Notes from Implement Windows as a Service: Understand how to do it (BRK3136)

Here are notes from the Implement Windows as a Service: Understand how to do it (BRK3136) session at Microsoft Ignite 2016, compiled by Ami Casto (@MDTPro).

Video: http://www.youtube.com/watch?v=VYu0LHTH20c

Why do we adjust the way Windows is delivered?

• Security threats
• Improving productivity
• Faster adoption of new technologies
• Get rid of the big deployment projects

What is Windows as a Service?

• Building
  • Continual on going development
  • Deliver new features 2x year
  • Insider preview 
    • Validate in your environment
    • Give early feedback to adjust the direction of the platform
• Deploying
  • Stay current with simple, automated update process
  • Application compatibility
  • Flexible timelines, methods, tools
• Servicing
  • Simplified process ensures:
    • Consistency
    • Stability
    • Reliability
• Delivered using CU
• Eliminate platform fragmentation

Windows as a service: Deploying Windows

• Insider preview branch
  • See what's coming
  • Run small pilots
• Current Branch (10-20% of your PCs should be in this ring)
  • Pilot deployments allow you to iron out issues immediately
    • Validate apps and infrastructure
• Current Branch for Business (remaining population of PCs in your environment)
  • Signifies readiness for broad deployment 4 months after Current Branch
  • Risk of waiting means you don’t have MS resources available for identifying and remediating fixes
• Long Term Servicing Branch
  • Specialized systems
  • Mission critical systems
  • No need for frequent changes/update to the system
  • Expensive – becomes a large deployment project just to stay current
• Expected process
  • Insider preview
  • Pilot (CB)
    • Group 1 IT
    • Group 2 volunteers who will call the helpdesk when they have issues, not call a VP
  • Broad deployment (CBB)
  • Break up into cross sections of business groups
• Patching
  • Windows 7/8.1 selective patches causes fragmentation
  • Windows 10 “pick a patch model” goes away – each new one supersedes the previous one so you only need to install the latest to be fully patched
  • This is why you want ring deployments so you can find the issues in small population and work internally and with MS to fix it

Types

• Quality updates
  • Single update each month
  • Security fixes
    • Bug fixes
    • Reliability fixes
  • Supersedes previous month
  • No new features
  • Third Tuesday patching of non-security releases also
  • Can use the MS SUVP program
  • Link: http://technet.microsoft.com/en-us/security/gg309155
• Feature updates
  • Twice per year (Target) providing new capabilities
  • Very reliable
  • Built-in rollback options
    • 1511 30 days
    • 1607 10 days
  • Simple to deploy In-place upgrade leveraging existing tools
  • Can be tested through Insider Preview

Windows as a service: timelines

• Insider preview: 6 months active development
• Current Branch: 4 months
• Current Branch for Business: 12 months
• MS will always support 2 CBB releases at 1 time.  So if there are 3 in the market, the oldest drops service – after a 60 day grace period
• Can I skip from 1507 to 1607?
• Can't deploy the newest until it's released, but you need to finish deployment by the end of 6 months of 1507 grace period

How to do Windows as a service

• What needs to change?
  • Traditional deployment project
    • 3-5 years
    • A lot of man-power
    • Eliminate imaging expense – don’t need a golden image to move from feature to feature because you will use in-place upgrade
    • Golden image is only needed for bare-metal deployments
    • Lighter dependencies on Active Directory
    • Simplify the way to keep ConfigMgr up to date
    • Drivers are preserved by the upgrade process
• Deployment Strategy
  • Configure Insider PC
    • Lab or secondary PC
    • Enough to explore new features
    • Measure compatibility
  • Identify Special PCs
    • Deploy Windows 10 Enterprise LTSB
    • Limited numbers of this version installed, if at all
  • Recruit volunteers for pilots
    • Willing participants who will provide feedback (not tell on you)
    • Cover the broadest set of apps/devices/users as possible
  • Divide broad population of PCs
    • Standard deployment best practice
    • Focus on risk reduction which minimizes disruptions

Compare Servicing Choices

Understand LTSB

• Remove anything that has the ability to change – that is why it is for specialized systems
• Will be basically patched at the security level only – extremely minimal feature patching available
• No Cortana, Edge, Store, and almost all inbox apps (minus settings app) – make sure  you know what you're giving up if you go with this solution

Specifying a preference for what comes next (what does this PC get next)

• Devices are/are not considered CB/CBB
• Windows 10 release transition from one to the next
  • Starts as CB, progresses to CBB
• Devices specify when they prefer to move to the next FU
  • Specify to defer updates
• Each deployment or management tool can implement this idea differently

Implementing a deployment process

• Validate critical apps and infrastructure
  • Ensure new release works with business-critical apps and core infrastructure tools
• Begin pilot deployments
  • Start with IT, expand to broader volunteer audiences for app and hardware validation
• React as needed to feedback
  • A few issues are expected to have a remediation plan in place
• Deploy to the broad population
  • Focusing on risk reduction, minimizing disruption through scheduling, segmentation

Compatibility in Windows 10

• Most apps will just work due to minimal changes to Win32 APIs
• Crash data is analyzed through telemetry/feedback
• 2 browser model in Windows 10 is to help with legacy web compatibility
  • Improved Enterprise mode capabilities in Win10
  • Edge will actually have the best compatibility options
  • Enable a policy that redirects an incompatible website to IE, and when in IE if it doesn't require compatibility it gets redirected back to Edge
• Support statements
  • ISV declared supported on Windows 10
    • ReadyforWindows.com
      • Searchable directory for vendor/app for the ISV support statement
      • Integrated into Windows Upgrade Analytics service (below)

