Yesterday we provided you with some free tools to help you get started on your Windows 10 planning and execution. Today we are answering some of the questions from last week’s webinar. If there’s something we missed, please let us know and we will happily guide you through it. As always, you can head over to our Resources page and re-watch the webinar.
Question: For apps readiness to Windows 10, what factors are taken to run the assessment?
Answer: This series of articles is a great place to start understanding how to use Upgrade Analytics to assess your application readiness for Windows 10. As a complement to the TechNet article, I highly recommend the following blogs from Microsoft MVPs:
Windows Upgrade Analytics – Plan your Windows 10 upgrade
Integrate Windows Upgrade Analytics with Configuration Manager
Using Upgrade Analytics Deployment Script with ConfigMgr
Setup a connection between Upgrade Analytics and ConfigMgr Current Branch
Question: We’re currently attempting to use WDS to deploy a Windows 10 image to end users on Surfaces, but we’ve had problems with Windows 10 activation. Any suggestions?
Answer: Windows 10 activation requires your KMS services to be running on (at least) Windows Server 2012 R2 and the latest rollup package.
Question: Concerning the hardware inventory spreadsheet, was there a data extract that was performed (PowerShell) or was this created manually?
Answer: Data and information captured in the HINV spreadsheet was manually entered. It represents information that exists on any W7/8/10 machine and ConfigMgr environment, so its relevance is universal.
Question: I am planning on an In-Place Upgrade to 1607 then another IPU to Creators Update flipping the bits to UEFI. Would this be recommended as a way to speed Deployment?
Answer: For reasons mentioned in the webinar, I would consider waiting for Creators Update to be released (over the next couple of months) before doing deployments to Windows 10 1607. As discussed, you can still make the switch/conversion from BIOS to UEFI/Secure Boot during that migration as well. However, if you must migrate to Windows 10 1607 now using In-Place Upgrade, you will not be able to do the BIOS to UEFI/Secure Boot conversion during the upgrade. If the computer in question is currently configured as BIOS, then after the In-Place Upgrade to Windows 10 1607, the machine will still be configured as BIOS. If you choose to upgrade to Windows 10 1607 before Creators Update is released, then yes, the Windows 10 1607 machine can easily be upgraded to Creators Update and do the BIOS to UEFI/Secure Boot conversion during the upgrade.
Question: Is it recommended to do feature updates or a complete wipe and load when the creator’s update?
Answer: Well, it depends on the configuration you’d like machines to have after the upgrade to Creators Update. One of the points established in the webinar is the importance for enterprises of improving their security posture when defending against cyberattacks. Windows 10 makes a big step in addressing this for customers with security features like Secure Boot, Device Guard and Credential Guard. To take advantage of these advanced security features, the machine must be configured as UEFI (and Secure Boot).
Remember, Feature Updates are actually In-Place Upgrades using the Windows 10 Electronic Software Distribution file (.esd) that is installed by ConfigMgr software updates (e.g. Windows 10 Servicing)…but instead of a patch/hotfix, it’s actually a new operating system build that is being installed. The important point to remember about Feature Update deployments is that it is not possible to do BIOS to UEFI/Secure Boot conversion during the upgrade; meaning, if the machine was configured as BIOS before the Feature Update to Creators Update was installed, it will still be configured as BIOS after. The machine therefore could not take advantage of Windows 10 security features such as Device Guard and Credential Guard.
In conclusion, given the scenario described, if the goal is to upgrade to Creators Update and take advantage of the advanced security features in Windows 10 during the process, you can still use the In-Place Upgrade deployment method, but you will need to use a task sequence to drive the In-Place Upgrade rather than deploying the Feature Update through Windows 10 Servicing.
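To sort machines between the two deployment methods described above, the check below reports firmware mode, Secure Boot state and boot-disk partition style. It is an added example, not code from the webinar; the function name and the suggested-method strings are assumptions, and it assumes an elevated PowerShell 5.1 session on Windows 10.

```powershell
# Added example, not from the webinar. Run elevated on Windows 10.
function Get-UpgradePathReadiness {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # PlatformNotSupportedException on a machine booted in legacy BIOS mode.
    $uefi = $true
    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch [System.PlatformNotSupportedException] {
        $uefi = $false
    }

    # The boot disk's partition style is what a BIOS to UEFI conversion has to
    # change: MBR for legacy BIOS boot, GPT for UEFI boot.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # The suggested method is this example's reading of the answer above.
    $method = if (-not $uefi) {
        'Task sequence In-Place Upgrade with BIOS to UEFI conversion'
    }
    elseif (-not $secureBoot) {
        'Already UEFI: turn on Secure Boot in firmware, then service normally'
    }
    else {
        'Windows 10 Servicing feature update'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FirmwareMode    = if ($uefi) { 'UEFI' } else { 'BIOS' }
        SecureBoot      = $secureBoot
        PartitionStyle  = $bootDisk.PartitionStyle
        SuggestedMethod = $method
    }
}

Get-UpgradePathReadiness
```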
Question: What about 3rd party disk encryption products – do they have to be disabled prior to W10 upgrade?
Answer: Starting with Windows 10 1607, Microsoft created a new setup.exe command-line parameter called /ReflectDrivers, which allows 3rd party disk encryption vendors to have their product “slip-streamed” into the setup process, so that the encrypted disk can be read by the Windows 10 setup process. Check with your disk encryption vendor for more details about how they are leveraging the /ReflectDrivers option or other methods they support.
For more information, check out Pallavi Dheram’s session at Microsoft Ignite 2016 Upgrade to Windows 10: In depth – (fast-forward to 42:45)
Question: Once you are on Windows 10 Servicing going from build to build will having BitLocker or some type of encryption cause a problem during the update? Can we continue to use Ghost to create and distribute Windows 10?
Answer: BitLocker poses no problems for Windows 10 Servicing, as it will automatically disable and (re)enable BitLocker throughout the upgrade process. For 3rd party disk encryption vendors, see the previous response. As for Ghost, I’d imagine it would work because it copies disk sectors rather than the file system itself. However, you are likely to run into issues with UEFI Secure Boot and Measured Boot, if enabled. With that said, it would be good to understand why you would use Ghost rather than ConfigMgr OSD to deploy Windows 10.
Question: Do you have a security scan report that you can run on Windows 7 prior to upgrading to Win10?
Answer: If you want to know whether a Windows 10 readiness dashboard and the associated ConfigMgr HINV extensions can be applied to Windows 7 computers, the answer is yes. The 1E HINV extensions for Windows 10 Readiness have been created to run on down-level Windows 7 & 8/8.1 machines, as well as older Windows 10 builds.
Question: Have you seen many driver issues with moving between CBB versions? Do we have to consistently update our Driver Packages moving forward?
Answer: I’ve not experienced any driver issues between CBB build versions. The driver situation in Windows 10 has improved tremendously since the RTM release. It is a recommended best practice to keep up with the latest drivers provided by the hardware manufacturers. Read Daniel Ratliff’s (@PotentEngineer) blog about inventorying and reporting on driver versions. This blog post is key in making driver management business-as-usual (BAU).
Question: Is this dashboard specific to 1E deployments or can be made using SQL query with SCCM? Can you share the spreadsheet with attendees?
Answer: The SQL query is available for download and is not proprietary to 1E. It does not require 1E products to be deployed. The only requirement is that the associated ConfigMgr HINV extensions are first enabled in your environment. The spreadsheet detailing the HINV extensions and the associated instructions are also available for download.
Question: How do you deal with challenges like systems not supporting Device Guard / Credential Guard?
Answer: Assuming the computer is running Windows 10 Enterprise, Education or LTSB editions, the most likely reason a computer does not support Device Guard or Credential Guard is due to incompatibilities likely found in older hardware models not supporting the prerequisite configurations noted in my blog Device Guard: The Practice. If you support computers that are not capable of these configurations, then there’s not much that can be done towards making the computer compatible. Time to replace…
There are two other blogs in the series that are worth reading:
Device Guard: The holy grail of endpoint security?
Device Guard: The theory
Question: Following on from the question about Web Applications – do we know if there are any plans to make Config Manager Software Center compatible with Edge? Currently only functions with IE11.
Answer: Microsoft intends to merge Software Catalog into Software Center, thus doing away with the dependencies on Silverlight. That’s as much as I’ve found which has been publicized about the plans. You can vote it up on UserVoice to help prioritize the plans. I’d be remiss not to mention or encourage you to have a look at 1E Shopping as a full-featured app-store for the enterprise: Shopping Product web page, Online Demo.
Question: In-Place upgrades sequence only uses the default wim, how do you handle updates after the process so it won’t impact the user, as CU updates are getting larger?
Answer: Add an Install Software Update step after the Upgrade Operating System step. This will ensure the Windows 10 install has the latest software updates installed before completion. Another option would be to do an offline servicing of the default wim, which will slipstream the latest software updates into the wim before the In-Place Upgrade is made available to the targeted computers. To offline service the default wim, you only need to slipstream the latest available software update downloaded from WSUS (.msu file). This works because all Quality Updates for Windows 10 are cumulative, meaning all previous software updates are included in the latest and most recent software update.
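The offline servicing option described above can be scripted with the DISM PowerShell cmdlets. This is an added example, not code from the webinar: the function name and all paths are placeholders, and it assumes an elevated session on a machine with the DISM module and a working copy of the default wim.

```powershell
# Added example, not from the webinar. All paths below are placeholders.
function Add-LatestCumulativeUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$WimPath,   # copy of the default install.wim
        [Parameter(Mandatory)] [string]$MsuPath,   # latest cumulative update (.msu) from WSUS
        [Parameter(Mandatory)] [string]$MountDir   # empty working directory
    )

    if (-not (Test-Path $MountDir)) {
        New-Item -ItemType Directory -Path $MountDir | Out-Null
    }

    # A wim can hold several editions; service every index so whichever one
    # the In-Place Upgrade picks is already patched.
    foreach ($image in Get-WindowsImage -ImagePath $WimPath) {
        Mount-WindowsImage -ImagePath $WimPath -Index $image.ImageIndex `
            -Path $MountDir -ErrorAction Stop | Out-Null
        try {
            # Only the newest .msu is needed because quality updates are cumulative.
            Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath -ErrorAction Stop | Out-Null

            # Show the most recently added packages as a record of what went in.
            Get-WindowsPackage -Path $MountDir |
                Sort-Object InstallTime |
                Select-Object PackageName, PackageState -Last 3

            Dismount-WindowsImage -Path $MountDir -Save -ErrorAction Stop | Out-Null
        }
        catch {
            # Never leave a half-serviced image mounted or committed.
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
            throw
        }
    }
}

Add-LatestCumulativeUpdate -WimPath 'D:\Work\install.wim' `
    -MsuPath 'D:\Work\latest-cumulative-update.msu' -MountDir 'D:\Work\Mount'
```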
Question: Can Dell BIOS updates be automated, and if so, can it be zero-touch, or just light-touch?
Answer: Yes, the Dell BIOS updates can be delivered through your Zero-Touch task sequence. You MUST disable BitLocker if you are using it prior to a BIOS update. Also note that in some rare cases, depending on how far behind your BIOS version is, you may need to first install a release up to a certain date / version before being able to go to the latest. This will be covered in more detail during the next webinar on March 15.
If you’re attending Midwest Management Summit (MMS) in May, be sure to attend Mike Terrill’s sessions for more details on a slick method he’s developed toward automating BIOS updates during OSD.
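A pre-flight step for the BitLocker requirement above, written as an added example rather than code from the webinar or from Mike Terrill's method. It assumes that suspending protection for a single reboot (instead of decrypting the volume) is acceptable for your BIOS update tool; the function names are hypothetical and the vendor flash command is left as a placeholder.

```powershell
# Added example, not from the webinar. Run elevated inside the task sequence.
function Suspend-BitLockerForFirmwareUpdate {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $before = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    if ($before.ProtectionStatus -eq 'On') {
        # RebootCount 1 resumes protection automatically after the next
        # restart, so the volume is not left unprotected if a later step fails.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 -ErrorAction Stop | Out-Null
    }

    $after = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($after.ProtectionStatus -ne 'Off') {
        throw "BitLocker is still active on $MountPoint; do not flash the BIOS."
    }

    [pscustomobject]@{
        MountPoint      = $MountPoint
        WasProtected    = ($before.ProtectionStatus -eq 'On')
        ProtectionNow   = $after.ProtectionStatus
        VolumeStatus    = $after.VolumeStatus
    }
}

function Test-BitLockerResumed {
    # Call after the post-flash reboot: a volume that was protected before
    # the update should report protection On again.
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On'
}

$state = Suspend-BitLockerForFirmwareUpdate
$state
# <run the vendor BIOS update tool here, then restart>  (placeholder step)
```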
Question: When more and more computers are using VPN, what strategy do you propose to deploy Win10 to these?
Answer: The In-Place upgrade method will allow you to deploy to VPN clients. You should precache the Win 10 content to the systems prior to the deployment.