9 Oct.

Microsoft 365 Business Part 4 – Office 365 Business Deployment

In the earlier posts in this series we covered Windows 10 Business, Azure Active Directory and Windows AutoPilot, and now we move over to the deployment of Office 365 Business. In the last post on Windows AutoPilot we saw that this gets installed automatically as part of the Azure Active Domain Join and autoenrollment into Intune, and today we’ll take a look at enabling this deployment, as well as what is going on behind the scenes with Intune.

From the Microsoft 365 Portal we choose Manage Office deployment.

First of all, we need to select who to assign this to. We will keep this simple today by using the inbuilt groups, rather than doing more selected targeting.

In this case we have the All Users group, but if we had more groups created they would appear here.

Select All users

A couple of things to highlight here – first of all that this is targeting Intune enrolled devices. How can we tell? Because we are doing an automated application installation, as opposed to just applying policies to an already installed application. The second point is that we only have the options to Install Office as soon as possible, which I have highlighted, or to Uninstall Office.

Take a second to review the changes.

And then we can close the window. That’s it. If you’ve previously deployed Office 365 desktop apps via the Office Deployment Tool or Intune, you probably realise there were a large number of options that you weren’t presented with, so how do you know if the defaults that were selected make sense for you. That’s easy, we can just jump in to the Azure Portal.

After opening the Intune blade, select Apps, and you can see something a little peculiar – the TYPE column for the Office Desktop Suite shows Office 365 Pro Plus Suite (Windows 10). The version of Office that is installed converts to Office 365 Business when it is automatically activated, so don’t worry about the Pro Plus licence not activating against a Business license, this is transparent.

Selecting Office Desktop Suite and then Properties shows us the three pre-configured property areas.

Configure App Suite shows
that we could do select install of the Office suite components, but in this case we want a full install. The second thing to notice here is that we could also have Project and Visio show as installed, but you would need to have purchased and assigned those licences separately. This is not a change you would usually make in the default Office installation settings, instead you would create a new group and target that group instead.

Under App Suite Information we have some prepopulated options, but again the recommendation here is to not change the settings that are in here, instead create a similar Mobile Apps policy but with your required settings.

App Suite Settings is where things really get interesting though, this is where Microsoft 365 Business is making decisions that are designed to be most beneficial across a variety of scenarios – thus the 32 bit installation, Monthly updates, acceptance of the EULA and setting up for single user activation, not shared computer/RDS installation. What other options would we normally see here? Let’s take a look.

Before I explain these options, I need to highlight that I am not editing the base configuration, I’ve just taken a screenshot of a new deployment. As the names of these releases has evolved the names in the drop down have also changed. If you take a look at my earlier post on this topic you can see this. If you need to learn more, take a look at Overview of update channels for Office 365 ProPlus. If you want to get an idea of just how much Office 365 desktop apps change over time, take a look at Office 365 client update channel releases.

The final section, Assignments, shows what we already know, that the All Users group has an install type of Required.

^ Scroll to Top
 30 Sep.

Microsoft 365 Business Part 3 – Windows AutoPilot

Following on from the last post on Azure Active Directory inclusions in Microsoft 365 Business, let’s take a look at the Windows AutoPilot pieces. For full details on Windows AutoPilot take a look at the official documentation.


To start adding enrolling devices into Windows AutoPilot, sign in to the Microsoft Store for Business as an admin and clicking Manage.

Click on Windows AutoPilot Deployment Program.


I already have one device enrolled, but I need to add another device.

I already have the required details for the device in a CSV file, so I begin the process of adding a new device by clicking on Add Devices.


After selecting the file I can Add devices to an AutoPilot deployment group, but I will skip this step.

You can now see the second device listed, but it doesn’t have a Profile assigned.

I begin clicking AutoPilot deployment and then selecting the profile I had pre-created, which skips several of the Out of Box Experience Steps.

You can now see that the policy is applied, which means it’s time to test it out.

Starting up our new Windows 10 Pro device, we don’t need to choose whether the device is a work or school account, I only have to choose some region and keyboard settings. You can see that the company branding, text and naming is brought in to the initial sign in screen.


