>> Hi. Thank you so much for
joining us for our show on Microsoft 365
Business under the hood. My name is Ashanka Iddya, and I am the Senior
Product Marketing Manager for Microsoft 365 Business. Today, I'm very excited
to talk to you about what Microsoft 365 Business
is and how you can deploy Microsoft
365 Business. Before we get started, I thought it would be very
useful for us to talk about the vision of
Microsoft 365 Business, and what we see for our small and medium
business customers. What we see in the marketplace
for SMB customers, is there's a plethora
of SaaS apps being used. We're seeing our
customers move from traditional on
premise applications, and embracing SaaS applications. What this does is, now it makes your
security posture insecure because now you
have a lot of data residing, in SaaS applications. Apart from SaaS applications, we're also seeing a lot of personal devices being
used at the workplace, among our SMB customers. In fact, we have
a data point that says, "Seventy one percent of SMBs use personal devices to access
company owned data." Again, what we're seeing
is you have a lot of data residing in
these personal devices that makes the
security posture hard. So, the most important thing
for M365 Business, is protection of data
for SMB customers. Given that we have our SMB customers using SaaS applications,
using personal devices, one of the biggest challenges
among our SMB customers, is managing this data
given all of these devices and
apps being used. That's really one of the core goals of
Microsoft 365 business, is protecting your data
wherever it's on the move. If you look at how hard it is to actually increase the security
of your small business, there's a lot of things that
our small business customers have to do to manage security. You have to first of all, make sure you're running the latest version of everything. You have to make sure you have the latest anti-virus, or
anti-malware solution. You have to have
a strong password and change it regularly. I think you can see
there are many steps that you may have to manually do. Taking these steps manually
is hard and not easy, it takes a lot of effort. What we've learned from
SMB customers, is a lot of them want to spend their time running their business because that's what they care about. Security is something that needs to happen
in the background. So, given that we have
the challenge in SMBs. This is what is primarily the challenge among
our SMB customers, is we have a lot of SMB customers using
legacy infrastructure. So, if you see a lot of
old versions of Windows, if you see a lot
of old versions of Office client or even email, being used, Exchange Server
2007 for example. Then we have this newer trend of SaaS applications being used, and personal devices being used. If you look at all of this is managing security in
this environment, where there is
legacy infrastructure, unauthorized SaaS apps,
for example, as well as personal devices, managing security in this environment
becomes really hard. One of the goals of Microsoft
365 Business is to make management of SMB IT
really simple. The big vision of
Microsoft 365 Business, is to have one subscription that gives you the latest
version of Windows, keeps your Office up to date, you have cloud services that help you enable
your productivity, and all of this is
centrally managed. So, the whole vision of Microsoft 365 Business is to be that one standard
subscription, that provides a greater
security posture, but also helps you manage your infrastructure with
the least hassle possible. That's really the goal of
Microsoft 365 Business. Is we wanted to provide a holistic subscription
that helps your customers, get more done, it gives you the best productivity
capabilities to help you work better together. We also have specific apps to help you build your business. All of this is overlaid by security features that help
you safeguard your data. The vision of all of this is it should not be
hard to enable or manage and the entire
deployment process has been simplified for you. So, let's go into
a little more detail of what exactly you get from
Microsoft 365 Business. Our goal with Microsoft 365
Business was to give you a holistic solution
that not only gives you the best collaboration
and productivity tools, for you to grow
your business but also, security capabilities to protect your data wherever
it is in transit. So, with Microsoft 365 Business, our goal was for SMB customers to securely run and
grow their business. Just briefly going through what each of these pillars mean. With "Get more done", you get the latest Office applications, where you get the latest
and greatest Office. A lot of times you
have customers asking, "Why should I be on
the latest version of Office?" The latest version
of Office gives you access to intelligent
capabilities. For example, PowerPoint has this feature called, "Designer", which automatically
recommends slide designs for you based on the content. What this means is the artificial intelligence
capabilities in Office, that is there in
the latest Office, helps you get
your work done faster, and saves you a lot of time, and of course, it is a more secure Office possible as well. Then you also get collaboration
