“Store” is the worst name for a store.

CMSWire is read by marketers, a great many of whom would heartily agree with me on this point. The fact that Microsoft named its Windows 8 apps store “Store” should have been everyone’s first clue that marketing professionals were not consulted as to its presentation.

When Windows 8 was being prepared for general release, I made the prediction that “Store” would either be responsible for its eventual success or its dramatic failure.

In retrospect, I realize this must have sounded like a prediction from a cable news commentator: This major campaign either succeeds or fails, and when it does, then look at that, I was right again.

Here’s the point I was trying to make, only this time without the built-in hedging: Store is the center of the Windows software ecosystem.

As long as all paths to customer satisfaction lead through any store whatsoever, then we can gauge the general success of the campaign by how well people remember the brand.

Ever heard of “Store” before today?

Microsoft Invents the Apps Store, Try #6

Windows 10 has a store, and with this iteration — as well as with all future versions of Windows — it will serve as Microsoft’s central hub for the distribution of software.

Keep in mind, this is not just a remote payment system we’re talking about. Through the Windows 10 Store, users acquire the software they install on their systems, so the installation method is built into the store.

With Windows 10, this goes for software designed for the traditional Desktop (either the .NET Frameworks or the original Win32 API) as well as the “Universal” apps that can run on Windows 10 desktops and phones.

The Store is now every user’s self-provisioning system.

And perhaps now you see the problem: As organizations already learned when their employees started bringing technology from the 21st century in to work with them, when users make their own choices, they tend not to be the ones their IT departments would make for them.

The great thing about people bringing in their own 21st century technology is that they’ve already purchased it. It would be a shame for businesses to treat that investment as worthless, especially when someone else has already made it for them.

But if every Windows device was completely open to whatever changes that its user would make to it on the consumer side of the equation, the business side would not be able to apply policy to it. One reason “Store” was rejected by businesses was because, at least theoretically, it opened up business assets to possible exploit by consumer software.

Many businesses asked, is there any way we can disable the Windows 8 store so that employees can’t just install any software we want? Sure, you could manually disable some Registry keys or reverse the setting for a couple of group policy variables.

Just a small side-effect: Doing so would disable the scheduling system, which would in turn make Windows impossible to update.

In a feat of fleeting brilliance, Microsoft realized that what businesses truly desired was a way to leverage the self-provisioning and appropriations engine of the Windows Store for their own purposes — in other words, not to turn off the Store altogether, but to take control of it for their own purposes.

This is the purpose of Windows 10’s Business Store Portal: a way for businesses to take control of the checkout counter, if you will, and move it on-premise. This way, managed Windows devices only use the software their users’ employers expressly permit.

“Now the Store understands that you have personal apps and corporate apps,” explained veteran Windows consultant and educator Mark Minasi, during a presentation at a recent Microsoft conference.

Into Account

Last week, I showed you how Windows 10 intends to make use of Azure Active Directory, the account system for Windows’ business users on Microsoft’s Azure cloud. Here’s where Azure AD comes into play:

Suppose an employee brings her own personal device to work, he explains. On this device are consumer Store apps registered to the employee’s personal Microsoft Account. Her employer needs her to run a set of line-of-business applications, and the IT department has registered her under a separate Azure AD account.

In Windows 8, every app downloaded from the Store by any one user was registered to the Microsoft Account of that one user. This was a major architectural mistake on Microsoft’s part. For the IT department to manage the device, it needed access to her personal account.

“If one of your users acquired an application from the consumer Store, then if they ever leave the organization, your app walks out the door with them,” explained Microsoft Senior Program Manager Tejas Patel during this same conference. “We want to make sure that you, as an organization, can maintain that copy of that app.”

The mixture of personal and private information assets may, in itself, render an organization in non-compliance with privacy standards. This seems natural enough when an ex-employee continues to have access to customer data.

But it’s just as logical when the former employer has access to ex-employee data.

As Minasi told developers at the Ignite conference last May, the Azure AD account is used not only to register applications downloaded through the Business Store Portal, but to generate the key necessary to encrypt the documents and data generated by that app.

When an employee leaves the company, all IT needs to do is revoke the key. This passively triggers a process whereby the line-of-business apps are uninstalled. But more importantly, since all the documents are encrypted, they become illegible by the ex-employee.

On a Windows 8 device, having two accounts for logging on meant having two desktops… and two Start Screens, and two browsers… or rather four browsers, since you had one browser for both “Metro world” and “Desktop world.” This was unacceptable for everybody for obvious reasons.

Windows 10 resolves this issue by enabling administrators to join users’ Azure AD accounts with their Microsoft Accounts locally (thus the name “Azure AD Join,” which is also identified as “Workplace Join” deep in Win10’s menus). So there’s still a single login, and the business account name does take precedent, but the user’s personal assets remain protected by the personal account.

Upkeep

The Business Store itself becomes the organization’s own apps store, containing all the applications that the administrator would typically pre-install on the business PC user’s desktop, or virtual desktop.

This enables a self-service scenario that should have existed years ago: Businesses purchase software licenses in bulk, but assign those licenses to their Business Stores on a per-account basis.

(Here’s something else almost impossible to believe: In the Windows 8 Store, there was no way to purchase software in bulk.)

Administrators use Configuration Manager to designate how these applications are automatically installed (e.g., their home directories, their default documents folders, their access to other documents within the corporate network). The result is an installation script that employees execute whenever they download these apps for themselves.

This way, employees are responsible for their own equipment, but can provision corporate resources for themselves without directly involving their IT departments in the process. Each download counts as an execution of one of the bulk licenses that the employer already purchased.

Alternately, an employer can purchase software in bulk and pre-determine which employees are due to receive it. Those applications are then pushed to employees’ clients’ devices as mandatory downloads.

When an employee leaves the company and the licenses to her Azure AD-enabled applications are revoked, they become “undeployed” within about 24 hours.

Nearly everyone admits that Microsoft took its sweet time joining the personal device revolution. In several respects, it blocked its own way to the party with Windows 8. With Windows 10, the company appears at least to be on the verge of a realization: They’re all “personal devices,” all of them, even when businesses purchase them. People’s desktops always belong to them. It’s the data, and the applications that produce that data, that belong to businesses.

Now, at last, Microsoft has figured this out: Give businesses the tools to manage their data, and users the tools to manage their machines.

Keep Up with the Countdown

Top 10 Windows 10 Features #10: Device Guard

Top 10 Windows 10 Features #9: Packaged App Deployment

Top 10 Windows 10 Features #8: Virtual Secure Mode

Top 10 Windows 10 Features #7: Hello Biometric Login

Top 10 Windows 10 Features #6: Enterprise Data Protection

Top 10 Windows 10 Features #5: The Unified Desktop

Top 10 Windows 10 Features #4: One Place for Settings

Top 10 Windows 10 Features #3: Azure AD Join