If your mission is to deploy Windows 10, you want to read this!
In the deployment part of the Windows 10 As A Service MVA Jumpstart, host Simon May brought in Michael Niehaus to talk about Windows 10 deployment, and in this post I summarize the key takeaways from that presentation. For a start, if you have been living under a rock the last 20 years, you probably missed that Niehaus has been, and I think still is, the deployment guy at Microsoft, doing deployment for some 20 years, and saying in the session that people get blank faces when he mentions deploying from deploying Windows 95 from floppy disks 🙂
Simon May and Michael Niehaus.
Deploying Windows 10
Anyway, Michael started with mentioning that Windows 10 still supports all scenarios that you are used to, and know how they work (bare metal, computer refresh, and computer replace), but added, as you probably know, that Windows 10 is adding in a new deployment scenario, the inplace upgrade scenario, which at this point in time has been tested by millions of Windows Insiders around the globe.
For a start, the inplace upgrade is quite interesting in the way it technically doesn’t require any new infrastructure, no new ADK, no new boot images etc. it’s simply running setup.exe with some command line switches, and you can upgrade from Windows 7, Windows 8, and Windows 8.1. This scenario also makes sure all apps and data are still there when the machine is upgraded. For consumers this is done via Windows Update, but organizations typically want more control so they will download the media and use upgrade task sequences via MDT or ConfigMgr. Simply to get the best experience from the inplace upgrade.
The inplace upgrade is well tested for consumers (millions of insiders), but Microsoft are also working with some TAP (Technical Adoption Program) to get real world feedback on how the inplace upgrades works in the Enterprise. A work that started with these customers got updates that allowed for Windows 7 to Windows 8.1 upgrades, and then continued to improve that process for Windows 10.
Also, in the session, the Windows 10 media creation tool was mentioned, a utility created mainly for consumers to assist the free Windows 10 inplace upgrade process, but can of course be used within an organization too, even though they typically will use real deployment solutions to drive that process (with volume license media etc.).
A Windows 10 upgrade task sequence, the preferred way for organizations to deal with inplace upgrades.
Inplace upgrade considerations
However, in the session it was also mentioned that there are a few gotchas to the upgrade process, meaning it may not be for everybody. For a start you can’t use an reference image that already have applications in it, you have to use the Microsoft media. There are restriction for 3rd party antivirus and disk encryptions, that typically have to be uninstalled, but in the session it was mentioned that one ISV recently provided guidance to have their disk encryption to work with inplace upgrade ( Simon and Niehaus didn’t say the vendor name, but it was McAfee, more info here: http://kc.mcafee.com/corporate/index?page=content&id=KB84962 ). Other restrictions mentioned was not being able to go from x86 to x64 (and vice versa), not going from MBR to UEFI, and not upgrade Windows to Go, Boot from VHD, or dual-boot / multi-boot systems.
Note #1: Not being able to change to EUFI during inplace upgrade may not sound like a big deal, but some of the security features in Windows 10 does require UEFI.
Note #2: During the session it was mentioned that some creative people (not me), had used an unsupported workaround to upgrade Boot from VHD. They had simply attach the VHD to a virtual machine, upgraded the virtual machine, and then put the upgraded VHD back.
So, you are on Windows 10, then what?
Inplace upgrades are going to be even more important once you have upgraded to Windows 10, because that’s ( at least initially) how major Windows 10 updates will be delivered. This is not for the cumulative updates (three released so far), but larger upcoming service releases.
Reference images and Sysprep
If you are using the traditional scenarios, you can create reference images with MDT 2013 Update 1, but they can’t be used for the inplace upgrade scenarios (bare metal, computer refresh, and computer replace). You also cannot deploy your Windows 7 SP1 image, upgrade it to Windows 10, and then run sysprep. Sysprep is not supported on an upgraded machine.
Management and Deployment Matrix
In terms of managing and deploying Windows 10, the following matrix was presented:
Provisioning
Another new technology added with Windows 10 is the provisioning feature, where you can take an existing device and transform it into an enterprise device. Meaning rather than rebuilding the machine as soon as you get it out of the box, you can apply your enterprise configuration to it. For example change the SKU from Pro to Enterprise. As a comparison a phone was mentioned, in where you typically don’t reimage the phone before starting to use it.
Hardware and Software Compatibility
In general, if a machine can run Windows 7 or Windows 8.1, it will run on Windows 10 just fine. Same goes for apps, you’ll find that most desktop apps that works on Windows 7 and Windows 8.1 will work on Windows 10. In fact, most apps that runs on Windows 10, unless they have a specific manifest for Windows 10, will think they are running on Windows 7. Also since Microsoft have access to all the hundreds of thousands apps in the Microsoft store, and can run automated tests for them, meaning they are very likely to work too.
Note: Like usual when there is a new Windows version, low level software like antivirus and VPN clients typically have to be updated.
Web pages and web applications
The biggest challenge in Windows 10 is making sure all your web pages and web applications works in Internet Explorer 11. If you already done the work with IE Enterprise Mode for IE 11 on Windows 7, you are already good to go. If not, you have to start that work now. In fact, if you are on Windows 7 right now, and have not started the Enterprise Mode configuration you better hurry. Older versions of Internet Explorer are going out of support in January, 2016.
Note: There is also an option to redirect users using the new Microsoft Edge browser to IE 11 if they navigate to a site that needs to run in Internet Explorer.
Activation
Windows 10 does require new KMS and MAK keys, and updates to your Windows Server 2012 / Windows Server 2012 R2 KMS servers to support the new KMS keys. The update needed is the http://support.microsoft.com/en-us/kb/3058168 update. Active Directory Based Activation is still supported too.
Note: There will be updates for KMS Servers running Windows Server 2008 R2 in October, but really, get rid of that legacy server and move into the 21st century (my own comment 🙂 ).
Group Policy ADMX Templates
To manage Windows 10 using group policy, you need to get the updated ADMX templates. Those ADMX templates can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=48257. Simon also mentioned the group policy search site in Azure which you find here: http://gpsearch.azurewebsites.net
The group policy search site.
MDOP Updates
To support Windows 10 with the various MDOP packages you need the following versions (will be released in the next few days): AGPM 4.0 SP3, App-V 5.1, DaRT 10, MBAM 2.5 SP1 (2.5 works), and UE-V 2.1 SP1.
Reset/Refresh Changes
You no longer need a recovery partition, and Windows instead restores from (patched) side-by-side store. OEM’s (or you) can provide provisioning packages with drivers and apps, captured with USMT.
Happy Deployment, Johan