SponsoredbyAppSense®
AppSenseistheleadingproviderofUserEnvironmentManagementsolutionsforthesecureendpoint.ThetechnologyallowsITtosecureandsimplifyworkspacecontrolatscaleacrossphysical,virtualandcloud-delivereddesktops.
AppSensesolutionshavebeendeployedby3,600enterprisesworldwidetoninemillionendpoints.AppSenseisnowapartoftheLANDESKfamilywithofficesaroundtheworld.Formoreinformation,pleasevisit:
www.appsense.com
ConversationalWindows10Migration
ByJohanArwidmark
©2016ConversationalGeek
ConversationalWindows10MigrationPublishedbyConversationalGeekInc.
www.conversationalgeek.com
Allrightsreserved.Nopartofthisbookshallbereproduced,storedinaretrievalsystem,ortransmittedbyanymeans,electronic,mechanical,photocopying,recording,orotherwise,withoutwrittenpermissionfromthepublisher.Nopatentliabilityisassumedwithrespecttotheuseoftheinformationcontainedherein.Althougheveryprecautionhasbeentakeninthepreparationofthisbook,thepublisherandauthorassumenoresponsibilityforerrorsoromissions.Norisanyliabilityassumedfordamagesresultingfromtheuseoftheinformationcontainedherein.
TrademarksConversationalGeek,theConversationalGeeklogoandJ.theGeekaretrademarksofConversationalGeek™.Alltermsmentionedinthisbookthatareknowntobetrademarksorservicemarkshavebeenappropriatelycapitalized.Wecannotattesttotheaccuracyofthisinformation.Useofaterminthisbookshouldnotberegardedasaffectingthevalidityofanytrademarkorservicemark.
WarningandDisclaimerEveryefforthasbeenmadetomakethisbookascompleteandasaccurateaspossible,butnowarrantyorfitnessisimplied.Theinformationprovidedisonan“asis”basis.Theauthorandthepublishershallhaveneitherliabilitynorresponsibilitytoanypersonorentitywithrespecttoanylossordamagesarisingfromtheinformationcontainedinthisbookorprogramsaccompanyingit.
AdditionalInformationForgeneralinformationonourotherproductsandservices,orhowtocreateacustomConversationalGeekbookforyourbusinessororganization,pleasevisitourwebsiteatConversationalGeek.com
PublisherAcknowledgments
Allofthefolksresponsibleforthecreationofthisguide:
Author: JohanArwidmark
ProjectEditor: J.PeterBruzzese
CopyEditor: JohnRugh
ContentReviewer: KarlaReina
NotefromtheAuthor
WelcometoConversationalWindows10Migration.MynameisJohanArwidmark,MicrosoftMVPandChiefTechnologyOfficeratTrueSec,aneliteteamofinfrastructureandsecurityconsultantswhotraveltheglobehelpingcustomersmigratetoWindows10(andotherthings).
InthisbookI'msharingrealworldtipsandtricksandotherusefulinfoaboutWindows10migrations-thingswe’vepickedupoverthepastyearorsoonvariousWindows10migrationprojects.I'llalsogiveyouacrashcourseinthechangesMicrosofthasmadeforWindow10deploymentandmigrations.
Onafinalnote,Iwanttoemphasizethisbookisnotintendedtobeasalespitch.Sure,thereisasponsorbehindit,allowingthegreatteamatConversationalGeektopublishitforfree,butthisbookiswrittentogiveyouvaluableWindows10migrationinfo,andwhattowatchoutforwhenmigratingtoWindows10,notspecificallytosellasolutionorproduct.
JohanArwidmark
Twitter:@jarwidmarkFacebook:http://facebook.com/deploymentresearchBlog:http://deploymentresearch.com
The“Conversational”Method
Wehavetwoobjectiveswhenwecreatea“Conversational”book:First,tomakesureit’swritteninaconversationaltonesoit’sfunandeasytoread.Second,tomakesureyou,thereader,canimmediatelytakewhatyoureadandincludeitintoyourownconversations(personalorbusiness-focused)withconfidence.
Thesebooksaremeanttoincreaseyourunderstandingofthesubject.Terminology,conceptualideas,trendsinthemarket,andevenfringesubjectmatterarebroughttogethertoensureyoucanengageyourcustomer,team,co-worker,friendandeventheknow-it-allBestBuygeekonalevelplayingfield.
