This year has been a significant year for Microsoft operating systems. In addition to releasing their latest and most powerful server operating system, Windows Server 2022, they have also released the successor to Windows 10. Windows 11 is the new client operating system from Microsoft, and it contains many new features that build on the architecture and legacy of Windows 10.

Windows 11 contains many new features for business users and enterprise organizations that complement the new features found in Windows Server 2022. Let’s consider the top Windows 11 enterprise features and see what capabilities these bring for organizations today.

Top Windows 11 enterprise features

Far from being a simple version upgrade of the existing Windows 10 operating system, Windows 11 is a true successor to Windows 10 with great new architecture at its core and features not found in Windows 10. Let’s consider the following top new features:

  1. Cloud-based management and configuration
  2. SMB over QUIC support
  3. SMB compression
  4. Elevated security across the board
  5. Virtual desktops and Snap Layouts

1. Cloud-based deployment, management, and configuration

One of the top concerns of any new operating system release is the initial deployment of the operating system. Organizations at this point are starting to adopt cloud-based processes. Microsoft has been rapidly developing the hybrid cloud features between Azure and on-premises environments.

With the aggressive move to a hybrid workforce, many organizations have adopted Windows Autopilot for deploying end-user clients to remote workers. Windows Autopilot is a collection of cloud solutions and services used to provision and configure new devices, getting them ready for production use. Autopilot can also be used to reset, repurpose, and recover devices.

Organizations will be happy to know that Microsoft has developed and extended existing components of their cloud-based management architecture to support Windows 11 and enable upgrades from Windows 10 to Windows 11. This allows businesses to continue to use the cloud-based processes they have become familiar with and use these for the management and provisioning of Windows 11.

Windows 11 can be deployed using Windows Autopilot and configured in a ready state with all the applications, settings, and policies. It can also be used to change the editions from Pro to Enterprise if needed. Microsoft Intune has been updated to enroll both Windows 10 & 11 devices.

Using the Windows 11 Readiness Status report, companies can also survey the landscape of existing Windows 10 devices, no matter where these are located, and determine their update readiness status.

Viewing Windows 11 Update Readiness using Microsoft Intune


2. SMB over QUIC Support

Windows 11, in combination with Windows Server 2022, has received many enhancements to Server Message Block (SMB). One of the new features of Windows Server 2022 file servers is SMB over QUIC functionality. What is it? SMB over QUIC provides another means of secure, reliable connectivity to file servers over untrusted networks, a.k.a. the Internet.

SMB has long been a protocol that you never expose to the Internet, making for challenges with file shares and other client-server communications. However, QUIC (Quick UDP Internet Connection) is an IETF-standardized protocol that provides new remote access capabilities to file servers. It is superior when compared to traditional SMB over TCP in terms of flexibility and security. Note the following features:

  • It survives a change in the client’s IP address or port
  • Better congestion control and packet loss recovery
  • It exchanges application data in the first RTT (round trip time)
  • Includes parallel streams of reliable and unreliable application data
  • All packets are encrypted, and the handshake is authenticated with TLS 1.3

Combining SMB and the new QUIC protocol can secure traditional SMB communication without specialized network connections. Microsoft describes SMB over QUIC as an “SMB VPN.” It means remote workers, telecommuters, or other remote access connections can create a TLS 1.3-encrypted tunnel over UDP port 443 instead of TCP port 445. Because all SMB traffic runs inside the secure tunnel, authentication and authorization are not exposed to the Internet. As a result, SMB operates as expected within the QUIC tunnel, and the end-user does not see any difference in behavior.

The Windows 11 client performs the secure handshake and TLS 1.3 connection tunnel to the Windows Server 2022 server using server-side SSL certificates. As shown below, SMB over QUIC is configured using Windows Admin Center.

Configuring file sharing across the Internet with SMB over QUIC

Selecting the certificates for SMB over QUIC

3. SMB compression

Another advancement in Server Message Block (SMB) technology with Windows 11 paired with Windows Server 2022 is SMB compression. SMB compression can significantly bolster the performance of file copies between Windows 11 and Windows Server 2022. It allows users or applications to request compression of files as they transfer over the network. Gone are the days when you first had to “zip” multiple files to save space and time on a network copy.

SMB compression reduces network bandwidth consumption and the time it takes to transfer files between a client and server. It does this at the cost of slightly elevated CPU usage during the compressed transfer. SMB compression benefits low-bandwidth networks, such as a 1 Gbps client connection or a Wi-Fi network.

Note the following specifications related to SMB compression:

  • Supports compression algorithms XPRESS (LZ77), XPRESS Huffman (LZ77+Huffman), LZNT1, or PATTERN_V1*. XPRESS is used automatically
  • Supports SMB signing and SMB encryption
  • Supports SMB over QUIC
  • Supports SMB Multichannel
  • Doesn’t support SMB Direct over RDMA

As noted above, you can use SMB compression in tandem with SMB over QUIC, discussed earlier, to provide the ultimate benefits to remote workers. Remote employees can enjoy the security and flexibility of the “SMB VPN” characteristics of SMB over QUIC along with the space and performance improvements of file copies that have been compressed with SMB compression.

The requirements include:

  • A Windows Server 2022 file server on-premises or in Azure
  • A Windows 11 Insider Preview build
  • Windows Admin Center

Enterprise organizations can also take full advantage of SMB compression on mapped drives. This can be configured as part of a logon script or when run manually using PowerShell or the legacy NET USE command.

Copy tools can also take advantage of SMB compression. Tools such as Robocopy, Xcopy, and others can call the compression parameter to compress traffic.
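The following logon-script function is an added example, not part of the original article. It maps a drive with compression requested, optionally over the QUIC transport described in the previous section, and then reports whether the resulting connection is encrypted and signed. The function name, server name, share, and drive letter are constructed placeholders.

```powershell
# Added example, not from the original article.
# Connect-CompressedShare is a hypothetical helper; the server and share are placeholders.
function Connect-CompressedShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RemotePath,   # e.g. \\fs1.example.test\projects
        [string] $LocalPath = 'P:',
        [switch] $UseQuic                              # UDP 443 tunnel instead of TCP 445
    )

    # Remove a stale mapping first so the new settings actually take effect.
    if (Get-SmbMapping -LocalPath $LocalPath -ErrorAction SilentlyContinue) {
        Remove-SmbMapping -LocalPath $LocalPath -Force
    }

    $mapArgs = @{
        LocalPath              = $LocalPath
        RemotePath             = $RemotePath
        CompressNetworkTraffic = $true                 # request SMB compression
    }
    if ($UseQuic) { $mapArgs.TransportType = 'QUIC' }  # SMB over QUIC (Windows 11 client)

    New-SmbMapping @mapArgs -ErrorAction Stop | Out-Null

    # Touch the share so a live connection exists, then report its security state.
    $null = Test-Path -Path "$LocalPath\"
    $server = ($RemotePath -split '\\')[2]             # \\server\share -> server
    Get-SmbConnection -ServerName $server -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
}

# Replace the placeholder path with a real Windows Server 2022 share before running.
Connect-CompressedShare -RemotePath '\\fs1.example.test\projects' -UseQuic

# Legacy and copy-tool equivalents of the compression request:
#   NET USE P: \\fs1.example.test\projects /REQUESTCOMPRESSION:YES
#   robocopy C:\data P:\data /COMPRESS
```

If the mapping fails with -UseQuic, the client could not validate the server certificate or reach UDP port 443; the function stops rather than silently falling back to TCP port 445.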

Using a registry key, enterprise admins can also choose to always compress all traffic:

The new SMB compression capability found in Windows 11 combined with Windows Server 2022 will give organizations new capabilities that have not been available before to maximize network bandwidth and immediately benefit the performance of file transfers across the board.

With the combination of SMB compression with SMB over QUIC, remote workers have the added benefits of SMB secure connections without specialized network hoops to jump through and the added benefit to performance. In addition, low bandwidth networks stand to gain the most benefit from the capabilities of SMB compression.

Organizations that have Edge or ROBO locations with minimal network bandwidth, such as Wi-Fi connections for client-server communications, will see significant improvements to file copy performance.

4. Elevated security across the board

A continually moving target for enterprise organizations today is security. Security remains at the top of the priority list for businesses, especially with high-profile ransomware attacks and data breaches frequently in the news. As a result, companies must continue to implement and use secure platforms and solutions.

Windows 11 is the most secure client operating system from Microsoft to date. With Windows 10, Microsoft introduced quite a few security technologies that brought about tremendous benefits from a security perspective, such as virtualization-based security. However, with Windows 10, many of the recommended security best practices, such as VBS, were not turned on by default.

With Windows 11, Microsoft is taking a much different approach to which protections are turned on by default. Microsoft has enabled the following security settings by default:

  • Virtualization-based security (VBS) – VBS uses hardware virtualization capabilities to create and isolate secure regions of memory from the host operating system. This “virtual secure mode” can be used to store security solutions, giving them further protection from vulnerabilities that may exist in the operating system. In addition, it helps prevent malicious exploits that attempt to defeat protections.
  • Upgraded hardware requirements (installs and upgrades)
      – Trusted Platform Module 2.0 – A notable new requirement gaining much attention with Windows 11 is a TPM 2.0 chip. The TPM chip carries out cryptographic functions and contains tamper-resistant physical security mechanisms to help keep it secure. It is required for BitLocker encryption, which is on by default with Windows 11.
      – Upgraded CPU requirements – The CPU requirements for Windows 11 are CPUs that have primarily been produced in the past four years. Microsoft has made sure that CPUs that are required to take advantage of VBS and other features are part of the upgraded hardware requirements.

  • Secure boot – Blocks malware from loading during PC boot-up, along with BitLocker device encryption
  • HVCI (Hypervisor-protected code integrity) – Based on the capabilities of VBS, HVCI is a memory integrity capability that blocks dynamic code injection attempts by an attacker
  • Container-based isolation for Office apps and Edge Browser – Microsoft is getting smart about how applications run in Windows 11. Now, apps such as Office applications and Microsoft’s Edge browser run inside hypervisor-isolated containers so that zero-day exploits or other attacks have no access to the host. This is made possible with Microsoft Defender Application Guard (MDAG). It uses what’s known as “Krypton” Hyper-V containers that create an isolated memory instance of your browser, preventing enterprise data from being compromised by untrusted websites.
  • Non-guarantee of security updates for unsupported hardware – Microsoft is becoming passive-aggressive about security updates on unsupported hardware running Windows 11. If you bypass the security mechanisms to run Windows 11 on unsupported hardware, Microsoft has said these devices may not be guaranteed to receive updates, including security updates. This new stance helps to emphasize further the need for running the new platform on hardware that supports the required security capabilities.

Organizations upgrading to Windows 11 will receive a better default security stance for their enterprise environments. Coupled with the new security advancements of Windows Server 2022, Windows 11 provides the most secure Microsoft client operating system to date.
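To confirm that a given device actually runs with the protections listed above, the following added example (not part of the original article) queries the state of VBS, HVCI, TPM 2.0, Secure Boot, and BitLocker and lists any that are not active. The function name Get-Win11SecurityPosture is hypothetical; the cmdlets and WMI classes it calls ship with Windows, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not from the original article.
# Run in an elevated PowerShell session on the Windows 11 device being checked.
function Get-Win11SecurityPosture {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports the state of VBS and the services built on it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active
    $hvci = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)

    # TPM readiness comes from Get-Tpm; the spec version from the Win32_Tpm class.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { '' }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

    # BitLocker protection state of the operating system volume.
    $bitLocker = try {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus -eq 'On'
    } catch { $false }

    [pscustomobject]@{
        VbsRunning        = $vbs
        HvciRunning       = $hvci
        Tpm20Ready        = [bool]($tpm -and $tpm.TpmReady -and $tpmSpec -eq '2.0')
        SecureBootOn      = $secureBoot
        OsVolumeBitLocker = $bitLocker
    }
}

$posture = Get-Win11SecurityPosture
$posture | Format-List

# Name every control that is not active so it can be followed up.
$gaps = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($gaps) { Write-Warning ("Not active: " + ($gaps -join ', ')) }
```

Run across a fleet, the output separates devices where the protections are merely supported from those where they are actually running.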

However, as mentioned, taking advantage of the new security advancements of Windows 11 depends on modern hardware that can enable the latest security features. Secure software is not possible unless the hardware it runs on is also secure.

5. Virtual Desktops and Snap Layouts

A couple of new features help users be more productive with the desktop space available to them in Windows 11. Business and power users alike will benefit from the new Virtual Desktops and Snap Layouts features in Windows 11. These features provide the ability to group open windows and applications into more usable and manageable views that help increase efficiency and productivity.

The new Virtual Desktops feature is similar to the functionality found in macOS. With Windows 11 Virtual Desktops, you can create separate Windows desktops customized as you want them for different purposes. For example, you may have a desktop for business applications, one for personal use and applications, and finally, one for gaming.

New virtual desktops are created with the desktop button on the taskbar. If you tap or click the desktop button, you will have a pop-up panel displaying the current desktop and the ability to create additional virtual desktops. You can click the “X” or close button to remove a virtual desktop. You can tap or click the desktop tile you want to interact with to make it active.

Viewing and creating new Windows 11 virtual desktops

Snap Layouts are another new feature that gives users a much easier way to manage their desktop space in Windows 11. They let users “snap” their windows to predefined layout spaces. Hovering over a window’s maximize button or pressing Windows Key + Z reveals the Snap Layout functionality.

When a user clicks a zone defined in the layout screen, the first window is snapped to the layout selected. The “Snap Assist” workflow then asks the user to select additional windows they would like to position in the remaining zones of the Snap Layout.

The Snap Layouts are customized to the current screen size and orientation. Users can also use the Snap Layouts and the new Virtual Desktop functionality to provide multiple virtual desktops, organized with the Snap Layouts defined for each one.

New Snap Layout chooser selected using the Windows Maximize button in Windows 11

The new Snap Layout feature will help enterprise power users quickly and easily organize windows and open applications when multitasking. As a result, it helps to make daily business productivity much more efficient.


Wrapping Up

Windows 11 provides many new features for enterprise organizations meeting the continued challenges of remote work, business productivity, security, etc. Windows 11 is a step forward for enterprise organizations looking to benefit from hybrid connectivity, the latest in security advancements, and empowering users with a better end-user experience.

Windows 11 has been designed to take full advantage of the server-side features in Windows Server 2022. Many of the new features in Windows Server 2022 need Windows 11 to realize the capabilities or see these at all. Organizations need to keep in mind that as they look to take full advantage of Windows 11 or Windows Server 2022 features, they need to be on the native 2022/11 platform to do so.
