Microsoft announced that organizations can no longer block access to the Windows Store for users on Windows 10 Pro. Previously, organizations could create a group policy to restrict Windows 10 Pro users from accessing and downloading anything from the Windows Store.
Microsoft say the move is down to a design change and because Windows 10 Pro users are small to medium sized organizations that do not want as much control as those with Windows 10 Enterprise Edition. The change will not affect those with Windows 10 Enterprise or the Education edition.
ACCESS TO APPS
Microsoft’s move to stop organizations blocking the Windows Store will likely cause a number of headaches for organizations around the world. Some will view Microsoft’s decision as essentially opening the doors to a massive ‘candy store’ of software, empowering users to browse and download whatever applications they want, without the organization’s permission, consent or knowledge.
Speaking to SAM professionals at events shows that ‘rogue’ users already pose a massive challenge to organizations’ SAM programs. If a user is denied a license for a specific piece of software, then they will go off and find a different source to get the software. Without the right policies and processes in place, the Windows Store will allow users to do just that – now they can pick from 669,000 applications!
That’s an awful lot of software that users have at their fingertips – with a lot of it arguably not fit for business use. It is therefore vitally important that there is management and governance in place to ensure users do not stray from existing software processes and do not download random applications for the sake of it.
This is where the importance of Software Asset Management process and technology comes in to play. SAM will help you to take control of the situation and limit the compliance and financial risk.
IMPACT ON SAM
Software Asset Management’s main concerns with this news are around license compliance, software spending and Shadow IT risks. Having access to such a large portfolio of software at the click of a button may be too tempting for some users – resulting in breaches in compliance and large deployments of non-corporate applications. It is also important to point out that there will be applications within the Windows Store that are for home use only and are not allowed to be used within a corporate environment (at least, not without a paid-for license).
Not only can this result in a compliance breach, it can also result in money being unnecessarily spent on software that isn’t needed. A platform such as Windows Store will allow users to purchase a piece of software on their credit card, which the user will then claim back as an expense. This shadow procurement of IT is most definitely not best practice and means the organization will still not have a licensable copy of the software (as the credit card holder is the licensee!).
Whilst the monetary value may be low, if you have 200 users all doing the same thing the financial risks are plain to see. Through SAM you can effectively manage the financial impact this may have on your organization by ensuring that users follow the correct request and procurement process – even for software in the Windows Store.
Unlocking the potential of the Windows Store poses a risk from a Shadow IT perspective. It makes it easier for users to purchase and create their own software agreements, outside of the existing agreements the organization has in place.
If users have the ability to download software – which requires admin rights – then they will go and find the software they need and download it without thinking about the consequences. The obvious comment to make here is to remove admin rights from your users’ machines. This may not be a viable option for some organizations as users may need admin rights to fulfil their role.
Having admin rights means you need to be proactive in your management of software downloads. The SAM Team needs to ensure that they regularly check Snow License Manager to ensure that only approved software has been installed and that there are no games or other blacklisted applications from the Windows Store on machines.
For those of you with Windows 10 Pro installed across your organization, now is the time to implement a software use policy (if you haven’t already got one) and a SAM process that regularly checks your SAM solution for unwanted installations.
A software use policy will help you govern how your users use software and restrict them in what they download. This will help you manage the Windows Store (and any other ‘app store’ for that matter) and ensure that only approved software is installed via the correct source.
Through existing SAM processes or by creating a software use policy you will identify software titles or categories that you do not want installed within your estate. For example, the Windows Store contains a number of gaming and betting applications – something that I would say is prohibited within a corporate environment.
Checking unwanted software installs is easy with Snow License Manager. By ‘Blacklisting’ unapproved applications, you can quickly and easily identify instances of software that you do not want on your corporate assets. Blacklisted applications will show up as an alert, along with information about the user, usage details and hardware information that the software is installed on.
This enables the SAM Manager to quickly and easily rectify any such cases of unapproved software to ensure the relevant actions to remove the software are followed. Not only will the software pose a compliance risk, but there may be IT Security risks associated that the Security team needs to address. With so many applications available there will be some cases whereby a user will download a piece of software that will harm their machine or your networks.
You should incorporate the Snow Automation Platform in to any software use policy or process ensure that all unwanted software is removed as soon as it has been identified. Once Snow License Manager has identified a piece of software that has been blacklisted, you can use Automation Platform to automatically remove the software from the machine to ensure you remain compliant and that you are following internal protocol.
EDUCATION & COMMUNICATION
You need to communicate and educate users on what they can and cannot do with the Windows Store.
- Don’t download unapproved software
- Don’t think that all the software in the Windows Store is ‘free’
- You will enforce disciplinary action on repeat offenders of the above
- Do follow your software request processes
- Do comply with your software use policy
Remind your users that you have visibility on what they are installing and downloading – and that you will enforce disciplinary action on any user that continues to breach policies and processes. Snow License Manager will provide you with user details, so you can focus extra efforts on serial offenders.
During your communication and education piece around the Windows Store, you need to include your software use policy and software request process to refresh your user’s memory. By keeping your users up-to-date and informed as to why it is important they don’t use the Window Store, you’ll find users are far more receptive and understanding.
This news from Microsoft does not have to cause a mass panic about how many applications users could download. You can easily manage this with the right blend of SAM processes, Snow License Manager and Automation Platform to ensure that your estate remains compliant and free from unapproved applications.
We've introduced A New Way to view Software Asset Management – something that will help you greatly in your quest to restrict users downloading apps from the Windows Store.