capabilities in Teams, where you can work better
together with your customers, with your suppliers,
with your vendors. Teams truly brings all of those resources into
a single place, where you don't have to
keep track of where, when you're working in a group, it really becomes challenging, in the fact that different
people in a group will start exchanging
e-mails or documents, and it's really hard
to keep track of. Teams brings all of that
together in a single workplace. We also have specific apps that help you build and
grow your business, and help you maintain
customer relations, for examples, a planned
work processes. Then in terms of security, we'll talk more about
that in this session, but we've included a lot of new features and
we're excited to talk about the new
security features in Microsoft 365 Business. But our goal with
security is to help make it simple to enable, but also something that
doesn't come in the way of productivity because
what we've learned is productivity has
to be seamless, and when you enable
security features, if they come in
the way, your employees will go around it. So, in terms of
security features, our vision was to give you the most secure
capabilities possible, but also make sure that they
work in the background, so it's not coming in the way. So, we'll talk more about security capabilities of
Microsoft 365 Business. Of course, the core principle of Microsoft 365 Business is, we want these solutions
to just work for you. If you have amazing
capabilities but you're unable to take the value of them faster because it's too complex, that means it's not
working for you. So, what we've done
is spend a lot of time simplifying the enablement of these capabilities and so, you can just quickly enable these capabilities and get going, and realize the value of
your subscription faster. So, we briefly wanted
to talk about, what are some of the
new capabilities we've announced in
Microsoft 365 Business? Microsoft 365 Business
is our ideal product for SMB customers because
we believe it meets the IT needs of
most SMB customers, because it goes beyond just collaboration
and productivity, it also gives you
security capabilities, it helps you stay on the latest and greatest
version of Windows by offering you
a free upgrade from, previous Pro versions
to Windows 10 Pro. You have the ability to manage Windows capability with
your Windows devices from a central console. You can manage
non-Windows devices with Microsoft 365 Business, including iOS and Android, through the
availability of Intune. We also want to
talk about some of the security capabilities
we have enabled. We have enabled security
capabilities to deal with external threats
like Office 365 ATP, and Windows Exploit Guard, but we also have capabilities to help you safeguard your data. So, you get data loss
prevention capabilities in Microsoft 365 Business, and you get Azure Information
Protection as well. Azure Information
Protection helps you put rights management
capabilities and permissions, on your data like for example, "Do not forward", "Do not copy." It also helps you encrypt
outgoing messages as well. So, you get all of those Azure Information
Protection capabilities, plus you get the ability to classify and label data as well. You also get
Intune App Protection, which helps you put
restrictions on cut, copy, paste, on mobile devices as well, when you use the Office app, so you get full Intune
capabilities as well. Data loss prevention
capabilities help you prevent sensitive information from leaving the organization. So, what it does is it does
deep content analysis, and looks for patterns such
as credit card information, or bank routing numbers, or PHI routing numbers, and helps prevent the transmission of this sensitive
information outside. Then you will also get litigation hold and
compliance capabilities, where you can enable archiving, you can enable litigation hold, you can do eDiscovery as well. As you can see our vision with Microsoft 365 Business with the addition of new capabilities, it is designed to be
a single subscription, that meets most of your IT needs, not just looking at
productivity and capabilities, but going beyond that in terms
of managing your devices, and giving you IT capabilities to keep your business secure. So, let's go deeper into what Microsoft 365 Business does as far as security is concerned. Keeping security acting
as guardrails so it's only there when you need it is a very important
philosophy for us, when designing
Microsoft 365 Business, because we understand
productivity is paramount. But you also need the very best security given the environment
that we live in, where there are a lot
of external threats. In fact, we ran a recent survey
where we identified that 71 percent of our SMB
customers feel very vulnerable to
external cyberattacks. So, given the
environment we're in, we've designed
Microsoft 365 Business to really give you a layered
approach to security, and make it seamless. So, you can focus on the productivity while the system takes care of security for you. In terms of
safeguarding your data, we're looking at security
at three levels. Protection from external threats. What are the different systems
that you can enable in Microsoft 365 Business to help protect you from
