Windows 10 for Enterprise: Deployment Achieve more and transform your business with the most secure Windows ever.
Safer and More productive More personal Powerful, more secure modern devices Agenda
Application Compatibility Windows Deployment Methods Windows as a Service Additional Resources
Overview Approach Prepare
Application compatibility Overview
Supportability Discovery Rationalize
What’s new Prioritize Application compatibility tools
Web application Test compatibility tools Overview
Application compatibility Supportability
What‘s new Compatibility in Windows 10
• Compatibility of Windows 7, Windows 8 and Windows 10 desktop apps is a top Microsoft goal. • Most existing Win32 and Win64 applications run reliably on Windows 10 without any changes. • Strong compatibility and support for Web apps and devices.
Desktop apps Web sites Modern apps Hardware Overview
Challenges
Overview Approach Prepare Win32 / UWP Applications Web Applications
Discover What applications does my company rely on? What web applications does my company rely on?
Rationalize What should I test What should I test
Prioritize When and how should I test When and how should I test
Test Validate application Validate web application
Remediate Determine remediation approach Determine site/ browser configuration required for remediation
Deploy Deploy application in production Deploy site or browser configuration in production
Overview Approach Prepare
Applications Browser 12 January 2016 January 12
Overview Approach Prepare Overview
Overview Approach Prepare Approach
Overview Discovery
Rationalize Prioritize Test Overview
Pros Cons
Focus available resources on what’s critical for the Issues with non critical applications (larger set) are identified business later
Fits better with a faster rhythm of changes Dependent on application portfolio accuracy
Discover potential issues on critical applications earlier May introduce changes in the organizational processes
Leverage application users to check application compatibility
Optimize overall Operating System update cost
Overview Approach Prepare ▪ Risk based App Compat fits with Windows 10 as updates will mainly extend OS capabilities Fit the OS ▪ Windows 10 OS will evolve through ‘feature updates’ more frequently than in the past servicing model ▪ OS updates will be available at various time (WIP, CB, CBB) giving choices to start App Compat (Critical Apps first) before broadly deploying the OS update
▪ Critical Applications identified in the App Portfolio need to be addressed earlier Focus on critical Applications ▪ ‘Nice to have’ Applications could directly target End Users devices (when pilot prioritized Apps) ▪ Third party applications App Compat should leverage ISV input first (support required)
▪ Organize your target users/devices in rings in order to gradually update devices Gradually increase ▪ WaaS first rings focus on non-production and pilot devices up to last ring (broad deployment) device updates ▪ Test environments need to take care of multiple OS releases when moving across rings until all devices are updated
Overview Approach Prepare Discover Mandatory Optional Other Internal Supplier Other
Rationalize Managed Supported Unsupported Unwanted Applications Applications Applications Applications
Prioritize Must Test Should Test Don’t Test
Test
Overview Approach Prepare No/Incomplete Application Portfolio Full Discovery
Legacy Approach • Limited to no visibility of the application • Identify every application used by in the landscape organization • Application ownership and support may be • Discovery performed manually unknown • Decentralized strategy
Application Portfolio ▪ Cost implications due to no or limited application portfolio management ▪ Having no information on application ownership or support greatly adds to the complexity Why Change? Full Discovery ▪ Requires a longer duration to be able to complete a full discovery ▪ Manually approaching each user is impractical
Overview Approach Prepare Mandatory Apps Optional Apps Other Apps
Internal Supplier Other
Overview Approach Prepare IT Centric Test before Rationalize
Legacy Approach ▪ All applications are considered business ▪ Limited collaboration with business groups or critical application owners ▪ All applications are tested first before ▪ Application assessment mostly done based on categorization IT knowledge ▪ No appropriate goals for the application portfolio IT Centric ▪ Limited understanding of what the business needs and which applications have business value ▪ Lack of concrete information leads to higher project cost and complexity ▪ Absence of support and buy-in from the business makes the activity more challenging Why Change? Test before Rationalize ▪ Streamlined application management - Operations team will need to manage a significantly small app portfolio ▪ Save time and money from testing applications with no business value ▪ Optimize licensing costs and reduce the risk of running unlicensed software
Overview Approach Prepare Overview
Managed Applications Supported Applications Unsupported Applications Unwanted Applications
▪ Financial or business ▪ Application has business ▪ Application superseded ▪ Unlicensed application impact if application does value by new version or new ▪ Applications banned by not work application corporate policy ▪ Productivity impact if ▪ Critical to business application does not ▪ Application not operation work introduced in environment by IT
Overview Approach Prepare Overview
Must Test (Managed Applications) Don’t Test (Unsupported Applications) ▪ Dedicated resources to test ▪ Not included in pilot test group ▪ Test plan to confirm operation ▪ Test when service desk call raised ▪ If it breaks, it may not be fixed
Should Test (Supported Applications) ▪ Test when resources available ▪ Test as part of pilot group for OS update / upgrade
Overview Approach Prepare Workaround as permanent Inefficient testing process Remediate before deploy fixes
▪ Only runtime ▪ Platform deployment will ▪ Workarounds such as (functionality) tests not begin until all virtualization or Overview performed applications are compatibility mode are ▪ Installation, launch and remediated considered compatibility uninstallation not tested solutions ▪ A documented test plan is manually performed ▪ Challenges with business group involvement ▪ Decentralized test environments
