Windows 10 in CSP

On the 1st of September a new item was added to the list of services in Partner Center - Windows 10 Enterprise E3. An end user with a Windows 10 Enterprise E3 license assigned through CSP can convert up to five Windows 10 Pro devices to Windows 10 Enterprise by signing in with an Azure AD account.

A month later, Windows 10 Enterprise E5 was also added to CSP. Windows 10 Enterprise E5 is a bundle that includes Windows 10 Enterprise E3 and a Windows Defender Advanced Threat Protection (ATP) subscription.

Let's look at what this means in detail:

  1. It works for Windows 10 Pro with Anniversary Update or later.
  2. It won't work on Windows 10 Pro RTM or the November update. The user needs to install the Anniversary Update first.
  3. It won't work for Windows 10 Home. The user needs to purchase Windows 10 Pro and upgrade Home to Pro (this doesn't require a re-install), or purchase a new device with Windows 10 Pro OEM pre-installed.
  4. It won't work for Windows versions prior to Windows 10 (e.g. Windows 7 or Vista). Now you can upgrade Windows 7 or Windows 8.1 machines to Windows 10 Enterprise through CSP. Read here for details.
  5. No OS re-install is required - just connect Windows 10 Pro with Anniversary Update to Azure AD, sign in as a user with a Windows 10 Enterprise E3 license assigned, and the device will become Windows 10 Enterprise after a reboot.
  6. Windows 10 Enterprise E3 is a "per-user" license (while traditional Windows licenses are "per-device"). The device will roll back to Windows 10 Pro in 90 days if no user with a Windows 10 Enterprise E3 license assigned signs in.
  7. Users can manage the devices their Windows 10 Enterprise E3 license is assigned to on a special web portal. If they've reached the 5 device limit, they can remove unused devices using that portal and then convert a new device to Enterprise edition.
  8. There will be no Product Key or Windows 10 installation media available.
  9. The license is assigned to an Azure AD user in the CSP Customer (=tenant). It makes sense to integrate On-Premise AD and Azure AD to simplify the Windows 10 Enterprise deployment in a big organization.
  10. Connecting a Windows 10 device to Azure AD doesn't mean that you won't be able to connect this device to On-Premise AD at the same time.

With this addition, CSP partners are able to provide Windows 10 Enterprise licenses to their customers as a monthly subscription instead of an annual Software Assurance purchase. Customers will be able to use the unique features of Windows 10 Enterprise edition, with support from a local CSP partner, on their work and home devices (including Windows 10 Mobile smartphones), such as:

  • Credential Guard - stores user access tokens within a virtualization-based security (VBS) environment running on Hyper-V technology. This helps prevent attackers from extracting the tokens from devices, even when the Windows kernel itself has been compromised. Malware running in the operating system, even with the highest privilege level, can't access tokens that are protected by Credential Guard.
  • Device Guard - helps protect the Windows system core and prevents untrusted apps and executables from starting. Using virtualization-based security, the Device Guard feature in Windows 10 offers a solution more powerful than traditional app control products, providing rigorous protection from tampering and bypass. Device Guard uses hardware-based isolation and virtualization to protect itself and the Windows system core from vulnerability and zero-day exploits. Device Guard enables your IT department to decide which software vendors and apps can be trusted within your environment. IT can designate as trustworthy the right combination of apps for your organization, from internal line-of-business apps to everything from the Windows Store to apps from specific software vendors.
  • AppLocker - helps administrators determine which applications and files users can run on a device, also known as "whitelisting". These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
  • Managed User Experience - advanced lockdown capabilities that give Internet of Things (IoT) devices an extra layer of security and provide a predictable experience for line-of-business device scenarios. You can protect a device from write operations using Unified Write Filter (UWF intercepts all write attempts to a protected volume and redirects them to a virtual overlay instead), control the start screen layout and access to USB devices, and automatically boot to a Classic Windows app or Universal Windows app. For example, you can restrict customers at your business to using only one app so your PC acts like a kiosk.
  • App-V - transforms applications into centrally managed services that are never installed and don't conflict with other applications. It also helps ensure that applications are kept current with the latest security updates.
  • UE-V - provides an enterprise-scalable user state virtualization solution that delivers a personal Windows experience.
  • Branch Cache
  • Direct Access
  • Telemetry
  • Windows Defender ATP (only for Windows 10 Enterprise E5) - a security service that helps customers detect, investigate, and respond to advanced and targeted attacks on their networks. It includes a client endpoint behavioral sensor, a cloud security analytics service, and Microsoft and community intelligence for investigating the data, finding new behavioral patterns and correlating the data with existing knowledge from the security community.

More details about Enterprise features are also available here.

Windows 10 in Partner Center

To assign a Windows 10 Enterprise E3 license to an end user, create a new Customer in Partner Center or add a new subscription to an existing one. Choose the offer called Windows 10 Enterprise E3 and choose the number of licenses (=users).

Then go to the Users and Licenses menu and choose the user to whom you wish to assign the Windows 10 Enterprise E3 license.


Converting Windows 10 Pro to Windows 10 Enterprise

There are 2 ways to convert Windows 10 Pro to Windows 10 Enterprise with a Windows 10 Enterprise E3 license.

After the first OS boot

Choose "My work or school owns this PC" during the first OS launch (e.g. the first boot of a brand new device, or after the OS was just reinstalled), choose "Join Azure Active Directory" and authenticate with the Azure AD credentials of a user that has a Windows 10 Enterprise E3 license assigned.

If you did this but the Windows edition is still shown as "Windows 10 Professional", the device most likely came with Windows 10 RTM or the Windows 10 November update pre-installed. Install the Anniversary Update and check again.

Connect the existing OS to Azure AD

This method can be used to convert an existing device running Windows 10 Pro with Anniversary Update to Windows 10 Enterprise. Go to Settings -> Accounts -> Access Work or School and click +Connect, then choose Join this device to Azure Active Directory and provide the credentials of an Azure AD user with a Windows 10 Enterprise E3 license assigned. Then sign in as that user, reboot and check whether the Windows edition has changed to Windows 10 Enterprise.
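
The prerequisites and the result of either method can be checked from PowerShell. This is an added example, not part of the original article; the function name Test-E3Conversion is hypothetical, and it assumes that the Anniversary Update is build 14393, that Home editions report an EditionID beginning with "Core", and that dsregcmd /status prints an "AzureAdJoined : YES" line on a joined device.

```powershell
# Added example (not from the original article).
# Assumptions: Anniversary Update = build 14393; Home editions report an
# EditionID starting with "Core"; dsregcmd prints "AzureAdJoined : YES".
function Test-E3Conversion {
    param(
        [Parameter(Mandatory)][string]$EditionId,   # registry value EditionID
        [Parameter(Mandatory)][int]$Build,          # registry value CurrentBuildNumber
        [string[]]$DsregOutput = @()                # lines printed by: dsregcmd /status
    )
    # -match on an array returns the matching lines; empty result casts to $false
    $joined = [bool]($DsregOutput -match '^\s*AzureAdJoined\s*:\s*YES\s*$')

    $status = if ($EditionId -eq 'Enterprise') {
        'Enterprise edition is active'
    } elseif ($EditionId -like 'Core*') {
        'Windows 10 Home: upgrade to Pro first'
    } elseif ($EditionId -ne 'Professional') {
        'Edition not covered by this check'
    } elseif ($Build -lt 14393) {
        'Pro on RTM or November update: install the Anniversary Update first'
    } elseif (-not $joined) {
        'Pro is eligible: join the device to Azure AD'
    } else {
        'Pro is joined: sign in as the licensed user and reboot'
    }

    [pscustomobject]@{
        EditionId     = $EditionId
        Build         = $Build
        AzureAdJoined = $joined
        Status        = $status
    }
}

# Constructed sample: Pro on the November update (build 10586), already joined.
# Status reports that the Anniversary Update must be installed first.
Test-E3Conversion -EditionId 'Professional' -Build 10586 `
    -DsregOutput @('  AzureAdJoined : YES', '  DomainJoined : NO')

# Live check on the local device.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-E3Conversion -EditionId $cv.EditionID -Build ([int]$cv.CurrentBuildNumber) `
    -DsregOutput (dsregcmd /status)
```

Run it before joining to confirm the device qualifies, and again after the reboot to confirm that the edition has switched.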


You can find more details in the Windows 10 Enterprise E3 CSP Technical Guide.