external threats? Then, there is keeping your data safe from data leaks
that could happen due to employees
unintentionally sending sensitive information that
they should not be sending. So, we have a lot of
safeguards on how to protect data while it
is in transmission, while it is sitting in
different applications, and also, how you can
control data access better. Making sure that you can
apply restrictions so only the right people can
have access to the data. So, you can set all
of those permissions. So, let's go deeper into how Microsoft 365 Business
helps safeguard your data. So, in terms of protection
from external threats, we talked about the new addition to Microsoft 365 Business
that we're making. One of the things
that we're excited about is making Office 365 ATP available in
Microsoft 365 Business. What Advanced Threat
Protection or ATP does, it does two things. First, it checks links in real time and gives you what we call Time-of-Click Protection. So, what happens is if you have any link that is sent
through email or in a document and instead
of manually checking it, when you click on it, what
we do is we prevent you or the system Advanced
Threat Protection prevents you from
accessing malicious links. So, we understand
it's very difficult, while training is always good, it's really difficult to
expect every employee to really check for every link
that they're clicking on, and the times that we live in these links have gotten
very sophisticated as well. So, even if you
are ultra careful, and manually check every link, it's not guaranteed that the backends of a website
is not malicious, or it's not injecting
suspicious code. Really that's where
Advanced Threat Protection comes in as it protects the user from clicking onto a website
that has malicious intent. What the system does is
we check the backend for the website that's
being referenced to see if there's any code
injection happening, if there's any server in between, there's anything suspicious
happening in the backend. So, when the user clicks on it, we act as- Advanced Threat
Protection acts as a line of defense to prevent the user from clicking onto
a malicious site. The thing that Advanced
Threat Protection does is it also scans attachments. Every attachment coming in is analyzed in a virtual sandbox, where it is analyzed
for behavior and intent to see if an attachment
is behaving suspiciously, if it is doing a registry call, if it is doing things that a regular attachment
wouldn't be doing, and that's where artificial
intelligence is enabled to make a call on whether an attachment is
suspicious or not. This is where ATP, the infrastructure
enabled for ATP is enormous in the sense that every attachment that is
coming in is scanned. So, what customers are
getting is really the latest and greatest
sophisticated tools to prevent them from really advanced
malicious content because of the test that we are
running to prevent all of this malicious content
from coming into the system. Also, we have
Windows Exploit Guard, enabled in Microsoft
365 Business, where you can prevent your Windows device
from accessing ransomware content
and what it does is it reduces the attack surface and so it kicks in even before the antivirus
comes into place. So, Windows Exploit Guard is a great endpoint level
protection to prevent against malicious content
like ransomware. So, together with Advanced Threat Protection
and Windows Exploit Guard, you're getting a combination
of protection to really safeguard your business
and your data from sophisticated threats that are becoming more
sophisticated everyday, and you have a system that's
not just keeping up with it, but also advancing beyond it to help you
protect against that. In terms of safeguarding
your data like we mentioned, we have a number of systems
that you can enable, like data loss prevention
policies that help you prevent sensitive
information from leaking out. You can also enable
BitLocker device encryption. If you need to prevent, in the case if a device
is lost or stolen. So, BitLocker encryption means that if a device
is stolen or lost, your data will not fall
into the wrong hands. So, you can also easily enable BitLocker encryption
to protect your data. Then in order to protect your data end-to-end across
all of your devices, you have the ability to enable full-featured
Intune management, where it really protects your devices and data
regardless of what the device is, whether it's Mac, or Windows, or Android or iOS
devices as well. In order for controlling
data access, you can also put a lot
of restrictions. We talked about, how you can put restrictions on email like, do not forward or encrypt. But you can also mandate PIN
policies on mobile devices. So, when somebody is logging
in on their mobile device for example to
access company data, you can mandate PIN
policy or fingerprints. So, for example, if you
don't want your- if your employees are using
their personal devices and sometimes kids access
these personal devices, or it could be lost, you want to enable safeguard so you
could put PIN policy easily. One of the key capabilities that a lot of our customers
are very excited about is the ability to remotely wipe business data without affecting
personal information. So, you can do a selective
