The Enterprise version of any Windows model is aimed immediately and kind of completely at companies and different organizations of some scale, typically with 1000’s or tens of 1000’s of PCs. It isn’t usually accessible for retail buy (although yow will discover some retailers on-line prepared to promote single-copy licenses). Normally, Windows 11 Enterprise have to be acquired by means of some sort of licensing settlement with Microsoft or one among its companions, corresponding to by means of the corporate’s Windows 11 Enterprise web site.What does Windows 11 Enterprise provide companies?In common, Windows 11 Enterprise presents extra or enhanced options designed particularly for enterprise use. These objects fall into three broad classes:
Security
Productivity
Management
Let’s look at every class in flip to grasp their variations from the Windows Home and Pro editions which can be aimed primarily at customers, particular person professionals, and small companies.Windows 11 Enterprise safety features and featuresMicrosoft identification safety and authentication expertise has modified dramatically in Windows 11. It depends on Windows Hello for biometric authentication — largely through Hello-compatible fingerprint readers and webcams for facial recognition. (Hello-capable units with supporting drivers are required.)It additionally helps SmartCards and numerous different types of two-factor authentication (normally abbreviated 2FA). In addition, the corporate presents a Microsoft Authenticator app to deal with logins to quite a lot of providers (corresponding to Visual Studio subscriptions, the Microsoft Volume Licensing Center, Microsoft Live Login, and extra) as a method of smartphone-based authentication.Organizations that deploy Windows 11 Enterprise also needs to discover the corporate’s Windows Hello for Business (WHFB) compelling. It enforces use of 2FA as a substitute of account/password logins on lined units, and thus helps to extend total safety by bypassing passwords and integrating tightly with Active Directory or Entra logins. Indeed, WHFB additionally works with third-party identification suppliers or relying third-party providers that help the general public key cryptography-based FIDO Authentication normal. (FIDO = “Fast ID Online”; discover extra data on the FIDO Alliance web site.) To configure WFHB, organizations use GPOs (Group Policy Objects) or MDM (Mobile Device Management) insurance policies that rely solely on certificate-based authentication. Thus, WFHB provides safe, passwordless sign-in to Windows, Azure, and different providers to Windows Hello’s already-strong biometrics and 2FA help. Essentially, it brings a contemporary SSO (single sign-on) functionality to Windows 11 Enterprise.Hardware and virtualization-based safetyWindows 11 Enterprise additionally helps a expertise known as Windows Defender Credential Guard, which is designed to isolate credential data in order that solely privileged system software program can entry such information. When Credential Guard is lively (for variations 22H2 and newer, it’s enabled by default), Windows credentials are saved in a particular facility known as the Credential Manager, which retains such information in particular safe folders known as vaults beneath the management of the Trusted Platform Module (TPM). Windows and functions (together with net browsers) can cross credentials from the vault to different computer systems and web sites safely and securely. One essential facet of Credential Guard in Windows 11 Enterprise was once known as Device Guard; now it’s extra more likely to be known as code integrity or reminiscence integrity. It combines safety features for each {hardware} and software program to lock units down so they may solely run trusted functions. If an app or utility isn’t trusted, it could actually’t run. Even if a protected system turns into compromised, an attacker received’t have the ability to run something besides licensed software program on that system. This expertise makes use of virtualization-based safety in Windows 11 Enterprise to isolate the Code Integrity service from the OS kernel, the place the service makes use of signatures outlined in an enterprise coverage to find out what’s reliable. Thus, this service runs alongside the Windows kernel in a hypervisor-protected container.Windows 11 Enterprise additionally helps a particular trusted boot service that makes use of the Secure Boot facility together with UEFI model 2.3.1 (or newer variations). In this type of surroundings, the firmware setup is locked to stop different OSes from booting, to stop unauthorized adjustments to UEFI settings, and to dam alternate boot units (corresponding to USB flash drives, which could in any other case have the ability to override the designated boot disk). This prevents rootkits and different boot-related malware from discovering a foothold on protected programs. Of course, licensed admins can override these settings by supplying a particular password at boot time to use UEFI updates, make configuration adjustments, or carry out different routine upkeep (e.g firmware updates or