Since Windows Vista in 2007, Microsoft has had two main versions of Windows for commercial use, Professional and Enterprise, with Software Assurance (SA) adding further features such as Virtual desktop access and the Desktop optimisation pack.
Recently Microsoft announced what looked like two new versions, Windows 10 E3 and Windows 10 E5.
This is part of a new branding exercise for Microsoft’s commercial offerings so that another premium offering can be added to Windows, Office 365, and Enterprise Mobility Suite. The previous versions of Windows and EMS are renamed as E3, with the introduction of a new top offering called E5.
E3 is the new name for Windows with Software Assurance
With Windows OS, E3 refers to what was previously called Windows 10 Enterprise with SA, so there’s no change for purchases via all volume license programs from Open to Enterprise. With the E3 and E5 names Windows will also now be available via CSP as Software-as-a-Service, with some caveats.
So if E3 is the same, what’s in E5 and do you need it?
E5 adds a new security service called Windows Defender Advanced Threat Protection (ATP). This is a cloud service that takes behavioural data from sensors built into Windows 10 and provides insights, detections and recommended responses. No matter what anti-malware product is installed on a PC, it’s only as good as the known threats it has been designed to block, the ATP service looks at behaviour and reduces the impact of a compromise either of a device itself or a user interaction.
While this can work with third party anti-malware tools, it can also be used to provide a complete Microsoft security system, effectively allowing replacement of other vendors as designed to integrate with the built-in Windows Defender anti-malware in Windows 10.
What are the key features of Windows Defender Advanced Threat Protection (ATP)?
- Designed to protect physical endpoints, limited use with Virtual desktops
- Only supports Windows 10 Pro or Enterprise, so E5 is no use until Windows 10 is your primary OS
- Requires Azure Active Directory as this is how users are assigned to the service
- Can be used with either built-in Windows Defender, or Third Party Anti-malware (Not both)
- ATP data stored in either USA or Europe
- SIEM compatibility: Splunk or HP ArcSight
- Configure endpoints via Group policy, SCCM or Intune
How is Windows Enterprise E3 or E5 licensed (except CSP – see below)?
- Device upgrade license from OEM Pro Operating system of Win 7 or above (XP Pro / Apple or above for some agreements)
- OR User Subscription, allowing install on unlimited devices, User must have a primary device with OEM Pro OS of Win 7 or above
- Installation method unchanged, MLK or KMS key
- Access to virtual desktops
- Run on USB with Windows to Go
- Downgrade rights
How is Windows E3 or E5 licensed via CSP?
CSP, which stands for Cloud Solution Provider, is a way of purchasing Windows Enterprise via Software-as-a-Service with monthly billing for SMB customers. While you get the same Windows 10 Enterprise software as on any other licensing agreement, CSP does not provide software assurance benefits, so you get the latest version of Windows Enterprise for installation on a physical device, but no virtual access rights, or rights to run on a USB key via Windows to go.
- User Subscription limited to 5 devices upgrade from Windows 10 Pro only, or 10 Enterprise not under SA
- Installation via Azure Active Directory only
- No Virtual desktop rights, Windows to Go rights, or downgrade rights.
- Current Branch or Current Branch for Business only, no LTSB
Lastly, what about MDOP?
Microsoft Desktop Optimization Pack (MDOP) is a suite of utilities for Microsoft Windows customers who have subscribed to Software Assurance (SA). According to Microsoft MDOP aims at bringing easier manageability and monitoring of enterprise desktops, emergency recovery, desktop virtualization and application virtualization.
Two of the features of MDOP are now built-in to Windows Enterprise as of the August 2016 Anniversary update, APP-V and UE-V so these are available to E3/E5 customers on all programs. The other components of MDOP (MED-V, AGPM, MBAM and DaRT) remain strictly as benefits for SA subscribers so are not available to CSP customers.
In the rare instances of customers using MDOP to manage Windows Pro installations note that APP-V and UE-V will no longer be supported on Pro installations with the August 2016 anniversary update installed.
Hopefully this post has provided some clarification on the differences between the two newly branded versions of Windows 10 for the enterprise and offered some guidance on the licensing options available. If you would like a more specific recommendation for licensing Windows in your organisation, feel free to get in touch.