wipe as well very easily where if
an employee leaves, or if somebody's device is lost, you can wipe all
corporate data out of it, without touching
their personal devices. So, as you can see, we have incorporated
Microsoft 365 Business with a lot of sophisticated
Enterprise features, right from giving you the latest and greatest tools to prevent you from cyberattacks, and ransomware attacks to giving you safeguards to protect your sensitive information like data loss prevention
capabilities, and BitLocker encryption
capabilities for your devices. Now you also have a lot of controls to make
sure the data, the right people access the data. Or more importantly, when
people leave the organization, then they should not
have access to data, you can restrict access
to data that way as well. So, the goal of
Microsoft 365 Business is to give you best productivity and collaboration experiences, but also the best
enterprise-level of security safeguards to
safeguard your data. Like I said, we want to give you all of these capabilities, but we also want to make it easier for you to
enable and so one of the core principles of
Microsoft 365 Business is to make the enablement of these technologies
easier for you. Microsoft 365
Business is unique in the sense that it has
a unique administration center, that is designed to help make it easier for you to enable all aspects
of the service. So, it's not just Office
365 capabilities, but also device
management capabilities. One of the things that
I got excited when I was looking at Microsoft 365
Business as it was developing is how
simple we've made enablement of
these data protection device management capabilities. What would take hours in sort of going into the
Intune console and configuring it has
now been reduced to just toggle buttons
like you see here. For example, this
is a screenshot of the Microsoft 365 Business
Administration Center, where you can see the Windows 10
device configuration, and you can see you have
various toggle buttons to help you manage your Windows 10 Pro device from a central portal and that is a Microsoft 365 Business
Administration Center. So, as you can see here, just by setting these
toggles you can essentially enable security policies
for your Windows devices. Previously for Pro devices, there was no management. So, your users could go in, and really turn off
antivirus if they wanted to, or they could download any apps, and there was really no way to manage a Pro device previously. But what Microsoft 365
Business is designed to do is help you
as a business owner or your partner for
managing and putting up security policy centrally
that cannot be turned off. So for example, in
the set of options, when you see Secure
Windows 10 devices, you can enable the toggle on
or off, and so for example, if you want to enable the Windows Defender for
all of your devices, which we highly recommend, when you enable it on,
your end user cannot turn it off on a device because now this is essentially
enforced policy. As you can see, you
have many options that way where you can enable on. So, with a single toggle button, you have now enabled
centrally enforced policies. So, there are two
aspects to this. One is now you get
centralized management, that previously would be
a bit complex to enable. So, we have simplified
central management of devices, and enablement of
security policies. But the other aspect of this is this used to be pretty
complex to enable. You'd have to know aspects
of device management, you'd have to go into separate
portals, if you wanted to. But our goal in
Microsoft 365 Business is to simplify all of the most important controls that you need, give you the best defaults. So, you don't have to worry about enforcing
security policies. It's just giving you easy control so you can
enable all of this easily so you can realize the value and benefits of these security
capabilities faster. And similarly, we have a lot of toggles for protecting your
work files in mobile devices. Again, if one of the things I've worked on
Intune portal previously and if you want to go and
enable all of this on the Intune portal especially
protection of work files, it's about, I would say, 10 clicks to get there. But with Microsoft 365 Business, we have reduced the complexity
to a single toggle button, and that's really like the magic of the engineering involved
in this and that's really where we plan to go
further on as to help simplify the enablement of all the security capabilities. So whether you're a partner or a customer you can take
advantage of this faster. So, let's go a little bit
into the deployment of Microsoft 365 Business
and how do you deploy Microsoft 365 Business
given that we have a lot of components in
terms of identity, Windows Management
and Office as well. So quickly, one of the
questions we spent a lot of time talking about
Microsoft 365 Business, but we want to talk
about what it is not, and so quickly we get a lot of questions on Microsoft 365
Business and we want to highlight some questions
that we get and take out some misconceptions
of M365 Business. One of the most common questions
that we get for M365 Business is, does
it include Windows? Well, the answer is it includes an upgrade from Windows 7 Pro, 8 Pro to Windows 10 Pro, but it's a bit