“GeekintheMirror”Boxes
Weinfusehumorintoourbooksthroughbothcartoonsandlightbanterfromtheauthor.Whenyouseeoneoftheseboxesit’stheauthorsteppingoutsidethedialogtospeakdirectlytoyou.Itmightbeananecdote,itmightbeapersonalexperienceorgutreactionandanalysis,itmightjustbeasarcasticquip,butthese“geekinthemirror”boxesarenottobeskipped.
WithintheseboxesIcansharejustaboutanythingonthesubjectathand.Read’em!
AnOverviewofWindows10Adoption
Windows10isofftoaflyingstart.Infact,ithas,byandlarge,beenadoptedbyorganizationsmorequicklythananyWindowsreleasebefore.ThisismostlyduetothefactthatWindows8/8.1wasnotlikedbythemasses,butalsobecauseofthewide-spreadtestingphasesandfeedbackprocessesthatwereaccomplishedviatheWindowsInsiderProgram.TheseledtoasolidOS.
Almost7millionpeopleprovidedfeedbackpriortothefirstWindows10releasebackinsummer2015.Thefeedbackdidn'tstopthere;theInsiderProgramisstillveryactiveandcontinuestoprovidegreatfeedbacktoMicrosoft.
TheWindowsInsiderProgram,whichstartedSeptember2014,wasledbyGabeAul(@gabeaulonTwitter)foralmosttwoyears.Nowit’sDonaSarkar(@donasarkaronTwitter)wholeadstheprogram.Youshouldbefollowingboth:)
WithWindows10,MicrosoftchangedalotintermsofhowtheOSisupdated(serviced).Thecompanyalsointroducednewdeploymentoptions,mostnotablyprovisioningpackagesandthein-place-upgradescenario.
Inadditiontothis,eventhoughthecorehardwarerequirementsdidn'tchangemuchcomparedtoWindows7,therearemanyWindows10features(mostofthemsecurityfeatures)thatrequirechangesinthehardwareconfiguration.Yes,I'mtalkingaboutswitchingfromlegacyBIOStoUEFI.I’llgetbacktothegorydetailsonthatafewpagesahead.
ThenewStartMenuinWindows10
Another“interesting”factaroundWindows10ishowmuchnetworkbandwidththat’sneededtokeepituptodate.TheWindows10updatesarereleasedatleastoncepermonth
(sometimesmore),andaregettingverybig,currentlybetween500-700MB.
Andthenyouhavetheevenlargerupgrades,whicharealmostlikeanewWindowsversion,thatarebetween2-3GBinsize.Theseupgradesarereleasedabouttwiceayear(sofar).
Here’stheshortstory:Windows10isgoingtohityournetworkquitehard,requiringfourtofivetimesthecapacityrequiredtoupdateWindows7.Thereasonforthesizeincreaseisnotonlychangestotheservicingmodel;thereisnopickandchooseanymore,itsonegiantupdate,whichisalsocumulativefrompreviousmonths.
Thismeansyouonlyneedtoapplyoneupdate(andsometimesaservicingstackupdate)togetthemachineintoanupdatedstate.ThiswayofservicingWindows10updatesobviouslyintroduceschallenges,especiallyifyouhaveadistributedenvironmentwithslow,orjustheavilyused,WANlinks.
Don'tworry,keepcalm,therearesolutionsinplacetohelpyoudistributeWindows10updates/upgradesquiteefficientlywithoutkillingyournetwork.Peer2Peersolutionsforcontentdistributionhavebeenaroundformanyyears,andevenMicrosoft,thoughlatetothegame,isstartingtoimplementtheseintheirmanagementsolutionsaswespeak.Coincidence?Ithinknot:)
Windows10EditionsAswithpreviousWindowsreleases,Windows10comesinabunchofdifferentversions,someforendconsumers,andsomefororganizations.TheversionyoushouldbeusingisWindows10Enterprise,becausethatversioncontainsallthenewsecurityfeatures,andalsohasnumerousdeploymentand
managementcapabilities.Therareexceptionisifyouworkinaneducationtypeoforganization,thenyouprobablyusetheWindows10Educationversion,whichhasthesamefeaturesasWindows10Enterprisebutislicenseddifferently.