We can still see the customisations on the password page.

Once entered and verified, Windows OOBE continues.

We are prompted to enter a PIN.

I’ve already enrolled my contact details for Multi Factor Authentication, so I just need to enter the received code here.


The PIN is now entered and confirmed.

And we are ready to go.


As soon as we sign in you can see the desktop customisations provided by Enterprise State Roaming, which was briefly mentioned in yesterday’s post.

If you look at the time here, it’s only one minute after I was able to sign in, and you can see that Office 365 Business Premium is being installed automatically for me as part of the device configuration by Microsoft Intune.

Within another three minutes the installation is complete, which will obviously vary based on connection speeds.

To wrap up, I want to show that under Windows Specifications the Edition has been changed to Windows 10 Business to highlight that this is now a Microsoft 365 Business managed device.


^ Scroll to Top
 28 Sep.

Microsoft 365 Business Part 2 – Azure Active Directory

In the first post of this series I covered the Windows 10 Pro upgrades included in Microsoft 365 Business, today it’s time to discuss the Azure Active Directory components that work alongside Intune to enable Windows 10 Business. I’ll start by posting the components included with the Microsoft 365 Business SKU again.

Third from the bottom you can see Azure Active Directory, and this version is a subset of Azure Active Premium P1, focusing on the required components that allow the Windows 10 management scenarios that are required. These include MDM Auto enrol, more than ten SaaS apps for single sign on in myapps, as well as self service capabilities and enterprise state roaming. We can still open the Azure Active Directory admin center from the Microsoft 365 admin center, and it looks like this.

Looking at the dashboard you can see that this doesn’t offer all of the capabilities of Azure Active Directory Premium P1, but if you do need the extra capabilities such as the additional security reporting, and clicking through the various options will soon give an idea of what is and isn’t included. If you eventually need to add these capabilities, you can easily add the required licenses alongside your Microsoft 365 Business licenses, and below I’ve included some screenshots of what happens in a tenant that has taken more of a mix and match approach.

Starting with a simple view, you can see that I have five different SKUs in this tenant, a mix of enterprise and SMB focused offerings.

In this screenshot I want to highlight the specific naming of the Azure Active Directory SKUs that are include with EMS E5- Premium 1 and Premium 2, as opposed to the Azure Active Directory that is referenced in the first image in this post.

Finally, for comparison, you can see here that because this tenant has AAD Premium, I can see the additional reports, as well as not being prompted to sign up for a trial subscription to AAD Premium.

^ Scroll to Top
 18 Sep.

Microsoft 365 Business Part 1 – Windows 10 Business

As I’m currently preparing some session content for Ignite 2017, I thought I would share some of the pieces I’ll be going through, starting with Windows 10 Business. This raises the question – what is Windows 10 Business, is it another Windows SKU? Rather than think of it as another SKU, the best way to think about it is that it’s Windows 10 Pro when it’s being managed by Microsoft 365 Business. If that’s not clear, think of it as Windows 10 Pro, plus the cloud based management capabilities that Azure Active Directory and Intune provide, including the choice of MAM or MDM based management options. You get to take advantage of MDM auto-enrolment, Windows Autopilot and other capabilities on offer when you start combining these technologies.

At the bottom of the graphic above you’ll see Windows Business listed. What you need to understand here is that this is an upgrade license for PCs that have licensed Windows Pro editions of Windows 7/Windows 8/Windows 8.1 that they haven’t upgraded already. If you had to sit on the sidelines during the Windows 10 upgrade offer and miss out, this is a way of getting the Windows Pro based devices up to date, assuming you didn’t upgrade due to hardware and software compatibility issues that haven’t been resolved.

The online activation via the users Azure Active Directory details is something that also needs to be taken into account. There are no product keys provided for this upgrade, which means the target PC is one that needs to be Azure Active Directory Joined as opposed to traditional on-premises deployment with Windows Server’s Active Directory Domain Services.