complicated in the sense that you don't get
a Windows entitlement, you don't get a product key. What you get with
Microsoft 365 Business is you get Windows Management, ability to centrally manage Windows Pro devices that
you previously couldn't. So, you get Windows Management and you get the benefits
of centralized management, like enforcing device policies
or security policies. It also includes a free upgrade from previous Pro versions, so if you already have a Pro
device that's on Windows 7, or 8 Pro, or 8.1 Pro, you get the upgrade
to Windows 10 Pro. But when you buy Microsoft 365 Business you're
not getting a license key. You don't get
a licensing entitlement. What you get is upgrade benefits
and management benefits. The second question that we
get is does it include EMS. One of the things is with Microsoft 365 Business
we're curating the security features or management features that
our customers need. So, Microsoft 365 Business
has a unique level of features that we do have a few features from EMS and other aspects of
our technology stacks, but it does not include full EMS. So one of the things
to be aware of is not to think that when you buy a Microsoft 365 Business
you're getting full EMS. You may have capabilities from
EMS like Intune and Azure Information Protection
but that does not mean you get full EMS with
Microsoft 365 Business. Our goal is to curate the right level of features
for our SMB customers and tailor
Microsoft 365 Business as a full solution
for SMB customers. So, it does not have
licensing entitlements for EMS. Then we have a question
that we get, do I have to migrate
from Office 365 when you enable Microsoft 365 Business for Business and
the answer is no, you don't have to migrate. Microsoft 365 Business runs on the same base as Office 365. So, if you're currently using Office 365 Business Premium or E3 and you want to switch
to Microsoft 365 Business, there's no migration
of data involved. All you have to do is switch the back end licenses and account for differences
in features that way. But there is no migration
of data needed. Unless, of course
you are migrating from a third party email system. So if you're just
going from Office 365 to Microsoft 365 Business there is no migration of data needed. So, here's a quick deployment
overview on what are the steps you would take to deploy Microsoft 365 Business. In terms of as an admin, the steps that you can take is you can go through
the motion of setting Microsoft 365 Business similar to Office 365 if
you're familiar with. So, you can set up
DNS and configure your users and then assign
licenses to your users. If you have on-premises assets, previously we had said
Microsoft 365 Business, you can now use AAD Connect
with Microsoft 365 Business. Because you have
Windows PC management that is happening to
device management and Intune for accessing
on-premises resources you might want to consider
something known as Hybrid Azure AD joined
devices capability. We will talk more
about it and then you will migrate user email if
you're not using Office 365. So, in terms of admin policies, the things that you would
do is you would set up DNS, you would configure users, you would assign the licenses, you would enable AAD
Connect if you're looking at on-premise assets. You will enable
Hybrid Azure AD configuration and we'll talk more about that, and then you can set policies using the centralized console. In terms of the user PC, upgrade to Windows
10 Pro Creators Update is really important. The minimum requirement for Windows PC has to
be Windows 10 Pro. So like I said, if you have previous
versions of Pro you will use the enablement or
the upgrade benefits that you have with your Microsoft
365 Business subscription to upgrade older versions to Windows 10 Pro and then once all of your devices
are Windows 10 Pro, you will do what is known as
Azure Active Directory Join. You do that by signing in
with your credentials, which is your username
and password. Once you sign in with
your username and password, what happens is it joins
Azure Active Directory. Then the Windows 10 is elevated
to Windows 10 Business, and what Windows 10
Business means is now it is under
centralized management. So the previous
console that I showed you where you can set up
devices and security policy, where you can set up, you can put the toggle buttons for securing your Windows device, those policies are now flowing over into
the Windows device. That's what signing in and that's what Windows 10
Business elevation means, is now the device is under
centralized management. And once the elevation is done, you can install other apps
and you can install Office and Teams and set
it up for your end user. As far as your mobile
device is concerned, again, your user could
download and set up Outlook. You can download
the company portal if you wanted to and you can
download Word, Excel, PowerPoint and other Office
365 apps that are available, that you can install on
your users mobile device. So let's talk about what
an Azure AD Joined Device is. Here, we talked about what a Windows 10 Pro device joining into Azure
Active Directory does. So, once you have
a Windows 10 Pro device and you sign in with your Azure AD credentials