ForasolidlistofalleditionsofWindows10withafeaturecomparisonacrossalleditions,checkWikipedia(theyhaveagreatchart):https://en.wikipedia.org/wiki/Windows_10_editions
TheWindows10Proversionmaynotbegoodenoughforsomeorganizations,becauseit’smissingmanyimportantfeatures:FeatureslikeAppLockertoblockaccesstoWindows10applications,DirectAccessforremoteworkers,granularUXcontrolfordeployment(startmenucustomizationsetc.)andmostofthenewWindows10securityfeatures,justtomentionafew.Atthesametime,duetotheexpenseoftheEnterpriseedition,someintheretailandeducationspaces(whomaynotneedallthefeaturesinEnterprise)willappreciatetheProedition.
Thereisanotherversionyoumaystumbleacross,andthatisWindows10EnterpriseLTSB(LongTimeServicingBranch).Thatversionisspeciallytargetedtoenvironmentsthatcannotchange,likeamachinecontrollingapowerplant,oremergencyequipmentatahospital.TheLTSBversionisnotfornormaluse,eventhoughitmaybetemptingtotryit.
Tolearnmoreaboutthedifferenteditionsandcomparethefeatures,youcancheckwithMicrosoftonthefollowingpage:http://tinyurl.com/p99ohhs
Microsoftprovidesfeaturecomparisonchartsforclarity
TheBigTakeawaysWindowsversionsworthdeployingonagrandscaletendtotaketheleapfrogapproach.Forexample,Windows95(awesome),Windows98(notsogreat),Windows98SE(solid),WindowsME(cough…cough…next!),WindowsXP(unforgettable),WindowsVista(forgettable),Windows7(gold),Windows8/8.1(bronze)andlast,butnotleast…Windows10.ThefutureforMicrosoftintermsoftheOSlookandfeel,functionalityandmore.
Ultimately,thedesiretomovetoWindows10isgoingtocausemanyorganizationstohavetofigureoutthebestwaytomigratetheirexistingsystems.Andthatleadstoournextchapter.
MigrationStrategyforWindows10
Migrating(orupgrading)asingledesktoporlaptoptoanewerflavorofWindowscanbeachore.DoingittohundredsorthousandsofsystemscanoverwhelmITadminsand/ordesktopadminstaskedwiththeresponsibility.
Butit’snotliketheolddayswhereyouhadtodoitmanuallywitheachsystem.Therearetoolstoautomatetheprocess,someofwhichareprovidedbyMicrosoftandothersthroughthird-partyprovidersseekingtomaketheprocesssimplerfortheircustomers.Let’sreviewsomeoftheoptionsprovidedbyMicrosoft.
Windows10andIn-placeUpgradesAsImentionedearlier,MicrosoftintroducedanewdeploymentscenariowithWindows10,thein-place-upgrade
scenario.Andeventhoughthisscenariohasbeenusedbymorethan300millionend-consumersbynow,ithasnotbeenadoptedmuchinorganizations.Mainlybecauseofthemanylimitations,butalsobecauseorganizationshaveseenWindows10asawaytostartfresh,andleavelegacyconfigurationsbehind.Imean,afterall,thein-place-upgradewillupgradethemachinesexactlyastheyare;thereisnopickandchoosehere.
Sowhataretheselimitations?Well,forastart,youcannotuseyourowncorporateimageinanin-place-upgrade.YouhavetousethedefaultMicrosoftimageandmodifywiththeUpgradeTaskSequenceEditor.ThedefaultsetupmechanismdoesnotallowforswitchingfromBIOStoUEFIduringanin-placeupgrade.Thereareworkaroundswiththirdpartysolutionsand/orcreativehacks(somelesssupportedthanothers).
AWindows10in-placeupgradetasksequence.
Inaddition,theremayalsobesoftwareinstalledontheboxthatpreventsyoufromrunningtheupgrade.Softwarelikethird-partyantivirusordiskencryptionareknownformakingtheWindows10upgradeprocessquiteupset.Itcanalsobethatyouareonadifferentlanguageorarchitecture,forexampleyoucannotupgradeaWindows7x86toWindows10x64.Thereareafewmorelimitations,buttheoneslistedherearethemostcriticalones.
