Windows 8.1 Enterprise Upgrade


One of the fundamentals of MS licensing has been changed. It’s always been the case that:

“the only way to get Windows Enterprise is to buy Pro + SA”

Well not anymore!

As of March 2014, there is a standalone Windows 8.1 Enterprise SKU available via Volume Licensing.

Why?

This means organizations who can’t/won’t enter into an agreement with Software Assurance can now benefit from things such as:

  • Direct Access
  • AppLocker
  • Windows To Go

and more

Other SA benefits are not affected, so things such as:

  • New Version Rights
  • MDOP
  • Virtualization

etc. are still only available with SA.

What else has changed?

It is now ONLY possible to attach SA to the Enterprise Upgrade SKU.

This takes away one relatively common practice. Organizations would often buy machines with Windows Pro OEM and then attach Windows SA within 90 days. This is no longer possible as SA can be attached only to Enterprise – and that won’t come pre-loaded on machines.

If you bought the OEM devices before July 1st 2014, you still have the 90 days to purchase SA. Once that date passes, it will no longer be possible.

AppLocker & Windows 7


What is AppLocker?

AppLocker allows you to prevent programs from executing on desktop machines, through central administration. It is one of the many new features of Windows 7, although it is only included in the Enterprise version of the OS.

It is similar to the “Software Restriction Policies” (SRP) from previous incarnations of Windows but much improved, with more power and greater flexibility.

How does it work?

There are 3 kinds of rules available with AppLocker:

Path Rules: Allows you to restrict program execution to certain directory paths, such as Program Files etc but is only effective if users are unable to install their own applications. Monitoring and tracking allowed folders can be time consuming and difficult.

Hash Rules: Uses cryptographic hashes of executables to identify them. Very secure but can be time consuming as the hash must be updated after any updates to the program.

Publisher Rules: Identify applications based on digital signatures issued by the publisher. While these are similar to “Certificate Rules” in SRP, they are more sophisticated. You can restrict execution to the:

  • Publisher (e.g. Microsoft)
  • Product name (such as Office 2007)
  • File name (office2007.exe)
  • File version (14.0.1.1 for example)

All 3 rules can be applied to:

  • Executables (.exe)
  • Installer Files (.bat, .cmd etc)
  • System Libraries (.dll etc)

and all three rules allow the creation of “exceptions” such as:

“Allow Publisher “Microsoft” except file name mediaplayer.exe”
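As an added example (not part of the original post), the AppLocker PowerShell cmdlets can generate publisher rules with a hash fallback from a directory of approved software and then dry-run the result without enforcing anything. The directory paths and the output file name are assumptions.

```powershell
# Added example, not from the original post. Paths are assumptions.
Import-Module AppLocker

# 1. Inventory the executables in a directory of approved software (assumed path).
$approved = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe

# 2. Signed files expose a Publisher and can get publisher rules; unsigned
#    files can only be identified by hash (or by path).
$approved |
    Group-Object { if ($_.Publisher) { 'Signed' } else { 'Unsigned' } } |
    Select-Object Name, Count

# 3. Generate rules: publisher first, hash as the fallback for unsigned files.
#    -Optimize merges similar rules; -Xml returns the policy as XML text
#    so it can be reviewed before anyone imports it into a GPO.
$policyFile = Join-Path $env:TEMP 'applocker-candidate.xml'
$approved |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyFile

# 4. Dry run against a user-writable location (assumed path).
#    Test-AppLockerPolicy only reports decisions; nothing is blocked.
$downloads  = Join-Path $env:USERPROFILE 'Downloads'
$candidates = Get-ChildItem $downloads -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```

Files that match no rule are reported as `DeniedByDefault`, which is the behaviour to check before moving a rule collection from auditing to enforcement.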

In the Windows 7 deployment I’m working on, and I’m sure many, many more, AppLocker is of great interest to System Administrators. Its ability to block programs will lead not only to increased security but could also be used for increased productivity, particularly in schools.

You can see Microsoft’s Paul Cooke talking about AppLocker here.

For a great look at the technical aspects of using and setting up AppLocker, head over to 4Sysops here.

Windows 7 Features Announced


A number of Windows 7 features have been announced today (28/10/08) at the Microsoft PDC 2008. The vast majority of the features we saw today were for the consumer but fear not, Microsoft promise there are numerous Enterprise related additions too! These include:

  • Federated Search: Deliver a consistent experience finding files across PCs, networks, and Microsoft Office SharePoint Server systems.
  • DirectAccess: To link users to corporate resources from the road without a virtual private network.
  • BranchCache: To make it faster to open files and Web pages from a branch office.
  • BitLocker To Go: Data protection for removable devices.
  • Refined Universal Access Control: To give fewer prompts for users and more flexibility for IT.
  • PowerShell and group policy management.
  • Client virtualization: With virtual desktop infrastructure enhancements, to improve memory utilization and user experience.
  • Device Center: To provide a single place to access all connected and wireless devices with Device Stage, to see status and run common tasks from a single window.
  • HomeGroup: To make it easier to share media, documents, and printers across multiple PCs in offices without a domain.

Direct Access:

“DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access—without the need to VPN.”

Anything that means we don’t need to use VPNs is brilliant! I find they rarely work as well as end users need them to and they can make a System Admin’s life difficult, so removing VPNs could be enough to make the detractors forget all about Vista!

“With DirectAccess, IT administrators can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on.”

“To keep data safer as it travels public networks, DirectAccess uses IPv6-over-IPsec to encrypt communications transmitted across the Internet. DirectAccess can use split-tunnel routing, which reduces unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server (running Windows Server 2008 R2)…”

BitLocker To Go:

With all the lost data flying around these days, BitLocker To Go extends the proven BitLocker technology to removable USB devices, securing them with a passphrase. “In addition to having control over passphrase length and complexity, IT administrators can require users to apply BitLocker protection to removable drives before being able to write to them”.

Administrators can still allow unsecured USB devices to be used in a Read-Only mode and policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device.

A related addition is AppLocker which is “a flexible, easy-to-use mechanism that enables IT professionals to specify exactly what is allowed to run on user desktops.” It uses “publisher rules” that are based on digital signatures so, with correctly structured rules, you can deploy updates etc without having to create new rules.

Virtualization Enhancements

Virtual Desktop Infrastructure (VDI) in Windows 7 is closer to the experience of a local PC now with support for Aero, video viewing in Media Player 11 and multiple monitor configurations. New microphone support enables remote desktops running Windows 7 Enterprise to provide VOIP & speech recognition functionality. Last, but by no means least, is Easy Print which allows users to print to local printers without installing drivers on the server.

You can see more info on the Microsoft site here.

The guys over at ActiveWin have got a great, in-depth review of the Windows 7, M3 Preview which contains any number of screenshots and a whole host of info. Some of the bits that caught my eye were:

Location Aware Printing:

In Windows 7, you no longer need to select the printer to match your location. When you change network locations, such as taking your work laptop home for the evening, the default printer setting can change to reflect the best printer for that new location. When you print at work, Windows 7 will print to your work printer. When you print at home, Windows 7 will automatically select and use your home printer.

Media Player 12 will ship with Windows 7 and according to ActiveWin: “this new version features radical changes to its menu structure, with some menus positioned on the left and right sides of the interface…and features two thick toolbars of controls, the second one focusing on traditional features such as Organization, Sharing, Playlist and Search…Common media formats supported include WMV, WMA, MPEG-4, AAC and AVC/H.264.”

Ultra Wideband (UWB) and Wireless USB (WUSB):

UWB and WUSB are new technologies that provide wireless alternatives to USB cables. Support for UWB and WUSB in Windows 7 lets you take advantage of new wireless devices and wireless USB hubs.

Libraries also seem like a really cool multimedia feature. I’m forever duplicating files as I can’t find where I saved them, creating numerous folders in different places all with the same names and finally just keeping stuff on my desktop so I don’t lose it. None of this leads to a brilliant user experience at home or at work and this is where Windows 7 libraries come in.

“With Libraries, you can not only organize, but view and manage files that are stored in more than one place. This reduces the need to view files even when they are stored in different folders. Libraries are so powerful that they even span different disk drives and/or PCs on your home network. There are a range of options for organizing and browsing, by type, date taken or genre depending on the file type.”

On top of this, there is the already well known addition of touch and multi touch capabilities to Windows 7. If you’ve got a touchscreen monitor, or more likely a Tablet PC, you can open things from the Start Menu etc by pressing them. MultiTouch will let you zoom in and out on images by moving 2 fingers together/apart as needed and more.

Another new feature of Windows 7 will be the ability to re-order applications on the taskbar… I think this is awesome! This is one of those little things that has annoyed me for years and will finally be gone. I have a certain order that I like my applications to be in and I always have Outlook as the first program. However at the minute if I have to re-start Outlook it ends up buried on my Taskbar between two IE windows or something... and then it takes me a little while each time I need to go back to Outlook.

I’ve asked around the office and this addition is met with unanimous approval!

Something else I’ve just seen on pcworld.com is that you can schedule desktop background changes with Windows 7, I think that’s quite a neat touch!

Over at ZDNet, Ed Bott has got a great gallery of Windows 7 Screenshots which you can find here. Below is a shot of the desktop which shows another new feature, that gadgets are no longer confined to that bar on the right-hand side... now they can reside anywhere on the desktop 🙂

Windows 7 Desktop