adjustments).Data Loss Protection (DLP), encryption, and moreFor separation and containment of organizational information, Windows 11 Enterprise features a facility known as Windows Information Protection (WIP). When enabled, WIP prevents unintentional or malicious information disclosure through apps or providers (e.g., electronic mail, social media, or cloud-based code). WIP stymies information leakage, particularly on employee-owned units corresponding to tablets or smartphones (BYOD use instances).WIP safety comes from insurance policies outlined for enterprise information sources and data-handling functions. Thus, it stays clear to customers. However, Microsoft has introduced a “sunset” for WIP in future Windows Enterprise variations as of July 2022, although it stays current in variations as much as and together with 23H2. The applied sciences which can be changing WIP are named Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention. These instruments assist organizations uncover, classify, and safeguard delicate information when it’s accessed or shared. They provide delicate information detection, labeling for sensitivity, and policy-based safety towards information loss or leakage. These instruments are built-in with Microsoft 365 Cloud Services, apps, and endpoint units working Windows and Edge, with centralized DSP controls that embody Chrome and macOS endpoints, cloud apps, and extra.With the introduction of model 22H2, Windows 11 gained Personal Data Encryption (PDE). Working alongside different Microsoft encryption strategies corresponding to BitLocker, PDE brings added information encryption to Windows 11. In truth, PDE can encrypt particular person information and content material objects quite than entire volumes and disks. It makes use of Windows Hello for Business to hyperlink encryption keys to person credentials in order that customers want just one set of credentials to encrypt or decrypt PDE information or objects (BitLocker requires two units).In addition, the Windows Device Health Attestation cloud service helps organizations defend information and mental property by imposing, controlling, and reporting the well being of Windows 11-based units. It additionally works with Microsoft Endpoint Manager and different appropriate MDM providers to ship what’s known as “conditional access services.” These verify on the well being and standing of units making an attempt to entry organizational networks. Based on the outcomes of these checks, this service can forestall untrustworthy or unrecognized units from acquiring entry to organizational sources and networks.Readers also needs to take word that the Windows Enterprise E5 subscription plan contains the whole lot within the E3 plan, but additionally brings Microsoft Defender for Endpoint into the combo. This platform delivers AI-based endpoint safety to Windows, macOS, Linux, Android, iOS, and IoT units. It’s designed to cease ransomware and different cyberattacks lifeless, and to allow safety groups to profit from cloud- and device-based functions, apps, and providers. Thus, it additionally contains international risk intelligence and assault floor monitoring, and it makes use of risk prevention practices to maintain endpoints secure and safe. AI additionally helps Defender ship automated detection and response at machine speeds to foil intruders and assaults. Windows 11 Enterprise productiveness options and featuresThe Windows 11 person interface supplies a begin menu structure with built-in search, together with taskbar and notification areas. Users aware of Windows 10 (or earlier variations of Windows) can leap proper in and begin getting issues accomplished on Windows 11. It’s been designed to make the person expertise each pleasant and acquainted and features a slew of productivity-boosting options corresponding to Focus classes, voice typing, Snap Layouts, and extra. See “8 ways to be more productive in Windows 11” for particulars.In Windows 11 Enterprise and different variations, Microsoft has amped up its Edge browser with AI-driven Copilot (previously known as Bing Chat), plus every kind of extensions and controls to offer an enhanced net expertise for customers. A legacy Internet Explorer mode stays accessible for entry to older-style IE-based net functions (IE 11). Organizations also needs to take into account deploying Microsoft Edge for Business into their Windows Enterprise pictures; it supplies a tailor-made and safe net browser throughout all person units (managed and unmanaged) with clearly separated work and private shopping content material, controls, and domains.Microsoft and third-party widgets present prepared entry to helpful always-on desktop instruments and monitoring capabilities. (Click the “weather” icon on the taskbar to open the widget panel.) The determine beneath exhibits desktop widgets for Memory, CPU, GPU, and Network (à la the Performance tab in Task Manager) accessible through Microsoft’s the Dev Home (Preview) app. Ed Tittel / IDG
From the Dev Home app in Windows 11, customers can pin numerous system monitoring widgets for straightforward entry. (Click picture to enlarge it.)