From the Microsoft 365 Admin Center you have the links above,

Install upgrade – this takes you to the Download Windows 10 page – https://www.microsoft.com/en-au/software-download/windows10

Share the download link
This creates an email message with the following text…
Create installation media – this also takes you to the Download Windows 10 page – https://www.microsoft.com/en-au/software-download/windows10
Troubleshoot installation – as per the link name, this takes you out to Windows 10 Help.
How do you tell if you running Windows 10 Business? Settings -> System -> About will show you the following.

As a comparison, here’s what it looks like after I enrol a Windows 10 S device in the same tenant, via the same process.

As you can see, because it’s not the Windows 10 Pro SKU, it doesn’t show as Windows 10 Business. I thought I’d throw this in as an introduction to what the Windows 10 Business inclusion isn’t – it’s not a Windows 10 Home or Windows 10 S path to Windows 10 Pro, only the older versions of Windows Pro mentioned earlier in the post. One of the topics I’ll cover in an upcoming post is Upgrade Readiness Solution in OMS, which can help to identify potential issues that previous operating systems and installed applications might have during or after the upgrade process.



^ Scroll to Top
 7 Aug.

Updates to WSUS/WU Dual Scan on Windows 10 1607

One of the scenarios I’m often asked about at the events I’m involved with is “why are my Windows 10 clients going to Windows Update instead of WSUS?”, and previously I’ve pointed people to the Demystifying “Dual Scan” post from the WSUS Product Team Blog. They’ve just put up a new post Improving Dual Scan on 1607 which is being released as part of the August cumulative update.

This update is also being rolled into 1703, and is already part of 1709.  Right now the support is for Group Policy, with MDM support coming later this year.  Jump to their blog post to get the full details of this update, but here’s their description of how dual scan works with this policy…

In order for Dual Scan to be enabled, the Windows Update client now also requires that the “Do not allow update deferral policies to cause scans against Windows Update” is not configured. In other words, if this policy is enabled, then changing the deferral policies in a WSUS environment will not cause Dual-Scan behavior. This allows enterprise administrators to mark their machines as “Current Branch for Business,” and to specify that feature updates should not be delivered before a certain amount of days, without worrying that their clients will start scanning Windows update unbidden. This means that usage of deferral policies is now supported in the on-premises environment. While the new policy (dubbed “Disable Dual Scan”) is enabled, any deferral policies configured for that client will apply only to ad hoc scans against Windows Update, which are triggered by clicking “Check online for updates from Microsoft Update”

They then go on to discuss five of the common update management scenarios, and how they should be updated for use with this policy…

Windows updates from WU, non-Windows content from WSUS

Windows updates from WSUS, blocking WU access entirely

Windows updates from WU, not using WSUS at all

Windows updates from WSUS, supplemental updates from WU

Windows updates from Configuration Manager, supplemental updates from WU


^ Scroll to Top
 3 Aug.

Updated Windows 10 Deployment and Management Lab Kit available

One of my favourite download recommendations for those looking into Windows 10 deployment and management scenarios is the Windows 10 Deployment and Management Lab Kit. This set of downloadable virtual machines comes in at just under 32GB, and this update includes some major updates to the included components and scenarios for testing.

The Windows 10 Deployment and Management Lab Kit provides you with a hands-on lab environment for evaluating the latest Microsoft products and tools available for managing your Windows 10 deployment. The kit includes:

Lab environment

The lab includes the latest evaluation versions of:

  • Windows 10 Enterprise, Version 1703 (Creators Update)
  • System Center Configuration Manager, version 1702
  • Windows Assessment and Deployment Kit for Windows 10, version 1703
  • Microsoft Deployment Toolkit (8443)
  • Microsoft Application Virtualization 5.1
  • Microsoft BitLocker Administration and Monitoring 2.5 SP1
  • Windows Server 2016
  • Microsoft SQL Server 2014

Step-by-step lab guides

Illustrated lab guides take you through multiple deployment and management scenarios:

Deployment and Management

  • In-Place Upgrade
  • Image Creation
  • Lite-Touch Deployment
  • Zero-Touch Deployment
  • BIOS to UEFI Conversion
  • Enterprise State Roaming
  • Enterprise Client Management
  • User Experience Virtualization
  • Managing Windows 10 with Configuration Manager
  • Windows 10 Provisioning
  • Microsoft Store for Business
  • Device Onboarding


  • Windows App Certification Kit
  • Windows Analytics – Upgrade Readiness
  • Browser Compatibility
  • Application Virtualization
  • Desktop Bridges


  • Microsoft BitLocker Administration and Monitoring
  • Secure Host
  • Credential Guard
  • Device Guard: User Mode Code Integrity
  • Windows Information Protection
  • Windows Defender Advanced Threat Protection
  • Remote Access (VPN)


English (United States)


The lab kit consists of two self-extracting zip files: the lab environment and the lab guides.

