Supporting the Operating System and Application Installation for Windows 8.1

  • 7/31/2014

Objective 1.3: Support Windows Store and cloud apps

The previous objective covered supporting desktop apps. This objective covers supporting apps from the Windows Store and Office 365, sideloading apps, and managing the apps you want to use. You’ll also see more about how to sync settings unique to a user by incorporating the cloud, specifically with a Microsoft account and a trusted PC.

Integrating a Microsoft account

These days, almost all Windows 8 and Windows 8.1 users have Microsoft accounts that they use to log on to their personal Windows 8-based computers and tablets. These accounts enable them to sync certain settings related to their user experience, including but not limited to the Start screen layout, app data, account picture, web browser favorites, and some passwords. Settings are stored via OneDrive. Consumers can use their Microsoft accounts to manage billing for their Xbox accounts, the Store app, and even connect their Xbox gamer tags. Users also receive cloud services when they sign up for the account, including a calendar, contact list, and similar features and tools. They can decide what to sync by using PC Settings on their local computers.

Network administrators can integrate users’ Microsoft accounts into the workplace to help users incorporate what they’ve configured with these accounts with their domain accounts. Network administrators can also opt not to let users connect to their Microsoft accounts by setting limitations in Group Policy. This section looks at the Group Policy options first, followed by how users can tweak what they want to sync and how to trust various PCs, and then how users connect their Microsoft accounts to the domain account.

Exploring Group Policy settings

You configure Group Policy to allow or deny Microsoft accounts in a domain by using the Group Policy Management Editor. You open the Group Policy Management Editor window, and then expand Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options. You also can use the Local Group Policy Editor to allow or block Microsoft accounts on local computers by navigating to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Figure 1-19 shows the path to the latter.

FIGURE 1-19 Navigate to the Local Group Policy setting Accounts: Block Microsoft Accounts.

Double-clicking the entry Accounts: Block Microsoft Accounts presents three options:

  • This Policy Is Disabled: If you apply this setting or don’t configure any others, users can use Microsoft accounts.
  • Users Can’t Add Microsoft Accounts: If you apply this setting, users can’t create new Microsoft accounts, switch from local accounts to Microsoft accounts, or connect domain accounts to Microsoft accounts. This is the best option to choose if you want to limit the use of Microsoft accounts in your enterprise.
  • Users Can’t Add Or Log On With Microsoft Accounts: If you apply this setting, users who have existing Microsoft accounts can’t log on to Windows. This can limit even the administrators’ ability to log on.

Locating and managing what’s synced with a Microsoft account

Users can change what items they opt to sync to and from the personal computers they log on to with their Microsoft accounts. Users can access the options on their personal computers via PC Settings, the OneDrive tab, and Sync settings (see Figure 1-20). (Press Windows logo key+C to access the charms and click Change PC Settings.) Users will encounter additional sync options when they connect with their domain accounts.

FIGURE 1-20 Change what syncs from PC Settings.

Configuring trusted PCs

User settings are synced via Microsoft accounts and OneDrive. OneDrive also enables users to configure and sync passwords with trusted PCs. You can use a configured trusted PC (sometimes called a trusted device) to synchronize passwords and to reset the Microsoft account password if it’s forgotten or compromised. Users decide which of their devices should be trusted. Two scenarios are involved.

In the first scenario, users log on to a new computer with a new Microsoft account (or an account that’s new to that computer). In this instance, users are prompted to enter a security code. Microsoft generates this code and sends it to a backup email address or cell phone number already configured for the account. After the users type the code, they can then opt to state that the PC being configured is one they log on to often and should thus be trusted.

In another scenario, users opt not to sync passwords while configuring a PC, for whatever reason. In this case, when they try to sync passwords later, they see a message that states the passwords can’t be synced until the PC is trusted. When the users opt to trust the PC, the same process completes as noted before with the generation of a code they must type.

Finally, users can log on to their Microsoft account online via a web browser, navigate to Security info, and then gain access to options for recovering passwords and setting up additional trusted devices. Users can also remove all trusted devices associated with an account, should the account be compromised.

Connecting a Microsoft account with a domain account

If users have domain accounts in the workplace, they can connect their Microsoft accounts to them and see the same desktop background, browser history, and other account settings they’ve already configured on their home PCs. They also can use Microsoft account services from their domain PCs without signing in to them.

To connect a Microsoft account with a domain account, follow these steps:

  1. Access the charms and click Change PC Settings.
  2. Under PC Settings, click Accounts.
  3. Click Connect To A Microsoft Account.
  4. Clear the check boxes for items you don’t want to sync, and click Next.
  5. Enter the applicable email address and click Next.
  6. Enter the password and click Next.
  7. Complete the security information requirements and type in the generated code.
  8. Click Next, and then click Finish.

Installing and managing software by using Office 365 and Windows Store apps

Network administrators who manage large enterprises of computers and users don’t carry physical media from machine to machine to install software. Instead, they opt for more practical solutions. You’ve already learned about several of those options in this chapter. More ways are available than what’s been covered so far, however; administrators can install and manage software using Office 365, and they can make their apps available from the Windows Store.

Installing software by using Office 365

Office 365 in its multiple editions is Microsoft Office. But it is Microsoft Office in the cloud, accessible via a user-based paid subscription. Because it’s cloud-based, users can access the Microsoft Office products that are licensed to them on up to five compatible devices (with Office 365 ProPlus). Office 365 ProPlus is designed to run locally on PCs, so a persistent connection to the Internet isn’t required.

Many compatible platforms are available, including Windows, Mac, and compatible mobile devices. With Office 365, updates are applied automatically, so enterprise administrators never have to worry about updating computers or other devices manually, although they are still in control of those updates and can decide how and when they’ll be offered to users. Just about every other maintenance task you can encounter when you host Office 365 in your enterprise is also handled without any interaction from you (after Office 365 is set up). Beyond that, administrators can also decide where users’ data should be stored: on a company’s onsite data servers or private cloud, in the public cloud, or a combination of these.

In effect, Office 365 is “application virtualization.” Virtualized applications run in their own space, which means that users can run the latest version of Office in the cloud while at the same time leaving older versions installed and available on their own PCs. It also means that users can have the same user experience from wherever they log on while using the hosted apps.

You can get a free trial of Office 365 Small Business Premium or Office 365 Midsize Business here: http://office.microsoft.com/en-us/business/compare-office-365-for-business-plans-FX102918419.aspx?tab=1. Setting up Office 365 involves creating an account, creating an administrator logon and domain name, and requesting and then typing in a security code from Microsoft. Figure 1-21 shows the Office 365 Admin Center.

FIGURE 1-21 The Office 365 ProPlus Admin Center offers the tools you need in a single console.

Before you can go much further, you need to create at least one user account. That user will then log on to the Office 365 portal with a temporary password and create a new password. Then the user can download whatever parts of Office you want to license that user to use.

To perform the initial setup tasks and to create a user and assign a license (after signing up for a free trial, completing the administration requirements, and logging on to the portal at https://portal.microsoftonline.com), follow these steps:

  1. Click the Settings icon in the top right corner and click Office 365 Settings.
  2. Click Setup.
  3. From the Quick Start section, click Start.
  4. Choose the desired domain and click Next.
  5. Click Add users and assign licenses.
  6. Choose an option to add users. For this example, choose Add Users One At A Time. Click Next.
  7. Input user details and click Next (see Figure 1-22).

    FIGURE 1-22 Create a new user before deploying software.

  8. Choose the new user’s status (administrator or not) and set the user location. Click Next.
  9. Leave Office 365 ProPlus selected under Assign Licenses, and then click Next.
  10. Read the information on the final page and click Create.
  11. Write down the temporary password (which is good for 90 days).
  12. Click Finish.

The new user can now install Office Professional on one or more computers. The easiest way to do this is to let users install Office 365 directly from the Office 365 portal, as outlined here. You can also opt to download the software to a network share and deploy it to users in any applicable manner you prefer. An overview of how that’s done comes later.

Before you start, though, you might want to explore the admin portal for a few minutes. Specifically, look at the Service Settings tab, where you can clear check boxes for Office products that you don’t want users to have permission to install, if you have a software package that offers this as a feature. The list depends on the software package that the enterprise has obtained. Office 365 ProPlus includes Access, Excel, InfoPath, Lync, OneNote, Outlook, PowerPoint, Publisher, and Word, and installs as a single package. You can’t select only one or two here. Whatever the case, you should check it out anyway.

To let the new user install Office 365 ProPlus from the Office 365 portal, follow these steps:

  1. Log on as an administrator to a local computer where you want to install Office 365.
  2. With Internet Explorer, navigate to https://portal.microsoftonline.com.
  3. Type the user ID and temporary password, and then click Sign In.
  4. Type the old password, input a new password, and confirm it. Click Save.
  5. Follow the applicable instructions to install the software and connect to Office 365.
  6. Select the 32-bit version of Office 365 and the language to install. The 32-bit version is recommended. Click Install.
  7. Click Run to start the installation, click Yes to continue, and click Next to start the wizard.
  8. Select No Thanks to not send updates to Microsoft, and then click Accept.
  9. Click Next in the Meet OneDrive screen.
  10. Click Next to accept defaults, select No Thanks, and then click All Done.

Other deployment options exist beyond this self-service method. For large organizations with a domain and Active Directory, administrators can save the installation files on a local network share. For this method to work, however, you need the Office Deployment Tool, available from the Microsoft Download Center. You can use this tool to create a Configuration.xml file that contains information about what language to download or what architecture to use. It can also include where the software is located on the network, how updates are applied after Office is installed, and what version of the software to install. As soon as the files are available, deployment can include Group Policy, startup scripts, or Configuration Manager.

On a high level, deployment via a network share involves these steps:

  1. You create a network share, \\yourservername\Officeversion\Source, and the files are extracted there. The extraction command is microsoftoffice.exe /extract:"pathtosourcefiles".
  2. You download additional required files, such as template files and Office Customization Tool files.
  3. You configure these files, complete installation, and copy the necessary data to the shared folder in a new folder called Admin.
  4. You then start the Office Customization Tool, using the command \\yourservername\Officeversion\Source\setup.exe /Admin, and customize Office. Changes are saved to a customization file (.msp), which is also saved to the shared folder.
  5. Users log on to the Office 365 portal and run MicrosoftOffice.exe from the network share.

Managing software by using Office 365

When you set up Office 365, you are the Global Administrator. You have the power to create users who are administrators and users who aren’t, and to perform any other task associated with Office 365. You can create several types of administrators, as outlined in Table 1-5. Creating these administrators and delegating responsibilities is part of managing Office 365. Each administrator has specific permissions.

TABLE 1-5 Administrator roles in Office 365

| Permission | Admins who can manage | Admins who can’t manage |
|---|---|---|
| View information related to the organization and users | Billing; Global; Password; Service; User Management | Not applicable |
| Manage support tickets | Billing; Global; Password; Service; User Management | Not applicable |
| Manage user passwords (reset) | Global; Service; User Management can reset passwords for Password and User Management admins | Billing |
| Manage billing and purchasing | Billing; Global | Password; Service; User Management |
| Manage user views | Global; User Management | Billing; Password; Service |
| Manage user licenses | Global; User Management with limitations (can’t delete a global admin or create admins) | Billing; Password; Service |
| Manage domains | Global | Billing; Password; Service; User Management |
| Manage organization information | Global | Billing; Password; Service; User Management |
| Create and manage admin roles | Global | Billing; Password; Service; User Management |
| Use directory synchronization | Global | Billing; Password; Service; User Management |

After you delegate responsibilities and roles to the various members of your administration team, you’re ready to start managing the product. This involves many facets. To see these facets, click each tab in the Office 365 Admin Center. A few examples include the following:

  • Users And Groups tab: From the Active Users tab (see Figure 1-23), you can set up single sign-on, set up Active Directory synchronization, create password policies, and configure multifactor authentication requirements. You can also add users, filter users, and search for users, as well as edit user information. The Delete Users, Security Groups, and Delegated Admins tabs each have their own available management tasks. (Click Learn More to the right of Single Sign-on to learn what this feature offers; you might be asked about this on the exam.)

    FIGURE 1-23 You can perform many management tasks from every tab and subtab in the Office 365 Admin Center.

  • Domains tab: Use this tab to manage your domain, add a domain, buy a domain, and perform similar tasks.
  • Licensing tab: Here, you can review your current subscription; view the number of licenses that are valid, expired, and assigned; and manage your subscription.
  • Service Settings: Here, you can manage user software, including choosing which software your users can download directly from Office 365 (see Figure 1-24). You also can configure a password expiration policy.

    FIGURE 1-24 There are many options available from the Service Settings tab in the Office 365 Admin Center.

  • Service Health tab: You can see the status of the Office 365 service in relation to use as categorized by day. You also can review planned maintenance.
  • Message Center tab: You can access messages provided by Microsoft, including messages regarding new features in Office 365 and information about available upgrades.

As you can see, you can manage Office 365 in many ways. You should become familiar with how to perform certain tasks, such as resetting a user’s password, configuring a password expiration policy, and creating new admins. Spend some time now exploring, and perform these tasks as time allows. Notice that the Dashboard tab, the first one on the left, offers access to videos for performing tasks as well as setting up services. For an introduction, the following steps walk you through one task: resetting a user’s password.

To reset a user password, follow these steps:

  1. From the Office 365 Admin Center, click Users And Groups.
  2. Select the user you want to modify.
  3. Click Reset Password.
  4. Click Finish.

Performing other tasks is similar. You click the tab that offers the resource you need (perhaps Service Settings, and the Password tab you find there to set a password expiration policy), and then you click to view, edit, create, or configure the option desired.

Before you leave this Office 365 discussion, here are a few more things to familiarize yourself with:

  • Click-to-Run: Traditionally when you install Office, you have to wait until the whole Office product is installed before you can use it. Click-to-Run allows you to stream installations, which means users can open and start to use the product before the entire product is installed.
  • Other features: You might be familiar with features beyond Word, Excel, PowerPoint, and others. For example, large enterprises might also use Exchange Online, SharePoint Online, Lync Online, and opt to incorporate other services such as Yammer.
  • Windows PowerShell management: You can manage Office 365 with Windows PowerShell. Read this TechNet article to familiarize yourself with this: http://technet.microsoft.com/en-us/library/dn568002.aspx.
  • Desktop versions: Many Office 365 plans also include the latest desktop versions of Office. If your users can’t always be online, this option is something to consider.
  • Mobile apps: Many mobile apps support Office 365, including but not limited to Office Mobile, Outlook Mobile, OneNote, and Lync Mobile.

Installing software by using the Windows Store

You should know how to install software from the Windows Store as a consumer. You simply click the Store tile from the Start screen, navigate to the app to install, click it, and choose Install. These apps are also called packaged apps. If you aren’t yet familiar with the Store, press the Windows logo key to access the Start screen, click the Store tile, and install a few apps before continuing here. Figure 1-25 shows the Store and the results that appear after searching for “Microsoft.”

FIGURE 1-25 The Windows Store offers apps made available to the public.

The Windows Store has the following characteristics and features:

  • It’s a central depository for publicly created apps available for free, as a trial, and for purchase.
  • Users must have a Microsoft account to obtain Store apps.
  • Publicly created apps must pass Microsoft’s certification and compatibility tests before they can be published to the Store.
  • Installed apps appear on the All Apps page. (They no longer appear automatically on the Start screen like they did in Windows 8.)
  • Your enterprise can offer Line of Business (LOB) apps through the Store. You can certify your apps through Microsoft to make public, or choose not to certify them and make them private and available only to your employees.
  • As an administrator, you need to configure Group Policy to define how you want your users to interact with the Store with devices you provide and those they bring to work (“bring your own device,” or BYOD). See “Managing software by using the Windows Store,” next.

Managing software by using the Windows Store

By default, all users can access the Windows Store. You might want to change this behavior. You can modify access in two ways. You can configure it so users can’t access the Windows Store at all, or you can limit their use by allowing them to acquire only specific apps. If you opt to let users access the Store, you can disable app updates, if you want.

Disable App Updates

You might opt to let users access Store apps but choose to disable app updates (they are installed automatically in Windows 8.1). You can do this by using Group Policy in a domain, via the Local Group Policy Editor in a workgroup, or from a single computer using the Store app options. First, look at how to achieve this on a single computer. This is really the only setting relevant to single users at a single PC.

To disable updates on a single client computer, follow these steps:

  1. From the Start screen, click the Store app.
  2. Press Windows logo key+I to open the Settings charm.
  3. Click App Updates.
  4. Move the slider under Automatically Update My Apps from Yes to No.

If you need to manage a group of computers in a workgroup or domain, you need to apply Group Policy. The location of the Group Policy setting is in the same place whether you use the Local Group Policy or the related Group Policy Management Console on your domain server. The path to the Local Group Policy setting (in gpedit.msc) is Computer Configuration, Administrative Templates, Windows Components, Store. If you enable the setting Turn Off Automatic Download Of Updates On Win8 Machines, updates are disabled (see Figure 1-26).

FIGURE 1-26 Use Group Policy to manage Store settings.

Disabling Access through Group Policy

You can’t disable access to the Windows Store from the Settings charm like you can when disabling app updates. To disable access, you must use the applicable Group Policy Editor. You might want to do this if your employees are downloading and installing games, for example. You might need to disable access to meet a company’s security needs. You can disable the Store for computers, users, and/or groups. Whatever the case, to disable access to the Windows Store using the Local Group Policy Editor, follow these steps:

  1. On the Start screen, type gpedit.msc and click it in the results. (You can also use the Run box on the desktop.)
  2. In the Group Policy Editor, expand the following nodes: Computer, User Configuration, Administrative Templates, Windows Components, and Store.
  3. Double-click Turn Off The Store Application.
  4. Click Enabled.
  5. Click OK.
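To confirm what a computer actually enforces after these settings are applied, you can read the registry values that the policies write. The following script is an added example, not part of the original text; it covers Accounts: Block Microsoft Accounts and the two Store settings described above, and the registry paths, value names, and function names are supplied here rather than taken from the chapter.

```powershell
# Added example (not from the original text): report the effective state of the
# Microsoft account and Windows Store policies by reading the registry values
# these Group Policy settings write on the local computer.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AccountAndStorePolicyState {
    $systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $storeKey  = 'SOFTWARE\Policies\Microsoft\WindowsStore'

    # Accounts: Block Microsoft Accounts is stored as NoConnectedUser (0, 1 or 3).
    $msa = Get-PolicyValue $systemKey 'NoConnectedUser'
    if     ($null -eq $msa) { $msaState = 'Not configured: users can use Microsoft accounts' }
    elseif ($msa -eq 0)     { $msaState = 'This Policy Is Disabled: users can use Microsoft accounts' }
    elseif ($msa -eq 1)     { $msaState = 'Users Can''t Add Microsoft Accounts' }
    elseif ($msa -eq 3)     { $msaState = 'Users Can''t Add Or Log On With Microsoft Accounts' }
    else                    { $msaState = "Unexpected value: $msa" }

    # Turn Off The Store Application can be set per computer (HKLM) or per user (HKCU).
    $storeOffComputer = (Get-PolicyValue "HKLM:\$storeKey" 'RemoveWindowsStore') -eq 1
    $storeOffUser     = (Get-PolicyValue "HKCU:\$storeKey" 'RemoveWindowsStore') -eq 1

    # Turn Off Automatic Download Of Updates is stored as AutoDownload = 2 when enabled.
    $autoDownload = Get-PolicyValue "HKLM:\$storeKey" 'AutoDownload'
    if     ($null -eq $autoDownload) { $updateState = 'Not configured: apps update automatically' }
    elseif ($autoDownload -eq 2)     { $updateState = 'Automatic download of updates is turned off' }
    else                             { $updateState = "Automatic download allowed (value $autoDownload)" }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        BlockMicrosoftAccounts = $msaState
        StoreDisabledComputer  = $storeOffComputer
        StoreDisabledUser      = $storeOffUser
        StoreAppUpdates        = $updateState
    }
}

Get-AccountAndStorePolicyState | Format-List
```

The per-user Store value is read from the profile of whoever runs the script, so run it in the session of the user you are checking.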

Sideloading apps into online and offline images

Companies sometimes create their own apps. These apps have the same characteristics as the apps you find on the Start screen and from the Store (which aren’t desktop apps). These apps are meant to be used by employees to do work. As noted earlier, enterprise administrators can make these apps available publicly if they want to go through the Microsoft certification process, or they can make them available to their enterprise users through a process known as sideloading. Tools such as DISM, Windows PowerShell, Configuration Manager, and Windows Intune help with sideloading.

As a new technology, sideloading can be used only with Windows Server 2012, Windows 8 and Windows 8.1 Enterprise, and Windows 8 and Windows 8.1 Pro. You can also do sideloading on Windows RT tablets, but with a few tweaks. Sideloading is easiest if the devices are also joined to an Active Directory domain, but you can work around this if you need to. Beyond that, you must enable a specific Group Policy setting, which you’ll learn about shortly, and the app must be signed by a Certificate Authority (CA) trusted by the PCs on your network (at least the ones you want to offer the app to). If the PCs aren’t domain-joined or are Windows RT devices, you’ll also need a sideloading product activation key. You can get this key from Microsoft’s Volume Licensing Service Center (VLSC).

Setting Group Policy

To set Group Policy so that computers can accept and install sideloaded apps that you created for your enterprise, on a Windows 8-based Enterprise or Pro machine, navigate to Computer Configuration, Administrative Templates, Windows Components, App Package Deployment. Double-click Allow All Trusted Apps To Install. Figure 1-27 shows this in the Local Group Policy Editor. When enabled, any LOB Windows Store app (signed by a CA that the computer trusts) can be installed. To perform this task for multiple computers in your enterprise, use the Group Policy Management Console (GPMC) and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, App Package Deployment.

FIGURE 1-27 You must enable the applicable Group Policy setting Allow All Trusted Apps To Install to incorporate sideloading.

Activating a sideloading key

To enable sideloading on a Windows 8 or Windows 8.1 Enterprise computer that’s not joined to a domain or on any Windows 8 or Windows 8.1 Pro computer, you must use a sideloading product activation key. To enable sideloading on a Windows RT device, you must also use a sideloading product activation key.

To add a sideloading product key and then activate it with the generic activation Globally Unique Identifier (GUID), follow these steps:

  1. Open an elevated command prompt.
  2. Type slmgr /ipk <sideloading product key>.
  3. Type slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e.

Sideloading the app

After you configure the necessary Group Policy settings and create your app package, you’re ready to sideload the app. You can do this manually, per user, or you can do it for multiple users at one time.

If you want to manually sideload the app to the current user, in Windows PowerShell you must add the appx module and then add the app package, as follows:

  1. Type Import-module appx. Press Enter.
  2. Type Add-AppxPackage "path and name of the app" to add the app. Press Enter. Table 1-6 shows the available appx cmdlets. If you need to add app dependencies, the command should look more like this: Add-AppxPackage C:\MyApp.appx -DependencyPath C:\appplus.appx.

TABLE 1-6 Appx module cmdlets

| Cmdlet | Description |
|---|---|
| Add-AppxPackage | To add a signed app package to a single user account |
| Get-AppxLastError | To review the last error reported in the app package installation logs |
| Get-AppxLog | To review the app package installation log |
| Get-AppxPackage | To view a list of the app packages installed for a user profile |
| Get-AppxPackageManifest | To read the manifest of an app package |
| Remove-AppxPackage | To remove an app package from a user account |

The app installs and then is available to the user. This must be done for each user if multiple users share a single computer. Figure 1-28 shows a Windows PowerShell session with two typed commands: import-module appx and add-appxpackage.

FIGURE 1-28 Use Windows PowerShell to sideload an app to the current user.
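The manual sideload above succeeds only if the Allow All Trusted Apps To Install policy is enabled and the package is signed by a CA the computer trusts. The following function is an added example, not part of the original text, that checks both conditions before calling Add-AppxPackage; the function name, the registry location of the policy, and the use of Get-AuthenticodeSignature for the signature check are choices made here rather than steps from the chapter.

```powershell
# Added example (not from the original text): verify the sideloading prerequisites
# described above, then install the package for the current user.

function Install-SideloadedApp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$PackagePath,
        [string[]]$DependencyPath = @()
    )

    # 1. The Allow All Trusted Apps To Install policy must be enabled.
    #    It is stored as AllowAllTrustedApps = 1 under the Appx policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    if ($null -eq $policy -or $policy.AllowAllTrustedApps -ne 1) {
        throw 'Allow All Trusted Apps To Install is not enabled on this computer.'
    }

    # 2. The package and each dependency must carry a signature that chains to a
    #    certificate this computer trusts. Any status other than Valid is rejected.
    foreach ($file in @($PackagePath) + $DependencyPath) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            throw "Refusing to install ${file}: signature status is '$($sig.Status)'. $($sig.StatusMessage)"
        }
        Write-Verbose "$file is signed by $($sig.SignerCertificate.Subject)"
    }

    # 3. Install for the current user, remembering what was installed beforehand.
    Import-Module Appx
    $before = @(Get-AppxPackage | Select-Object -ExpandProperty PackageFullName)
    try {
        if ($DependencyPath.Count -gt 0) {
            Add-AppxPackage -Path $PackagePath -DependencyPath $DependencyPath -ErrorAction Stop
        } else {
            Add-AppxPackage -Path $PackagePath -ErrorAction Stop
        }
    } catch {
        # Surface the deployment log for the failed operation, then re-throw.
        Write-Warning (Get-AppxLog | Select-Object -First 10 | Out-String)
        throw
    }

    # 4. Return the packages that this call added to the user profile.
    Get-AppxPackage | Where-Object { $before -notcontains $_.PackageFullName }
}

# Example call, using the sample paths from the step above:
# Install-SideloadedApp -PackagePath C:\MyApp.appx -DependencyPath C:\appplus.appx -Verbose
```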

If you want to sideload the apps to multiple computers, use DISM. You can use DISM commands to manage app packages (.appx or .appxbundle) in a Windows image. The .appxbundle is new for Windows 8.1 and combines both app and resource packages to enhance the app experience. When you use DISM to provision app packages, those packages are added to a Windows image and are installed for the desired users when they next log on to their machines.

You should be familiar with the DISM syntax when servicing a Windows image, whether a computer is offline or online. Table 1-7 lists a few to keep in mind.

TABLE 1-7 DISM syntax for servicing a Windows image

Command: DISM.exe {/Image:<path_to_image_directory> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]
Purpose: To service a Windows image with DISM

Command: DISM.exe /Image:<path_to_image_directory> [/Get-ProvisionedAppxPackages | /Add-ProvisionedAppxPackage | /Remove-ProvisionedAppxPackage | /Set-ProvisionedAppxDataFile]
Purpose: To service an app package (.appx or .appxbundle) for an offline image

Command: DISM.exe /Online [/Get-ProvisionedAppxPackages | /Add-ProvisionedAppxPackage | /Remove-ProvisionedAppxPackage | /Set-ProvisionedAppxDataFile]
Purpose: To service an app package (.appx or .appxbundle) for a running operating system

Other command-line service options include /Get-ProvisionedAppxPackages, /FolderPath, /PackagePath, /LicensePath, and /Add-ProvisionedAppxPackage. Becoming familiar with these is extremely important because you’ll likely be tested on them. You can learn about all available commands and options at http://technet.microsoft.com/en-US/library/hh824882.aspx. Review this article and make sure that you can make sense of commands you might see, perhaps one that looks like

Dism /Online /Add-ProvisionedAppxPackage /FolderPath:C:\Test\Apps\MyUnpackedApp /SkipLicense

or like

Dism /Image:C:\test\offline /Add-ProvisionedAppxPackage /FolderPath:c:\Test\Apps\MyUnpackedApp /CustomDataPath:c:\Test\Apps\CustomData.xml

Sideloading apps by using Windows Intune

Windows Intune lets you sideload apps via the cloud and make them available to any authorized, compatible device that’s connected to the Internet. (If you want to follow along, you can download Windows Intune for free and use it for 30 days without a subscription to TechNet or MSDN, or even without using a credit card.) You need to perform several steps to sideload apps:

  1. Work through the available wizard to upload your software.
  2. Add users and create groups, if applicable.
  3. Choose the users, groups, computers, and devices that can download the software, and link them (user-to-device).
  4. For the self-service model in this example, choose how to deploy the app. It can be available, or available and required.
  5. Verify that the app is available in the Windows Intune Company Store.

Adding a user

To get the full Windows Intune experience, you need to create a few users and, perhaps, add them to groups. From the Admin Overview page shown in Figure 1-29, click Add Users. Notice that the Admin page is selected at the top. Fill in the fields to create your new user. Type a first and last name, a display name, a user name, and any additional details you want to include. Assign the desired role, perhaps Billing Administrator or User Administrator, or simply create a new user. Finally, select the Windows Intune user group—by default, only one, Windows Intune (although you can create your own). Watch for an email that contains a temporary password for the new user.

FIGURE 1-29 Add users and perhaps put them into groups before uploading software.

Uploading software

In the Windows Intune Admin page shown in Figure 1-29, click Admin Console at the top of the page. (Notice also a link to the Company Portal.) This opens a new window with many more tools and opportunities to personalize Windows Intune for your enterprise (see Figure 1-30). Click each tab in the left column, including System Overview, Groups (you might want to create a group now), Updates, Endpoint Protection, Alerts, Software, Licenses, Policy, Reports, and Administration. You’ll be expected to be familiar with each tab when taking the exam. Now, click the Software tab.

FIGURE 1-30 Review the options in the Windows Intune Admin Console page.

To upload the desired software, follow these steps:

  1. Click Add Software (on the Software Overview page).
  2. If prompted, sign in with your Windows Intune Administrator account.
  3. Read the information on the Before You Begin page and click Next.
  4. Make the desired choices from the Select The Platform And Specify The Location Of The Software Files page, including:

    1. How this software is made available to devices: Software Installer or External Link. Choose Software Installer here.
    2. The installer file type you’ll use: Windows Installer (*.exe, *.msi) or Windows App Package (*.appx, *.appxbundle). Choose Windows Installer (*.exe, *.msi) here.
    3. Click Browse and locate the software file to install. You might browse to something like C:\Program Files as a start.
    4. Click Open.
    5. Click Next.
  5. Continue to work through the wizard, adding information about the publisher, application name, architecture, operating system, and so on, clicking Next as applicable.
  6. When you are at the end of the wizard, click Upload (see Figure 1-31).

    FIGURE 1-31 Upload software at the end of the wizard.

  7. Click Close.
  8. Back on the Software Overview page, click Managed Software to see the uploaded file(s).
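Before you browse to the installer in step 4, you can confirm that the .exe or .msi file is the one you intend to distribute, because every linked device will receive whatever you upload. The following Windows PowerShell function is an added example, not part of the original text or of Windows Intune; the function name, its parameters, and the sample path, hash, and publisher values are assumptions. It checks the file's SHA-256 hash against a value you obtained from the vendor or your build process and confirms that the Authenticode signature is valid.

```powershell
# Added example: pre-upload check for an installer destined for Windows Intune.
# Test-InstallerBeforeUpload and its parameters are hypothetical names.
function Test-InstallerBeforeUpload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 published by the vendor or produced by your build process
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Optional text that must appear in the signer certificate subject
        [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    # The wizard's Windows Installer option accepts only these two types.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -notin '.exe', '.msi') {
        throw "Unexpected file type '$ext'; expected .exe or .msi"
    }

    $problems = @()

    # Integrity: the file must match the hash you were given out of band.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256.Trim()) {
        $problems += "SHA-256 mismatch (actual $hash)"
    }

    # Authenticity: the signature must chain to a trusted root and be intact.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status)"
    } elseif ($ExpectedPublisher -and
              $subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        $problems += "Signer '$subject' does not match '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path = $Path; Sha256 = $hash; SignatureStatus = $sig.Status
        Signer = $subject; OkToUpload = ($problems.Count -eq 0); Problems = $problems
    }
}

# Usage with placeholder values (constructed for illustration):
# Test-InstallerBeforeUpload -Path 'C:\Staging\ContosoApp.msi' `
#     -ExpectedSha256 '<SHA-256 from vendor>' -ExpectedPublisher 'Contoso'
```

Upload the file only when OkToUpload is True; otherwise, the Problems property lists each check that failed.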

Selecting users and/or groups and deploying your app

With the software uploaded, you’re ready to choose the users, groups, computers, and/or devices to which you want to deploy the application. You can use Active Directory synchronization to populate the account portal if you want. If you don’t have that option, however, open the Windows Intune Admin Console, shown in Figure 1-30, click the Software tab, and from the Software workspace click Managed Software. From there you can manage deployment.

Now you can select the users, groups, and computers that can access the software. If you are following along here, click Ungrouped Users and then click Add. Otherwise, select any group you’ve created or other applicable choices. From the Select The Deployment Settings For This Software page, shown in Figure 1-32, click the arrow beside each entry that shows Do Not Install and click Available Install or Required Install as applicable. Then, you can click Finish (not shown).

FIGURE 1-32 Make the software available to users.

Review the results. From the Managed Software page you can see how many users have this software available. Now, as an administrator you must link the users to a device (or devices) in your inventory. You do this from the Groups tab, from All Computers, and by clicking Link User. From there you select the desired device to link. The user is almost ready to log on and access your app. (You need to wait a half hour or so for all the information to sync.)

To test your new configuration, log on as the standard user you created at the Windows Intune Company Portal. If you created an administrator account, log on using either the Windows Intune Administrator Console or the Windows Intune Account Portal. All these links are available in the email the user received with his or her temporary password. After logon, users must click the option to enroll the device they’re using. Following that, click All Apps to see the available app. Figure 1-33 shows the Windows Intune Company Portal.

FIGURE 1-33 The user logs on to the Windows Intune Company Portal from an approved device to access the All Apps option.

Finally, you can review how many computers have installations pending and how many users have the deployed software available. Figure 1-34 shows the Managed Software tab in the Windows Intune Administrator Console, with a deployed application selected and the current status of the software showing at the bottom of the page.

FIGURE 1-34 Administrators can keep track of the status of their deployed software easily.

Before moving on, you need to know a few more things about Windows Intune:

  • You can embed Windows Intune in an operating system deployment image.
  • After you install the Windows Intune client software, you must restart the PC.
  • You can enroll mobile devices from the Administration tab.
  • Windows Intune client software can be installed only on computers that are running the following:

    • Windows XP Professional, Service Pack (SP) 3
    • Windows Vista Enterprise, Ultimate, or Business editions
    • Windows 7 Enterprise, Ultimate, or Professional editions
    • Windows 8 Enterprise or Pro editions
    • Windows 8.1 Enterprise or Pro editions
  • Windows Intune supports the following mobile devices:

    • Windows Phone 8
    • iOS
    • Android
    • Windows RT
  • When you opt to deploy an application by using an external link, you can provide a link to an application on the Windows Store or to a web-based application that runs in a user’s web browser.
  • Users can contact IT from the Windows Intune Company Portal.
  • After installing client software and performing other tasks, you might have to wait for a while before you see the changes in the Windows Intune Administrator Console.

Deep linking apps by using Windows Intune

You can make Windows Store apps available to your Windows RT users in your company portal by using Windows Intune as well as Configuration Manager. This section focuses on Windows Intune. You’ll follow the same basic process as you did when deploying an app via the Software Installer option, but this time you choose External Link when you get to the Select The Platform And Specify The Location Of The Software Files page. Before you begin, decide which Windows Store app you want to deploy. For this example, choose OneDrive for Business.

The first part of the process requires you to obtain the link to the app you want to add to your company portal. To obtain the link for OneDrive for Business, follow these steps:

  1. From the Start screen, click Store.
  2. Search for OneDrive for Business, and then click it to access the installation page.
  3. From the charms (Windows logo key+C), click Share.
  4. Click Mail.
  5. The email contains the link. Send this link to yourself, copy the link and paste it into Notepad, or otherwise make the link accessible for later.

The second part of the deep-linking process involves adding the app to Windows Intune:

  1. Log on to the Windows Intune Administrator Console.
  2. Click the Software tab, Managed Software, Add Software.
  3. From the Select The Platform And Specify The Location Of The Software Files page, under Select How This Software Is Made Available To Devices, select External Link.
  4. In the Specify The URL box, paste the link to OneDrive for Business. Click Next.
  5. Carefully input the information to describe the software. What you input can be viewed by your employees. Click Next when finished.
  6. Verify that the information is correct (see Figure 1-35). Click Upload.

    FIGURE 1-35 Add a Windows Store app to Windows Intune for deploying to users.

  7. Click Close.
  8. From the Managed Software screen, verify that OneDrive For Business is selected, and click Manage Deployment.
  9. Click All Users, Add, and then click Next.
  10. Under Approval, click the arrow and select Available Install.
  11. Click Finish.

Your Windows RT users can now open their company portal app (which they’ve previously obtained from the Windows Store), log on, locate the deployed app, and install it.

Objective summary

  • Network administrators can integrate users’ Microsoft accounts into the workplace to enable users to incorporate what they’ve configured with these accounts with their domain accounts.
  • You can manage desktop apps in many ways, such as by using Office 365, Configuration Manager, DISM, and Windows Intune.
  • You can sideload apps to offer them to your users without going through the Windows Store certification process.
  • You can configure Group Policy settings to manage your desktop apps, to manage access to the Windows Store, and to enable sideloading.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. Where can you configure a Group Policy that restricts the use of Microsoft accounts for a specific group of users in an Active Directory domain?

    1. In the Group Policy Management Editor window, by expanding Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options
    2. In the Group Policy Management Editor window, by expanding Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment
    3. In the Local Group Policy Editor, by navigating to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options
    4. In the Local Group Policy Editor, by navigating to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment
  2. Where can users opt to connect a Microsoft account with a domain account?

    1. Users can’t do this; an administrator must perform this task for them in Active Directory.
    2. From their local computer, in PC Settings, from the Accounts tab
    3. In the Group Policy Management Editor window, by expanding Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security
    4. From their local computer, in PC Settings, from the OneDrive tab
  3. Which of the following can you manage in the Office 365 Admin Center?

    1. Active Directory synchronization
    2. Valid, expired, and assigned licenses
    3. User passwords, including resetting
    4. All of the above
    5. B and C only
  4. You need to disable access to the Windows Store for one group of employees in your workgroup. How do you do this?

    1. Configure a Group Policy setting that disables the policy Turn On The Store Application.
    2. Configure a Group Policy setting that enables the policy Turn On The Store Application.
    3. Configure a Group Policy setting that disables the policy Turn Off The Store Application.
    4. Configure a Group Policy setting that enables the policy Turn Off The Store Application.
  5. Which of the following tools and technologies can help you sideload company apps?

    1. DISM
    2. Windows PowerShell
    3. Configuration Manager
    4. Windows Intune
    5. All of the above
    6. Only C and D
  6. What Group Policy setting do you have to enable before users can install apps you’ve sideloaded?

    1. None
    2. Allow All Trusted Apps To Install
    3. Allow Development Of Windows Store Apps
    4. Block Microsoft Accounts
  7. When you offer a sideloaded app to a Windows RT device, which of the following commands must you run at an elevated command prompt?

    1. slmgr /ipk <sideloading product key>
    2. slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e
    3. import-module appx
    4. Add-AppxPackage
    5. All of the above
  8. True or false: You can make sideloaded apps mandatory and force their installation on to clients by applying the applicable settings in Windows Intune.

    1. True
    2. False
  9. You want to manage a user’s computer by using Windows Intune, on a computer running Windows 7 Professional. What must you do first?

    1. Install the Windows Intune client software package on it.
    2. Install the Windows Intune connector.
    3. Upgrade the computer to Windows 7 Enterprise or Windows 8 Enterprise.
    4. Install the company portal from the Windows Store.
  10. Which of the following describes the purpose of deep linking an app?

    1. To push out specific Windows Store apps to your Windows RT users
    2. To make Windows Store apps available to your Windows RT users in your company portal
    3. To add your company apps to the Windows Store
    4. None of the above