
- More info: Getting Started with Windows Store for Business
- See also: WSfB on TechNet
- More info: Distribute apps using your private store
- Windows To Go
- Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
- More info: https://technet.microsoft.com/itpro/windows/plan/windows-to-go-overview
- See also: Deploy Windows to Go with System Center Configuration Manager
- Windows Update for Business (WUfB)
- For environments that do not have an enterprise-class systems management platform, such as ConfigMgr, WUfB provides a way for businesses to control the rollout of new Windows updates and features
- More info: https://technet.microsoft.com/en-us/library/mt622730.aspx
- See also: Windows Update Delivery Optimization (FAQ)