App Validation Process

• Directory of all business apps used across the org
  • Much narrower subset of an application whitelist which can be thousands of items
• Prioritize by level of critical
  • Will the business shut down if these apps don't work
  • Do the rest via pilot
• Windows Upgrade Analytics
  • Leverage telemetry through a portal to make decisions and drive deployment
  • Free tool based on OMS and Azure service
  • Requires PCs to send telemetry and if you tag it to your org, you can use the dashboard to get specifics for your organization
  • Identify PCs that are pilot candidates
  • Identify which apps are ready to go
  • Identify specific application uses
  • ISV known issues
  • MS known issues found through internal testing and fixes if available
  • Lists can be imported into ConfigMgr to build the collections to move forward with the process
  • Link: http://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics

Distributing content using P2P tools

• Shift network load from center (bottle neck) out to the edges by enabling:
  • BranchCache
  • Delivery Optimization
  • Enable/Disable/Tweak BITS throttling
• Immediate ROI
  • 90% of network traffic is shifted away from the core
  • Controls and policies are immediately available to set/tweak

Identifying a tool to use

Windows Update for Business

• Allows a set and forget it scenario
• Still have controls to mitigate problems
• Simplifies infrastructure because capabilities are all built-in to the OS
• Control over granular deployment scenarios and deferrals
• Drivers can be optionally excluded
• No WSUS integration is required
• MDM (Intune) or GPO (AD/AAD) settings for control

For More Info:

http://technet.microsoft.com/en-us/windows/mt763932

http://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb

• Find out where to get information on WUFB, including white papers, etc. in an auto-response email. 
  • WUfBInfo@Microsoft.com 
• Are there features that you need to make WUfB better? Let us know here. 
  • WUfBIdeas@Microsoft.com 
• Not finding what you need to know? Put your question in the email and we’ll help you find the answer. 
  • WUfBQuestions@Microsoft.com 

WSUS 4.0

• Deploy feature updates (requires server 2012 + hotfix)
• Create computer groups for ring deployment
  • Admin driven creation process – not automated
• Broad deployment
  • Auto approval rules
  • Deadline rules
• Anything that needs to be complex, must be done manually

System Center Configuration Manager

• Servicing plans for Windows 10
  • Provides automation through rules driven collections
  • Can be "set and forget"

Q&A

Q: If I'm using ConfigMgr – registry change to indicate CB or CBB? 
A: in 1511 – configure defer upgrades and updates policy – if enabled it's CBB if not enabled, it's CB. 1607 – look under windows updates to set these ones ConfigMgr doesn't use deferral settings

Q: Compare Windows 10 servicing in ConfigMgr vs. Task Sequence based approach 
A: Both perform in-place upgrade process Task Sequence allows pre/post processing (steps before/after).Task Sequence requires media. Servicing plan uses WU packages DL through WSUS and distributed through ConfigMgr – smaller

Q: Configurability of servicing plan 
A: more flexibility around scheduling or pre/post requires TS based approach

Q: WaaS – CBB broader adoption – does MSFT recommend a self-service option with an expiration? 
A: MSFT has seen some customers have success with self-service.  Not seen too often so push mode is best to ensure everybody gets it

Q: Any plans to control the size of the update package to be used in a task sequence or bare metal deployment? 
A: Process will remain as is FU will install the same way as always and looking into mechanisms to reduce the footprint of the package.

Q: Upgrade Analytics – threshold between insufficient data, adopted, and highly adopted 
A: readyforwindows.com will show a legend for what each means

Q: P2P sharing – performance tradeoff for devices participating 
A: DO will only pick very capable PCs (disk, RAM), GPO to target/exclude PCs BC will send out broadcasts + whoever responds quickest gets it – there are config options to influence BC to pick one over the other, GPO to target/exclude PCs ConfigMgr – you can declare super peers On modern hardware, this should be invisible to the end user – on older hardware, yes you might notice performance lag

Q: WUfB compliance reporting tools 
A: Intune, ConfigMgr , OMS will have the tools needed to report back

Q: How do I make sure I'm always up to date? 
A: always deploy the most recent FU

Q: How long will an FU take to complete install 
A: rough timeframe ~1 hour but timing varies – older hardware will take longer – download will not impact end user performance

Q: Does P2P work well for a mobile workforce? 
A: If there is not a peer available for an update, it will failback to Windows Update. It depends on the tool – DO is internet based so it will always look online for a peer. BranchCache – only find peers when on the corporate network. ConfigMgr all depends on the options that are set

Q: WU4B does it have P2P functionality? 
A: WUfB will use DO that is already built in to the OS

Q: PCs in small remote offices with no supporting infrastructure – how to get updates to them? 
A: If there is no need to pull updates from a corporate network, then point them to MS through Windows Update for Business – you still can set controls about when and how by MDM/GPO even though they are internet based

Q: Pausing updates – what happens when the updates are unpaused in a scenario where the updates were paused on day 3 of a 5 day window 
A: Calculates based on when patches release – so all rings could potentially go immediately when unpaused – but maintenance windows/ active hours still apply so it may not be instant

Q: Defer upgrades – does that delay from CBB date or CB release 
A: Deferring updates puts you on CBB – it's defer from that CBB point forward, not the original CB