Top Questions from Ask the Experts – Windows 10 deployment, servicing, and provisioning (BRK3140)

Here are the top questions from our Ask the Experts – Windows 10 deployment, servicing, and provisioning session (BRK3140) at Microsoft Ignite 2016, compiled by Ami Casto (@MDTPro) who also helped out answering the questions coming in via Twitter (If you're not on Twitter, get on Twitter).

Link to video: Ask the Experts – Windows 10 deployment, servicing, and provisioning

From left: Michael Niehaus, Johan Arwidmark, Brian McNeill, Rob York, Mikael Nystrom, Pallavi Dheram, and Marc-Andrea Klimaschewski.

Q #1. We have ConfigMgr, and would like to service Windows 10 with provisioning, like with Intune. What's the best practice today, if bring say 100 surfaces onboard, and don't want to image them, but still want them to be part of ConfigMgr, join the domain etc.?

• You can apply a provisioning package, that makes the needed changes to the machine. If done by an IT person, during OOBE screen at first boot, hit Windows key five times and browse to USB location with provisioning package, which in turn can AD join, name the computer, even potentially install the ConfigMgr client
• Once domain joined, you can use a startup script in AD to push ConfigMgr client to endpoint (Best example is on Jason Sandy's blog: http://configmgrftw.com/)
• You can use Azure MDM enrollment into Intune, but there is nothing native that can push the ConfigMgr client from Intune.

Q #2. For the service updates, what is the best way to uninstall and block updates if I run into issues? And is it the same procedure for quality updates as for feature updates?

• For quality updates, if you have an issue, and want to keep it from coming down, it's going to vary depending on the tool you are using. If using Windows Update for Business you have the ability to roll back, but if you want to prevent it from coming down again, you can defer those updates, and that goes for both feature and quality updates.
• If using WSUS you can decline the update, revoke the approval. With ConfigMgr you have the same options.
• The uninstallation is trickier, it's quite ok with legacy Windows versions, but trickier with Windows 10.

Q #3. When joining domain during OSD, can you specify a specific domain controller to use (for example if there is slow replication)?

• The apply network settings just takes the settings to Unattend.xml which OOBE processes, has no parameters to specify DC.
• Separate scripted join can target a DC however

Q #4. How to automate BIOS to UEFI

• Check out the session from Mike Terrill (1E). Here is the video:  Prepare for Windows 10 and UEFI
• Basic steps, change firmware of device, change disk layout, deploy OS
• For ConfigMgr – use OEM utilities in task sequence, backup disk, redeploy
• ConfigMgr 1609 TP has a step that allows 3rd party tool for BIOS – UEFI conversion. Still requires you to wipe the box to change disk format
• If machine ships in BIOS mode, UEFI might not work – you need UEFI 2.3.1

Q #5. When using third party disk encryption, and want to do BIOS to UEFI conversion, and want to upgrade to Win10. What can I do?

• 3rd party vendor support, you need their drivers, ability to pause encryption during the upgrade process
• You can either decrypt, wait, capture state, reload, re-encrypt, or  switch to UEFI, wipe drive, bare metal deployment, restore from USMT backup, be happy.
• There is also a new setup switch in Windows 10 v1607 allowing you to install third part encryption drivers, that might help.

Q #6. Is there going to be more cooperation between Microsoft and third party vendors, to make features updates (Windows servicing) easier?

•   Yes, the /reflectdrivers switch to the setup, is a good first step since it enable to stage encryption drivers on the disk ahead of time.

Q #7. Can we use dynamic updates for Windows 10 with ConfigMgr?

• First, the dynamic updates has three parts, updated drivers, and updated compatibility database, and updates to address specific upgrade issues.
• ConfigMgr has a check box to enable dynamic update, which temporarily changes the policy on the client, so it's not talking to WSUS/SUP, then does the upgrade, and then flips it back to WSUS/SUP again. Please note that this will download a quote large chunk of data to the client.
• If you want the latest compatibility database, you can also use upgrade analytics to pull down the latest database to the system.

Q #8.  When using ConfigMgr to manage Windows 10 machines, do you still need MDM?   

• If you install the ConfigMgr agent on a system, it disables the MDM enrollment options, because the ConfigMgr client will register on the system to say that this machine is externally managed. You don't really need two management authorities fighting over the same PC and configure the same settings.
• ConfigMgr can set the same MDM settings via Compliance Settings / Configuration items, using the WMI Bridge that exists. Kent Agerlund has a nice post about that here:

Q #9. During a W7 to W10 inplace upgrade, Windows.old takes up too much space on smaller drives, what can be done to clean it up to get space back?