Carefully read the information below before you continue with the download.

Windows 10 Deployment and Management Lab Kit system requirements

The lab supports the 64-bit editions of Windows 10 and Windows Server 2016. It must be imported to set up a lab once Hyper-V is installed.

The Hyper-V Host on which the Windows 10 PoC Lab needs to be imported must meet the following minimum specifications:

  • Hyper-V role installed
  • Administrative rights on the device
  • 300 gigabytes of free disk space
  • High-throughput disk subsystem
  • 32 gigabytes of available memory
  • High-end processor for faster processing
  • An External virtual switch in Hyper-V connecting to the external adapter of the host machine for internet connectivity named External 2
  • A Private virtual switch in Hyper-V for private connectivity between the virtual machines named HYD-Corpnet

The required hardware will vary based on the scale of the provisioned lab and the physical resources assigned to each virtual machine.

Lab expires September 14, 2017. A new version will be published prior to expiration.

Things to Know

This lab kit contains evaluation software that is designed for IT professionals interested in evaluating Windows 10 deployment and management products and tools on behalf of their organization. We do not recommend that you install this evaluation if you are not an IT professional or are not professionally managing corporate networks or devices. Additionally, the lab environment is intended for evaluation purposes only. It is a standalone virtual environment and should not be used or connected to your production environment.

^ Scroll to Top
 20 Jul.

Inspire 2017 Windows 10 And Devices Session Recordings

Following up from the last post on Inspire’s EMS session recordings, this post includes the links to the recorded sessions for Windows 10 as well as some of the devices sessions.

ODR07p-R Reduce customer TCO and stay profitable with Windows

With pressure to reduce costs, customers are increasingly looking to optimize and reduce spend in hardware and line items around deployment, management, and support. Join us to hear how Windows 10 enables customers to cut costs without putting your profitability at risk.

Watch Video

ODR04p-R How to accelerate your device sales with intelligent investments

Come hear partner success stories for maximizing investments, and learn how to utilize key levers to help grow your business, such as the new ProWins incentives, Device Deployment, Device Days, benefits of shifting to Electronic Software Distribution (ESD), digital marketing resources, and more!

Watch Video

WIND03 Building better business opportunities with Microsoft Devices Partner Programs

In working with partners to land the premium position and value of Microsoft devices, we have captured the key learnings that are working in market to build into new and existing devices partner programs and resources to enable partners to capitalize on customer opportunities in the year ahead.

Watch Video

WIN04p Windows 10 S for commercial customers: Start focused and expand in the future

We just announced Windows 10 S and even though its initial focus is for the education sector there are scenarios in commercial customers where it provides great value, and these scenarios will only increase in the future.

Watch Video

WIN08 Detect and respond to advanced and targeted attacks with Windows Defender ATP

Windows Defender Advanced Threat Protection (WD ATP) enables enterprises to detect, investigate and respond to attacks on their networks. Organizations can address post-breach situations to determine the scope of breach and bring the organization back to a pre-breach state using threat intelligence.

Watch Video

WIN09 Windows in CSP: What’s new, what’s coming, and why you should include Windows in your managed service offerings

An overview of the current and upcoming Windows in CSP offerings plus best practices for delivering Windows as a partner managed service.

Watch Video

WIN11p Selling the value of Windows Enterprise 10 to commercial customers

Windows 10 Enterprise will continue to be an important part of how we go to market with Secure Productive Enterprise. There are several new and updated tools available to partners to support the sales of Windows 10 and Secure Productive Enterprise. These are presented during the session.

Watch Video

WIN13 Accelerate Windows Pro devices sales

In this session, hear the latest program information, along with changes to the ProWins Program starting in FY18.