Oftentimes,whenWindows10setupmisbehaves,youneedtochecktoensurethecauseisnotathirdpartyantivirusordiskencryptionsolution.
TraditionalDeploymentScenariosNow,Windows10stillsupportsthethreeclassicdeploymentscenarios:Baremetaldeployments,refresh(wipe-and-load),andreplace(side-by-side).MeaningyoucancontinuetodeployWindows10inthesamewayyoudeployedWindows7orWindows8/8.1,withyourowncorporateimage(referenceimage)andinacompletelyautomatedfashion.Herefollowsomemoredetailsoneachscenario:
• Newcomputer.Abaremetaldeploymentofanewmachine.Again,thisscenarioassumeyoudon’twanttokeepanydata.
• Computerrefresh.Areinstallofthesamemachine(withuser-statemigrationandanoptionalimagebackup).
• Computerreplace.Areplacementoftheoldclientwithanewclient(withuser-statemigrationandanoptionalfullimagebackup).
Thetraditionalscenariodoesnotrequire,fromatechnicalpointofview,thatyouhaveareferenceimage,butyoureallyshouldhaveone.Thebestwaytobuildreferenceimages-Andthisisnotrelatedtohowyoudeploythemlater,orwhatsolutionyouuse–IstousethefreeMicrosoftDeploymentToolkit(MDT).MDTisremarkablygoodatcreatingreferenceimagesthatarecompatiblewitheverydeploymentsolutionoutthere.Ithelpsyoucreateatrulygenericimage,andinanautomatedfashion.
WhenautomatingbuildofWindowsreferenceimageswithMDT,youoftenstumbleacrosstheterm“ImageFactory”,whichisexactlywhatitis:)
Indeploymentprojectswefighthardtokeepasomewhatthinreferenceimage,becausethatallowstheimagingprocesstobeflexibleatdeploymenttime.Forexample,youcandynamicallygeneratelistsofapplicationstoinstallfordifferentdepartmentsetc.By“thinimage”Imeananimagethatisfullyuptodate,andthathasalltheruntimesupport(VisualC++and.NET),butdoesn’thavemanyapplications.TherareexceptionisifeveryoneintheorganizationisusingOffice,andthesameversionofOffice,Itypicallyincludethatintheimageaswell.ThereasonisbecausetheOfficesetupisquitebig,anditcanbeupdatedwhenbuildingthereferenceimage,ratherthanatdeploymenttime.Thissavesbothtimeandnetworkbandwidth.
However,sometimesyouhavetobuildthickerreferenceimages,meaningimageswithlotsofapplicationsinthem,simplytomeetaServiceLevelAgreement(SLA).Anexamplewouldbetheabilitytodeployaschoolclassroomoverlunch,becausethenextclassneedsadifferentsetup.Pleasenotethatthemoreapplicationsyouputintoanimage,thecostlieritbecomestomanage,andthemorefrequentlyyouneedto
updatetheimage.Ineithercase,toolsliketheMDT,andSystemCenterConfigurationManagercanassistwithupdatingimages.Bothhavetheabilitytosequenceouttasks(suchasinstallingOffice)toautomatethis.
TaskSequenceforaWindows10referenceimagewithOffice.
LevelofAutomationBacktotheactualdeployment.NomatterwhatsolutionyouusetodeployWindows10,it'syouwhodeterminesthelevelofautomation.Someorganizationsprefertopre-stagealldeployment,someprefertogeneratesettingsontheflyduringdeployment,andsomeprefertopromptforinformationatdeploymenttime.Ingeneral,Iprefertohaveinfopre-staged,becauseitallowsafullyautomateddeployment,andminimaltechniciantime,butthereisnorightorwronganswer.Yousimplychoosethelevelofautomationthatfitsyourorganizationthebest.
PromptingforwhatWindowsversiontodeploy.