or your credentials or generally the username
or password that you get with
Microsoft 365 Business, it signs in to
Azure Active Directory. Azure Active Directory
will invoke your Intune policies
and Intune will now manage your Windows
10 Pro device. In this elevation,
this centralized management in Intune is essentially what we call Windows 10 Business. Because now, Intune
has given a set of centralized management
policies that is managing this device now, so your end user can go and do, they cannot go and remove some of
the security capabilities, this device is now
centrally managed. That's really the
Windows 10 Business entitlement that you're getting
with M365 Business, is a centralized
management capabilities that was previously not there for your
Windows 10 Pro Device. So, what this does is once
your device is joined to Azure Active Directory
and is now being centrally managed by
Microsoft 365 Business. What it does is enables what we call the Cloud Only Scenario. So, you can access
SaaS applications and cloud-based assets for file sharing like
OneDrive for Business. One of the things to
consider when you're moving to this configuration is, if you have a current
profile being used, know that when you do the join
to Azure Active Directory, it creates another profile, so it doesn't automatically migrate things from
previous profile. It is on the road-map
that we are looking into but currently you'll have to use a manual tool to
migrate the profile. So one of the things to consider is with your current Windows
10 Pro Device, if it has an existing
profile and you're joining it into
Azure Active Directory by signing in with
your credential, it will create a new profile and the old profile will
not manually migrate, so you have to cut,
copy, and paste. Then, joining it into Azure Active Directory
and enforcing management to Intune could
also mean that some of the GPOs, if you're using GPOs, may not map, so it would be good for you to run what we call the MMAT tool, that really maps GPOs
into the Intune console, and so you may need to
look at that as well. Accessing On Premises assets in this configuration will be hard because there is no access to On Premises
resources with this. So, consider this configuration for those customers that
are looking to be cloud only or cloud first because this kind of
configuration where it is joined to Azure Active Directory
and managed by Intune may not be suitable for customers that have
On Premises assets or line of business
applications that rely on an On Premises DC. This is the configuration
that we recommend for customers right now with On Premises assets that
need to be accessed. So, this technology is called
Hybrid Azure AD Joined Device, and what it does is it enables your
Windows 10 Pro Device. If you have an On
Premise active directory and you're using it to access line of
business applications or file shares or
printers, any of that. There's already an existing
asset base in terms of using On Premises access and you're using your active
directory heavily. In this setting, you
want to introduce Microsoft 365 Business
Managed Devices. This is the configuration
that you would use. It is called Hybrid
Azure AD Joined Device, and what it does is the
device here is joined both to Azure Active Directory
and your local AD. So, what this means is your
device gets the benefit of centralized management that
is coming into Intune. But your device also has access
to On Premises resources that your customers are
used to like lines of business applications or
file shares or printers. In order to enable this, you do have to say
that you do have to go through steps in order to do this. So for that, you would
need to first enable the Azure Active
Directory Connect tool to make sure that the
identities are synced, and make sure you have
the latest version of Azure Active Directory
Connect as well. You definitely want
to make sure that the Azure Active
Directory Connect tool is enabled because
it's important, this is what provides
you the connection with your On Premises assets. Then you would run PowerShell cmdlets on
your domain controller which is the Active Directory and then you will create two GPOs, we will go into details for it. But that's really some of the
steps that you would take, but really the configuration from what we want to take
away from this slide is, these slides sort of
enables you to get the best of Intune management
or your device, so you get centralized
management, you get the ability to manage all of these Pro
devices essentially. But you also have the ability to access lines of
business applications, printers, and file shares
with this configuration. So, here's some of
the steps you would take to Hybrid Azure AD Join. I want to make sure
everybody understands, this configuration
that requires a lot of thought and it could
be considered complex. So, please make sure you go to the detailed documentation. The detailed documentation
is at aka.ms/hybridaadj, that is aka.ms/hybridaadj. Really, what you're looking at is creating the following steps. The first is you would install and configure the AAD Connect. What this does is it creates
a sync and syncs identities between On-prem AD and your
Azure Active Directory. Then, you would run a PowerShell cmdlet on your domain controller which
