The Windows 10 Update Treadmill

I am often asked which version of Windows 10 an organization should select. I am astounded by the number of IT Pros involved in Windows 10 migrations and deployments who are unaware of the servicing windows for each of the semi-annual feature updates of Windows 10. For background, it is important to understand that Microsoft releases two feature updates to Windows 10 each year through the semi-annual update channel. The versions in this servicing channel are released in the spring and the fall. Sometimes there is a specific name for the version, but lately they have typically been referred to as one of the following:

  1. Spring / Fall Update
  2. March/September Update (Note that the general availability does not always align perfectly to these months)
  3. YYMM (E.g. 1903 vs 1909)
  4. H1/H2 (First half vs second half of the year)

Regardless of what you call the update, your version selection has a big impact on when your next mandatory update falls due. Most important to note is that all versions of Windows 10 have an 18 month servicing window, with the exception of the September (H2, Fall) update for Enterprise and Education customers, which has a 30 month servicing window. This means that there will not be any quality and security updates beyond 18 months for the versions on the 18 month window.

If you have access to Enterprise or Education versions of Windows 10, you get 30 months of servicing support on the fall release. Consider that if you install 1903 the day it is released, you will get a shorter support window than if you installed 1809 the very same day.

Pro Tip: Unless you have a compelling reason to use a specific H1 version of Windows 10, you should install an H2 version of Windows 10 Enterprise (or Education) to maximize the servicing window and provide more runway between mandatory upgrades.

Edition | March* feature updates | September* feature updates
Windows 10 Enterprise, Windows 10 Education | Serviced for 18 months from release date | Serviced for 30 months from release date
Windows 10 Pro, Windows 10 Pro Education, Windows 10 Pro for Workstations, Windows 10 Home | Serviced for 18 months from release date; however, based on your settings, the latest feature update may be automatically installed on your device upon availability. | Serviced for 18 months from release date; however, based on your settings, the latest feature update may be automatically installed on your device upon availability.

* Feature updates will be released twice annually with a target of March and September.

Note: There is also a Long Term Servicing Channel that provides five or more years of support to specific Long Term Servicing Branch versions of Windows 10. These versions are outside of the scope of this discussion.

More information about this and related topics can be found in the Windows lifecycle fact sheet.

Surface and Windows 10 in the Enterprise

In 2018 Microsoft became the fifth largest PC vendor in North America. Of course, much of this is fueled by the Surface lineup, which has moved rapidly from an enthusiast or secondary device to become the preferred device of many enterprises. I do a lot of work with the Canadian Federal Government and many departments have chosen the Surface Pro as the standard device for all employees.

Of course the combination of Surface and Windows 10 has some distinct advantages such as:

  1. Windows 10 is tested heavily against Surface Devices
  2. Configuration Manager has a Surface Device Dashboard built in showing device models, firmware, etc.
  3. Configuration Manager uses Surface Devices as pilot devices for prerelease testing
  4. Surface Hardware supports advanced Windows 10 features such as Hello and WiDi
  5. Inking

As the Surface continues to be more heavily deployed in enterprises, administrators have had special concerns about managing the devices. In response, Microsoft has released a series of tools and utilities to ease the management burden.

Tool | Description
Cisco EAP Supplicant Installer | Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices
SEMM | Surface Enterprise Management Mode tools for managing UEFI firmware
SP3_Firmware_Powershell_Scripts.zip | Surface Pro 3 firmware deployment scripts
Surface Diagnostics Tools | Investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices
Surface Data Eraser | Perform a secure wipe of all data from a Surface device
Surface Deployment Accelerator | Rapid reimaging environment for Surface devices
Surface Dock Updater | Check and update Surface dock firmware
Surface Brightness Control | App for managing screens of always-on devices like POS and kiosks
Surface UEFI Configurator and Manager | Tool for managing SEMM enrollments
Surface WOL | Manage Wake-On-LAN for Surface devices

The Surface Tools for IT can be downloaded here.

Android Enterprise, Device Management Scenarios and Intune – COPE, BYOD, COBO, CYOD, COFM etc.

Microsoft just announced preview support for Corporate Owned Fully Managed Android Enterprise devices. What does this mean for the administrator of these devices? Well, the landscape has been changing a lot lately in the device management space. So before going on to the new stuff, let’s review the classic scenarios.

COBO – Corporate Owned Business Only – In this scenario, the enterprise buys the device and issues it to an employee. The device is intended for business use only and there is no (or minimal) personal use or data on the device. In this scenario the device can be wiped at the discretion of the owner (the enterprise). This scenario commonly has a small number of standard devices to ease procurement and management.

BYOD – Bring Your Own Device – In this scenario employees supply their own device and connect to corporate services with it. If the device is managed, there is usually some segregation or containerization of personal and corporate data and apps. If the employee changes devices or leaves the organization, the enterprise typically only wipes the corporate portion of the device, leaving personal apps and data intact as the device is personally owned. It can be difficult to manage BYOD as there is minimal control over the types of devices employees may use.

CYOD – Choose Your Own Device – This scenario is very similar to BYOD, with the exception that a set list of supported devices is provided by the employer and the employee must choose from that list. Often there is a small allowance allocated to help offset the increased cost to the employee associated with the loss of choice. This typically has an element of standardization associated with it by design.

COPE – Corporate Owned Personally Enabled – In this scenario the employer purchases and owns the device, with the employee having the ability to use personal apps and data. This typically requires some segregation between corporate and personal apps and data. In this scenario the ability to wipe the device may or may not differentiate between personal and corporate apps and data, depending on the corporate policies.

Until recently, the most common secured Android platform was Samsung Knox which leveraged available Android APIs to create a secured container and additional management policies and restrictions. This eased the administration scenarios that required some form of corporate and personal segregation. In many cases MDM vendors created their own container models to provide similar experiences on non-Knox devices.

Android Enterprise changes the landscape once again by providing much of the functionality of Knox across devices from dozens of Android vendors. There is an ever growing list of Android Enterprise Recommended devices. Notice that Samsung is on the list as well. It’s not clear to me at this time what the future of Samsung Knox is however in my most recent testing of Android Enterprise controls I found that they were at best a subset of the controls available in Knox. This is a rapidly changing landscape and I expect parity or near parity very quickly as hardware vendors expose more to the Android Enterprise APIs.

So to circle back to the Microsoft announcement: in short, it means that Intune now supports the Android Enterprise version of COBO.

Troubleshoot Windows 10 upgrades with SetupDiag.exe

There’s a great standalone tool that you can use to help troubleshoot Windows 10 upgrade issues. This tool only works on Windows 10 with .NET Framework 4.6 installed. You can download the tool from here.

SetupDiag.exe is a command line tool that parses all of the log files associated with Windows upgrades and looks for known failure signatures. Simply running the command on a Windows 10 system will package up all of the log files into a zip file in the directory from which the command was run.

There are many command line switches (some for controlling output destinations) and, as usual, you can get a list of the options by typing SetupDiag.exe /?.

Here are some examples of the output from SetupDiag.exe on a system that had a successful upgrade:

Note that I use the Configuration Manager Trace Log Tool as my default log file viewer. More on SetupDiag.exe can be found here.

Portal Kombat

As Microsoft has integrated previously independent products and evolved into a massive cloud service provider, the disparate access methods and portals developed by individual product teams have led to an overwhelming number of different ways of accessing your MS cloud services. Examples include Office 365, Azure AD, Dynamics, OMS, Intune and of course Azure.

While I applaud Microsoft’s movement to simplified, streamlined and unified portals where they make sense, it has been a bumpy ride. Up until earlier this year, both Azure and Intune had two portals for a period. If that’s not confusing enough, not all functions are (or were) available in both portals. Some features are (or were) only available in the classic portal while others are (or were) only available in the modern portal.

To make it even more difficult for administrators, because of the Silverlight dependency, the classic portal does not support all modern browsers.

Here’s an article that outlines the browser support for each portal.

Let’s focus on Intune for now. Until the Windows 7 End of Life in January 2020, Microsoft will need to continue to support the classic Silverlight-based portal in order to keep supporting Windows 7 devices that rely on agent-based management. As organizations move away from Windows 7, no agent is required because OMA-DM is baked into Windows 10, and the Azure service-based version of the Intune portal can be used exclusively.

Figure 1- Classic Silverlight based Intune Portal

Figure 2- Azure “Ibiza” Portal

License Management

It’s hard to believe that something as simple (and revenue generating for Microsoft) as license assignment can be confusing. Intune has additional confusion beyond the two Intune-specific portals, in that license management can be done from either the Azure AD blade or from within Office 365.

Of course, you can also assign the licenses using PowerShell from a computer with the Azure Active Directory Module for Windows PowerShell installed. I like this option as it can be integrated into a more complete automated user provisioning process. For example, you could create a PowerShell script that does the following:

  1. Create a user in AD (or Azure AD)
  2. Add the user to appropriate groups
  3. Assign an Office 365 license
  4. Turn on MFA
  5. Create a mailbox
  6. Assign an Intune Licence
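The following is an added example of the automated provisioning flow described above; it is not a script from the original post. It uses the Azure Active Directory Module for Windows PowerShell (the MSOnline cmdlets). The user principal name, group name and SKU part numbers (ENTERPRISEPACK for Office 365 E3, EMS for Enterprise Mobility + Security, which carries the Intune licence) are assumptions for illustration; confirm the SKUs available in your tenant with Get-MsolAccountSku before running it.

```powershell
# Added example (not from the original post): provision a cloud user end to end
# with the MSOnline module, following the six steps listed above.
# UPN, group name and SKU part numbers below are assumptions; verify SKUs with Get-MsolAccountSku.

Connect-MsolService   # prompts for an administrator credential

$upn       = 'jane.doe@contoso.example'   # constructed sample user
$groupName = 'Intune-Users'               # assumed name of the group Intune policies target
$tenant    = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId.Split(':')[0]
$o365Sku   = "${tenant}:ENTERPRISEPACK"   # Office 365 E3 (assumed SKU); includes Exchange Online
$emsSku    = "${tenant}:EMS"              # Enterprise Mobility + Security E3 (assumed SKU); includes Intune

# 1. Create the user in Azure AD. UsageLocation must be set before any license can be assigned.
$user = New-MsolUser -UserPrincipalName $upn -DisplayName 'Jane Doe' `
    -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'CA'

# 2. Add the user to the appropriate group.
$group = Get-MsolGroup -SearchString $groupName | Select-Object -First 1
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
    -GroupMemberObjectId $user.ObjectId

# 3. and 5. Assign the Office 365 license. For a cloud-only user the Exchange Online plan
#    in that license provisions the mailbox, so no separate mailbox-creation step is needed.
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $o365Sku

# 4. Turn on MFA. State 'Enabled' requires the user to register a method at next sign-in.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)

# 6. Assign the Intune licence (delivered here through the EMS SKU).
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $emsSku

# Confirm what the account ended up with.
(Get-MsolUser -UserPrincipalName $upn).Licenses | Select-Object AccountSkuId
```

The ordering matters: UsageLocation has to be set before the first Set-MsolUserLicense call or the assignment is rejected, and the MFA requirement is applied after the user exists but before the account is handed over, so the first interactive sign-in already enforces registration.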


In this short video I’ll show you three ways to assign Intune (or EMS) licenses to users:

  1. Office365 Portal
  2. Azure Portal
  3. PowerShell

Apologies, the video link is not working. It will be up again shortly.

Windows 10 Support Changes

I previously posted about changes to Microsoft’s Windows 10 support, and things are changing again. While Microsoft continues with twice-yearly feature releases of Windows 10, Microsoft has announced that it will now provide 30 months of support for Enterprise and Education versions of Windows 10 released in the fall, and 18 months of support for Pro and Home versions. Spring releases stay the same at 18 months. Is that confusing? Remember that the twice-yearly releases are targeted for release in March and September and as such are referred to as Year+Spring and Year+Fall, or YYH1 and YYH2, releases. So the release targeted for March 2018 would be referred to as Spring 2018 or 18H1. Understanding that, here’s a table to help sort out the support models:

Version | Release | Support
Windows 10 Enterprise | H1 (Spring) | 18 Months
Windows 10 Enterprise | H2 (Fall) | 30 Months
Windows 10 Education | H1 (Spring) | 18 Months
Windows 10 Education | H2 (Fall) | 30 Months
Windows 10 Pro | H1 (Spring) | 18 Months
Windows 10 Pro | H2 (Fall) | 18 Months
Windows 10 Home | H1 (Spring) | 18 Months
Windows 10 Home | H2 (Fall) | 18 Months

It’s great that organizations that can’t keep up with the 18 month upgrade pace, either permanently or temporarily, can opt to slow down once on a fall release. Organizations that want the feature upgrades faster (often for new security features) can still upgrade before the 30 month end of support, to either a spring or a fall release, depending on the cadence that they want to adopt. This gives them the option to mix and match fully supported upgrade cycles of 6, 12, 18, 24 and 30 months as required.
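As an added example covering both the servicing rules in the Windows 10 Update Treadmill post above and the support table in this post (it is not code from the original posts), the script below turns those rules into a check an administrator can run: it derives H1/H2 from a ReleaseId, applies the 18/30 month rule by edition, and reports the end-of-servicing date and days remaining. Release dates are supplied by the caller because they differ per version; the dates in the usage lines are constructed sample values, and the real ones should be taken from the Windows lifecycle fact sheet. The EditionID strings are the values Windows writes to the registry (Enterprise, Education, Professional, Core).

```powershell
# Added example (not from the original posts): servicing-window calculator for
# Windows 10 semi-annual channel builds. Release dates are caller-supplied; the
# sample dates in the usage lines are constructed values, not authoritative ones.

function Get-Win10ReleaseHalf {
    param([Parameter(Mandatory)][string]$ReleaseId)
    # ReleaseId is either YYMM (1809, 1903, 2004) or YYH1/YYH2 (20H2).
    if ($ReleaseId -match '^\d{2}H([12])$') { return "H$($Matches[1])" }
    if ($ReleaseId -match '^\d{2}(\d{2})$') {
        # Month 01-06 is the spring (H1) release, 07-12 the fall (H2) release.
        if ([int]$Matches[1] -le 6) { return 'H1' } else { return 'H2' }
    }
    throw "Unrecognised release id '$ReleaseId'"
}

function Get-Win10ServicingMonths {
    param(
        [Parameter(Mandatory)][string]$EditionId,   # registry EditionID: Enterprise, Education, Professional, Core
        [Parameter(Mandatory)][string]$ReleaseId
    )
    $half = Get-Win10ReleaseHalf -ReleaseId $ReleaseId
    # Only Enterprise and Education get the 30-month window, and only on H2 (fall) releases.
    $longServiced = @('Enterprise', 'EnterpriseN', 'Education', 'EducationN')
    if ($half -eq 'H2' -and $EditionId -in $longServiced) { return 30 }
    return 18
}

function Get-Win10ServicingStatus {
    param(
        [Parameter(Mandatory)][string]$EditionId,
        [Parameter(Mandatory)][string]$ReleaseId,
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [datetime]$AsOf = (Get-Date)
    )
    $months = Get-Win10ServicingMonths -EditionId $EditionId -ReleaseId $ReleaseId
    $end = $ReleaseDate.AddMonths($months)
    [pscustomobject]@{
        EditionId       = $EditionId
        ReleaseId       = $ReleaseId
        ServicingMonths = $months
        EndOfServicing  = $end.ToString('yyyy-MM-dd')
        DaysRemaining   = [int]($end - $AsOf).TotalDays
        Supported       = ($AsOf -lt $end)
    }
}

function Get-LocalWin10Build {
    # Read edition and release id of the machine the script runs on.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # From 20H2 onward DisplayVersion carries the name and ReleaseId is frozen at 2009.
    $rel = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{ EditionId = $cv.EditionID; ReleaseId = $rel }
}

# Usage: two Enterprise installs done on the same day, one on 1809 (H2) and one on 1903 (H1).
# The release dates below are constructed sample values; take real ones from the lifecycle fact sheet.
Get-Win10ServicingStatus -EditionId Enterprise -ReleaseId 1809 -ReleaseDate '2018-11-13' -AsOf '2019-05-21'
Get-Win10ServicingStatus -EditionId Enterprise -ReleaseId 1903 -ReleaseDate '2019-05-21' -AsOf '2019-05-21'

# Usage: check the local machine (supply its release date).
$local = Get-LocalWin10Build
Get-Win10ServicingStatus -EditionId $local.EditionId -ReleaseId $local.ReleaseId -ReleaseDate '2019-05-21'
```

With the sample dates the 1809 Enterprise install reports 30 months of servicing and the 1903 install 18, which is the "install 1809 on the same day and get a longer window" point made in the Treadmill post. Run the local-machine check across a fleet and sort by DaysRemaining to find the devices that need a feature update first.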

This is great news for Windows 10 customers but there are still many organizations struggling to upgrade from Windows 7 before extended support runs out on January 14, 2020. As part of the same post Microsoft also released information about paid Extended Security Updates (ESU) for Windows 7 until 2023.

SEMM – Surface Enterprise Management Mode

As Microsoft Surface devices continue to gain use in enterprise environments, Microsoft has been releasing tools to ease the management of these somewhat unique devices and enable administrators to use more modern technologies in a streamlined way.

One of the biggest security improvements in Windows 10 (and Windows 8.1) over Windows 7 is UEFI. It has traditionally been difficult to automate the move from BIOS-based firmware to UEFI without some form of manual intervention. Microsoft addressed this with specialized task sequences in SCCM. Microsoft has improved the ongoing management of the UEFI firmware once again with Surface Enterprise Management Mode (SEMM).

Once devices are enrolled with SEMM you can enable or disable the following devices:

  • Docking USB Port
  • On-board Audio
  • DGPU
  • Type Cover
  • Micro SD Card
  • Front Camera
  • Rear Camera
  • Infrared Camera, for Windows Hello
  • Bluetooth Only
  • Wi-Fi and Bluetooth
  • LTE

You can configure the following advanced settings with SEMM:

  • IPv6 support for PXE boot
  • Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
  • Lock the boot order to prevent changes
  • Support for booting to USB devices
  • Enable Network Stack boot settings
  • Enable Auto Power On boot settings
  • Display of the Surface UEFI Security page
  • Display of the Surface UEFI Devices page
  • Display of the Surface UEFI Boot page
  • Display of the Surface UEFI DateTime page

The configurations are changed by running configuration packages on enrolled devices. Of course, you can use System Center Configuration Manager to send the enrollment and configuration packages to managed devices.

Windows Autopilot vs System Center Configuration Manager

I previously mentioned that I was excited to compare Windows Autopilot with System Center Configuration Manager (SCCM). Well, we finally have more details about Windows Autopilot and I’m finally able to give you a comparison of Autopilot and SCCM for Windows 10 deployments.

System Center Configuration Manager

Before I dive into Windows Autopilot, let us review the typical use cases for SCCM so that we have a basis for comparison. SCCM is an on-premise tool that performs many functions in addition to Operating System Deployment (OSD); however, I will just focus on the OSD portion for now. Here are the three most common OSD scenarios:

Scenario 1 – Boot Media

This is a Light Touch deployment requiring physical access to each device. It is well suited to small remote offices or a small staging area without OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. SysAdmin creates boot media
  3. Boot media is distributed to required locations
  4. Each device is booted with the boot media and the task sequence builds the device
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • Minimal network impact
  • Minimal infrastructure requirements

Cons

  • Requires visiting each device (Light Touch)
  • Boot media management overhead

Scenario 2 – PXE Boot

This is a Light Touch deployment requiring physical access to each device to enter PXE boot. This can be made Zero Touch if the boot order is set to PXE first; however, this is not a sustainable configuration. It is well suited to a large staging area or small remote offices with OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Devices are booted and forced into network boot
  4. The device finds and downloads a boot image from the SCCM Distribution Point
  5. Each device boots the boot image and the task sequence builds the device
  6. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No media management
  • Easy modification of task sequences, boot images and driver packages

Cons

  • Requires visiting each device (Light Touch)
  • Requires complex infrastructure

Scenario 3 – Deployed Task Sequence

This is a true Zero Touch deployment that can be used as a Self-Service option as well as a scheduled mandatory deployment. It can even be coupled with Wake-on-LAN to target devices that are powered off (but still connected to the network). This is well suited to upgrading or refreshing large numbers of devices currently in use, as it requires that each device is already managed with SCCM.

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Task sequence is executed on device (Self-serve or scheduled)
  4. Required files are copied to the device and the device reboots and the task sequence deploys the operating system
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No requirement to visit each device (True Zero Touch)
  • No media management
  • Easy modification of task sequences, boot images and driver packages
  • Supports Self Service
  • Supports Scheduling

Cons

  • Requires complex infrastructure
  • Only available to existing SCCM clients

Windows Autopilot

Windows Autopilot is a cloud-based service that does not require any special infrastructure. Here’s a typical OSD scenario using Windows Autopilot:

  1. SysAdmin creates device profile(s)
  2. Sysadmin registers the device(s) with the Windows Autopilot service
  3. SysAdmin assigns a profile to the device(s)
  4. Device is booted by the end user
  5. Device is connected to network (any Network – home, work, public)
  6. User provides enterprise credentials, Language and Keyboard settings
  7. Device self configures based on assigned profiles
  8. If the organization uses Intune, additional policies and applications may be delivered to the device
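Step 2 in the list above (registering devices with the Autopilot service) starts with collecting each device's serial number and hardware hash and uploading them as a CSV. The script below is an added example, not from the original post or from Microsoft, that gathers that data from the MDM bridge WMI namespace and writes the CSV in the layout the Autopilot import expects. The output path is an assumption; Microsoft publishes a Get-WindowsAutoPilotInfo.ps1 script on the PowerShell Gallery that does the same job, and this block shows what that collection amounts to.

```powershell
# Added example (not from the original post): gather the Autopilot registration data
# for the local device and write it as an import CSV. Must run elevated on Windows 10.
# The output path is an assumption; adjust to taste.

function Get-AutopilotRegistrationRow {
    # Serial number from the firmware tables.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # Hardware hash from the MDM bridge namespace (the same source the MDM client reports to Intune).
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw 'Hardware hash not available; run from an elevated prompt on Windows 10.'
    }

    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''        # optional column; left blank
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param([string]$Path = "$env:ProgramData\AutopilotHash.csv")   # assumed output location
    $row = Get-AutopilotRegistrationRow
    # The import expects exactly these three columns, in this order, without quotes.
    $row | Export-Csv -Path $Path -NoTypeInformation
    (Get-Content $Path) -replace '"', '' | Set-Content $Path
    return $Path
}

# Usage: produce the CSV, then upload it in the Intune portal (Device enrollment > Windows enrollment > Devices).
Export-AutopilotCsv
```

Treat the resulting file as sensitive: the hardware hash is what binds a device to your tenant's Autopilot profile, so collect it through a controlled channel rather than leaving CSVs on shared drives, and delete them once the devices are registered.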

Pros

  • No requirement to visit each device (Near Zero Touch)
  • No media management
  • Easy modification of profiles
  • Supports Self Service

Cons

  • Cloud service (may be a con for some organizations)
  • Eliminates requirement of staging areas and internal device shipping
  • No support for system upgrade (maintaining user data and state information)
  • No support for complex configurations (multi partition, etc.)

Conclusion

Intune has been evolving rapidly over the last few years and has been able to provide much of the same functionality as SCCM, such as hardware and software inventory, application management, software updates etc. The one feature that was missing was OSD. Coupled with Windows Autopilot, Microsoft Intune is a credible end-to-end lifecycle management platform for many use cases that requires no on-premise infrastructure. While it cannot service all of the use cases that SCCM can, it can save time and money for organizations where it is a good fit.

Introducing WinPE Peer Cache

WinPE Peer Cache is a new feature of SCCM CB 1610. It functions in a similar manner to BranchCache; however, it is only available for content access from the Windows Preinstallation Environment (WinPE). WinPE Peer Cache is configured and managed as part of the SCCM CB client management settings.

A task sequence configured to use Windows PE Peer Cache can get the following content objects from a local peer while running in Windows PE:

  1. Operating system image
  2. Driver package
  3. Packages and Programs (When the client continues to run the task sequence in the full operating system, the client gets this content from a peer cache source if the task sequence was originally configured for peer cache when running in Windows PE.)
  4. Additional boot images

It is important to understand that WinPE Peer Cache is targeted at OSD scenarios and does not replace Distribution Points and BranchCache as locations for other types of content. For example, the following content objects never transfer using peer cache. Instead, they transfer from a distribution point or by Windows BranchCache if you have configured Windows BranchCache in your environment:

  1. Applications
  2. Software updates

WinPE Peer Cache only supports OSD scenarios that include a WinPE boot such as PXE boot or Boot Media.

WinPE Peer Cache is very new and is evolving very rapidly. To avoid possible issues with the model, Microsoft is adding features to create higher deployment success rates. Beginning with SCCM CB 1702, a peer cache source computer will reject a request for content when the peer cache source computer meets any of the following conditions:

  1. Is in low battery mode.
  2. CPU load exceeds 80% at the time the content is requested.
  3. Disk I/O has an AvgDiskQueueLength that exceeds 10.
  4. There are no more available connections to the computer.

Microsoft Education Event – Surface Laptop and Windows Autopilot

At the Microsoft Education Event this past week, there were many announcements that we covered in the Universal Windows Podcast Episode 66. While most of the show was dedicated to the Education sector and Windows 10 S, there were two announcements that I was particularly excited about: specifically, the new Surface Laptop and Windows Autopilot.

When I try the Surface Laptop later this month I will check out the lapability but from the specs, there are definitely a couple of missing features that would fit my use cases. I’d really like to see a full USB-C port and built in LTE. From a USB-C perspective, I have run into issues with USB resources with my Surface Pro 3 and I think USB-C is the future. As the Surface Laptop is a premium device, for me to justify the price tag, I’d like to feel like the device has a long useful life ahead whether I keep it myself, hand it down to a family member or sell it. USB-C gives it a longer useful life in my opinion.

As far as LTE, I firmly believe the future is BYON (Bring Your Own Network). We won’t need to be hunting for free WiFi at Starbucks, airports and other locations with unknown risks, and tethering, while useful, can be inconvenient and drain your mobile’s battery. There are rumours that an LTE version might be out in the fall.

The most exciting reveal for me was Windows Autopilot. It appears to be a simple to use, Windows 10 mass deployment tool built for the classroom scenario. As I do a lot of work with SCCM, the de facto Enterprise class Operating System deployment tool, I am curious to see how this stacks up. I will do a side-by-side comparison once more details of Autopilot are available. Stay tuned.