Overview Approach Prepare ▪ Support and buy-in from the business units provides a more holistic testing strategy Inefficient testing ▪ The most important factor in determining that no bugs exist that affect user scenarios is the user process ▪ Automated testing delivers more efficiency and time to test benefits ▪ Virtualization offers a faster and standard infrastructure provisioning for validation and testing
▪ Development of a new approach for deployment and monitoring based on a staged or pilot roll-out Remediate before will save on time and cost deploy ▪ It will be more effective to quickly have a simple pilot so that issues can be discovered immediately in a controlled, but more realistic, environment
▪ Having a workaround, in some cases, may be critical but having a plan for how to provide a proper fix Workaround as is the right path permanent fix ▪ Workarounds (shims or virtualization) are not future proof
Overview Approach Prepare Overview
✓
✓ ✓
✓ ✓
✓
Overview Approach Prepare Prepare
Application Overview Compatibility Tools
Web Application Compatibility Tools ▪ Since Win7, focus has been to keep the OS highly backwards compatible Increased OS ▪ Not compatible means no shipping the OS compatibility ▪ Close engagements with feature teams and ISV/IHV on code & design changes ▪ Raised the bar with in-place upgrade
▪ Developed new technologies to gather insights into the ecosystem Data-Driven ▪ Prioritize which apps to test and mitigate Insights ▪ Prioritize ISV and IHV engagements for problematic apps and drivers ▪ Upgrade machines only when we know they will have a good experience
Overview Approach Prepare Win32 / UWP Applications Web Applications
System Center WMI Microsoft Assessment & Planning Toolkit Discover Enterprise Site Discovery Configuration Manager Query 3rd Party Tools
Rationalize Upgrade Analytics Prioritize
User and/or Administrator Test Windows 10 Setup Compatibility Scan Service Provider 3rd Party Tools IE 11 F12 Developer Enterprise Tools Dedicated Resource Mode Remediate Application Compatibility Toolkit 3rd Party Tools ISV
Group Enterprise See Windows 10 Deployment Workshop Deploy Policy Site List
Overview Approach Prepare Discover
Test
Remediate
Overview Approach Prepare Prepare Your Resolve Issues Deploy 1 Environment 2 3
▪ Upgrade overview ▪ Review applications with ▪ Deploy Windows to those known issues devices that have had ▪ Run a pilot compatibility issues resolved ▪ Review applications with no ▪ Prioritize your applications known issues ▪ Review Drivers with known issues
Overview Approach Prepare Microsoft cloud service that allows enterprise IT to quickly identify and focus on the critical issues impeding upgrades; provides data driven tools to plan and manage the upgrade process end to end
▪ Leverages Windows telemetry for rapid data collection Discover & Rationalize ▪ Applications, usage, device and device driver inventory ▪ Data-driven rationalization based on install base and usage
▪ Integration with Microsoft compatibility data to determine compatibility Resolve Issues & ▪ As Microsoft publishes compatibility information based on investigations and ISV information, Assess Apps Upgrade Analytics has access to the data ▪ Issue resolution guidance where available
▪ Identify computers eligible for deployment Deploy ▪ Report on overall deployment progress
Overview Approach Prepare ▪ Azure Operations Management Suite (OMS) provides a reporting interface Cloud ▪ OMS account may be created using a Microsoft Account or Azure Active Directory account Service ▪ OMS dynamically generates a COMMERCIAL ID that is unique to your organization ▪ Data sent to Microsoft will be tagged with the commercial ID to present only your information in OMS
▪ Reg key configuration to send data to Microsoft for analysis ▪ Proxy/firewall configuration may be required to allow data to flow to Microsoft Client Configuration ▪ Microsoft Privacy Statement - https://privacy.microsoft.com/en-us/privacystatement ▪ Management/GPO may be used to configure CEIP and set commercial ID on participating systems ▪ Install client compatibility analysis tools/KBs and restart
Operating System Required KB Windows 7 RTM KB2977759 Required KBs Windows 7 SP1 KB2952664 Windows 8 RTM KB2976978 Windows 8.1 KB2976978
Overview Approach Prepare
Discover Test Remediate Deploy
▪ Select target groups / ▪ Use Setup compat ▪ Determine ▪ Deploy Windows 10 users scan on Windows remediation with confidence 7/8.1 device with approach for each ▪ Collect information managed/supported application ▪ Develop a strategy to ahead of project applications installed maintain application ▪ Favor long term fixes compatibility with ▪ Determine managed ▪ Select pilot groups / over band-aid Windows as a Service and supported users based on solutions applications discovery information ▪ Track and document ▪ Use Upgrade ▪ Select virtual or environment changes Analytics to obtain physical test platform to support information application ▪ Involve service desk representatives
Overview Approach Prepare Discover
Remediate
Deploy
Overview Approach Prepare ▪ Provides IT Pros with clearer picture about how IE is being used in their deployment based on actual Overview user data. ▪ Works with Internet Explorer 8, 9, 10 and 11
▪ Understand what web applications are being used and what websites are being accessed Purpose ▪ Determine the add-ons required for each web application and website
▪ Works with Internet Explorer 8, 9, 10 and 11 on Windows 7 or Windows 8.1 Requirements ▪ Installed via PowerShell
▪ Managed by PowerShell or Group Policy SiteScoping
Overview Approach Prepare ▪ Enterprise Mode is a compatibility mode in Internet Explorer 11 that can emulate Internet Explorer 7, Internet Explorer 8, and other Internet Explorer document modes. Overview ▪ Enterprise Mode is designed to avoid the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. ▪ In Windows 10, Enterprise Mode Site List can be set to open sites in Internet Explorer 11 if attempted to be viewed in Microsoft Edge, allowing the modern browser to be left as the default choice.
