
Secure Windows on a Secure Device

Recently my partner Ed and I posted about Microsoft’s hardware requirements for optimal security on Search Enterprise Desktop, a TechTarget site. Our conclusion, in brief, was that Microsoft’s goal seems to be to get enterprise customers to use Windows 10 S edition on secure devices from partner manufacturers (Dell, HP, Lenovo et al), along with Microsoft 365 subscription licenses and, finally, Azure AD instead of local domain controllers.

Only days after that post, Thurrott.com, a “usually reliable source” for leaked Microsoft insider information, posted an exclusive story entitled Windows 10 S is Dead, Long Live S Mode. This article discloses that Microsoft is planning to abandon Windows 10 S and instead focus on a so-called “S Mode,” offered for all editions of Windows 10 and easily converted to full Home, Pro, Education or Enterprise.

Supposedly, the same restrictions will apply to the new S Mode that previously applied to Windows 10 S: no Win32 legacy applications except those pre-installed in manufacturing mode by the IT department. Furthermore, in corporate environments such PCs may use only Microsoft 365 device-only apps from a “company store” (an in-house version of the Windows Store, stocked only with items of the company’s choosing).

My next assertion is pure speculation: be it Windows 10 S edition or S Mode, I see no reason to change what I said and posted earlier. In articles and posts about its new hardware security requirements, Microsoft presents Windows 10 S as its preferred “secure” operating system, and that positioning tells me several important things. First, assuming S Mode will have the same restrictions as the Windows 10 S edition, it can’t be joined to a local domain. This limitation supports my belief that Microsoft wants corporate customers to move from local domains to Azure AD. The launch of Microsoft 365 subscription plans which include both Windows 10 and Office, Microsoft Intune and the relatively new AutoPilot further suggests Microsoft wants today’s volume licensing customers to move over entirely to subscription services.

That’s why I’ll make this bet: within a few years, we will see even enterprise giants switching over from volume-licensed Windows and Office, with their own local domains and KMS activation servers, to Microsoft 365 subscription licenses and Azure AD, deployed using Intune and AutoPilot. This change will start out slowly, with small and midsize businesses moving over. But I have no doubt that bigger enterprises will follow suit within the next 12 to 18 months. From an IT decision maker’s point of view, this is entirely logical: such a move gains them easier and more cost-effective IT administration and clear and easy deployment, and makes the resulting environment easier and more manageable for IT department workers than “legacy” deployment methods do.

Mark my words: The future of Windows in enterprise environments will be in the form of Windows 10 S, be it Edition or Mode, on laptops bought from authorized partner manufacturers. Deployment will come via Intune, users will sign in using Azure AD credentials instead of local domain credentials, and device setup will occur via Windows AutoPilot. After an initial “I liked it better the old way” period, both end-users and enterprise IT administrators will love it. Only time will tell, of course, if I’m on the right track, but until I hear a definitive counter from Microsoft, I’m convinced this is how things will play out. Stay tuned!


Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid-80s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site TenForums.com.
