Windows 10, version 2004 for IT
Although Microsoft's Windows 10 version 2004 release (the number stands for April 2020, though general availability came at the end of May) was held up on several issues for months, causing many to see the 'Not ready' message (including Surface users), it now finally seems to be gathering steam and ready for prime time.
Most users of 1903 and 1909 are finally able to get hold of this update by selecting 'Check for updates'. The update was already late, and was initially labelled 2003; it was renamed 2004 to avoid confusion with Windows Server 2003.
The update itself is probably more interesting to IT professionals than it is to most users, with many of the improvements on the security side: Fast Identity Online (FIDO2) security-key sign-in extended to hybrid Azure AD joined devices, and Windows Hello PIN sign-in available in Safe Mode.
Passwords
Microsoft for most of its existence has not been particularly praiseworthy when it comes to security, but the 'new' Microsoft is now, surprisingly, one of the largest IT security companies in the world, investing (by its own account) over a billion dollars a year and detecting five billion cybersecurity threats a month. The various threat protection services offered under a fairly confusing array of titles (Azure Advanced Threat Protection, Windows Defender Advanced Threat Protection, Office 365 Advanced Threat Protection) are excellent, but Microsoft still has many bridges to build with those who remember the Microsoft of old.
So one of Microsoft's focusses is to migrate its billion-plus users to a world without passwords. The primary vector for most intrusions is discovery of the password, either by guessing, cracking or replaying it, or by social engineering (tricking a user into giving it out). SMB1 and WannaCry are often mentioned in the same breath, but they are a different problem: WannaCry spread through a remote code execution flaw in SMB1, not through stolen credentials. The lesson from it is that legacy protocols need switching off, which is a separate fix from getting rid of passwords.
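Since the SMB1 point comes up whenever passwordless is discussed, here is the check a Windows admin would actually run. This is an added example, not code from the article; it uses only in-box cmdlets (Get-WindowsOptionalFeature, Get-SmbServerConfiguration, Get-SmbConnection and their Set/Disable counterparts), and the function and property names are illustrative choices.

```powershell
# Added example (not from the article): audit SMBv1 on a Windows 10 host and, optionally,
# switch it off. Run from an elevated PowerShell prompt; only in-box cmdlets are used
# (DISM module for the optional feature, SmbShare module for the server configuration).

function Get-Smb1Status {
    # Returns one object describing the SMB1 exposure of this machine.
    # A $null field means the underlying query failed (typically: not running elevated).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue

    # Outbound SMB sessions from this box that negotiated an SMB1 dialect. If anything is
    # listed here, some server (old NAS, printer, appliance) still needs SMB1 and will break.
    $smb1Peers = @(Get-SmbConnection -ErrorAction SilentlyContinue |
                   Where-Object { $_.Dialect -like '1.*' } |
                   Select-Object -ExpandProperty ServerName -Unique)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { $null }  # Enabled / Disabled / DisabledWithPayloadRemoved
        Smb1ServerEnabled = if ($server)  { $server.EnableSMB1Protocol } else { $null }
        Smb2ServerEnabled = if ($server)  { $server.EnableSMB2Protocol } else { $null }
        Smb1PeersInUse    = $smb1Peers
        Exposed           = ($feature -and $feature.State -eq 'Enabled') -or ($server -and $server.EnableSMB1Protocol)
    }
}

function Disable-Smb1 {
    # Server side first: stop answering SMB1 requests (takes effect without a reboot).
    # Then remove the optional component (client and server); that part needs a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Exposed) {
    if ($status.Smb1PeersInUse.Count -gt 0) {
        Write-Warning ("Still talking SMB1 to: {0}. Fix or retire those first." -f ($status.Smb1PeersInUse -join ', '))
    } else {
        Write-Warning 'SMB1 is enabled and unused here; run Disable-Smb1 to remediate.'
    }
}
```

The audit deliberately stops short of remediating on its own: the Smb1PeersInUse list is the thing that tells you whether turning SMB1 off will break a file server, scanner or NAS somewhere, and that is a decision for a person, not a script.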
Modern biometrics, like your face or fingerprint, or a PIN bound to your PC rather than to your account, are significantly more secure. The PIN never travels over the network: it unlocks a private key held in the device's TPM, and that key answers a challenge from the identity provider. A password in these situations only weakens security, because it becomes something that can be discovered, either because you reuse it elsewhere or are tricked into revealing it. Microsoft has gradually been moving its security model away from one that relies on firewalls (at the edge of the network, or the edge of your PC) towards endpoint trust established directly between a user and a service.
Its first foray into this was the strong adoption of multi-factor authentication for Office 365 accounts. O365 documents can restrict printing, visibility and sharing to trusted users, whose trust and access have been confirmed with multi-factor credentials. Azure AD Premium P2 licensing goes one step further: Identity Protection analyses the behaviour of those users to detect suspicious sign-ins, evaluate risk and leaked credentials, and automatically block or re-challenge anything suspicious.
On-Prem is the Poor Cousin
Microsoft's traditional business user, though, is still for the most part an on-premises user, with a domain-joined device authenticating to an Active Directory domain controller on a local network, and group policy and tools like SCCM and WSUS dishing out governance and patches to endpoints. The on-prem experience is mostly unchanged from ten years ago. A user logs on, the domain controller authenticates the password, and the expectation is that the device deserves greater trust because it's physically on the network.
As Microsoft pushed business to adopt Azure, it seemed to struggle with its existing toolsets for remote access: ADFS, VPNs, and third parties like Okta (a Gartner Magic Quadrant leader for Access Management) fronting edge servers. These have remained largely unchanged, and for many companies have turned cloud and on-prem services into a weird sort of mash-up of corporate systems picked from through a web browser.
Newer Access
Windows Autopilot, driven from Intune, allows computers in this 2004 release to be hybrid Azure AD joined over a VPN. That's pretty remarkable: staff can self-service a rebuild of their entire operating system from factory reset back to company compliant, with all their apps and configs, entirely from their home networks. The practical catch is that the VPN client has to be deployed during enrollment and connected before the user's first domain sign-in, so it needs to support a pre-logon or device tunnel. This looks like a Microsoft with an eye on the impact of Covid and the massive increase in home working.
In addition, Microsoft seems to be bringing some of the multifactor and biometric goodies it had saved for the cloud and for personal computers to the traditional on-prem business user.
Two or three years ago Microsoft was single-mindedly pushing everything and everyone into the cloud. The tools it produced seemed focussed exclusively on assisting that migration, or on offering incentives (licensing, extended support) to go in one direction: into its money-making data centres before Amazon snapped you up.
Azure Bastion and Sentinel are cloud first, and even the on-prem Windows Admin Center gateway leans on Azure for its hybrid features. Recently, however, it feels as though Microsoft has tired of that effort; after all, most companies still have too much legacy equipment and code to go all in unless they're a start-up. The new Microsoft seems much more accommodating, and happy to invest in on-prem improvements instead of using a stick to beat us all into the cloud.
What we see instead is Windows Hello on hybrid joined machines, and Intune letting staff build their own hybrid work PCs with minimal impact on their support departments. Moving virtual machines from the cloud back to on-prem no longer seems like a backward step, as long as the same security, tooling and resilience support both locations.
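Whether a given machine is actually in the state the last two sections describe (hybrid joined, holding a cloud token, with a TPM-backed Windows Hello credential) is something dsregcmd /status already reports, just not in a form you can act on across a fleet. The following is an added example, not the article's or Microsoft's code: it parses that output into a readiness checklist. The field names (AzureAdJoined, DomainJoined, AzureAdPrt, NgcSet, TpmProtected, KeyProvisioned) are the ones dsregcmd prints on Windows 10; the function names and the sample output are constructed for illustration.

```powershell
# Added example (not from the article): read the device's Azure AD / Windows Hello state
# from `dsregcmd /status` and turn it into a pass/fail checklist for hybrid passwordless.
# Field names are as dsregcmd prints them on Windows 10; the rest is illustrative.

function ConvertFrom-DsregStatus {
    # Collapses the "Name : Value" lines of dsregcmd output into one hashtable.
    # Section headers ("| Device State |") and separator lines have no "Key : Value" shape and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridPasswordlessReadiness {
    # Each property is $true when the device meets the condition the article describes.
    param([Parameter(Mandatory)][hashtable]$State)
    $hybrid = ($State['DomainJoined'] -eq 'YES') -and ($State['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        HybridAzureAdJoined = $hybrid
        HasAzureAdPrt       = $State['AzureAdPrt'] -eq 'YES'      # Primary Refresh Token present: cloud SSO works
        HelloProvisioned    = $State['NgcSet'] -eq 'YES'          # a Windows Hello key exists for this user
        TpmBackedDeviceKey  = $State['TpmProtected'] -eq 'YES'    # device key lives in the TPM, not in software
        DeviceKeyPresent    = $State['KeyProvisioned'] -eq 'YES'
    }
}

# Constructed sample (trimmed to the fields used above) so the functions can be exercised
# on a machine without dsregcmd. On Windows 10 the live output is used instead.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
            KeyProvisioned : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
'@ -split "`r?`n"

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd.exe /status } else { $sample }
$readiness = Test-HybridPasswordlessReadiness -State (ConvertFrom-DsregStatus -Lines $lines)
$readiness | Format-List

# Anything still $false is what to chase before taking the password out of the sign-in flow.
$readiness.PSObject.Properties | Where-Object { -not $_.Value } |
    ForEach-Object { Write-Warning ("Not ready: {0}" -f $_.Name) }
```

Run it in the user's own session, not as SYSTEM or a different admin: the User State and SSO State sections (NgcSet, AzureAdPrt) describe the signed-in user, so a remote scan under another account will report them as missing even on a correctly provisioned device.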
We also see the recent introduction of Windows Virtual Desktop (WVD) in the cloud. This too looks like a Covid-inspired solution, but it has been much longer in development. Microsoft traditionally left desktop hosting to partners like Rackspace or Citrix, and its virtual hosting in Azure was for servers. With WVD, organizations that already have a WAN link into Azure get a way for remote staff to reach on-prem systems without exposing those systems to the internet directly: only the desktop session is published, and it reaches back on-prem over the existing link.
Microsoft has used its knowledge of its own Windows 10 operating system to tweak the virtual experience, providing load balancing across host pools and allowing multiple users on a single cloud Windows 10 instance (Windows 10 Enterprise multi-session). This is a sort of simplified Windows Terminal Server, but one which is scalable and immediately accessible through an HTTPS web client or the Microsoft Remote Desktop client.
So with all these great tools, what do we get?
We get a business where it doesn't matter where your staff are. It's not a question of establishing a VPN to get to company systems, or of typing passwords into multiple websites, or even of having a password.
Your identity to your machine is established with biometrics and multifactor, and after that your services run over the internet. Newer services are entirely cloud first and tied to your Azure AD credentials; legacy systems or specific apps are reached not through terminal servers but through scalable Windows virtual desktops, which expose either the whole desktop or a single app via a browser or a store client.
Your computer doesn't even need to be on the corporate network. The corporate device is at all times treated with the same suspicion as if it were on a coffee-shop network, and trojan software that lands on it has no flat corporate network to move laterally across, because your endpoints are all standalone.
Trust moves away from edge firewalls (your own or your company's) to your device and the thing you are talking to, which is what Microsoft and others call zero trust.
This has always been Microsoft's strategy for O365 and cloud-only joined devices, but the Windows 10 2004 release shows Microsoft turning the same attention to those organizations (in fact most organizations) who are stuck with one foot in the cloud and one foot in legacy on-prem.