▪ Windows 10 Requirements ▪ Windows 8.1 ▪ Windows 7 Service Pack 1
▪ Improved web app and website compatibility ▪ Tool-based management for website lists Features ▪ Centralized control ▪ Integrated browsing ▪ Data gathering ▪ Supported until Jan 14 2020
Overview Approach Prepare ▪ Microsoft Edge and Internet Explorer 11 are designed to operate in conjunction to give the best experience Overview for web browsing in Windows 10. ▪ Administrators can define interoperability between browsers for managed devices
Option User Experience Administrative Effort ▪ All websites open in Microsoft ▪ Users needs to manually open ▪ Nil – default configuration Edge (Default) Internet Explorer 11 if a site fails to ▪ Critical intranet sites to be tested on operate correctly. Microsoft Edge to confirm operability
▪ Websites open in Microsoft Edge ▪ No user interaction required to ▪ Moderate - List creation and unless Internet Explorer 11 is switch to Internet Explorer 11 for management overhead defined by an administrator sites with known issues ▪ Users can provide feedback using (Recommended) . ▪ Interstitial page will be removed by Enterprise Site Discovery tool to default in Windows 10 1607 reduce administrative effort ▪ All websites open in Internet ▪ Single browser for all sites ▪ Low – Setting implemented via Explorer 11. (Not Recommended) ▪ Sites may not display correctly Group Policy
Overview Approach Prepare Discover Test Remediate Deploy
▪ Use the Enterprise ▪ Use IE11 on Windows ▪ Determine ▪ Deploy IE 11 with Site Discovery Toolkit 7 / 8.1 / to test critical compatibility for each confidence to on IE8/9/10 (11 if LoB web applications web application using Windows 7/8.1 needed) assessment ▪ Select pilot groups / information / F12 ▪ Deploy Windows 10 ▪ Select target groups / users Developer tool with confidence users ▪ Test using Enterprise ▪ Create & configure ▪ Develop a strategy to ▪ Collect information Mode Enterprise Mode site move web monthly lists applications away ▪ Confirm add-on ▪ Modify websites from Enterprise Mode ▪ Determine critical LoB compatibility where required reliance applications
Overview Approach Prepare Application Readiness Resources
Windows Ready For Windows Desktop Bridge WaaS Servicing Cookbook Upgrade Analytics
Join the Windows Leverage the identify critical issues Look for a list of Use the Desktop Bridge or Adopt the new Insiders Program Application impeding upgrades; compatible apps in build UWP to bring your existing desktop apps to Windows Servicing community to help Compatibility data insights to plan Microsoft’s global model for app shape the future of the Universal Windows Cookbook for and manage the Ready for Windows development and Windows, get early Platform releases and more. guidance in verifying upgrade process end Directory available for testing of internally compatibility of to end IT decision makers developed custom existing and planned around the world. apps. apps. for Windows 10.
Download Desktop Download a preview build of Download the Application Sign up for Windows Submit your compatible Application Converter to make Implement new practices in the latest Windows SDK and Compatibility Cookbook for Upgrade Analytics and begin application to the Ready for your applications available in your organization and adopt Emulator to explore what's Windows 10. evaluating your environment. Windows Directory. the Windows Store. best practices to optimize new in building apps. for app development and Windows. management costs. 1 Network 2 OMS Setup 3 Solution Config 4 System Config
▪ Device telemetry must be ▪ Signup at: ▪ From the Solutions Gallery, ▪ MDM/GPO may be used to able to leave the system aka.ms/omsregister add the Upgrade Analytics configure Windows client and the network solution to the workspace systems that will participate in ▪ Data is transmitted to ▪ Microsoft Account or ▪ In Settings, select Connected telemetry Microsoft servers Azure AD Credentials Sources. Find the Windows ▪ Applies the Commercial ID Key ▪ Telemetry is sent as Local may be used Telemetry panel to the registry System – ensure that ▪ If required, create your ▪ Generate a Commercial ID ▪ Data sent by the system proxy servers allow this own workspace Key. This is the key that is contains the commercial ID to method of internet used to identify all data from allow your data to be accessible access your organization by the Upgrade Analytics Solution
Overview Approach Prepare
Overview Image Wipe & load In-place upgrade Provisioning
Overview Choices Architecture Edition Overview Methods Overview
Upgrade Upgrade vs User state process refresh Tools Strategy migration Demo
Platform configurati Driver Recovery & troubleshooting Branding on management
Considerations Recommendations Security Recommendations Recommendations Overview
Choices Tools
Recommendations Deployment Choices
Wipe-and-Load In-Place Provisioning Traditional process Let Windows do the work Configure new devices • Capture data and settings • Preserve all data, settings, • Transform into an Enterprise • Deploy (custom) OS image apps, drivers device • Inject drivers • Install (standard) OS image • Remove extra items, add • Install apps • Restore everything organizational apps and config • Restore data and settings
Still an option for all scenarios Recommended for existing New capability for new devices devices (Windows 7/8/8.1) Windows 10 Wipe & Load / Device Refresh
In-Place Upgrade Windows 10 Device Guard
Windows Hello
