Windows 10 DeploymentIn-Depth Overview

Michael Niehaus@mniehausblogs.technet.com/mniehaus

Required Reading

Plan for Windows 10 Deploymenthttps://technet.microsoft.com/en-us/library/mt574241(v=vs.85).aspx

Introduction to Windows 10 Servicinghttps://technet.microsoft.com/en-us/library/mt598226(v=vs.85).aspx

Personal picture of your hobby or location picture

#MMSMOA

@mniehaus

Director of Product Marketing

http://blogs.technet.com/mniehaus

• 20 years with SMS/ConfigMgr

• 12 years with Microsoft

• 3 years with Windows product management

Redmond, WA, USA

Michael Niehaus

Only 1526 days until the end of support

for Windows 7

Windows 7 end of support date: January 14, 2020

Only 63 days until the end of support

for IE8, 9, and 10 on Windows 7

You need to move to IE11 by January 12, 2016. https://support.microsoft.com/en-us/gp/microsoft-internet-

explorer

Step 0. Get to Internet Explorer 11.

Enterprise Investments for Internet Explorer 11Help with Compatibility Issues

• Enterprise Mode, offering improved Internet Explorer 8 compatibility and document type overrides

• Enterprise Site Discovery Toolkit, to better understand how users are browsing

• All capabilities will be carried forward to Windows 10

A Natural Stepping Stone to Windows 10

• Migrate to Internet Explorer 11 on Windows 7 (before 2016) to prepare

• http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

Legacy Web Apps

Required Reading

Internet Explorer 11 (IE11) - Deployment Guide for IT Proshttps://technet.microsoft.com/en-us/library/dn338135.aspx

Stay up-to-date with Internet Explorerhttp://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

Step 1. Prepare for Windows 10.

ConfigMgr and MDT Support for Windows 10

Configuration Manager v.Next Enhancements• Upgrade task sequence• Windows 10 configuration support• New Windows 10 servicing features• Configuration Manager as a service, to support Windows 10

CB/CBB

MDT 2013 Update 1 (re-release) Enhancements• Upgrade task sequence• Split WIM support• DISM for applying and capturing images• Bug fixes

Product Supports Windows 10 Management?

Supports Windows 10 Deployment?

System Center Configuration Manager 2007 with hotfix

System Center 2012 Configuration Manager with SP2

System Center 2012 R2 Configuration Manager

with SP1

System Center Configuration Manager v.Next

Microsoft Deployment Toolkit 2013 with Update 1

Required Reading

The Future of Configuration Managerhttp://blogs.technet.com/b/in_the_cloud/archive/2015/10/27/the-future-of-configuration-manager.aspx

System Center Configuration Manager: Support for Windows 10 and Microsoft Intunehttp://blogs.technet.com/b/configmgrteam/archive/2015/10/27/system-center-configmgr-support-for-win-10-and-intune.aspx

Windows update needed to support Windows 10 with existing KMS servers (Windows Server)• https://support.microsoft.com/en-us/kb/3058168 adds support with Windows 8,

Windows 8.1, Windows Server 2012, Windows Server 2012 R2• https://support.microsoft.com/en-us/kb/3079821 adds support for Windows 7 and

Windows Server 2008 R2

New KMS and MAK keys needed, available on VLSC on 8/1• Look for “Windows Srv 2012R2 Data Ctr/Std KMS for Windows 10” on VLSC under

licenses, not under downloads and keys

Continued support for Active Directory-based activation (re-configure with new KMS key)

Windows 10 Activation

Windows Server 2008 R2 and above• Previous versions are no longer supported, upgrade now

• Update KMS with a hotfix, as already discussed

• Any forest level, functional level, schema level (although some specific features may require higher)

Consider upgrading to Windows Server 2012 or above• WSUS support for deploying Windows 10 feature upgrades via hotfix

http://support.microsoft.com/kb/3095113

• Won’t be backported to Windows Server 2008 R2 (already in extended support)

• Be sure to select new products (for WSUS and ConfigMgr SUP)

Keep an eye on Windows Server 2016

Windows Server support for Windows 10

MDOP 2015 (released in August) adds Windows 10 support, via service pack-style releases