AllMicrosoftdeploymentsolutionsoffercustomizationsfortheautomationlevel.It’sallintheMicrosoftDeploymentToolkit(MDT),whichanadminwouldfindat:http://microsoft.com/deployment
DealingwithUserStateForthelasttwoscenariosintheprecedingsection,thecomputerrefreshandcomputerreplacescenarios,thedesignbehindthemassumesyouareinterestedintakingcareofuserdataandsettings.Note:userdataisfilesbothwithinaprofile,butalsooutsidetheprofile.LikeaC:\MyStufffolder.Settingscanbefoundintheregistry,infiles,indatabases,incertificates,andothermechanismsaccessiblethroughanAPI.
And,takingcareofuserstate,meaninguserdataandsettingsonthemachine,isoftenafactorthatgetsneglected.IhaveseenmanyITorganizationssimplyfallingbacktocompanypoliciesthatmaysayusersarenotallowedtostoreanydata
locally.Butwhatiftheydo?Wellnobodyblamesyou,thesysadmin,butifdataislostthereisstillacostfortheorganizationasawholetorestoreit.Youcanavoidthatcost,andenduserfrustration,byusingthemigrationenginesthedeploymentsolutionprovidesorbylookingatthirdpartyoptionstohelpwithmigratinguserdataandsettings.
AsImentionedearlier,theonescenariowhereyoudon'thavetoworryaboutuserstateatallistheWindows10in-place-upgradescenario,becausewhenthatscenarioisused,itwillmigrateovereverysingleapplication,allthedata,andalltheusersettingstothenewsetup.Thereisnopickandchoosehere,it'severything.Thatalsomeans,thatifyou'realreadynotsuper-happyaboutthecurrentenvironment,in-placeupgradeisnotforyou.
ComputerRefreshWorkflow
Sohowdoesthecomputerrefreshreallywork?Well,here’sthehighleveloverview:
1. You,asanadmin,pushoutadeploymenttoanexistingmachine.Thisdeploymentstartsrunningthroughaseriesofstepsneededtodrivetherefreshscenario.Note:Howyouaccomplishthisdependsonthedeploymentsolution,butinthecaseofSystemCenterConfigurationManager,theadmingoestotheConfigMgrconsole,andcreatesadeploymentjobthattargetsacollectionofcomputers.IfusingMDT,theadmininitiatestheprocessontheactualclientbyrunningtheLitetouch.vbsscript.MDTstandaloneisnamedMDTLiteTouchdeployments.
2. Ifthebackupsolutionusedisrunningonlinethat’stypicallythefirstthingthathappens.Thisbackupisnormallystoredlocallyusinghardlinks,forperformance
reasons,butI’veseenconfigurationswherethedatahasbeencopiedtoafileserverasanextrabackup.
3. NextstepisthatthedeploymentstagesaWindowsPreinstallationEnvironment(WinPE)ontheharddrive,andrebootsthemachinesoitstartsinWinPE.
4. IntheWinPEphase,anyofflinebackuphappens.Thatcaneitherbeuserstate(unlessrunonline),and/orafullimagebackupwheretypicallyaWIMfileoftheentireharddriveiscreated.
5. NextstepistoapplytheWindows10image,fixupanybootloaders,andthendoanotherreboot.
6. Afterthereboot,thedeploymentinstallsanysoftwareupdatesmissingfromthereferenceimage,aswellasanyapplicationsthathavebeenassigned.
7. Asafinalconfiguration,theprevioususerstatebackupisrestored,sothemachineiscompletelyreadyfordeployment.
ComputerReplaceWorkflow
Thatwasthecomputerrefreshscenario,butwhataboutthecomputerreplacescenario?Well,it’squitesimilartothecomputerrefreshscenario,butsinceyouarereplacingcomputers,youcannotreallystorethebackuplocallyonthemachine,somosttimesyoueitherslingshotthebackuptothenewclientdirectly,oruseafileserver,anNAS,anotherclient,USBmediaetc.tostorethebackupinbetween.Soforcomputerreplace,thestandardprocessisdividedintotwomainparts,abackupjob,andthenanormalbaremetaldeployment.Thebackupprocessbreaksdownlikethis:
1. You,asanadmin,pushoutadeploymenttoanexistingmachine.Thisdeploymentstartsrunningthroughaseriesofstepsneededtodrivethereplacescenario.
2. Ifthebackupsolutionusedisrunningonline,that’stypicallythefirstthingthathappensalsointhisscenario.However,forthereplacescenario,thisbackupisnormallystoredanywherebutlocally,againforexample,afileserver.
