With Windows 10 available, many organizations are considering upgrading. There are a lot of reasons to consider upgrading to Windows 10 and if you’re interested in learning more please visit: https://technet.microsoft.com/en-us/library/dn986867(v=vs.85).aspx
If you’re interested in learning more about the Windows 10 Roadmap for Business please visit: https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap
First I’ll walk through the registration of a Windows 10 device with Azure Active Directory (Azure AD), then I’ll walk through setting up Windows Store for Business (WS4B). After that, I’ll open the Windows Store from a Windows 10 device, which is where the private business store appears.
During the setup process, users (if you’re not deploying with MDT or System Center Configuration Manager for automated deployment) choose how they’ll authenticate: they can either perform a traditional domain join or join Azure AD.
To learn more about the differences between domain join and Azure AD join please visit: https://blogs.technet.microsoft.com/ad/2016/02/17/azure-ad-domain-join-windows-10/
If your devices are Azure AD joined and you maintain an AD forest on premises, then you’ll be interested in learning how to write back the device objects to Active Directory on premises.
For more information on writing back device info to Active Directory please visit: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-feature-device-writeback/
There’s also the ability to have Windows devices automatically register with Azure AD as they’re domain joined. Links about automatic device registration across the various Windows OS versions are below:
- Automatic device registration with Azure Active Directory for Windows domain-joined devices: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-automatic-device-registration/
- Windows 10: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/
- Windows 8.1: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-automatic-device-registration-windows8_1/
- Windows 7: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-automatic-device-registration-windows7/
- Configuring a federation server with Device Registration Service: https://technet.microsoft.com/library/dn486831.aspx
- Workplace join: https://technet.microsoft.com/en-us/library/dn280945.aspx
Joining a Windows 10 Device to Azure Active Directory
One of the advantages of joining devices to Azure AD is single sign-on (SSO). In traditional domain-joined environments this is typically provided by a federated identity provider (e.g. Active Directory Federation Services, or ADFS). When devices are joined directly to Azure AD, the direct benefit is SSO to cloud applications such as Office 365 and other SaaS applications that have a federated trust directly with Azure AD.
Let’s walk through how to join a device to Azure AD. The following walks through the OOBE (out-of-box experience); however, devices that are already set up can be joined as well.
Note: if the device is already domain joined, refer to the links above for device writeback and registration.
Install Windows 10 and, after Windows 10 has completed the setup process, select “Join Azure AD”:
Type in a user name and password (make sure the user is licensed for Intune or EMS via the O365 admin portal). Select “Sign in” to enroll the device with Azure AD:
Once registration is complete I’m asked to set up a PIN:
PIN setup process
There are three methods to verify your identity via Multi-Factor Authentication. Select the method that best suits your needs. I chose to use the Mobile App.
Download or open the Azure Authenticator app on iOS, Android, or Windows Phone and scan the QR code or use the code provided:
Because I used the mobile app, Azure Authenticator has now registered the account:
Back on the Windows 10 device, once the QR code has been scanned (or the code entered) and the account is registered with the Azure Authenticator app, the Next button lights up. Select Next.
Select how you’d like to authenticate; I chose to receive a notification on my phone (via the Azure Authenticator app):
On my phone, I select “Verify” to complete the process:
Lastly I need to select a country and enter my phone number and select Next:
Now I’m asked to provide a PIN:
After a PIN is entered I’m logged into the device under the Azure AD credentials I registered with:
To prove I’m logged in as an Azure AD registered user, I open a command prompt and type in “whoami” without quotes:
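As an added check that is not part of the original post, the following PowerShell goes a step beyond whoami and reads the device’s join state from dsregcmd /status, so you can confirm AzureAdJoined, DomainJoined and WorkplaceJoined without relying on the account name alone. The function name Get-AadJoinState is mine; the script assumes dsregcmd.exe is present (it ships with Windows 10) and that it runs in the session of the user you want to inspect.

```powershell
# Added example, not from the original post: summarize the device's Azure AD
# join state from `dsregcmd /status` and report the signed-in user.
# Assumptions: dsregcmd.exe is available (it ships with Windows 10) and the
# script runs as the interactive user whose session is being checked.

function Get-AadJoinState {
    # Capture the text output of dsregcmd; it throws if the tool is missing.
    $raw = & dsregcmd.exe /status 2>&1

    # Status lines look like "  AzureAdJoined : YES"; collect key/value pairs.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined   = ($fields['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($fields['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($fields['WorkplaceJoined'] -eq 'YES')
        TenantName      = $fields['TenantName']   # absent when not Azure AD joined
        DeviceId        = $fields['DeviceId']     # absent when not Azure AD joined
    }
}

$state = Get-AadJoinState
$state | Format-List

# Plain whoami (the author's check): an Azure AD account shows as AzureAD\<name>.
"whoami reports: $(& whoami.exe)"

# whoami /upn prints the user principal name; it fails for a local account.
$upn = & whoami.exe /upn 2>$null
if ($upn) { "Signed in as: $upn" } else { "Signed in with a local account (no UPN)." }

if (-not $state.AzureAdJoined) {
    Write-Warning "Device is not Azure AD joined; Intune auto-enrollment via Azure AD join will not apply."
}
```

Run it from a normal (non-elevated) PowerShell prompt as the logged-on user; a device that is both DomainJoined and AzureAdJoined is the hybrid state that the device writeback and automatic registration links above describe.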
On the backend, my device auto-registers with Microsoft Intune for mobile device and application management. Intune will also deploy the policies I’ve configured, such as Windows Update, Windows Defender, Enterprise Data Protection, OS Upgrade, and so on.
For example, the following are the Windows Defender settings from the same device I registered. As you can see, the settings are grayed out because my Intune policy was deployed to the device:
What about group policies?
If the device is enrolled and managed by Intune, I recommend sticking with Intune policies. However, if there are group policies that your organization already uses, then the more restrictive policy (whether from Intune or GP) will always take precedence. The Intune admin console will point out any conflicts as well.
Windows Store for Business
What is Windows Store for Business?
With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well as private Line-of-Business (LOB) apps.
Source and more info: https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview
Now that I have my Windows 10 device registered with Azure AD (and enrolled with Intune), let’s take a look at the Windows Store for Business.
Navigate to: http://www.microsoft.com/en-us/business-store and either sign up or sign in with your organizational account.
The first thing I do is connect WS4B to Microsoft Intune. To connect the services, select Settings and then Management Tools:
Select “Add a management tool”
Search for Microsoft Intune and select Microsoft Intune from the list:
Microsoft Intune will be added and activated:
Adding Applications
Select “Shop” in WS4B to view and add applications. This is very similar to a volume purchase program (VPP):
Select an app to add, in my case I selected Foxit MobilePDF. Then select “Get the app” – other apps have online and offline options that you can select as well.
The distribute screen will open with a few options to select from, as shown below. I chose to assign the app to people, in this case an “All FTE” group I created in O365. Once you’ve selected an option, select “Confirm” to add the app to the WS4B inventory.
Now I’m taken to the WS4B inventory page where all of the apps added may be seen and modified. Select an app to see who it’s been assigned to.
Intune Volume Purchase Program (VPP)
Let’s move over to the Intune admin portal to view the VPP apps added by WS4B. After I log into Intune I select APPS, then Volume-Purchased Apps. Here’s a brief list of some of the apps that came over from WS4B:
Windows Store for Business on the Windows Client
Let’s now look at where to access applications in the private store. To view the published apps search for or open the Windows Store on a Windows 10 machine (I’m using the device joined with Azure AD). From there you’ll see a list of tabs and on the far right there’s a new tab for WS4B as shown below:
In my environment I select “Contoso cbcloudmobility” and see the following apps I’ve published so far:
When I select Sway, I’m provided an option to install:
If you’re wondering whether LOB apps can be published, the answer is yes. From the WS4B portal select “Manage” and then “New LOB Apps”; from there you can go to the LOB Publishers page to invite publishers.
More details here: https://technet.microsoft.com/library/mt606952%28v=vs.85%29.aspx
This concludes the walk-through of registering a Windows 10 device with Azure AD and publishing applications via the Windows Store for Business. Try it out to see how it would work for your organization.