MDOP Support for Windows 10

Product Required/Recommended Version

AGPM AGPM 4.0 SP3

App-V App-V 5.1

DaRT DaRT 10

MBAM MBAM 2.5 SP1, 2.5 is OK

UE-V UE-V 2.1 SP1

App-V 5.1 Enhancements

App-V 5 Adoption

Application Compatibility Manageability

Added Windows 10 support

Added Advanced Package Editor Abilities

Expanded Copy-on-Write to support more file extensions

Environment Variables are merged in Connection Groups

Modernized the App-V Server User Interface

Consolidated and simplified client logging

Improved Q:\ drive support for App-V 4 package conversion

Added support for multiple scripts per trigger

UE-V 2.1 SP1 Enhancements

Windows 10Network Printers Others

Network printers synchronized between devices

Synchronized default printer setting

Improved performance when deploying templates from a Template Catalog

Fixed automatic population of AD Home Path for Setting Storage Path configuration

Added Windows 10 compatibility

New Windows 10 desktop settings

Improve MBAM server logging and diagnostic

abilities

TPM Auto-Unlock after BitLocker Recovery

Customize the message in the BitLocker

Recovery Screen (Win10)

Full Windows 10 support

Encrypted Hard Drive support

International Domain Name support

FIPS compliant recovery password support on Windows 7 (requires

Windows hotfix: http://aka.ms/bitlockerfips)

Deployability

Manageability

Industry Compatibilit

yImprove managing the

enablement of BitLocker during Windows Imaging

Import BitlLocker/TPM recovery information

from AD to MBAM

Backup Windows-created TPM OwnerAuth (not just

MBAM-created)

MBAM 2.5 SP1 Enhancements

Step 2. Deploy Windows 10.

How to deploy

Wipe-and-LoadTraditional process• Capture data and settings• Deploy (custom) OS image• Inject drivers• Install apps• Restore data and settings

Still an option for all scenarios

In-PlaceLet Windows do the work• Preserve all data, settings,

apps, drivers• Install (standard) OS image• Restore everything

Recommended for existing devices (Windows 7/8/8.1)

ProvisioningConfigure new devices• Transform into an Enterprise

device• Remove extra items, add

organizational apps and config

New capability for new devices

Moving In-place

• Supported with Windows 7, Windows 8, and Windows 8.1

• Consumers use Windows Update, but enterprises want more control

• Use System Center Configuration Manager or MDT for managing the process

• Uses the standard Windows 10 image

• Automatically preserves existing apps, settings, and drivers

• Fast and reliable, with automatic roll-back if issues are encountered

• Popular for Windows 8 to Windows 8.1

• Piloted process with a customer to upgrade from Windows 7 to Windows 8.1, as a learning process

• Feedback integrated into Windows 10 to provide additional capabilities for automation, drivers, logging, etc.

• Working with ISVs for disk encryption

Preferred option for enterprises Simplified process, builds on prior experience

Moving In-place

ConfigMgr v.Next

MDT 2013 Update 1

When not to use in-place upgrade?• Changing from Windows x86 to x64• Systems using Windows To Go, Boot from VHD• Changing from legacy BIOS to UEFI• Dual boot and multi-boot systems• Image creation processes (can’t sysprep after

upgrade)• Using certain third-party disk encryption

products• Wholesale changes to the apps on existing PCs

Provisioning, not reimaging

Take off-the-shelf hardware

Transform with little or no user interaction

Device is ready for productive use

Provisioning, not reimaging

• Company-owned devices:Azure AD join, either during OOBE or after from Settings

• BYOD devices:“Add a work account” for device registration

• Automatic MDM enrollment as part of both

• MDM policies pushed down:

• Change the Windows SKU

• Apply settings

• Install apps

• Create provisioning package using Windows Imaging and Configuration Designer with needed settings:

• Change Windows SKU

• Apply settings

• Install apps and updates

• Enroll a device for ongoing management (just enough to bootstrap)

• Deploy manually, add to images

User-driven, from the cloud IT-driven, using new tools

Enhancements to existing tools

Minimal changes to existing deployment processes

• New Assessment and Deployment Kit includes support for Windows 10, while continuing to support down to Windows 7

• Minor updates to System Center 2012 to add support

• Minor updates in Microsoft Deployment Toolkit 2013 Update 1 to add support

• Will feel “natural” to IT Pros used to deploying Windows 7 and Windows 8.1

• Drop in a Windows 10 image, use it to create your new master image

• Capture a Windows 10 image, use it for wipe-and-load deployments

Traditional Deployment

App & Device Compatibility

• Hardware requirements are unchanged• Strong desktop app compatibility• Windows Store apps are compatible• Internet Explorer enterprise investments

Step 3. Keep Windows 10 up to date.

