Windows 10 in CSP

On the 1st of September, a new item was added to the list of services in Partner Center: Windows 10 Enterprise E3. An end user with a Windows 10 Enterprise E3 license assigned through CSP can convert up to five Windows 10 Pro devices to Windows 10 Enterprise by signing in with an Azure AD account.

A month later, Windows 10 Enterprise E5 was also added to CSP. Windows 10 Enterprise E5 is a bundle that includes Windows 10 Enterprise E3 and a Windows Defender Advanced Threat Protection (ATP) subscription.

Let's look in detail at what this means:

  1. It works for Windows 10 Pro with Anniversary Update or later.
  2. It won't work on Windows 10 Pro RTM or the November update. The user needs to install the Anniversary Update first.
  3. It won't work for Windows 10 Home. The user needs to purchase Windows 10 Pro and upgrade Home to Pro (this doesn't require a re-install), or purchase a new device with Windows 10 Pro OEM pre-installed.
  4. It won't work for Windows versions prior to Windows 10 (e.g. Windows 7 or Vista). Now you can upgrade Windows 7 or Windows 8.1 machines to Windows 10 Enterprise through CSP. Read here for details.
  5. No OS re-install is required - just connect Windows 10 Pro with the Anniversary Update to Azure AD, sign in as a user with an assigned Windows 10 Enterprise E3 license, and the device will become Windows 10 Enterprise after a reboot.
  6. Windows 10 Enterprise E3 is a "per-user" license (while traditional Windows licenses are "per-device"). The device will roll back to Windows 10 Pro in 90 days if no user with an assigned Windows 10 Enterprise E3 license signs in.
  7. Users can manage the devices to which their Windows 10 Enterprise E3 license is assigned on a special web portal. If they've reached the 5-device limit, they can remove unused devices using that portal and then convert a new device to Enterprise edition.
  8. There will be no Product Key or Windows 10 installation media available.
  9. The license is assigned to an Azure AD user in the CSP Customer (=tenant). It makes sense to integrate On-Premise AD and Azure AD to simplify Windows 10 Enterprise deployment in a big organization.
  10. Connecting a Windows 10 device to Azure AD doesn't mean that you won't be able to connect this device to On-Premise AD at the same time.

With this addition, CSP partners can provide Windows 10 Enterprise licenses to their customers as a monthly subscription instead of an annual Software Assurance purchase. Customers will be able to use the unique features of Windows 10 Enterprise edition, with support from a local CSP partner, on their work and home devices (including Windows 10 Mobile smartphones), such as:

  • Credential Guard - stores user access tokens within a virtualization-based security (VBS) environment running on Hyper-V technology. This helps prevent attackers from extracting the tokens from devices, even when the Windows kernel itself has been compromised. Malware running in the operating system, even with the highest privilege level, can't access tokens that are protected by Credential Guard.
  • Device Guard - helps protect the Windows system core and prevents untrusted apps and executables from starting. It helps secure your environment and prevent untrusted apps and code from running by using the ultimate form of app control. Using virtualization-based security, the Device Guard feature in Windows 10 offers a solution more powerful than traditional app control products, providing rigorous protection from tampering and bypass. Device Guard uses hardware-based isolation and virtualization to protect itself and the Windows system core from vulnerability and zero-day exploits. Device Guard enables your IT department to decide which software vendors and apps can be trusted within your environment. IT can designate as trustworthy the right combination of apps for your organization, from internal line-of-business apps to everything from the Windows Store to apps from specific software vendors.
  • AppLocker - helps administrators determine which applications and files users can run on a device, also known as "whitelisting". These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
  • Managed User Experience - advanced lockdown capabilities that give Internet of Things (IoT) devices an extra layer of security and provide a predictable experience for line-of-business device scenarios by allowing you to protect a device from write operations using Unified Write Filter (UWF intercepts all write attempts to a protected volume and redirects them to a virtual overlay instead), control the start screen layout and access to USB devices, automatically boot to a Classic Windows app or Universal Windows app. For example, you can restrict customers at your business to using only one app so your PC acts like a kiosk.
  • App-V - transforms applications into centrally managed services that are never installed and don't conflict with other applications. It also helps ensure that applications are kept current with the latest security updates.
  • UE-V - provides an enterprise-scalable user state virtualization solution that delivers a personal Windows experience.
  • Branch Cache
  • Direct Access
  • Telemetry
  • Windows Defender ATP (only for Windows 10 Enterprise E5) - a security service that helps customers detect, investigate, and respond to advanced and targeted attacks on their networks. It includes a client endpoint behavioral sensor, a cloud security analytics service, and Microsoft and community intelligence for investigating the data, finding new behavioral patterns and correlating the data with existing knowledge from the security community.

More details about Enterprise features are also available here.

Windows 10 in Partner Center

To assign a Windows 10 Enterprise E3 license to an end user, create a new Customer in Partner Center or add a new subscription to an existing one. Choose the offer called Windows 10 Enterprise E3 and choose the number of licenses (=users).

Then go to the Users and Licenses menu and choose the user to whom you wish to assign the Windows 10 Enterprise E3 license.

Converting Windows 10 Pro to Windows 10 Enterprise

There are 2 ways to convert Windows 10 Pro to Windows 10 Enterprise with a Windows 10 Enterprise E3 license.

After the first OS boot

Choose "My work or school owns this PC" during the first OS launch (e.g. the first boot of a brand new device, or after the OS was just reinstalled), choose "Join Azure Active Directory" and authenticate with the Azure AD credentials of the user who has the Windows 10 Enterprise E3 license assigned.

If you did this but the Windows edition is still shown as "Windows 10 Professional", it seems that the device came with Windows 10 RTM or the Windows 10 November update pre-installed. Install the Anniversary Update and check again.

Connect the existing OS to Azure AD

This method can be used to convert an existing device running Windows 10 Pro with the Anniversary Update to Windows 10 Enterprise. Go to Settings -> Accounts -> Access Work or School and click +Connect, then choose Join this device to Azure Active Directory and provide the credentials of the Azure AD user with the Windows 10 Enterprise E3 license assigned. Then sign in as that user, reboot and check whether the Windows edition has changed to Windows 10 Enterprise.
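
The prerequisites from the list above and the "check the edition" step of both conversion methods can be gathered into one PowerShell readiness check. This is an added example, not code from the original article or from Microsoft; the function name and output property names are hypothetical, and the build numbers (14393 for the Anniversary Update) and the EditionID registry values are assumptions from general Windows knowledge rather than from this page.

```powershell
# Added example, not from the original article. Function and property names are illustrative.
function Test-Win10E3Readiness {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber   # 10240 = RTM, 10586 = November update, 14393 = Anniversary Update
    $edition = $cv.EditionID                 # e.g. Core (Home), Professional (Pro), Enterprise

    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : NO".
    $join = @{ AzureAdJoined = $false; DomainJoined = $false }
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        foreach ($line in (& dsregcmd.exe /status)) {
            if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\w+)') {
                $join[$Matches[1]] = ($Matches[2] -eq 'YES')
            }
        }
    }

    $findings = @()
    if ($edition -eq 'Enterprise') {
        $findings += 'Edition is already Windows 10 Enterprise.'
    } elseif ($edition -ne 'Professional') {
        # Other SKUs (Home and so on) are outside the conversion path the article describes.
        $findings += "Edition '$edition' is not Windows 10 Pro; the conversion starts from Pro."
    }
    if ($build -lt 14393) {
        $findings += "Build $build is older than the Anniversary Update (14393); install it first."
    }
    if (-not $join.AzureAdJoined) {
        $findings += 'Device is not joined to Azure AD; join it and sign in with the licensed user.'
    }

    # DomainJoined is reported for information only; no finding is derived from it.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EditionID     = $edition
        Build         = $build
        AzureAdJoined = $join.AzureAdJoined
        DomainJoined  = $join.DomainJoined
        Findings      = $findings
    }
}

Test-Win10E3Readiness | Format-List
```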

You can find more details in the Windows 10 Enterprise E3 CSP Technical Guide.

Comments

  • Anonymous
    October 28, 2016
    This article is incorrect, and it is incorrect on a very big subject! "10. Connecting Windows 10 device to Azure AD doesn't mean that you won't be able to connect this device to On-Premise AD at the same time." This is NOT true. You can only Azure AD join if the workstation is NOT already joined to a local on-prem. This makes the product as of now very limited in use cases. You can overcome this by disjoining the local on-prem AD. Reboot, join Azure AD, reboot, log in as the cloud user, reboot, disjoin Azure AD, reboot, join local on-prem AD, reboot, and your device is now Enterprise. Now we have not been able to get a response from MS on whether the device in this way will keep its E3 license, or if it will roll back to Pro. So right now we are in limbo. It would be really great if you could shed some light on this, because the product seems so new that even MS is not quite sure about how it works. On top of this, the marketing that this license is user based is, in my eyes, not entirely true. If it was user based the license would up/downgrade according to login every time, and it clearly is dependent on the device and not only on the user. The upgrade path you have to take as an administrator, as described above, makes this product not worthwhile until you fix it. The product should instead be able to upgrade to E3 Enterprise if you just added a work or school account. Azure AD domain join (which cannot be done when you are already local AD joined) is a multiple-step thing that you cannot demand the user to do by himself, AND requires the user of the machine to be local administrator if the machine is joined to an on-prem AD.
    • Anonymous
      October 28, 2016
      Here is the link with a guide on how to join a Windows 10 device to Azure AD if it's already joined to a domain: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/ We call it a "user-based license" because a user can log on with his/her Azure AD credentials on several devices and all of them will convert to Windows 10 Enterprise. Before that, with traditional per-device Windows licenses, you were required to purchase several Windows Upgrade with SA licenses for every device, and now 1 user with several devices needs only one license.
      • Anonymous
        April 05, 2017
        The comment has been removed
  • Anonymous
    June 07, 2017
    No one in MS can help me and I have not responded for a month. I've opened support cases and left me on hold. Why do they factorize something they do not handle? Can somebody help me? Is a computer that I installed from Windows 10 Pro (1703) is a CSP subscription. The subscription activates correctly but Windows does not.
    • Anonymous
      June 12, 2017
      Hi Leider, what is the support ticket ID?
  • Anonymous
    June 08, 2017
    The comment has been removed