Watch Video

WIN14p What’s new in Windows 10 security: Raising the bar of security once again with the Creators Update

Disrupting the current generation of cyber-threats requires a platform with revolutionary security capabilities and the Windows 10 Creators Update rises to the occasion. We also cover how Windows 10 security capabilities join those in Office 365, our Server & Tools products, and Microsoft Azure.

Watch Video

WIN08 Detect and respond to advanced and targeted attacks with Windows Defender ATP

Windows Defender Advanced Threat Protection (WD ATP) enables enterprises to detect, investigate and respond to attacks on their networks. Organizations can address post-breach situations to determine the scope of breach and bring the organization back to a pre-breach state using threat intelligence.

Watch Video

WIN09 Windows in CSP: What’s new, what’s coming, and why you should include Windows in your managed service offerings

An overview of the current and upcoming Windows in CSP offerings plus best practices for delivering Windows as a partner managed service.

Watch Video

WIN15 Reinventing services around the modern desktop with Windows Analytics

GSI and partners are looking for potential opportunities to collaborate with Microsoft and Windows 10 as part of the big deployment process happening worldwide. Learn about the AppCompat readiness process to create transformational consulting services and business applications for Windows 10.

Watch video

^ Scroll to Top
 19 Jul.

Inspire 2017 Enterprise Mobility + Security Session Recordings

Following up from the last post on Inspire’s Microsoft 365 session recordings, this post includes the links to the recorded sessions for Enterprise Mobility + Security as well as some of the standalone components.  I had a chance to see a couple of these in person, including the sessions by @vladpetrosyan and @markmorow and had a chance to catch up with some of the other presenters in the expo hall between sessions.

CE400 How to take your security practice to the next level: Partner programs and resources

Join our Mobility + Security team to hear best practices adopted for using the Microsoft Secure message to get buy-in from senior decision makers, options for landing the value propositions for EMS, accelerate security sales and generating revenue during each stage of this process.

Watch Video

CE411p Identity-driven security through conditional access

Conditional access provides the control and protection needed to keep corporate data secure, while giving teams an experience that allows them to do their best work from any device. Allow or block access or challenge users with multi-factor authentication, device enrollment, or password change.

Watch Video

CE412p Secure your complete data lifecycle using Azure Information Protection

Data is traveling to more locations than ever. It’s hard to identify sensitive data and protect it against accidental or malicious breaches. Learn how classifying, labeling and protecting data using Azure Information Protection can help you secure data throughout its complete lifecycle.

Watch Video

CE413p Protect your network from malicious attacks with Microsoft Advanced Threat Analytics

Inside-out security is necessary with our current mobile and connected workforce, and having eyes and ears on your network will help your customers be prepared. Microsoft Advanced Threat Analytics uses behavioural analytics, machine learning, and deterministic detections to detect advanced threats.

Watch Video

CE414 Identity-driven security

As organizations adopt cloud and mobile technology, identity is more critical to cybersecurity than ever before. In this session, we look at how Microsoft identity-based security solutions work together for a holistic approach to protection.

Watch Video

CE415 Managed mobile productivity

Protecting corporate data is one of IT’s biggest challenges. Enterprise Mobility + Security (EMS) helps to overcome your data protection challenge, access resources on any device, anywhere and simplify management of your enterprise mobility management needs.

Watch Video

^ Scroll to Top
 19 Jul.

Inspire 2017 Microsoft 365 Session Recordings Available Now

Last week at Inspire 2017 Microsoft announced the Microsoft 365 suite offerings. For those of you who weren’t at the event, or were at the event but missed some of the sessions, many of the session recordings are available for watching now.

WIN01 Grow your business with Modern IT

As businesses seek to transform their products, tools, and operations, they need a world class platform built for the digital economy. Windows 10, Office 365, and Microsoft Enterprise Mobility + Security enable IT to deliver cloud-powered modern IT, advanced security, and more productive experiences

Watch Video

WIN05p New, integrated Office 365 and Windows solution for small and midsize businesses delivers more value, and streamlines CSP managed service offerings

Microsoft innovation delivers new value for your small and midsize business customers and fresh opportunities to expand your CSP practice. Learn about the new, comprehensive offering that enables you to help organizations be more productive and less vulnerable to security threats.

