MS-101 Microsoft 365 Mobility and Security – Windows 10 Deployment Strategy

  1. Planning for Windows as a Service

With Windows 10, corporations are now dealing with something called Windows as a Service, right? No longer are we in an environment where we push out a single operating system to all of our desktop or end user computers and then expect it to sit there for anywhere from three to five years. Instead, we’re getting version refreshes at a very fast rate now, and Windows as a Service is constantly updating in that environment, right? So it’s a servicing model that was introduced with Windows 10. This is something new that we actually have to deal with, and it means faster release cycles. We’re talking about new features being added to the Windows 10 environment every six months instead of every few years, right? So there’s a lot more effort that has to go into dealing with this.

We get feature releases twice a year, so every six months we’re going to have new features added to the environment. We’re still going to get those monthly quality updates, the things that come out on Patch Tuesday that we’re used to dealing with, right? So all of the bug fixes, the security fixes and things of that nature we still get monthly. But now we’re also going to get the feature releases every six months. And if we want to get a head start on what’s coming in the next feature release, we can get those builds early through the Windows Insider preview, so we can start working with the product well before it’s released to everybody.

Now, there are different servicing channels that determine when things are going to happen for your organization. We have the ability to have our environment on the Semi-Annual Channel or the Semi-Annual Channel (Targeted). The difference between those two is that the Semi-Annual Channel gets the new feature release every six months, with quality updates every single month. The Semi-Annual Channel (Targeted) does the same thing, but gets that feature release a couple of months before it reaches the Semi-Annual Channel. So you get the actual package that’s going to be delivered to all of your end users, and you can start testing it a couple of months ahead of time.

Now, there are certain systems where having new features released every six months is going to cause great concern, right? Certain verified and certified systems just can’t tolerate that, and in those scenarios we have what’s called the Long-Term Servicing Channel (LTSC). The Long-Term Servicing Channel gets new features every two to three years, similar to how we were used to working. But not only that, from the time a release comes out it gets five years of mainstream support and five years of extended support, so it’s a much better fit for those systems. Now, understand why you would want to use this, right? If I have, for example, a piece of medical equipment, maybe a robotic computer that does surgery, you certainly wouldn’t want to be introducing new features to that device every six months, because some of those features may impact the functionality of that device.

So that’s where something like the Long-Term Servicing Channel comes into play: they can install a stable release on that system and keep it for an extended period of time.

  2. What are Windows 10 Deployment Models?

In the past, when you wanted to deploy a new version of Windows, there were very limited ways to actually accomplish the goal. Now with Windows 10 we have lots of different deployment models. We have the ability to use something called modern deployment, and we’ll talk about some of those features and capabilities; the dynamic deployment capability, where we can leverage some of the built-in functionality in Windows 10; or the traditional method, where we typically go out and do an image-based deployment. Let’s talk about each of these in a little detail so we can understand what each one brings to the table. We’ll start with this notion of the modern deployment capability.

This is a nice way to actually push out the Windows 10 environment. With the modern deployment method there are actually two different options, two different ways to do what some would consider a modern deployment of the Windows 10 operating system: Windows Autopilot and an in-place upgrade. Now, the Autopilot environment is really all about the cloud, right? The devices are pre-configured. We’ve got devices that we’ve received that already have Windows 10 on them, and they’re actually pre-configured. But we leave those boxes sitting at the out-of-box experience (OOBE) setup position.

Now here’s the thing, right? With Autopilot we have the ability to control what those OOBE questions are and what the answers are going to be, things like the language and the region and all of that. We can pre-stage those responses, so we control all of those settings as the user goes through the setup. Now, in order to do this, the device has to be identified by its hardware ID. So you’d work with the manufacturer of the devices you’re acquiring and have them provide you with the hardware IDs. Then, in Azure AD, we create an Autopilot deployment profile, right? That’s where it links to the hardware ID.

So now the user goes in and logs in, and whether we registered the devices via Intune or via the Microsoft Store for Business, either way, when they log into their environment using their Azure Active Directory credential, the out-of-box experience applies the profile, and you’ll notice that the user who is logging in does not automatically become a local administrator. With the typical out-of-box experience on a Windows 10 device, that would be the case. So we get an advantage there: we don’t have our users being local admins on the systems we’re actually managing. That makes life a little bit easier for us.
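As an added example (not from the course), here is a PowerShell script that gathers the hardware hash, serial number and Windows product ID from a device and writes the CSV layout used for Autopilot device registration. It assumes an elevated session on the Windows 10 device itself and that the MDM bridge WMI provider (class MDM_DevDetail_Ext01) is available; the output path is a placeholder.

```powershell
# Added example: collect the Autopilot device identity and write the import CSV.
# Assumptions: elevated PowerShell on the Windows 10 device being registered.

function Get-AutopilotDeviceRecord {
    # Serial number comes from the SMBIOS data exposed through Win32_BIOS.
    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $serial = if ($bios.SerialNumber) { $bios.SerialNumber.Trim() } else { '' }

    # The hardware hash is exposed by the MDM bridge provider in the dmmap namespace.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw 'Could not read MDM_DevDetail_Ext01; run elevated on a Windows 10 device.'
    }
    $hash = $devDetail.DeviceHardwareData

    # The Windows product ID is optional in the import file; read it from the registry.
    $productId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductId

    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $productId
        'Hardware Hash'        = $hash
    }
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $record = Get-AutopilotDeviceRecord

    # A real hardware hash is a long base64 string; warn if it looks wrong
    # before anyone uploads the file.
    if (-not $record.'Hardware Hash' -or $record.'Hardware Hash'.Length -lt 100) {
        Write-Warning 'Hardware hash missing or too short; check the device and provider.'
    }

    # Write header row plus one data row, stripping the quotes ConvertTo-Csv adds.
    $record | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding ASCII
    return $record
}

# Placeholder output location; upload the resulting CSV through Intune or the Store for Business.
Export-AutopilotCsv -Path "$env:TEMP\autopilot-device.csv" | Format-List
```

The CSV contains only device identity data, but treat it as sensitive: anyone who can register that hash against your tenant controls which Autopilot profile the device receives.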

Now, if we were going through an in-place upgrade in this scenario, understand that in the past, when people talked about migrating from one version of Windows to another, a lot of them were very hesitant to do an in-place upgrade, right? Instead, what they would typically do is a wipe and load. They’d wipe the entire system, install the new clean operating system, and then reinstall all the applications or whatever else they needed. With Windows 10, every feature release is, in effect, an in-place upgrade, right? So we have the ability now to do in-place upgrades, and it’s a much more stable process than it used to be because it’s happening all the time now.

That’s the kind of upgrade we’re actually doing with those feature release updates, right? So it makes things a little easier for us. It preserves all of the data on that system, all of the settings and any drivers, so we don’t have to worry about reconfiguring all of that afterwards. We can do the in-place upgrade from, say, one feature release to the next without the concern that we had before. Now, in the event that there is a problem, it actually keeps a copy of the old OS in a Windows.old directory, and we have the ability to roll back to that if we run into any problems while going through the in-place upgrade. So it makes things kind of nice for us.

Now, the other thing we can do is what’s called a dynamic deployment. In a dynamic deployment scenario we have a lot of different ways to actually accomplish this, right? The first one is with a provisioning package. We have the ability to use the Windows Configuration Designer, and the Configuration Designer looks a bit like something you may have worked with before, such as the Windows Automated Deployment Toolkit or the Windows Automated Installation Kit (the WAIK): you answer all of the questions, and you can even set up and configure things like domain joining and application deployment. It creates a provisioning package, and then all that needs to happen is for the user to run that provisioning package on the system.

It can do things like take a Windows 10 system that was set up as a Home edition, make it Pro, join it to the domain and install a couple of applications with a simple click of a button, right? So it’s a very simple process to apply all those settings to the device without having to rewrite the entire image every time you want to change something. There’s no need to do a full reinstall of that Windows environment, which makes life a little nicer for us, right? So we can do it with provisioning packages. We also have the ability to do it with what’s called subscription activation.

So if you have a Windows 10 E3 or E5 subscription and I assign that license to a user, when they sign in with their Azure AD credential it will actually automatically upgrade the device from Windows 10 Pro to Windows 10 Enterprise. Now, do note that they have to be starting at a Windows 10 Pro level, right? But once they have Windows 10 Pro and they log in with their Azure AD credential, it automatically upgrades them to Windows 10 Enterprise, so they get all of the Enterprise features without having to reboot the system. They’re not going to have to go through any of that to take advantage of it. And the other way we can do dynamic deployment is through Azure AD join with automatic mobile device management (MDM) enrollment. So we have a device that we join to Azure Active Directory, and we’ve configured Azure Active Directory so that when a device joins, it’s automatically enrolled into Intune.

And now that we have it in Intune, we can actually enforce our policies and compliance on that system, and we have the ability to upgrade it from Pro to Enterprise as well. All of that is dynamic, without having to do a full reinstallation of the operating system. And of course, we also still have the way we’re used to working, right, the traditional deployment model, where we create the images and then push them out through whatever environment we’re used to working with, whether it be System Center Configuration Manager, Windows Deployment Services or some other third-party software management system that you use for your imaging. That works with new devices.

A new device doesn’t have an operating system on it, so we’re going to want to wipe it and deploy it exactly the way we want it configured, and the traditional model gives us the ability to do that. Now, if we’re doing a device refresh, where we already have users on that device but we want to deploy a new operating system to it, we’re going to want to do a user state migration, right? So we have the User State Migration Tool (USMT), which lets us copy all of that user’s information, all of their profile information, to a different location, install the new operating system, and then transfer all of that information back so they don’t lose their configuration.

If we’re going to replace their device, we can actually do the user state migration there too. We install the new operating system on a new system for them, we use USMT on their old device to capture all of their profile and settings, and then we run it on the new device to copy it down there so they can keep using it. So there are lots of different ways we can enroll and deploy this environment to our users using the Windows deployment models, including that traditional method.

  3. Planning Your Subscription Activation Strategy

With your client computers, one of the things you have to think about is how you activate them so that your users have a licensed, activated product. In the past we had multiple choices, right? One of the things we could do is use a KMS, or Key Management Service, server: when we had a device on our network, it could find the KMS server, and if we had a license available, it would automatically activate that device. We also had the ability to use MAK keys, or Multiple Activation Keys, where you’d have one key with a certain number of activations available to it, and we could go through and activate, say, 1500 of our devices using that same key, making life very easy for us to manage.

And of course, we also had the ability to use a retail key, where we just have a single key that we use once. Now, Windows 10 has changed things a little bit in that we have the ability to actually use subscription activation. With subscription activation, if we get a Windows 10 subscription in our environment, we have the ability to upgrade a Windows 10 Pro system to Enterprise. But understand that we have to start with a device that has Windows 10 Pro, version 1607 or newer, on it.

When we do that, it will automatically upgrade the device. If I have a license assigned to that user, it can automatically upgrade it to Windows 10 Enterprise. Now, the device does have to be joined to Azure Active Directory or to my on-premises Active Directory Domain Services, and in that case the AD DS domain has to be synchronized with Azure Active Directory. And to meet that requirement, you have to have a license. So if I have an E3 license or above, each user included in that license will actually have the ability to upgrade up to five different Windows 10 Pro devices and convert them into Enterprise devices.

Now, should that user lose their license, because they’re no longer with us, or if it’s a personal computer that they had upgraded and they’re going to keep it just like that, we remove the license from them. After a period of 90 days without a license, that system will actually revert back to Pro. They don’t have to wipe their device and start over or anything like that. It’ll just automatically roll back to the Pro edition so they can continue to work with it in that manner, until such time as maybe they get another subscription activation from a new employer they might be working with.
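As an added example (not from the course), this PowerShell function checks a device against the prerequisites described above, Pro edition, version 1607 (build 14393) or newer, and Azure AD join or a domain join that is hybrid joined to Azure AD, and reports the current Windows license state. It assumes a Windows 10 device where dsregcmd.exe is present and reads the join state from that tool's output.

```powershell
# Added example: report whether a device can take part in subscription activation.
# Assumption: runs on the Windows 10 device itself; no admin rights needed.

function Test-SubscriptionActivationReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber          # Windows 10 1607 is build 14393

    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES".
    $dsreg        = dsregcmd.exe /status
    $aadJoined    = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')

    # The Windows licence that is currently active (LicenseStatus 1 = licensed).
    $lic = Get-CimInstance SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        Select-Object -First 1

    $reasons = @()
    if ($cv.EditionID -eq 'Enterprise') {
        $reasons += 'Device already reports the Enterprise edition (possibly already stepped up).'
    } elseif ($cv.EditionID -ne 'Professional') {
        $reasons += "Edition is $($cv.EditionID); subscription activation starts from Pro."
    }
    if ($build -lt 14393) {
        $reasons += "Build $build is older than version 1607 (build 14393)."
    }
    if (-not $aadJoined) {
        if ($domainJoined) {
            $reasons += 'Domain joined but not Azure AD joined; complete hybrid Azure AD join (AD DS synced to Azure AD).'
        } else {
            $reasons += 'Device is neither Azure AD joined nor domain joined.'
        }
    }

    [PSCustomObject]@{
        Edition       = $cv.EditionID
        ReleaseId     = $cv.ReleaseId
        Build         = $build
        AzureAdJoined = $aadJoined
        DomainJoined  = $domainJoined
        LicenseName   = $lic.Name
        Licensed      = ($lic.LicenseStatus -eq 1)
        Eligible      = ($reasons.Count -eq 0)
        Reasons       = $reasons
    }
}

Test-SubscriptionActivationReadiness | Format-List
```

Run it again about 90 days after a user's license is removed and the Edition field should show the device back on Professional, which is a quick way to confirm the revert the course describes.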

  4. Resolving Windows 10 Upgrade Errors

With the Windows as a Service environment we’re in now, we’re actually going through a lot of upgrades with our Windows 10 devices. Every time we go from one feature release to another, that is in effect an in-place upgrade. So it’s going to be important that we understand how to mitigate some of the problems that would typically stop us from having a successful in-place upgrade. Some of those mitigations we might want to look into include removing any software that’s not essential and disconnecting any hardware devices that are not essential.

So if it’s got a docking station, or if you’ve got some USB devices plugged into it, you probably want to disconnect those so you don’t run into any driver errors, right? With the system drive, you want to make sure there are no errors on it, and if there are, you can attempt a repair so you have a clean drive for the upgrade. You can run through Windows troubleshooting and see if it points out any issues you might have within the environment, and if you have some system files that are having problems, repair or restore those files. You want to go ahead and run Windows Update and make sure you’re running at the current patch level, and that you’ve gone through the installation and restarted, so that when we start the feature upgrade we’re not going to have any pending restarts or older updates still waiting in that environment.

If the upgrade is not going through and you have a non-Microsoft AV product installed, that is a common place where we might want to go ahead and uninstall it, because it sometimes blocks the installation of the operating system. In addition to that, if you have any other non-essential software on there and that software has compatibility issues, it may be causing you problems when you do your upgrade, so you may want to remove that as well. Now, we also want to go ahead and update the firmware and the drivers on our systems. As for the firmware, a lot of people have computers, and when I look at some of these desktops and laptops, they’ve never updated their firmware. There may be new features and functionality that they’re not getting because they haven’t applied the update. So by all means, update that firmware and your drivers.

You want to ensure that the download and install updates option is being used, so that we get those recommended updates at the start of the upgrade process. We’re also going to need sufficient storage space: right now 16 GB for 32-bit and 20 GB for 64-bit. Microsoft is re-evaluating what it believes to be the appropriate amount of storage space necessary, so these numbers may go up a little bit. In addition to that, when we go through this upgrade, Windows 10 Setup is going to create a bunch of log files for us, right? And we have the ability to analyze those log files to see exactly what’s going on with that upgrade. But those log files can get very big, and sometimes it’s very hard for us to understand exactly what they’re telling us.

As a separate download from the Microsoft Download Center, so it’s not included in Windows 10 and not part of a standard installation, you can download the SetupDiag tool. SetupDiag can actually examine your log files to figure out what the root cause of an upgrade failure is. There are currently 41 different rules that it matches against known issues in your log files, and it can help lead you down the path as to why you’re having problems actually completing your upgrade. As I said, you do have to download it from Microsoft in order to use it. Now, it also helps to understand where in your upgrade process that error is actually happening. In the upgrade process, you first have a down-level phase.

In the down-level phase, I’ve still got my old operating system running, right? We’re in the process of downloading some new software onto the system, but the old operating system is still doing the work. Upgrade errors typically aren’t seen here, because we’re still running under the old operating system. We just need to make sure the Windows Setup source files and drivers are available so we can download all of the new files we need onto that system. And of course, make sure that the system we’re trying to upgrade does meet the Windows 10 system requirements. After the down-level phase, we go into the Safe OS phase. This is where it’s going to boot into Windows PE, right? So it’s a preinstallation environment, typically running from RAM.

And this is where we’re going to see things like firmware issues and hardware issues. If your system was using non-Microsoft disk encryption, some third-party disk encryption solution, we may have to remove that, and this is where we’ll see those problems, in the Safe OS phase. This phase also prepares the OS rollback, so if we have a problem during the upgrade we can actually get back to that pre-upgrade state if we want to, restoring or rolling it back. Now, after the Safe OS phase, it’s going to configure the system and reboot into the first boot phase.

In the first boot phase, boot failures typically aren’t going to be that common, but if you’re having any boot failures at all, it’s usually going to be tied to a device driver. That’s where we want to, again, make sure that we’ve removed any unnecessary hardware devices from the system, and also try to upgrade any of the device drivers we have out there, so that we have the basics, keyboard, mouse and display, and then try the upgrade again. Now, after we go through that first boot phase, it’s going to reboot again into the second boot phase, and all of the final parts of the Windows 10 upgrade are put in place here. If we’re having a boot failure in the second boot phase, it would typically be a result of AV. It’s not uncommon to see antivirus software, non-Microsoft AV, cause a problem at this layer. So that’s where you’re going to want to think about it and go through the process of uninstalling that before you go through your upgrade again.
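As an added example (not from the course), the PowerShell below runs the pre-upgrade checks discussed in this section (free space against the 16 GB / 20 GB figures, pending restart, non-Microsoft AV registered with Security Center, devices in an error state) and includes a helper that runs SetupDiag offline against the setup logs after a failed attempt. It assumes an elevated session, that SetupDiag.exe has already been downloaded to the placeholder path in $SetupDiagPath, and that the failed upgrade left its logs in the Panther folder under $WINDOWS.~BT.

```powershell
# Added example: readiness checks before a feature update, plus an offline SetupDiag run.
# Assumptions: elevated PowerShell; SetupDiag.exe downloaded separately from Microsoft.

function Test-UpgradeReadiness {
    $os       = Get-CimInstance Win32_OperatingSystem
    $sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $freeGB   = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
    # Course figures: 16 GB for 32-bit, 20 GB for 64-bit (Microsoft may raise these).
    $neededGB = if ($os.OSArchitecture -like '64*') { 20 } else { 16 }

    # A pending restart from servicing or Windows Update blocks the feature upgrade.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
    $pendingReboot = $cbs -or $wu -or ($null -ne $pfr)

    # Non-Microsoft AV registered with Security Center is the usual second-boot-phase blocker.
    $thirdPartyAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Where-Object { $_.displayName -notmatch 'Windows Defender|Microsoft Defender' } |
        Select-Object -ExpandProperty displayName

    # Docked or USB devices with driver problems show up as PnP devices in an error state.
    $badDevices = Get-CimInstance Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' |
        Select-Object -ExpandProperty Name

    [PSCustomObject]@{
        FreeSpaceGB    = $freeGB
        RequiredGB     = $neededGB
        EnoughSpace    = ($freeGB -ge $neededGB)
        PendingReboot  = $pendingReboot
        ThirdPartyAV   = @($thirdPartyAv)
        DevicesInError = @($badDevices)
        Ready          = (($freeGB -ge $neededGB) -and -not $pendingReboot -and -not $thirdPartyAv)
    }
}

function Invoke-SetupDiagOffline {
    param(
        [string]$SetupDiagPath = "$env:TEMP\SetupDiag.exe",                      # placeholder download location
        [string]$LogsPath      = "$env:SystemDrive\`$WINDOWS.~BT\Sources\Panther", # where Setup leaves its logs
        [string]$OutputPath    = "$env:TEMP\SetupDiagResults.log"
    )
    if (-not (Test-Path $SetupDiagPath)) { throw "SetupDiag.exe not found at $SetupDiagPath; download it from Microsoft." }
    if (-not (Test-Path $LogsPath))      { throw "No setup logs at $LogsPath; has an upgrade been attempted?" }
    # Offline mode reads the saved logs instead of scanning the live system.
    & $SetupDiagPath "/Output:$OutputPath" "/LogsPath:$LogsPath" "/Mode:Offline"
    Get-Content $OutputPath
}

Test-UpgradeReadiness | Format-List
```

Run Test-UpgradeReadiness before the feature update; if it still fails, call Invoke-SetupDiagOffline and read the matched rule in the results file to see which phase the failure belongs to.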