3. NextstepisthatthedeploymentstagesWinPEontheharddrive,andrebootsthemachinesoitstartsinWinPE.
4. IntheWinPEphase,anyofflinebackuphappens.Thatcaneitherbeuserstate(unlessrunonline),and/orafullimagebackupwhereaWIMfileoftheentireharddriveistypicallycreated.
Thisendsthefirstpartofthereplacescenario.
Thenextandfinalpartisanormalbaremetaldeployment:
1. PXE-booting,orbootingfromUSBmedia,tostartWinPE.
2. ThentheWindows10imageisapplied,bootloadersconfigured,andthenareboothappens.
3. Afterthereboot,thedeploymentinstallsanysoftwareupdatesmissingfromthereferenceimage,aswellasanyapplicationsthathavebeenassigned.
4. Asafinalconfigurationstep,theprevioususerstatebackupisrestored,sothemachineiscompletelyreadyfordeployment.
Fortherefreshandreplacescenarios,youtypicallyspendquiteabitoftimefiguringoutwhatdataandsettingstomigrate,becausethereissimplynoone-size-fitsallconfiguration.It'sdifferentforeveryorganization.I’mreferringtotheuseofanytoolsthatbacksupuserstate,theyneedtobeconfigured.Forexample,iftheUserStateMigrationToolfromMicrosoftis
used,youconfigurethebackuptemplatesforwhatfiles/foldersandevenregistrysettingstoincludeinthebackup
ProvisioningPackagesAnotherinterestingtechnologythatwasintroducedwithWindows10isprovisioningpackages,apackagecontainingfileassetsandsettingsforWindows10.Forexample,aprovisioningpackagecancontainanapplicationinstall,instructionstojoinamachinetoadomain,tosetacomputername,installacertificate,orenrollthemachineintoamanagementsolution.
Theveryideabehindtheprovisioningpackageswasthatausershouldbeabletogoshippingandabuyamachineinanystoreoftheirchoosing.ThatmachinewouldobviouslynotbedeployedwithWindows10Enterprise.Itwouldnotbepartoftheorganization’sdomain,etc.Butrunningtheprovisioningpackagewill"fixup"themachineforcorporateuse.
ConfiguringProvisioningPackagesinWindowsICD
ProvisioningpackagescanalsobeusedtosimplyapplyWindows10policies.Forexample,youcansetapolicytocontrolifyouareallowedtousethecameraonacomputer,orhowWindowsDefendershouldbeconfigured.Manyofthese
policiesoverlapwithwhatyoucandowithWindows10grouppolicies,butnotallofthem.
Theideabehindprovisioningpackagesisreallygood,butpleasenotethatthisaveryelementaryversion1.0solution.What'sworse,it'snotyetintegratedwiththedeploymentsolutionsavailable.
Windows10andGroupPolicyAndspeakingofgrouppolicies,someofthemoreinterestingthingsyoumaycomeacrosswhenmigratingtoWindows10,areexistingWindows7orWindows8/8.1grouppoliciesbreakingthingsinWindows10.
I’veheardsomesaythatGroupPoliciesareabitofanightmare,especiallywhentryingtoapplyalevelofgranularityatscale,usingfiltersorpreferences.HereiswhereversioninghandlingviathirdpartyorMicrosoftMDOPcanhelpinmanagingGPOsinlargerorganizationswheremultiplepeoplearedoingchanges.
Forexample,inoneofourmorerecentprojects,usershadbeenusingAppLockertolockdownapplications,andthewaytheyhaddoneitwasbasicallywhitelistingapplicationsthatwereallowedtorun.Now,inWindows10,boththesearchandstartmenusareapplications,andtheendeffectoftheAppLockerpolicywasthattheycouldnotusethestartmenu,andtheyalsolockeddowncommandprompts,sotheadministrationwaslimited:)
WithWindows10youwanttostartfreshongrouppolicies.Afterall,inmanyenvironments,grouppolicieshavebeen
aroundsinceWindows2000,whengrouppolicieswasreleased.AndorganizationshavesimplyaddedmoreandmoreasWindowsXP,WindowsVista,Window7andWindows8/8.1weredeployed.