WIP Windows 7 Credential Guard Credential Guard
UI UWP UI UWP Edge Cortana Edge Cortana Store Performance Store Performance
Overview Image Wipe & load In-place upgrade Refresh Replace Upgrade ▪ Assessing systems requires time Pre-Reqs ▪ Extent of assessment depends on approach ▪ Upgrade required infrastructure to support Windows 10 ▪ Image must be designed ▪ Image must be designed ▪ No image or data migration solution ▪ Finalized when compat information is ▪ Finalized when compat information is required Engineer known known ▪ Remote data migration solution ▪ Image is typically larger than Microsoft ▪ Image is typically larger than ▪ Smallest media is from Microsoft Deploy media Microsoft media
▪ All app installers must be compatible ▪ All app installers must be compatible ▪ Only apps determined to require re- Post- with Windows 10 for re-install with Windows 10 for re-install installation must have compatible ▪ User data must be restored from installers Install remote repository ▪ Compatible/non-blocking apps are migrated ▪ No rollback ▪ Revert to old machine ▪ Built-in rollback for ~ 1 month Rollback ▪ Re-deploy old OS and re-configure ▪ Data on old system becomes ▪ Data on old system becomes system increasing stale increasing stale Duration ▪ Fast ▪ Slow ▪ Faster
Overview Image Wipe & load In-place upgrade New Device
Existing Device
▪ BIOS UEFI ▪ Architecture (x86 x64) ▪ Bulk app change ▪ Disk partitioning ▪ Base OS language ▪ WinPE Offline Operation ▪ Domain ▪ 3rd party disk ▪ Local Administrators encryption* ▪ Configuration drift ▪ Moving from XP or Vista ▪ Custom base image
Overview Image Wipe & load In-place upgrade Overview
Microsoft System Center 2012 System Center Capability Deployment Toolkit Configuration Manager Configuration Manager (R2 SP1, SP2) (Current Branch 1606) Windows 10 Version Support 1507, 1511, 1607 1507, 1511 1507, 1511, 1607 Deploy UEFI/BIOS Platforms X X X Deploy applications during Task X X X Sequence Supports Image Creation X X X Lite Touch Deployment X X X Zero Touch Deployment X X Manage a wide range of platforms X X Increased Scalability (PXE, etc.) X X Offline Image Servicing X X Deploy Windows-to-Go X X In-Place Upgrade Task Sequence Servicing
Overview Image Wipe & load In-place upgrade Image
Architecture Edition
Strategy Branding Security Advantages Disadvantages
64-bit Operating System (Recommended)
32-bit Operating System
Overview Image Wipe & load In-place upgrade Image Strategy Thin Image Hybrid Image Thick Image Windows Updates X X X Windows Features X X X Common Frameworks X X X Common Productivity Apps X X LOB used by Every Employee X X Frequently Updated Frameworks X LOB Applications X
Considerations
Overview Image Wipe & load In-place upgrade ▪ Group Policy Objects are commonly used to manage connected machines in a Active Directory Domain Services environment Overview ▪ A similar object called a Local Group Policy object can be used to “stamp” the image with settings
Local Group Policy Objects should be used in the following scenarios: Use Cases ▪ When a machine does not join an active directory domain ▪ When security settings are required by the business to be implemented ahead of a domain join
The settings that are configured in Local Policy Objects will need to be countermanded in Group Disadvantages Policy should they need to be supersede. This can cause a complicated Administrative scenario, leading to unnecessary GPO’s, and the possibility for misconfigured systems
Apply policies using group policy (where possible) to reduce the number of changes required Recommendation to the core image
Overview Image Wipe & load In-place upgrade Wipe & Load
User State Overview Methods Migration
Platform Driver Configuration Management Recommendations ▪ Familiar with enterprises ▪ Out of the box support with Windows 7, Windows 8, and Windows 8.1 Minimal changes to ▪ Customized approach required to move from Windows XP/Vista to Windows 10 existing process ▪ Use System Center Configuration Manager or MDT for managing the process – requires update ▪ Administrator to configure preservation of existing apps, settings, and drivers
Wipe & Load (Refresh) Process
Capture Remove Install Restore Start Install Windows 7 data and existing new OS data and Finish Windows 8 apps Windows 10 Windows 8.1 settings OS image settings
Overview Image Wipe & load In-place upgrade Deployment Tools Advantages Scenarios
Offline Deployment
Lite touch Toolkit Deployment
(LTI) Microsoft Deployment
Zero Touch Deployment
(ZTI) System Center Configuration Center Configuration Manager System
Overview Image Wipe & load In-place upgrade Overview
Supported Versions
Windows Vista Windows 7 Windows 8 Windows 8.1 Windows 10 Windows Vista 4.0 4.0, 5.0 5.0 Windows 7 4.0, 5.0, 6.3 5.0, 6.3 6.3 Supported Windows 8 5.0, 6.3 6.3 Supported Windows 8.1 6.3 Supported Windows 10 Supported Supported
Overview Image Wipe & load In-place upgrade Device Examples
▪ Flexible Deployment Media Support BIOS ▪ All legacy deployment methods still apply ▪ Maintain a single boot image
▪ Allows firmware to implement security policy Firmware ▪ Secure boot UEFI (Recommended) ▪ Faster boot times ▪ Latest UEFI Version required for compliance with Windows 10 Baseline and some features
Moving between UEFI and BIOS configurations is not currently supported through refresh Consideration scenario. The only supported way to move from UEFI to BIOS is through a BARE METAL (new device) deployment scenario, using PXE to boot into the device.