*Conceptual illustration only

Current Branch for BusinessCurrent BranchMicrosoftInsider Preview Branch

Broad Microsoft internal validation

Engineering builds

Users

10’s of thousands

Several Million

Hundredsof millions

Time

4 to 6 months

4 months

8 months

Customer Internal Ring I

Customer Internal Ring II

Customer Internal Ring III

Customer Internal Ring IV

Market driven quality: external and internal

Application Compatibility TestingWindows as a Service requires a new approach:

Identify mission-critical applications and web sites• Focus testing effort on just these apps

Leverage internal flights for testing other applications and web sites• From initial pilot groups to large populations of users

• Define groups to ensure broad hardware and software coverage prior to broad deployment

• React to issues reported, remediate issues before expanding

Talk to your ISVs to determine how they plan to support Windows as a service

Costs for deployment

2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Traditional deployment (every 3-5 years)

Apps Infra Imaging

2009 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028

Windows as a service (2-3 times per year)

Apps Infra Imaging

Current Branch for Business

Stage broad deployment

Information workersGeneral population

Long Term Servicing Branch

Deploy for mission critical systems

Specialized systems

Specific feature and performance feedback

Application compatibility validation

Windows Insider Preview Branch

Test machines, small pilots

Current Branch

Deploy to appropriate audiences

Test and prepare for broad deployment

Early adopters, initial pilots, IT devices

STAGE

NU

MB

ER

OF D

EV

ICES

Release

Thinking through deployment strategy

Configuring to receive feature upgrades via CBB

If you are using WSUS or ConfigMgr, the setting doesn’t really matter. Affects Windows Update.

Computer Configuration -> Administrative Templates -> Windows Components ->

Windows Update

Settings-> Update and Security-> Windows Update -> Advanced Options

What to deploy

Microsoft Windows 10 Enterprise(Current Branch, Current Branch for

Business)

Microsoft Windows 10 Enterprise 2015 LTSB

Windows Insider Preview Branch

Specific feature and performance feedback

Application compatibility validation

When to deploy

Stage broad deployment via WU for

Business

Current Branch For Business

Deploy to appropriate audiences via WUB

Test and prepare for broad deployment

Current Branch

Evaluate Pilot Deploy

4-8 months of active development

4 months (minimum) 8 months (minimum)

12 month deployment (minimum)

When to deploy

• There will be two supported CBB releases in the market at all times• Be prepared to jump from one release to the next• Don’t try to skip one, as it compresses the deployment timeline too

much

Evaluate Pilot Deploy

Evaluate Pilot Deploy

Evaluate Pilot Deploy

Staying up to date with Windows 10

Windows Update

• Cloud• Upgrades

installed as they are released (subject to throttling)

• Delivery optimization for peer-to-peer distribution

• Only option for Windows 10 Home

Windows Update for Business

• Cloud• Upgrades can be

deferred• Uses Windows

Update for content

Windows Server Update Services

• On-Prem• Upgrades are

deployed when you approve them

• Content distributed from WSUS servers

• Requires KB3095113

System Center Configuration

Manager• On-Prem• Choice of task

sequence-based upgrades or (with vNext) software update capabilities

• Content distributed from ConfigMgr DPs

Configuring Windows Update for Business

Computer Configuration -> Administrative Templates ->

Windows Components -> Windows Update

Step 1. Point all computers to Windows Update directly (no WSUS or SUP)

Step 2. Create policies (GPO) or settings (MDM) to specify how long groups of machines should defer.

Step 3. Target policies or settings to different groups of PCs.

Evaluations: Please provide session feedback by clicking the EVAL button in the scheduler app (also download slides). One lucky winner will receive a free ticket to the next MMS!Session Title: Deploying Windows 10 in the Enterprise

Discuss…

Ask your questions-real world answers!Plenty of time to engage, share knowledge.

SPO

NSO

RS