Windows 10 Deployment Rules Changed
Microsoft eschews traditional methods, opting for more current technologies like Azure.
Whatever you thought you knew about Windows 10 deployment will soon be outdated.
Microsoft has changed how its chief operating system is pushed to users, and the new methods don't involve putting a disc into a drive. They now favor cloud downloads and user self-service.
Microsoft's Windows 10 deployment direction, as outlined at Ignite last week, dispenses with the traditional imaging process and instead relies on Azure Active Directory domain joins, mobile device management (MDM) and self-provisioning by end users.
That approach was laid out in a talk by Michael Niehaus, director of product marketing for Windows at Microsoft. The Ignite session, "Deploying Windows 10: An Overview of What's New and Future Direction," is available on demand.
Organizations can still use traditional Microsoft deployment tools and methods to move to Windows 10, such as using Windows Preinstallation Environment (Windows PE), the User State Migration Tool, the Windows Assessment and Deployment Kit and Microsoft Deployment Toolkit (MDT), along with Windows Configuration Designer. Microsoft is even planning to release an updated version of the MDT this fall, Niehaus said. However, Microsoft sees those traditional tools as being "secondary" to so-called "modern" approaches using Microsoft Intune or other mobile device management solutions for the provisioning of devices, both mobile and desktop.
New Deployment Tools
The new deployment scenarios highlighted in Niehaus' talk relied on using specific tools, namely:
- Microsoft Intune or an MDM solution
- Windows AutoPilot, a service that enables users to self-provision new devices during the out-of-box stage
- Windows Store for Business for housing device provisioning lists for Windows AutoPilot
- Windows 10 Subscription Activation for moving from Pro to Enterprise editions
- Windows 10 Automatic Redeployment for repurposing an Azure AD-joined device
- Windows Analytics, including the Upgrade Readiness and Upgrade Compliance tools
It also mostly depended on having certain software licensing in place, such as:
- Azure AD Premium subscription
- Office 365 ProPlus subscription
- Windows 10 version 1703 or above with the July cumulative update
Niehaus argued that organizations face a trend where there are multiple device platforms, and the devices that need to be managed are owned by both end users and businesses. They need to transition from what IT has been doing over the last 15 years, he added. Organizations with Windows 7 devices should use an in-place upgrade to get to Windows 10, which lays down a clean Windows image. They should also try to get away from traditional imaging when setting up new devices, according to Niehaus.
An in-place upgrade is "fairly bullet proof," Niehaus said. If anything goes wrong, it rolls back to the earlier state. The in-place upgrade process is supported via Windows Server Update Services (WSUS), System Center Configuration Manager, the Microsoft Deployment Toolkit and third-party management tools. Niehaus added that if an organization is installing all of its new apps at one time, then maybe it's better to do the traditional wipe-and-replace operation, rather than an in-place upgrade.
Windows 10 Compatibility
Upgrade Readiness, part of Windows Analytics, can be used to get ready for Windows 10, according to Niehaus. It will show the devices that are ready for upgrading. Organizations also can use Update Compliance (also part of Windows Analytics) to check for update and antimalware compliance. Those tools are part of Microsoft's Operations Management Suite offering.
There's 99 percent compatibility from Windows 7/8.1 to Windows 10 in terms of desktop application compatibility, Niehaus said. Windows 10 comes with both the Microsoft Edge and Internet Explorer browsers, but Niehaus advocated for organizations having a dual-browser strategy.
Microsoft offers an MBR2GPT tool, which will convert PCs from BIOS to UEFI after upgrading to Windows 10. It even lets users turn on Secure Boot at the same time, and it works with third-party encryption software, Niehaus said.
Windows AutoPilot for New Deployments
Microsoft's scenario for "easy" Windows 10 deployments on new devices is focused on Windows AutoPilot, which Niehaus called "the golden path." It's a different way to set up devices to enable self-provisioning by end users.
Organizations typically reimage the devices that ship with original equipment manufacturer images, but that reimaging work just adds time and expense to the process, Niehaus argued. Microsoft's aim is to keep IT out of the reimaging process altogether, so that IT pros won't have to touch the device. Instead, end users should be able to set up the devices themselves. Intune or MDM is used to push the configurations down to the devices. It's also used to put Office on the devices.
The basic process is to register devices and assign a profile of the settings, and then ship the devices to end users. IT pros need to get the hardware device IDs and then upload a list to the Windows AutoPilot service. They can use the Microsoft Store for Business to maintain that list, which gets uploaded via a CSV file. The creation of the CSV file and the upload to the Microsoft Store for Business happens using a PowerShell script, Niehaus said. IT pros can configure the out-of-box session and brand the user sign-in experience. It's possible to skip having end users enter privacy settings during the out-of-box setup process.
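The device-registration step described above, as an added example that is not from the article or from Microsoft's own Get-WindowsAutoPilotInfo script: it reads the serial number and hardware hash from the local machine and appends them to a CSV in the three-column layout the Store for Business upload expects. Assumptions: it runs elevated on Windows 10 version 1703 or later, the hash is read from the MDM bridge WMI class MDM_DevDetail_Ext01, and a blank Windows Product ID column is acceptable to the service (fill it in if your tenant rejects the upload).

```powershell
# Added example: build the Windows AutoPilot device list CSV for one machine.
# Not the article's or Microsoft's own script. Assumes an elevated PowerShell
# session on Windows 10 1703+ and that a blank Windows Product ID is accepted.
param(
    [string]$OutputFile = "$env:USERPROFILE\Desktop\AutoPilotDevices.csv"
)

# Serial number as reported by the BIOS
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the MDM bridge WMI provider
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw "Could not read DeviceHardwareData; run elevated on Windows 10 1703 or later."
}
$hash = $devDetail.DeviceHardwareData

# Column names must match what the Store for Business import expects
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''      # assumption: blank is accepted
    'Hardware Hash'        = $hash
}

# ConvertTo-Csv quotes every field; the upload format uses bare values,
# so strip the quotes (serial and base64 hash contain no commas or quotes).
$lines = ($row | ConvertTo-Csv -NoTypeInformation) -replace '"', ''

# Append to an existing list so several machines can be collected into one file
if (Test-Path $OutputFile) {
    $lines[1] | Out-File -FilePath $OutputFile -Append -Encoding ascii
} else {
    $lines | Out-File -FilePath $OutputFile -Encoding ascii
}
Write-Host "Added serial $serial to $OutputFile"
```

Run the script on each new device (or over a CIM session to several), then upload the resulting CSV through the Microsoft Store for Business as the article describes.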
Microsoft is working on an ability to skip the end user license agreement (EULA) phase during setup, too, which is targeted to the release of Windows 10 version 1709 (also known as the "Fall Creators Update"). Microsoft also expects to add a graphical progress display for end users during the out-of-box phase and add support for expanded MDM security features when Windows 10 version 1709 becomes available. It's expected to arrive on Oct. 17.
Future Windows AutoPilot out-of-box enhancements under consideration include support for local Active Directory-joined devices using Intune or another MDM solution, even without being connected to a corporate network, but that will take more time, Niehaus said. Microsoft is also contemplating the ability to assign the devices to end users and get a more personalized experience. It's also looking at adding support for multifactor authentication, a secondary user identification process, in the future. Another effort being worked on is the ability to completely set up a device with no user input at all.
Niehaus said that deploying Office via Intune previously was a pain, but now with Windows 10 version 1703, it's been made as simple as possible. Office 365 ProPlus bits get streamed to the device from Microsoft's datacenters.
Niehaus emphasized that Windows 10 version 1703 or above with the July cumulative update is needed for these provisioning scenarios. Also needed is an Azure AD Premium subscription, plus a subscription to Microsoft Intune or another MDM service.
Other Provisioning Tools
For more traditional provisioning, Microsoft has the Setup School PCs app. It's for device provisioning by schools and will generate an image on a USB stick, which can be taken from machine to machine in the classroom for provisioning.
Windows 10 Subscription Activation is a new capability associated with Windows 10 version 1703. It lets organizations move from the Windows 10 Pro edition to the Windows 10 Enterprise edition. Windows 10 Subscription Activation is available to anyone with a Windows 10 enterprise E3 or E5 subscription. Organizations first have to submit a purchase order to set it up.
Microsoft is working on a new capability called "Windows 10 Automatic Redeployment." It allows organizations to repurpose an Azure AD-joined Windows 10 device. Administrators trigger the repurposing by pressing a special key combination. It produces a clean install on the machine, with nothing to clean up in Azure AD, as would be the case with a PC reset. This feature is turned off by default and requires Windows 10 version 1709, the Fall Creators Update. Niehaus added that any user who can add a device to Azure AD is considered an administrator, so that's a precaution for IT pros to consider before enabling this capability.
Niehaus also noted that Microsoft has disabled the Shift+F10 key combination, starting with Windows 10 version 1703, for security reasons. IT pros use Shift+F10 to get to a command prompt on a PC. However, it has a flaw in that pressing Shift+F10 during an upgrade can bypass BitLocker encryption. This flaw was notably publicized by Microsoft Most Valuable Professional Sami Laiho, and Microsoft seems to have responded.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.