Overview Image Wipe & load In-place upgrade Option Benefits Limitations
Overview Image Wipe & load In-place upgrade Configuration Drift / Fundamental Change Custom Requirements Change
▪ Domain membership ▪ Moving from Windows ▪ WinPE offline operation ▪ Local Administrators XP or Windows Vista ▪ Custom base image ▪ Bulk application swap ▪ Disk partitioning ▪ 3rd party disk encryption ▪ BIOS -> UEFI ▪ x86 -> x64 ▪ Base OS language
Overview Image Wipe & load In-place upgrade In-Place Upgrade Overview Upgrade Process
Upgrade vs Recovery & Refresh Troubleshooting Prepare ▪ Supported with Windows 7, Windows 8, and Windows 8.1 ▪ Supported to upgrade Windows 10 1507 to 1511 and beyond ▪ Consumers use Windows Update, but enterprises want more control Preferred Option for Enterprises ▪ Use System Center Configuration Manager or MDT for managing the process ▪ Uses the standard Windows 10 image ▪ Automatically preserves existing apps, settings, and drivers ▪ Proven process - popular for Windows 8 to Windows 8.1 upgrade
Start Capture Remove Install Restore In-Place Upgrade Windows 7 data and existing new OS data and Finish Process Windows 8 Windows 10 Windows 8.1 settings OS image settings
Overview Image Wipe & load In-place upgrade The Four Primary Phases
1 Down-level 2 Windows PE 3 1st boot to new OS 4 2nd boot to new OS
Running Windows 7, 8, Minimalist OS Binding the new yoke Finalize Upgrade 8.1, 10 Both new & old are offline Specialize to the machine Welcome the user back Check the system Backup down-level OS Install drivers OOBE (skip if Win10 to another) Inventory Applications Lay down new OS Migrate Apps Inventory Drivers Prepare new OS More Migration Assess compatibility Inject drivers Prepare WinRE Some Migration
Ready Set Go Welcome to Windows
Overview Image Wipe & load In-place upgrade ▪ Preserve applications, drivers, user data and settings - Reduce upfront testing and deployment preparation ▪ Compared to refresh, upgrade is… ▪ Faster – 30 to 60 minutes, on average, to upgrade Why Upgrade? ▪ Smaller – file size is just the default OS media, no applications ▪ More robust – “bulletproof” rollback on failure to functional down level system ▪ Zero ADK dependencies ▪ Use it to supplement existing deployment scenarios - Refresh, replace, and bare metal
▪ Compatibility with 3rd Party Disk Encryption tools (BitLocker supported) – Improved support for 3rd Party Disk Encryption with Windows 10 1607 Considerations ▪ Upgrade process can be tested with pre-validation checks ▪ Trial run can be performed with Windows 10 Media using “/Compat ScanOnly” switch
Overview Image Wipe & load In-place upgrade Perform a Pre- Disk Encryption Plan for Content Plan Pilot Approach Validation Check Compatibility Distribution
Use Windows 10 media Check disk encryption Define success criteria Windows 10 Upgrade to assess system technology support (if ▪ Critical LoB and Web package size readiness required) apps tested approximately 3.8Gb ▪ User Experience Understand 3rd party ISV ▪ Group Policy / Plan for content delivery plans to support In- management to large, medium and Place Upgrade approach configuration branch sites updates required Work with Microsoft to Utilize content caching address blockers technologies where required
Overview Image Wipe & load In-place upgrade Provisioning Provisioning Overview Take off-the-shelf hardware Device is ready for use
Transform with little or no user interaction Provisioning Approach
Flexible Methods
Transform a Device
Remove Enable Add Add Start Enterprise corporate Finish Provisioning Provisioning Windows 10 existing corporate Windows 10 Package Process items SKU apps config
Overview Branches Operate Integrate Plan
Deferring Why Windows as a How it feature Service (WaaS)? Overview works updates Adoption Overview
Windows Insider Updating reference Preview Branch images Managing WaaS
Current Branch Modern service Current for management for Introducing WaaS Branch Business Moving branches Windows 10
Long-Term Servicing Branch Scenarios Implementing Overview
Why Windows as a Service (WaaS)? Introducing WaaS Overview Branches Operate Integrate Plan Customer Complexity & Cost ▪ Individual servicing patches ▪ Expensive deployment & auditing Ecosystem ▪ Platform fragmentation ▪ Inconsistent approach to patching Reduced Quality ▪ Not running what Microsoft tested ▪ No consistency in the ecosystem
Overview Branches Operate Integrate Plan What customers What Microsoft are running is testing
Typical Windows 7 PC: Windows 7 Test Lab PC: Selectively Patched Fully Patched
Overview Branches Operate Integrate Plan ▪ Monthly update release ▪ Selective deployment ▪ Accepted short-term (“Patch Tuesday”) of updates risk increase ▪ Innovation delivered at ▪ Selectivity justified by ▪ Insidious long-term risk Service Pack AppCompat, ▪ App portfolio ages ▪ Long service pack bandwidth, others ▪ Out-dated system release cycle ▪ App remediation baselines ▪ Long vNext cycle typically “shelved” and ▪ Costly to operate non- updates never applied homogenous estate ▪ Hidden remediation cost - “remediate” before an upgrade
Overview Branches Operate Integrate Plan Consumer devices Business users Specialized systems
Up to date with feature Faster access to new Enterprise class support and security updates as technology with time for your mission critical they arrive to test and deploy in a systems keeping you business environment in control
Overview Branches Operate Integrate Plan Quality Updates Feature Updates
Overview Branches Operate Integrate Plan Windows Insider Branches Preview Overview Branch
Current Branch for Current Branch Business
Long-Term Servicing Branch Broad Microsoft Engineering Microsoft Insider Preview Current Branch Current Branch for Business builds internal Branch validation
Users 10’s of Customer Internal Ring Customer thousands I Internal Ring Customer Several Million II Internal Ring Customer III Internal Ring Hundreds IV of millions
*Conceptual illustration only
Overview Branches Operate Integrate Plan Overview Pre-release Windows 10 builds and features
▪ Deployment is managed by Microsoft through Windows Update ▪ Offers Slow or Fast adoption cadence: ▪ Fast ▪ Slow Requirements ▪ Release Preview ▪ Available only through the Windows Insider Program. ▪ Individuals should use a Microsoft Account to enroll in the program ▪ Updated Preview ISOs will be released to coincide with the Slow release
▪ Early access to new releases ▪ Preview developer tools for applications Benefits ▪ Evaluate new features as they are being developed ▪ Incubate the future of Windows in your organization ▪ Help shape the future of Windows, participating in the Windows Insider community
Overview Branches Operate Integrate Plan ▪ Windows Insiders stay up to date with preview features as they are released
▪ Opportunity for enterprise customers to preview upcoming features and
influence product New Functionality development
▪ Security updates and fixes are delivered regularly via Windows Update Time *Conceptual illustration only
Overview Branches Operate Integrate Plan The benefits of the Windows Insider Preview Branch can be used to: ▪ Expedite and simplify rapid adoption of Windows innovation Considerations ▪ Create new technology opportunities
▪ Non-Production (lab) environment ▪ Second Device ▪ Technically adept users Recommended ▪ Test new features Usage ▪ Performance testing ▪ Developer enhancements ▪ Developer tool enhancements ▪ Forward planning
Overview Branches Operate Integrate Plan ▪ Public release of new features ▪ Release cadence is slower than the Preview Branch Overview ▪ Validation by millions of Windows Insider Program users prior to release ▪ Feature set is considered ready by Microsoft for broad adoption
▪ Existing Windows 10 systems on the Current Branch Requirements ▪ In-place upgrade supported for down-level Windows Operating Systems ▪ Release performs an upgrade of the existing Windows 10 installation
▪ Latest innovation for Windows coming as feature updates Benefits ▪ Release cadence is expected to be 2 times per year ▪ Monthly updates will be released as cumulative packages
Overview Branches Operate Integrate Plan New New Functionality
Time
Overview Branches Operate Integrate Plan Considerations
Recommended Usage
Overview Branches Operate Integrate Plan U U U
Cadence
Tools
Considerations
Overview Branches Operate Integrate Plan ▪ Deferred Current Branch Overview ▪ Current Branch is validated by millions of users prior to update release ▪ Validation by selected business systems in your organization
▪ Deferred Current Branch installation Requirements ▪ Deployment is managed by WU, WUB, WSUS, MDM or Configuration Manager ▪ WSUS or Configuration Manager updated to support feature update deployment
▪ Ready for broad corporate adoption ▪ Businesses are able to stay up to date but at a slower pace to allow for internal Benefits validation ▪ Ability to stage internal deployment
Overview Branches Operate Integrate Plan New New Functionality
CURRENT BRANCH FOR BUSINESS (CBB)
Time *Customers can also use WSUS for managing delivery updates
Overview Branches Operate Integrate Plan ▪ Select and deploy current branch for business updates to systems currently in service ▪ Quality criteria Considerations ▪ Quality improvement and fixes ▪ Promotion Ring definition
▪ Configure systems to defer feature upgrades Recommended ▪ Systems configured to defer the installation will delay until the installation is mandatory Usage ▪ Target groups should provide feedback to Corporate IT ▪ Microsoft will release updated media periodically
Overview Branches Operate Integrate Plan ▪ There will be a specific media for Long-Term Servicing Branch ▪ First Long-Term Servicing Branch aligns with the release of Windows 10 build 1507 (RTM) Overview ▪ Second Long-Term Servicing Branch follows the release of Windows 10 build 1607 ▪ Approx. 3-6 month notification prior to releasing a Long-Term Servicing Branch
▪ Only for Windows 10 Enterprise Edition Requirements ▪ Requires Enterprise and Software Assurance Agreements
▪ Release cadence is longer than Current Branch for Business ▪ Innovation delivered only at next Long-Term Servicing Branch release Benefits ▪ In place upgrade from one Long-Term Servicing Branch to another ▪ Ability to skip one Long-Term Servicing Branch release
Overview Branches Operate Integrate Plan Long Term Servicing Branch
Long Term Servicing Branch New New Functionality
Long Term Servicing Branch
Time *Customers can also use WSUS for managing delivery updates
Overview Branches Operate Integrate Plan ▪ Updating a system from one Long-Term Servicing Branch to another is considered an upgrade process ▪ Mission-critical workloads demand rigorous app testing Considerations ▪ Device drivers for peripherals ▪ Release cadence 2-3 years ▪ Limited features and capabilities (ie Edge and Windows Store)
New systems ▪ Create a reference system image using the Long-Term Servicing Branch media ▪ Re-install the device Existing systems ▪ In-place upgrade from supported operating systems ▪ Possible to skip 1 Long-Term Servicing Branch upgrade i.e. install alternate Long- Term Servicing Branch upgrades ▪ Deployed using WSUS or from updated media
Overview Branches Operate Integrate Plan Branch Branch Branch Branch Branch RTM Update Update Update Update Update
Cumulative Cumulative LTSBn LTSBn 5 years mainstream 5 years extended support support
LTSB2 LTSB2 5 years mainstream support 5 years extended support
▪ Mission critical systems may remain on an Long-Term Servicing Branch LTSB1 LTSB1 installation for the life of the specific Long-Term Servicing Branch 5 years mainstream support 5 years extended support ▪ Each Long-Term Servicing Branch has: ▪ 5 years of mainstream support AND ▪ 5 years of extended support ▪ After 10 years, the specific Long-Term Servicing Branch is no longer supported by Microsoft ▪ In-Place upgrade supported from one Long-Term Servicing Branch to the next ▪ Monthly security updates are available for the life of the specific Long-Term Servicing Branch ▪ Limited support for future chip sets
Overview Branches Operate Integrate Plan Operating with Windows How it works Deferring feature updates as a Service
Application compatibility impact Moving branches
Scenarios
Overview
Applies to
How? OMA-URI for the CSP: ./Vendor/MSFT/Update/DeferUpgrade ▪ Centrally managed for domain-joined systems with WSUS or System Center Configuration Manager
Evaluate Pilot Deploy/Use Grace
Overview Branches Operate Integrate Plan Scenario
Option 1 Stay on CB
Option 2 Move to CBB
Wipe & Load 1507 1511 1507 1511 1607 Device A 1507 1511 Application to be fixed in supported window Application Status on Device A
Current Branch for 15071507 15071507 15071507 1507 1511 Business Devices
OPTIONOPTION 2 – MOVE 1 – BACKSTAY TOON CURRENT CURRENT BRANCH BRANCH FOR BUSINESS Overview Branches Operate Integrate Plan Scenario
Option 1 Revert to previous CBB
Option 2 Move to CB
WipeUpgrade & Load UnsupportedDefer Upgrade build Device A 1507 1511 16071507 NewEOS Fix app problem Fix app problem Application status on device A
Current Branch 1511 1607 1607 New
OPTION 1 – REVERT TOOPTION PREVIOUS 2 CURRENT– MOVE BRANCHTO CURRENT FOR BUSINESS BRANCH
Overview Branches Operate Integrate Plan Overview
System Image Creation
. Quality-based release Considerations
Inject Obtain Update Branch monthly “Image Deploy New NEW FULL Image Update updates into Factory” Image CBB Media Store WIM
Overview Branches Operate Integrate Plan Going to Starting From
Insider Preview CB/CBB LTSB
In-Place Upgrade In-Place Upgrade Not Supported Insider Preview as new builds are released to the final CB/CBB release Need to wipe & reload
In-Place Upgrade In-Place Upgrade Not Supported CB/CBB after signing up to next CB/CBB release Need to wipe & reload
Not Available In-place Upgrade In-place Upgrade LTSB for LTSB installs to later CB/CBB release to later LTSB release (wait for release)
Wipe and Load – Windows 10 deployment and solution to migrate data/settings
Overview Branches Operate Integrate Plan Integrating Windows as a Service into the Enterprise Adoption Managing WaaS
Implementing WIP Builds Current Branch
TooReduced much time time, and money cost, and effort to reach increaseddeploy decision confidence, greater agility
Overview Branches Operate Integrate Plan Lab Systems IT Pro IT Pro IT Pro IT Dev Limited Corporate Broad Corporate IT Dev IT Dev Early Adopters Systems Systems Primary PC 2nd PC Change Agents
Windows Current Current Branch Current Branch Current Branch 100% Insider Branch for Business for Business for Business Preview Ring 0 Ring 1 Ring 2 Branch 4 Months 12 Months (minimum) (minimum) 16 month deployment (minimum) Overview Branches Operate Integrate Plan Branch Ring Onboarding Opt Out Deferral % of devices WIP N/A MSA User N/A <1 CB A Domain Join Admin Move to CBB 4 B MDM Enrollment 5 CBB 0 E.g. 2 months 45 1 E.g. 6 months 30 2 E.g. 10 months 15
100
80
60
40
20
0 1 2 3 4 5 6
Series1
Overview Branches Operate Integrate Plan Method Branch Content Content Source Configuration Method Cloud ▪ Current Branch ▪ Quality ▪ Windows Update ▪ Group Policy, MDM or User (Windows ▪ Current Branch for Updates Update for Business ▪ Feature Business) Updates* On-Premises ▪ Current Branch ▪ Quality ▪ Windows Server ▪ Group Policy ▪ Current Branch for Updates Update Services ▪ WSUS Console Business ▪ Feature (WSUS)** ▪ Long Term Updates Servicing Branch ▪ Task Sequence ▪ Microsoft Deployment Toolkit ▪ File Share ▪ System Center 2012 Configuration ▪ Distribution Manager SP2 & above*** Point
▪ Software Update ▪ System Center Configuration Point Manager***
Overview Branches Operate Integrate Plan Keep Windows 10-based devices always up to date by directly connecting devices to Overview Microsoft’s Windows Update service
▪ Provides option to delay for 0-4 weeks using Group Policy or MDM Quality Updates ▪ ‘Pause update and upgrade’ option available if problems discovered during test or rollout
▪ Provides option to defer feature updates (upgrades) from 0-8 months using Group Policy Feature Updates or Mobile Device Management ▪ MAK activated devices supported for feature update
▪ Feature update infrastructure does not exist or support Windows 10 Use When ▪ Devices can connect to Windows Update
Overview Branches Operate Integrate Plan Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
This setting configures Windows Update. WSUS and Configuration Manager settings are not impacted.