Watch Video

WIN16 New, integrated Office 365 and Windows solution for small and midsize businesses delivers more value, and streamlines CSP managed service offerings

Microsoft innovation delivers new value for your small and midsize business customers and fresh opportunities to expand your CSP practice. Learn about the new, comprehensive offering that enables you to help organizations be more productive and less vulnerable to security threats.

Watch Video

OFC01 Extend your portfolio and profit potential with Microsoft 365 Business: a new, integrated solution for small and midsize businesses

Get ready to deliver Microsoft 365 Business for your small and midsize business customers. This offering harnesses the leading capabilities of flagship products in a single solution that enables customers to be more productive while protecting their data on virtually any device.

Watch Video

OFC02 Microsoft 365 Enterprise: a single, trusted solution to grow your managed services practice

Enterprise Mobility + Security—you can deliver one solution that empowers staff productivity while enabling organizations to meet security and compliance mandates. Understand the value and opportunities for your valued-added services.

Watch Video

OFC03 Microsoft 365 Business for small and midsize businesses delivers more value, streamlines CSP managed service offerings

Microsoft innovation delivers new value for your small and midsize business customers and fresh opportunities to expand your CSP practice. Learn about the new, comprehensive offering that enables you to help organizations be more productive and less vulnerable to security threats.

Watch Video

OFC06 Microsoft Workplace Analytics: Deepen engagement, improve productivity, win deals

Office 365 Workplace Analytics transforms digital exhaust into actionable insights that enable managers to maximize their organizations’ time and resources. Discover how Workplace Analytics enhances businesses and helps partners win deals by enhancing their existing solution sets.

Watch Video

^ Scroll to Top
 17 Jul.

New Office 365 Desktop Application Deployment Capabilities In Microsoft Intune

Over the last couple of months we’ve seen different ways of deploying Microsoft Office 365 Pro Plus to Windows 10 PCs, first up we saw the option inside of Intune for Education, and then last week at Inspire we saw how this works from the Office 365 portal in Microsoft 365 Business. For those who aren’t using either of those options, but still want an incredibly easy way to deploy Office 365 Pro Plus and Office 365 Business.

First of all, in the Azure Portal, open the Intune blade and click on Mobile apps.

Once in Mobile apps, you can see more options for app management, and we start by clicking on the Apps link.

I’ve already synchronised this account with Windows Store for Business, so you can see some of the default apps that it adds to the app list. From here we click Add.


From the drop down we choose Office 365 Pro Plus Suite (Windows 10), which as you will see also works for those of you with Office 365 Business or Office 365 Business Plans.

Starting with Configure App Suite, it’s not very likely that you will need to select all of the options, but in this case I’ve just done it to make sure I get all of the application icons exposed.

Next up is App Suite Information, all we really need to do here is populate the Suite Name and Suite Description fields, the others are either pre-populated or not required.

App Suite Settings gives the chance to select 32 or 64 bit, Update Channel, EULA and shared computer activation, along with additional languages.

Once configured we Add the app.

The blue notification bar advises that we need to Assign application to at least one user group, ‘Click Assignments’.

I’ve already got a group set up for deployment, so I can Select that group.

Next I will make the app Required to kick start the installation process on the client.


Switching over the Intune MDM enrolled Windows 10 client, you can see that the Click-To-Run installer pieces are running, as displayed in Task Manager.

As this is going to be over 1GB in size, it might take a while to download, depending on your connection speed.

Once the installation is complete you we can see the Office Pro Plus applications on the Start menu.

Here’s where the Pro Plus versus Business conversation starts. As you can see, the expected version of Office is installed. However, it hasn’t automatically activated because this user doesn’t have  Pro Plus/E3/E5 license assigned, they only have Office 365 Business.

If I close Word and then reopen it, you can see that the edition has changed from Pro Plus to Business, no additional configuration required.

And finally, once Office has been reconfigured itself as office 365 Business, everything is ready to go.

^ Scroll to Top

%d bloggers like this: