Microsoft Windows 10/Windows 11 Enterprise E3 Subscription
The Windows 10/Windows 11 Enterprise E3 subscription builds on Windows 10 or Windows 11 Pro by delivering enterprise-grade security, management, and control features for large or mid-sized companies, or any size business that processes sensitive data, operates in regulated industries, or develops intellectual property that must remain secured. The increased security helps protect your sensitive data, identities, and devices from cybersecurity threats, and provides enhanced deployment and software and device management options.
To take advantage of this offering, you must have the following:
Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded
Azure Active Directory (Azure AD) available for identity management
Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
When you purchase Windows 10 Enterprise E3, you get the following benefits:
Windows 10 Enterprise edition.
Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
Deploy on up to five devices.
For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
Roll back to Windows 10 Pro at any time.
When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).
Monthly, per-user pricing model.
This makes Windows 10 Enterprise E3 affordable for any organisation.
Move licenses between users.
Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
Windows 10 Enterprise features not found in Windows 10 Pro
Credential Guard
This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
Credential Guard has the following features:
Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
Improved protection against persistent threats.
Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.
Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.
Credential Guard requires the following:
UEFI 2.3.1 or greater with Trusted Boot
Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled
x64 version of Windows
IOMMU, such as Intel VT-d, AMD-Vi
BIOS Lockdown
TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)
Device Guard
This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
Device Guard does the following:
Helps protect against malware
Helps protect the Windows system core from vulnerability and zero-day exploits
Allows only trusted apps to run
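The Credential Guard and Device Guard sections above both rest on virtualization-based security, and its state on a device can be read through WMI from PowerShell. The following is an added example, not code from the original page or from Microsoft; the function name Get-VbsProtectionStatus is hypothetical, while the Win32_DeviceGuard class and its numeric codes are the documented ones.

```powershell
# Added example: report VBS, Credential Guard and code-integrity isolation state
# on the local device. Run from an elevated PowerShell session.
function Get-VbsProtectionStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Numeric codes documented for the Win32_DeviceGuard class.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $hardware = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)' }

    # Force arrays so -contains behaves the same for zero, one or many values.
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)
    $available  = @($dg.AvailableSecurityProperties)
    $required   = @($dg.RequiredSecurityProperties)

    # Platform features from the requirements list that the device does not expose.
    $missing = $hardware.Keys | Sort-Object |
        Where-Object { $available -notcontains $_ } |
        ForEach-Object { $hardware[$_] }

    # A policy that demands a feature the hardware lacks prevents VBS from starting.
    $unmet = $required | Where-Object { $_ -ne 0 -and $available -notcontains $_ }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        # The CIM value is UInt32; cast so the Int32-keyed lookup matches.
        VbsStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $configured -contains 1
        CredentialGuardRunning    = $running -contains 1
        CodeIntegrityConfigured   = $configured -contains 2
        CodeIntegrityRunning      = $running -contains 2
        MissingHardwareFeatures   = @($missing)
        UnmetRequiredProperties   = @($unmet)
    }
}

Get-VbsProtectionStatus | Format-List
```

A device where CredentialGuardConfigured is true but CredentialGuardRunning is false has the policy applied without the protection in effect, which usually points at an entry in MissingHardwareFeatures or UnmetRequiredProperties.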
Application Virtualization (App-V)
This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
User Experience Virtualization (UE-V)
With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
UE-V provides the ability to do the following:
Specify which application and Windows settings synchronize across user devices
Deliver the settings anytime and anywhere users work throughout the enterprise
Create custom templates for your third-party or line-of-business applications
Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state
Managed User Experience
This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
Removing Log Off (the User tile) from the Start menu
Removing frequent programs from the Start menu
Removing the All Programs list from the Start menu
Preventing users from customizing their Start screen
Forcing Start menu to be either full-screen size or menu size
Preventing changes to Taskbar and Start menu settings