MyrecommendationistotakeWindows10asagreatopportunitytoreviewyourexistingpolicies.CreateanewWindows10OUstructurefortheWindows10pilotproject,andonlylinkaveryfew(ornone)oftheexistinggrouppoliciestoit.Someyoumayhaveto,likecertificateenrollmentpolicies,WSUSpoliciesetc.,butIrecommendyouberestrictive.
YoualsohavetheoptionofusingWMIfilterstolimitwhatoperatingsystemgrouppoliciesshouldapplyto,butingeneralit’seasiertouseanewOUstructure,atleastduringthepilotproject.
IfyouaregoingtousetheWMIfilterapproachforWindows10andgrouppolicies,pleaserememberthatitisastringcomparison,andthestring“10”isactuallynothigherthan“6.1,6.2or6.3”whichareusedforlegacyWindowsversions.
Windows10DriversandHardwareConfigurationInalloftheWindows10migrationanddeploymentscenarios,youdohavetoworryaboutdrivers.Forexample,iftheWindowssetupprogramdoesnotdetectsuitabledriversduringanin-place-upgrade,itwillabortthesetup.FindingdriverssuitableforWindows10isanartonitsown,butyourstartingpointshouldalwaysbewiththehardwarevendor.
NotonlyaretheyverylikelytohavetesteddriversforWindows10,theywillalsosupportyouifyouhaveanyissueswiththem.Alsothevariousvendorshavegottenincreasinglybetterat
providingdriversthatarereadytobeusedformassdeployment.Herefollowsaquicklist:
ForHPhardwareIrecommendingusingtheHPSoftPaqDownloadManagerutility,whichcandownloadandextractdriversonapermodelbasis,suitableforimportintodeploymentsolutionslikeMTDorConfigMgr.
ForLenovo,youcaneithertryyourluckwiththeThinkVantageUpdateRetrieverutility,orusetheSCCMpackagesavailableontheirwebsite.Thetricktousingtheutilityistofirstdownloadthedrivers,andthenusethemanagementfeaturestoexportthedriversinaflatstructuretobeusedinWindows10deployments.
IntheLenovocase,don'tletthewordSCCMfoolyou.Thesepackagescanbeusedwithanydeploymentsolution.
Dell,whowasoneofthefirstvendorstocomeoutwithgooddriversforWindowsdeploymentingeneral,hasgooddriverpackages(CABfiles)forWindows10deployments.DellalsoprovidesoneofthebestWinPEdriversetsintheindustry.
Regardinghardwareconfiguration,IIshoulddiscussBIOSvs.UEFIconfiguredmachines.Today,mostmachines,sincetheyarerunningWindows7,aresettoruninaBIOS-modeconfiguration,evenifthehardwaresupportsUEFI.Thereasonissimple:dependingonthehardwareinvolved,itcanbequite"interesting"togetWindows7deployed.TryforexampletodeployWindows7toaMicrosoftSurfacemachine,andyouseewhatImean.Thatbeingsaid,somehardwaredoessupportcompatiblemodulesallowingyoutodeployWindows7inUEFI-mode,butthefactis,mostorganizationsarestillrunningtheirWindows7deploymentonmachineinBIOS-mode.
IfyoudomanagetodeployWindows7toaMicrosoftSurface,pleasepingme,Iwouldbereallyinterestedinhowyoudidit:)
WhyUEFIthen?Doyoureallyneedtobother?Theanswerisyes,youdo.MostofthenewsecurityfeaturesinWindows10requiresecureboot,whichinturnrequiresUEFI.Thismeansthatatsomepointyouneedtomakeadecision:ShouldIcontinuetoruninBIOS-modeandmissnew(andupcoming)securityfeatures?OrshouldIgoaheadandswitchmymachinesintoUEFImode?
Well,someorganizationsI'veworkedwithhavemadethedecisiontoswitchassoonasthefirstWindows10imagesarerolledout.Otherorganizationshavedecidedtotakeabitmorelaidbackapproach:theykeepBIOS-basedsetupsfornow,ontheirexistingmachines,buteverytimetheyreplaceabrokenharddrive,orbuynewhardware,theyconfigurethatmachineforUEFI.