• First, windows.old size viewed from File Explorer looks larger than it really is. That's because it has created hard links with a new set of files in the new Windows folder.
• Second, Windows 10 will cleanup that folder on it's own. For Windows 10 v1607 that happens after 10 days, for earlier versions after 30 days.   
• You can also run disk cleanup manually, but you'll only save ~8-10GB because of the hard links    
• Microsoft says don't clean it up immediately on your own, usually because of a broken app you might need to rollback for that user

Q #10. How can I run Gpupdate as part of my ConfigMgr deployment?  

• You can add the SMSTSPost variable to the task sequence, to force a reboot when the task sequence ends, which in turn updates group policy
• You can also have the task sequence install a scheduled task that does it on the machine 2-3 minutes later.

Q # 11. How can we use the state migration point for offline USMT, to avoid needing to use a regular share which needs to be cleaned up etc.? 

• The challenge when using the state migration point, the folder that is created is secured to the Windows PC that created it, and when being offline in WinPE, there is no computer account, so therefore it cannot access the SMP. That's why UDI, which does USMT offline, doesn't use the state migration point. Instead it's using a UNC path. So you basically have the
  use the folder (UNC) approach.    

Q #12.  A BIOS-based machine is detected as UEFI, which obviously breaks a Windows 7 setup. Is there a way to fix that?  

• Figure out what models/bios versions are creating problems, and add a specific condition for them in the task sequence action.   
• Also, if there is an error in the code, like if the detection is wrong, please file a bug for it    
• Could also be related to firmware not being up to date.

Q #13.  Process of feature updates – any plans to change/improve the process?   

• There are no plans to change the essential workflow that behind the scenes it is an inplace upgrade process
• MSFT is looking at ways to optimize how much content needs to be pulled down to PC but still wants to keep it as an Inplace upgrade

Q #14. Is cluster aware updates with ConfigMgr not supported?   

• There is a new server group feature (still in TP), that will work for clusters too. Simply a way to protect a certain group of machines from all being updated at the same time. You can define how many, percentage, and the ConfigMgr orchestrates the updates within that group.
• This can also be used for other scenarios, like VDI solutions

Q #15. Not all default client policies are getting to the endpoints, how can we troubleshoot?

• Use log files on the client to compare on a broken and working system   
• Use PolicySpy in the ConfigMgr toolkit
• Use the ConfigMgr Support Center tool

Q #16. What are the options for handling OSD errors?  

• If it breaks in WinPE there is no fixing it, if it breaks later you can drill down by creating smaller sequences to pin point the failure. ConfigMgr cv1511 does supports launching applications in a separate sequence, useful for testing (this scenario has been working since ConfigMgr 2007, but wasn't supported until ConfigMgr v511).
• You can also use the ServiceUI component from MDT for CMD prompt to rerun scripts: https://deploymentresearch.com/270/Troubleshooting-CM2012-Task-Sequence-Actions-Using-ServiceUI   
• Also, on the ConfigMgr roadmap are nested task sequences (an action to call a task sequence from within a task sequence). You can also use variables in sequences that looks for certain conditions, like a file being present, and then pause the sequence until the variable is met.

Q #17. How to control the inplace-upgrade of ConfigMgr when having multiple primary sites?

• The inplace-upgrade are initiated in the console, but you can set service windows against site servers for the upgrade process.

18.  Provisioning WaaS rings, is there a way to take a cross section of AD groups, or something to make sure we have a good pilot.

• Look for patterns in your inventory to determine pilot and rollout groups. We also recommend to look into the upgrade analytics solution.   
• For applications, try to find the application owner and have them help out. At least for the bigger applications.

Q #19.  Is there a way to run setup scan only option without needing the install.wim file in the package?   

• Today, full package is needed OR you can use upgrade analytics toolkit. In current ConfigMgr TP there is integration with upgrade analytics. Here is a list of the TP 1609 features: http://blogs.technet.microsoft.com/enterprisemobility/2016/09/27/update-1609-for-configuration-manager-technical-preview-available-now/

Q #20. How can we a standard user initiate the rollback, automated, for example via a ConfigMgr package or applications?

• No automation script, and you have to be admin on the PC 
• Not possible to initiate remotely

Q #21. Are there any plans to support operating system deployment for Internet-based clients (IMBC)?

• Don't know of any current plans to support this

Q #22. How can we secure a ICD package, so you cannot open it with 7-zip and see credentials for join domain etc.?

• You can encrypt the package with a password – double click to install will prompt for a password
• If it isn't encrypted, you will be able to get to plain-text credentials

Q #23.  Can you do an inplace-upgrade using a customized image?

• Not supported because of the post OS deployment customizations – need a clean place to migrate the apps into.