Employees who regularly work in the field or travel extensively throughout the year are more likely to opt for a lighter laptop -- and most Ultrabooks do not have a TPM. “The executives are the ones I worry about,” Wisniewski said, as they're the ones most at risk of attack and more likely to be using consumer models.
The hardware isn’t the only barrier to getting started; most organizations will also need to change their infrastructure and processes. Many IT teams don’t currently use UEFI or Secure Boot because both disrupt existing workflows: IT may be concerned about being locked out of computers by Secure Boot, and it’s easier to wipe a machine and load a stock corporate image during setup when Secure Boot isn’t in the way. Likewise, some machines may run critical applications with specific requirements that cannot be upgraded.
Fortunately, Device Guard and Credential Guard don't require an all-or-nothing decision. IT can build a new domain with Device Guard and Credential Guard protections turned on and move into it the users whose machines meet the hardware requirements. The machines that can’t be upgraded can be left in the existing domain. This lets IT maintain a “clean” network with signed policy and protected credentials and focus its attention on the older, “dirty” domains. “Don’t hold the entire network back for just one thing,” Wisniewski said.
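Deciding which machines can move to the protected domain means checking each one for the hardware prerequisites the article lists (a TPM, UEFI with Secure Boot, and a CPU with virtualization support) and for whether virtualization-based security and Credential Guard are already running. The following PowerShell script is an added example, not code from the article, Microsoft or Sophos. It uses only documented cmdlets and CIM classes (Get-Tpm, Confirm-SecureBootUEFI, Win32_Processor, and Win32_DeviceGuard); the property names in the output object and the “meets requirements” rule are this example's own choices, and it assumes an elevated Windows 10 PowerShell session.

```powershell
# Added example (not from the article): per-machine readiness check for
# Device Guard / Credential Guard. Run from an elevated PowerShell prompt.
# Output field names and the final verdict rule are assumptions of this example.

$result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. TPM present and initialized. Get-Tpm needs elevation and throws on
#    machines without a TPM driver, so treat an error as "no TPM".
try {
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
} catch {
    $result.TpmPresent = $false
    $result.TpmReady   = $false
}

# 2. UEFI firmware with Secure Boot enabled. Confirm-SecureBootUEFI throws
#    on legacy BIOS machines, which is itself the answer we need.
try {
    $result.UefiSecureBoot = [bool](Confirm-SecureBootUEFI)
} catch {
    $result.UefiSecureBoot = $false   # legacy BIOS, or Secure Boot unsupported
}

# 3. CPU virtualization extensions and SLAT, required for virtualization-
#    based security. Note: VirtualizationFirmwareEnabled reads $false once a
#    hypervisor is already running, so check HypervisorPresent as well.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$result.HypervisorPresent     = [bool]$cs.HypervisorPresent
$result.VirtualizationEnabled = [bool]$cpu.VirtualizationFirmwareEnabled -or $result.HypervisorPresent
$result.SlatSupported         = [bool]$cpu.SecondLevelAddressTranslationExtensions

# 4. Current VBS / Credential Guard / HVCI state from the DeviceGuard CIM class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$result.VbsStatus = $dg.VirtualizationBasedSecurityStatus
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
$result.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
$result.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)

# 5. Verdict used to decide which domain the machine belongs in. Machines that
#    fail stay in the existing domain; the rest are candidates for the
#    "clean" domain with Device Guard and Credential Guard policy applied.
$result.MeetsHardwareRequirements = $result.TpmReady -and $result.UefiSecureBoot -and
    $result.VirtualizationEnabled -and $result.SlatSupported

[pscustomobject]$result
```

To survey a fleet, wrap the script in a script block and run it over a list of hostnames with Invoke-Command, then filter on MeetsHardwareRequirements. Treat a result of TpmReady = $false on a machine that does report TpmPresent = $true as a configuration problem (the TPM usually just needs to be initialized or cleared in firmware), not as a hardware gap.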
Few enterprises believe the current state of enterprise Windows security is acceptable. Device Guard and Credential Guard actually offer a way forward, albeit one that demands a substantial investment. With Windows 10, “Microsoft is telling enterprises, ‘If you want good technology you need to do security [our way],’” Wisniewski said. Time will tell whether enterprises are willing to follow that path.