Overview Branches Operate Integrate Plan Enables administrators to manage the distribution of Microsoft product quality and feature Overview updates that are released through Microsoft Update
▪ Process unchanged from previous operating systems Quality Updates ▪ Select Windows 10 product in administrative console to synchronize updates
▪ Supported on Windows Server 2012 and Windows Sever 2012 R2 Platform Feature Updates ▪ Requires a patch to WSUS to enable feature update ▪ MAK and KMS activated devices supported for feature update
▪ Domain Joined Device Use When ▪ System Center Configuration Manager not available
Overview Branches Operate Integrate Plan Overview Leverage in-place upgrade functionality with platform delivery tooling
▪ Manually initiated with Microsoft Deployment Toolkit or provisioned with System Center Configuration Manager ▪ Provides more administrative options to configure the device before and after the in-place Feature Updates upgrade process ▪ Apps ▪ Drivers ▪ Settings
▪ System Center Configuration Manager 2012 SP2 and above is available Use When ▪ In-place upgrade requires custom pre-post installation steps
Overview Branches Operate Integrate Plan System Center Configuration Manager capability to manage, deploy and monitor quality and Overview feature updates
▪ Process unchanged from previous operating systems Quality Updates ▪ Select Windows 10 product in administrative console to synchronize updates
▪ Windows 10 Servicing Node used to manage rings Feature Updates ▪ Leverages Software Update Point functionality
Use When ▪ System Center Configuration Manager is available
Overview Branches Operate Integrate Plan Overview Branches Operate Integrate Plan Preview Branch
Familiar process
Quality-based release Develop Current Branch for Current Branch Business Ring 2
Measurable progress Production Test
Clear signoff requirement
User Acceptance Pre-Production Testing Inherently open to future innovation Current Branch for Current Branch for Business Ring 1 Business Ring 0
Overview Branches Operate Integrate Plan Planning Windows as a Service Overview
Modern service management for Windows 10 Windows as a Service
Mobility Mobile Systems App Mgmt Virtual Windows Security as as a Data As A Mgmt as a / Compat Desktop Deployment A Service Service Service Service Testing Services
Overview Branches Operate Integrate Plan Windows as a Service ▪ Governance and Management of Windows 10 “Service” ▪ Planning and Communication of Updates ▪ Update Management ▪ Manage and Respond to Requests and Approvals ▪ Inventory Management
Mobility Mobile Systems App Mgmt Virtual Windows Security as as a Data As A Mgmt as a / Compat Desktop Deployment A Service Service Service Service Testing Services
• Deployment • Windows and • Cloud based • Management of • Efficiently • Security controls • Provision and services for in- Non-Windows Storage Configuration, streamlining and Management of place upgrades mobility • Provisioning and Deployment and application requirements Virtual Desktop from Windows 7 • Mobility Management of Monitoring Tools rationalization, • Creating an environment forward as well Management One Drive for • Health and testing and available and • Application as bare metal Services across Business or other compliance compatibility efficient client Virtualization Operating heterogeneous Mobile Storage monitoring mitigation. experience, Services System environments services to be • Integration to • Application maximizing Deployment • Device Inventory Service Desk and Management security Portal Services
Overview Branches Operate Integrate Plan Next Steps
Configuration of Management Tools
https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool https://docs.microsoft.com/en-us/intune/deploy-use/manage-apps-you-purchased-from-the- windows-store-for-business-with-microsoft-intune https://technet.microsoft.com/en-us/library/mt740630.aspx Additional Resources
• Microsoft Edge Developer Center https://developer.microsoft.com/en-us/microsoft-edge/ • TechNet Browser TechCenter https://technet.microsoft.com/en-us/browser • Microsoft Edge Dev Blog https://blogs.windows.com/msedgedev/ • Enabling Site Discovery in Upgrade Analytics https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics- review-site-discovery
Windows 7 Security features
Breach detection Device Threat Identity Information investigation & protection resistance protection protection response
PRE-BREACH POST-BREACH Windows 10 Security on Modern Devices
Breach detection Device Threat Identity Information investigation & protection resistance protection protection response
PRE-BREACH POST-BREACH