is your on-premise AD. What this does is tells
AD Connect to allow the computer objects to sync between On-premise domain controller
and Active Directory. The next step is you
would run two GPOs. The first GPO is to do what
we call a Workplace Joined. It allows Domain Joined
Windows 10 devices to register itself with
Azure Active Directory, and this puts it in a Hybrid Azure Active
Directory Joined Device mode. So, the first GPO, what it does is it allows your Windows 10
device to register itself with AAD and this
is a manual process, you would have to run this GPO. Then, you would run a second GPO and what this second GPO does, it allows the Windows 10 device to enroll in Intune for management. So, you have to run both of the GPOs and we have just
simplified the steps here, there's a lot of
additional details that you would want to look at. Again, please refer to this documentation on
aka.ms/hybridaadj. We also want to go into details on the Windows deployment. Again, we want to talk about the Windows benefit or the Windows value that
you're getting is, you're now getting really pre-configured
and automatically deployed security features and management capabilities that you previously did not
have with Pro devices. So, we're bringing those capabilities
because we understand that security and
management capabilities are necessary to protect
our small businesses, and you're getting
these management capabilities. You also get autopilot
capabilities where if you're refreshing a lot of devices and you're
getting new devices, it really becomes hard
to then image this and provided to the employee and
it takes a lot of effort. So, with Windows
autopilot you can just get your device up and running very quickly
to your employee, you can start using it. So, Windows autopilot
makes it really seamless for you to sort of put your device policies on
a new and refreshed device. Of course, the Windows value
that you get in Microsoft 365 Business
is you get in-place upgrade to Windows
10 Pro if you're on 7 or 8.1 Pro previously. So here are the
prerequisites for using Microsoft 365 Business
on the device side. For mobile devices is
Windows 7 Pro, 8 Pro, and 8.1 Pro, so Pro is
a minimum requirement. Of course, if you're on
previous versions of Pro you can use the in-place upgrade to get to Windows 10 Pro. But in order to do
Azure AD Joined, it has to be on Windows 10 Pro, so you have to get your
device to Windows 10 Pro. On your mobile devices, it should be 8.0 or later for iOS and 4.0
and later for Android. Before you enable mobile devices, if there's a previous
MDM solution that is managing the device, the mobile device has to
be un-enrolled from that. So, remove any
previous MDM solution because once you use Azure Active
Directory credentials, you'll have MDM policies
flowing through or MAM policies flowing to
your mobile devices as well. So, quickly we want
to go over to some of the Windows Deployment
questions that we get. So, like we said, you have to first upgrade your Windows 10 Pro to Windows
10 Pro Creators update. So, if you're on previous versions, use the in-place
upgrade process to come to Windows 10
Pro Creator update. Then connect to AAD
by signing in with your Azure credentials or
Microsoft 365 credentials. Once the credentials
have been signed in, if you set policies in
the centralized console these policies will then flow
into your Windows device and your Windows
device is now under management and this state is
called Windows 10 Business. So, the deployment process on the Windows side
if you're a CSP, pretty much looks like this. So, as a CSP you will purchase your subscriptions and
what you will do is, you will set the device policies on the admin console
as we showed you. Then, if you have on-premises
resources you will set up, you will do the
necessary steps to make sure you're using
hybrid Azure AD Join. So, you will set up AAD
Connect and do the steps necessary to register
your device with AAD. Then, once the user signs in with their credentials from Pro it elevates into
Windows 10 Business. So, making sure that your device has been upgraded to Windows
10 Pro is necessary, but some of the backend things that you need to take care
of is making sure that you've set the policies in
place and if you're using on-premises assets or is there on-premises assets
that need to be done, then you have to follow
the steps for enabling AAD Connect and
Hybrid Azure AD Join. So, here are some paths
to Windows 10 Pro, one of the questions that we get is what is the path
from Windows Home. So, like I said
the minimum requirements are Windows 7 Pro or
8 Pro or 8.1 Pro, and so if you're not on
a Pro version you will have to get to
a Pro version first. So, these are the
steps that you would need to take if you're
on Windows 7 Pro. So, if you're in Windows 7
Home or Windows 8 Home, you will first need to go
from previous version of Windows Home to Windows 10 Home. So, you will go from Home to Home but come to
the Windows 10 version. So, if you're on Windows 7 Home, 8 Home or 8.1 Home, you will first come
to Windows 10 Home. Then, once you come
to Windows 10 Home, you will purchase
Pro pack upgrade, so you will convert
from Home to Pro. Right now, the option is to go to the store and purchase per device the