Windows 11 Enterprise administration options and featuresManagement is an area wherein Windows 11 Enterprise notably shines. It supplies help for dynamic provisioning and in-place upgrades. The former permits creation of provisioning packages that could be put in utilizing detachable media corresponding to flash drives or SD playing cards, delivered as electronic mail attachments, or downloaded from community drives or by means of Windows Update for Business. The latter is a sure-fire technique for Windows restore and restoration — see Step 3 in our Windows restore information for more information and particulars.With a easy set of written directions, customers can deploy provisioning packages themselves to provision and configure their very own units. A single provisioning bundle can be utilized to configure a number of units, together with employee-owned units, even when an MDM infrastructure might not be current or community connectivity accessible. In-place improve additionally makes it easy and easy to improve from Windows 10 to 11 whereas preserving information and settings and updating all appropriate functions and drivers. (A pre-upgrade set up advisor warns customers about incompatibilities prematurely.)Windows 11 Enterprise even lets organizations handle the code base for Windows immediately and explicitly. Most companies and organizations elect to obtain updates for some particular Windows Enterprise construct (e.g., model 23H2, launched in October 2023, or model 22H2, launched in September2022). Whereas shopper variations of Windows 11 (Home and Pro) have two-year lifecycles, Enterprise variations go for 36 months (3 years).This provides IT departments time to guage and validate updates earlier than they’re utilized. It additionally lets them management how and when updates propagate into manufacturing networks (normally on some sort of common upkeep schedule). The Windows Update for Business service supplies an replace distribution and monitoring mechanism that companies and organizations can use internally to handle safety updates in-house, or to deal with your complete Windows Update regime, all beneath their full management and timing.Using Windows 11 EnterpriseWindows 11 Enterprise is commonly utilized in live performance with quite a lot of different instruments and applied sciences. While third-party alternate options for any and all of them do exist, particular related Microsoft applied sciences designed to assist with imaging, administration, deployment, and upkeep of Windows 11 Enterprise embody the next:
Microsoft Intune (known as Microsoft Endpoint Manager from 2019 to 2022) covers a set of Microsoft administration merchandise beneath a single account umbrella and login. It encompasses user-, device-, and app-management instruments and integrates with Configuration Manager, Endpoint Analytics, Windows Autopilot, Windows Autopatch, and different Microsoft providers. All could also be accessed and managed by means of the Intune admin heart. This toolset could also be used to deploy and handle Windows 11 Enterprise pictures, functions, updates, and upgrades, together with Android- and iOS-based cellular units, and even Macs.
The Windows Assessment and Deployment Kit (ADK) supplies instruments to customise and deploy Windows 11 pictures.
Windows Update for Business supplies a means to make use of Group Policy Objects in order that a corporation’s directors can train full management over how Windows 11-based units get up to date. This contains help for deployment and validation teams, means to specify replace waves and membership, and peer-to-peer supply for managed propagation inside department places of work and at distant websites.
Active Directory (AD) and Entra ID (previously Azure Active Directory) provide built-in or cloud-based listing providers, together with wealthy, advanced group coverage controls to handle OS and utility deployments, updates, entry, and use. All of the policy-based controls talked about earlier on this article could also be dealt with by means of one or the opposite of those mechanisms.
Overall, Microsoft presents a wealthy supporting infrastructure to help deployment, administration, and use of Windows 11 Enterprise in a managed and safe setting. Further investigation of Windows 11 Enterprise, particularly on the safety and administration fronts, exhibits it to be extraordinarily well-suited for enterprise use.
Copyright © 2024 IDG Communications, Inc.