Microsoft & Bromium Make Windows 10 Most Secure Endpoint Available

There was some very interesting news last week at the Microsoft World Partner Conference (WPC). Bromium and Microsoft announced a strategic partnership: Microsoft is now endorsing Bromium micro-virtualization and is aligning with Bromium in adopting a security architecture based on isolating critical information on the endpoint in Windows 10. The combination of Bromium and Windows 10 results in the most secure PC available today. You can read all about it in “Bromium Partners to Bring Micro-virtualization to Windows 10”.

Bromium has been around for a while and I have always liked the concept. Instead of trying to aim for a 100 percent secure system, they acknowledge this is impossible. This means they realize that systems will get malware, zero-day exploits, etc. Trying to provide complete protection is impossible. Try and you will fail. This means that we can play with a popular saying and state that “failure is not an option. It’s a certainty”.

Just like any secured system, a ship for example, the idea is to accept that there will be unavoidable breaches. To mitigate the risk you need to minimize the impact of these breaches. That’s what the watertight doors, the compartmentalization and the isolation in ships are for. Banking on a 100% success rate in avoiding breaches is just unrealistic. Bromium uses this same concept.

When breached, it limits the damage to a small and isolated environment. A temporary environment for that matter, which is something ships can’t do. Bromium runs every process on the machine in a hardware-isolated micro VM, which is based on hardware virtualization technology (minimally VT-x or AMD-V).


Figure courtesy of Bromium

This goes pretty far. The isolation is not at the level of the internet browser or the e-mail client: every tab and every e-mail you open is isolated this way. If your browser tab gets compromised by a zero-day exploit, the infection and damage are limited to that browser tab. The same goes for an e-mail message or a Word document. All your other documents, browser tabs and Word documents are protected. You get the idea. Even better, when you close that Word document or browser tab, the isolated micro VM in which it existed disappears together with the infection.

Figure courtesy of Bromium

This fits in well with Microsoft’s own initiatives. Windows 10 already leverages hardware security features such as UEFI Secure Boot, a Trusted Platform Module (TPM) and virtualization to provide a more secure computing environment. Windows Server 2016 leverages the combination of hardware technologies and the hypervisor to create a “Virtual Secure Mode” (VSM) to deliver shielded virtual machines.
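The hardware features named above (VT-x/AMD-V, UEFI Secure Boot, TPM, virtualization-based security) can be inventoried per endpoint before planning a rollout. The script below is an added example, not code from Bromium or Microsoft; the function name and output field names are hypothetical, and it assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example: report the hardware security prerequisites discussed above.
# Function and field names are hypothetical. Run elevated on the endpoint.
function Get-EndpointIsolationReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    # Get-Tpm requires elevation; on failure we report the TPM as absent.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }

    # The DeviceGuard WMI class is only present on builds that support
    # virtualization-based security, so a missing class is not an error here.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsNames = @{ 0 = 'Off'; 1 = 'Configured, not running'; 2 = 'Running' }
    $vbs = if ($dg) { $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus] }
           else     { 'Not available' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        HypervisorPresent      = [bool]$cs.HypervisorPresent
        VirtualizationFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
        VmMonitorExtensions    = [bool]$cpu.VMMonitorModeExtensions
        Slat                   = [bool]$cpu.SecondLevelAddressTranslationExtensions
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresent             = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady               = [bool]($tpm -and $tpm.TpmReady)
        VbsStatus              = $vbs
    }
}

$report = Get-EndpointIsolationReadiness
$report | Format-List

if ($report.HypervisorPresent) {
    # With a hypervisor already loaded, the CPU virtualization fields can read False.
    Write-Warning 'A hypervisor is running; read the CPU virtualization fields with that in mind.'
} elseif (-not $report.VirtualizationFirmware) {
    Write-Warning 'Hardware virtualization (VT-x/AMD-V) is not enabled in firmware.'
}
```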

While nothing is perfect, it is an interesting approach, as it protects against the unknown, isolates, minimizes impact and discards malware infections. It buys time to react and respond in the longer term to threats once they’re known, while providing protection even when they are still unknown. Anti-malware, by contrast, only protects against known threats and is very reactive in nature.

Read more at http://www.bromium.com/products/our-technology.html and have a look at “How does Bromium protect you?”

Windows 10 KMS Client Setup Keys

Windows 10 build 10240 has been released to the Fast Ring. That’s what I’m running on my laptops now. There were heavy rumors yesterday that this is the Release To Manufacturing (RTM) build and the one to be publicly available on July 29th. But there is no hard confirmation on this by Microsoft yet; see “Build 10240 now available for Windows Insiders in Fast and Slow rings”.


“Over the past few days we’ve been preparing our release pipelines and processes, and this build is one step closer to what customers will start to receive on 7/29 …

On Monday we announced that builds from here on will only be available through Windows Update, so to get this one you can either wait and it will be installed automatically.”

Here’s how you prepare to roll it out in your company.

In a previous blog post I wrote about the update you need for your KMS server to be able to activate Windows 10 clients. Read about that in “KB3058168: Update that enables Windows 8.1 and Windows 8 KMS hosts to activate Windows 10”. You can get ready today, you have all you need.

Meanwhile Microsoft has also published the Windows 10 client KMS activation keys, which can be found in “Appendix A: KMS Client Setup Keys”.


Do note this is the key you use when you activate the Windows 10 Client against a KMS server. It is not the KMS license server key. That one you’ll need to obtain from your valid Microsoft licenses.

If you don’t have a KMS, the MAK key option will still be available.

Windows 10 looks set for a great start. DELL has been accepting preorders for a month now (Dell Brings Windows 10 to Life: Pre-order Today) which will be shipped to you on July 29th. Windows 7 owners could already reserve their upgrade via Windows Update. The OEMs and the customers seem ready. I’ve heard of several large deployments in the works, often from organizations still running Windows XP. We’re a Windows 8.1 shop but our new images are being built and will be deployed as the default image via MDT. We won’t let our investment in software assurance go to waste.

Hit me baby one more time or the Faster Fast Ring of Windows 10 Insider Builds

Hit me baby one more time!

This blog is brought to you by Francesco V. Buccoli, a brilliant ex Hyper-V MVP who went blue badge and became a PFE. Why? Because he called me a genius, that’s why!


Here we go again, things are heating up in the last straight track towards RTM of Windows 10. We’re now getting build 10162 right on the heels of build 10159, which basically overran people who were still downloading 10158.

No, this is not some PM in Redmond hitting the publish button by mistake again à la “Oops, I did it again”; it’s with intent and purpose. Deliver an awesome client right from the start.

So far it’s all good. The quality of these latest builds, even during the limited time we get to spend with them, is very good and shows real improvements over the entire line. Windows 10 should be ready for rollout at RTM/GA if the quality is this good and only improves.

We lead, we weren’t born to follow.

Now, go download it already and I’ll quit the cheesy music references.

KB3058168: Update that enables Windows 8.1 and Windows 8 KMS hosts to activate Windows 10

Unless you’re living under a rock you will know that Windows 10 will be available on July 29th 2015. Microsoft has prepared for this by already making an Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a “later version of Windows”. This must mean Windows 10. I do not know if this means that even the versions after Windows 10 will be activated by a KMS server running this update but it might.

Select the version you need for the KMS server or servers you use and install them.


Launch the update by launching Windows8.1-KB3058168-x64.msu


Click “Yes” to install the update


Install the update


Restart the KMS Server


So there you go, you’re ready to start deploying Windows 10 Enterprise edition, which can then be activated by your KMS server when the new client OS is generally available. Good luck.
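After the restart, it is worth confirming that the update is really on the host and that clients will discover only the KMS host you intend. The script below is an added example, not part of the original post or of Microsoft's documentation; the host name, DNS domain and function name are hypothetical, and the client setup key is a placeholder to be replaced with the published key for your edition.

```powershell
# Added example: verify a patched KMS host and its discovery records.
# $KmsHost, $Domain and Set-KmsClientActivation are hypothetical names.
$KmsHost = 'kms01.corp.example'
$Domain  = 'corp.example'

# 1. Is KB3058168 installed on the KMS host?
$hotfix = Get-HotFix -Id 'KB3058168' -ComputerName $KmsHost -ErrorAction SilentlyContinue
if ($hotfix) { "KB3058168 installed on $KmsHost ($($hotfix.InstalledOn))" }
else         { Write-Warning "KB3058168 not found on $KmsHost" }

# 2. Which hosts does DNS advertise for KMS auto-discovery (_vlmcs._tcp SRV)?
#    Any target other than the expected host deserves a closer look.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
foreach ($record in $srv) {
    if ($record.NameTarget -ne $KmsHost) {
        Write-Warning "Unexpected KMS SRV target: $($record.NameTarget):$($record.Port)"
    } else {
        "SRV record OK: $($record.NameTarget):$($record.Port)"
    }
}
if (-not $srv) { Write-Warning "No _vlmcs._tcp SRV record found in $Domain" }

# 3. Is the KMS service reachable on its default port, TCP 1688?
$probe = Test-NetConnection -ComputerName $KmsHost -Port 1688 -WarningAction SilentlyContinue
"TCP 1688 reachable on ${KmsHost}: $($probe.TcpTestSucceeded)"

# 4. Client side: install the KMS client setup key (not the KMS host key),
#    point the client at the host explicitly, activate, then show license detail.
function Set-KmsClientActivation {
    param(
        [Parameter(Mandatory)] [string] $ClientSetupKey,   # e.g. 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' (placeholder)
        [Parameter(Mandatory)] [string] $KmsServer
    )
    $slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
    cscript.exe //nologo $slmgr /ipk $ClientSetupKey
    cscript.exe //nologo $slmgr /skms "${KmsServer}:1688"
    cscript.exe //nologo $slmgr /ato
    cscript.exe //nologo $slmgr /dlv
}
# Not called automatically; run on a Windows 10 client from an elevated session:
# Set-KmsClientActivation -ClientSetupKey '<client setup key>' -KmsServer $KmsHost
```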

Closing note: Don’t even bother posting comments where you ask for KMS Server keys or MAK keys for Windows 10. As I’ve stated before, while it might be more fun to join the pirates we’re the navy and as such we don’t condone piracy. Got it? GOOD!