Windows 10 Pro pack. We'll be working on
a solution where partners or CSPs can look into enabling this on behalf
of their customers, so stay tuned for that news. But really the pathway for Home customers is to go from previous versions of
Home to Windows 10 Home, and then from Windows 10 Home to do an upgrade to
Windows 10 Pro pack. That upgrade needs
to be purchased. It's a separate purchase. It's currently 99 per device
in the Microsoft Store, but then once you do
that you will be on Windows 10 Pro and
then you can elevate to Windows 10 Business
by signing in. But really this is a path to Windows 10 Pro for our customers. If you're on previous
versions of Pro, then you'll have to do in-place upgrade where you can choose
to keep your files and settings or you can
keep your files but you have to use the upgrade options
whether it's to USB, DVD, or an ISO. So, use the in-place
upgrade option to go from previous Pro versions
to Windows 10 Pro, that is part of
the licensing entitlement. You don't have to
purchase anything to go from previous Pro versions
to Windows 10 Pro. But in order to go
from Home to Pro, you will have to do the
conversion and purchase to go from Home to Pro and that is not part of the subscription, you'll have to purchase
it separately. Then, we'll talk about
Office Deployment as well. One of the capabilities
that you have is you can automatically install Office once your device has joined to
Azure Active Directory. You can auto install Office, so this is great
for new devices or new employees who have
to be given new devices. As soon as they sign in with
their Azure credentials, it will enable the auto
install of Office. So, what you get with Office is essentially the
latest Office client with Word, Excel, PowerPoint,
Publisher, Access, OneNote. Teams has to be
downloaded separately, it's not part of the auto
install package but it is available to download. So, you can download
it separately. What it is not, it is
not 64 bit Office and it does not include MCI apps
like Project and Visio. Some of the prerequisites
that you would do is, before you enable this, you would uninstall older
versions of Office pre-2016. So, if you have
Office 2013 or 2010, you would uninstall older
versions of Office as well. This is a chart that
shows you a path from your current state to what happens when Office is installed. So, if your current state
is that no Office is installed, the system will
install Office apps. So, this is like a new device
where an employee comes in, signs in with
their credentials and the system will
install Office apps. If your current state has Office installed via
Click-to-Run, all versions, you don't have to
take any actions because Click-to-Run will
take care of itself. Office is properly
installed and licensed, so what happens after you sign in is Office is properly installed. So, if you have the current state where you're running Office
and software Click-to-Run, there is no action for you, that is the takeaway. Now, if you have Office
installed via MSI, you will have to uninstall all MSI versions
of Office because the system will install Office apps once
MSI versions are removed. So, the big takeaway here is if you have Office
installed via MSI, uninstall all MSI
versions of Office before and only after that the system will install Office apps to be
on 365 Business. Now, if you have Office ProPlus installed via Click-to-Run, again, you don't have any action. If you have previously installed Project or Visio
Apps via Click-to-Run or MSI, again, there is
no action for you. So, if you have
Project or Visio apps that are installed via
Click-to-Run or MSI, again, there is
no actions for you because Office apps will install with no impact to
Project or Visio. So, really the big takeaway is if you have Office installed via MSI, uninstall all
MSI versions of Office. All other areas whether you
have Project or Visio apps, or if you have Office ProPlus installed via Click-to-Run
there's no action for you. Here we have
a quick illustration of how Office auto-deployment works. So, we quickly upon
activation and the policies delivered
from Intune MDM to the PC and then the PC invokes the ODT file with
the configuration files so essentially it's
a two step process so once Windows 10
Business is activated, Intune delivers the MDM policy because now it's under
Intune management to the PC and then
once the PC's under management it invokes the ODT files, so
it's really simple. It's really great because it makes Office auto-deployment
very simple. Now, you don't have
to have an image with a package needed. By just
enabling a toggle button, you can make sure
that the device is automatically infused
with Office apps. That is the end of
our presentation. We have a lot of resources
on Microsoft 365 Business. Really, the link for all of our partner resources
is aka.ms/partnerm365b. So, that's aka.ms/partnerm365b. My email is
ashiddya@microsoft.com. Please, feel free to send me your feedback or
any questions that you have. We hope you are
excited about some of the new changes to
Microsoft 365 Business. We're very excited
about the potential of Microsoft 365 Business to
transform our SMB customers. Thank you again for your time
today. Have a great day.