But to get this Credential Guard protection for enterprise credentials, you won't just need Windows Enterprise running on PCs with hardware virtualization and a TPM; you'll also need to move your domain controller to Windows Server 2016.
You'll also need to plan ahead to use Windows Passport, the Fast Identity Online (FIDO)-compliant next-generation credentials in Windows 10. These can be certificates distributed through an existing Public Key Infrastructure or key pairs generated by Windows itself; they're stored securely in the TPM and unlocked with biometrics or a PIN (or a picture password). Each device can be enrolled using a smartcard or a one-time password, so the PC itself becomes a second factor for authentication, or you can use a Bluetooth- or Wi-Fi-connected phone to authenticate multiple other devices for a user.
You can set the PIN length and complexity (up to 20 characters, including upper- and lower-case letters, symbols and spaces as well as numbers) by policy, and you can have separate PIN requirements for enterprise credentials, which you can wipe without affecting consumer ones.
In the longer term, many sites and online services are expected to adopt FIDO-compliant credentials, but you can start using Passport with your own line-of-business apps and services. It will work with any well-designed application, Hallum says: "every app should be able to take advantage of this unless you've done something that is not best practice, like the app forcing the user to type in their username and password instead of using Windows to prompt for a password." But again, you will need Windows Server 2016 and either Azure Active Directory or some updates to your own AD infrastructure.
If you do choose Azure AD, you can use it to provision the built-in Mobile Device Management (MDM) client in Windows 10, setting up single sign-on to domain resources and a wide range of cloud services as soon as employees set up their PCs. Microsoft Intune is the first MDM service that can manage Windows 10 devices, but Microsoft is working with other MDM suppliers to add Windows 10 support. MDM lets you set access-control policies based on where someone is logging in from, whether their device is healthy and in compliance, and how sensitive an application is, in addition to the usual user roles and group settings that define access restrictions.
If you want even greater control over what can run on a device, look for PCs with the new Device Guard option. This requires BIOS and UEFI lockdown by the OEM, so you need to buy hardware that's ready for it, but you'll be able to limit exactly what software those PCs can run. That includes apps from the Windows Store (both desktop and Universal apps), chosen apps from software vendors, your own apps that you upload to the Store, and software that you sign locally using a certificate that chains up to Microsoft. As long as those signing certificates are well protected by enterprises and software vendors, this should help keep malware off your most critical devices.
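Building a Device Guard code integrity policy of the kind the paragraph describes, as an added PowerShell example that is not from the article or from Microsoft's documentation: it scans a reference PC that already has the approved software installed, starts in audit mode, and reviews what would have been blocked before enforcing. The folder paths and the decision to audit first are assumptions.

```powershell
# Added example (not from the article): build a Device Guard code integrity
# policy on a reference ("golden") PC, start in audit mode, and review what
# would have been blocked. Paths are assumptions for illustration.
Import-Module ConfigCI

$policyXml = 'C:\CIPolicy\DeviceGuardPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'

# Scan the reference PC and allow anything signed by the publishers found on it.
# -UserPEs includes user-mode binaries, not just drivers; -Fallback Hash covers
# unsigned files so they are not silently dropped from the policy.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath $policyXml

# Option 3 = "Enabled:Audit Mode": violations are logged, not blocked. Run this
# way first; a blocking policy built from an incomplete scan can stop
# line-of-business apps from launching on every device it reaches.
Set-RuleOption -FilePath $policyXml -Option 3

# Convert to the binary form that the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# After deploying the binary, review audit events before switching to enforcement.
# Event 3076 in the CodeIntegrity operational log records a file that would
# have been blocked had the policy been enforced.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message -First 20

# Once the audit log is clean, drop option 3 and rebuild the binary to enforce:
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

Each signer the scan trusts becomes a line of defence only as long as that vendor's signing key stays protected, which is the caveat the paragraph raises.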