Theirgeneralthoughtforthisapproachisthatwithinafewyears,allmachineswillhavebeenswappedout,andwillberunninginUEFI-mode.OthercompaniesI’veworkedwithwantedtousethesecurityfeaturesrightaway.Forexample,arecentcustomerdidafullimplementationofcredentialguardwithWindows10,oneofthefeaturesthatrequiresUEFItowork.
Windows10andApplicationReadinessWindows10hasbeenquiteawesomeinitsapplicationsupport,andafterdoingWindows10migrationprojectsforalmostayear,I’veonlyencounteredafewapplicationsthatdidn’tworkwithWindows10.Notsurprisingly,mostofthemwereVPNclients:)
Anyway,eventhoughWindows10hasreallygreatapplicationsupport,andyoucanmoreorlessassumethatifanapplicationworkonWindows7,itwillworkonWindows10,itstillmakessensetotesttheappsduringtheWindows10pilot,sothatyoucanaddressanyissuesfoundearlyon.
SofarmostissuesrelatedtoapplicationsinWindows10havenotbeenwithnormaldesktopapplications.TheyhavebeenwithwebsitesorwebapplicationscausingissuesbecauseofInternetExplorer11beingusedincombinationwithWindows10.
Sowhatdoyoudoifanapplicationdoesn’tworkinWindows10?Well,ifitsvendorisstillaroundyoutypicallycheckinwiththem.Iftheyarenotaroundanymoretherearemanyapplicationcompatiblytricksyoucantry:shimmingapplications,virtualizingapplications,runningthemremotely,andmanymore.Formoreadvancedapplicationreadinessyoumightwanttoreviewthirdpartyoptionsavailableinthatspace.
TheBigTakeawaysMicrosofthasdoneitsbesttoprovideavarietyofmethodsandtools(liketheMicrosoftDeploymentToolkit,MDT)forupgradingtoWindows10.Thetoolsrequiresomeeffortandtimetomasterandinsomecasesyoumayhavethetimeandpersonneltoaccomplishthis.Inothercases,youmaylooktoassistancefromathird-partysolutiontomakethetaskeasier.
VendorSponsorChapter:AppSense
ThepathtoWindows10isfilledwithchallenges–someyou’llidentifyintheplanningphaseandothersthatonlyreartheiruglyheadmid-migration.AtAppSensewehavemanyyearsofsmoothingandacceleratingmigrationsbetweenWindowsversions,andbetweenphysicalandvirtualdesktopdeployments.
ThisbookhighlightsanumberofareaswheresolutionsfromAppSenseandournewparentcompany,LANDESK,cansimplifythetaskofimplementing,updating,andsecuringWindows10,aswellasmigratingtheapplications,usersettings,anddatathatuserswillexpectintheirshinynewWindows10environment.
GettoWindows10FasterAfaster,moreefficientWindows10migrationisachievablewiththefollowingfeaturesfromtheAppSenseandLANDESKsolutionfamily:
• Filemigration–captureallfiles(evenPSTs!)fromtheuser’solddesktoporlaptopwithoutdisruptingthem,withinstantavailabilityintheirWindows10desktop
• Userprofilecaptureandmigration–precise,automatedcaptureofsettingsanduserpersonathatyouwanttomigratetothenewenvironment
• Granulardesktoppolicy–withoutthecomplexityandoverheadofGroupPolicyWMIfiltersandPreferences
• Securityanddesktoplockdown–mitigateransomware,reducehelpdeskcallsandsoftwarelicensingcostswithapplicationandprivilegecontrol
• Patchmanagement–centralized,advancedcontrolofupdatesfor3rdpartyandMicrosoftappsinadditiontoWindowsandMacOS
• Peer-to-peerdistributionofdiskimages–especiallyinbranchoffices,wheredeliveryofdiskimagestoeachendpointconsumestoomuchbandwidth
• Imagepreparationandcreation–useonelightweightimagewithHardwareIndependentImaging
• Applicationdeployment–deployapplicationstoWindows10desktopsbasedonaper-userinventoryscanofthecurrentdesktopestate
IftheseaspectsofyourWindows10migrationareachallengeforyourorganization,talktothepersonwhogaveyouthisbooktofindouthowAppSenseandLANDESKcanhelp.
NOTES
.