Embed Size (px)
Citation preview
Keeping Current with Windows as a Service
Jon Anderson
Senior Systems Consultant, Now Micro
@ConfigJon on Twitter
April 23rd, 2019
Device Lifecycle Company
•
•
•
Get Involved
Join or Start your local user group
Participate in forums
Technet
MyItForum
Microsoft Tech Community
Etc…
Get on Twitter
Not just for celebrities and presidents
Keep a Blog
Agenda
Introduction
Windows as a Service
Quality Updates
Feature Updates
Windows Update for Business
SCCM - In-Place Upgrade Task Sequence
A new way to build, deploy and service Windows
A single cumulative update each month with no
new features
• Security fixes, reliability fixes, bug fixes, etc.
• Supersedes the previous month’s update
Twice per year with new capabilities
• New features and innovation APIs and security
capabilities
• Very reliable, with built-in rollback capabilities
• Simple deployment using in-place upgrade, driven
by existing tools
• Try them out with Insider Preview
Quality Updates Feature Updates
With Windows 7 and 8, servicing choices added complexity and cost, increased fragmentation, and reduced quality
Typical Windows 7 PC:
Selectively Patched
Windows 7 Test Lab PC:
Fully Patched
What customers
are running
What we
are testing
Y
YY
Quality Updates (QU):
Express with QUs
Couple challenges:
Full
Update
Delta+Full
Update
Express
Update Files
Download Comparison: Full LCU vs. Express vs. New Model
Up
date
Siz
eto
PC
Quality Update
for 1809
Currently Supported
Quality Update types
Up
date
Siz
e t
o D
Ps/
WSU
S
Quality Update
for 1809
Currently Supported
Quality Update types
Full
Update
**Express update size as depicted is the best-case scenario with the assumption that the device stays up-to-date each month.
Delta+Full
Update
Express
Update
Full
Update
Delta
Update Express
Update**
How to get started
Available in the 1809
Supported with WSUS and ConfigMgr
Supported for OEMs/ODMs
Extra reading material
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461#M207
A new way to build, deploy and service Windows
A single cumulative update each month with no
new features
• Security fixes, reliability fixes, bug fixes, etc.
• Supersedes the previous month’s update
Twice per year with new capabilities
• New features and innovation APIs and security
capabilities
• Very reliable, with built-in rollback capabilities
• Simple deployment using in-place upgrade, driven
by existing tools
• Try them out with Insider Preview
Quality Updates Feature Updates
Semi-Annual Channel
Benefits from new features, monthly quality updates
Information workersGeneral population
Long Term Servicing Channel
Specialized systems
Early visibility to new innovation, features and functionality via continuous feature updates
Windows Insider Preview
IT, developers, selected business owners
STAGE
NU
MB
ER
OF D
EV
ICES
Key attribute of usage scenario:
Feature and Functionality Never Changes, receives monthly quality
updates
System solution based on SW and HW considerations
Semi-Annual Channel Long Term Servicing Channel
Ongoing security updates for the lifetime of the channel version
1st party browsing choices
Support for new hardware & silicon
Support for Office Pro Plus
10 years of servicing support
Latest features as they are released
Capabilities
Recommended Enterprise use scenario
General information worker systems; salesforce, etc.
Special systems: Air Traffic Control; MRI, etc.
Microsoft Edge, IE 11
Support for Win 32 Office & ability to load universal apps
Support for Surface hardware
IE 11
Continual improvements: New
features twice per year, adding
value and improving
productivity
Minimized end-user disruption
by having less change with
each releaseWindows XP Windows 7 Windows 10
Disruption Improvements
Windows 10 gets Better with each ReleaseWith enhanced security, more tools for IT
and end user productivity features
1511
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Mail, Calendar, Photos, Maps, Groove, Skype
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
BitLocker
SmartScreen
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
+
160
7 Windows Information Protection
Windows Hello for Business
Windows Analytics Upgrade Readiness
App-V, UE-V
Hybrid Azure Active Directory Join
Windows Ink
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Mail, Calendar, Photos, Maps, Groove, Skype
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
BitLocker
SmartScreen
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
+
170
9 Windows Defender Exploit Guard, System Guard, Application Guard, Application Control
Mobile Device Management
Windows Analytics Update Compliance
Windows Analytics Device Health
Co-management
Enterprise search in Windows
Continue on PC
OneDrive Files On-Demand
Narrator
Mixed Reality Viewer
Windows Autopilot
Windows Defender ATP
Windows Defender Security Center
Express update delivery
Hyper-V
Windows 10 Subscription Activation
Windows Insider Program for Business
Paint 3D
Cortana at work
Night light, mini view
Windows Information Protection
Windows Hello for Business
Windows Analytics Upgrade Readiness
App-V, UE-V
Hybrid Azure Active Directory Join
Windows Ink
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Mail, Calendar, Photos, Maps, Groove, Skype
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
BitLocker
SmartScreen
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
+
180
3 Windows Analytics – Spectre & Meltdown, Delivery Optimization, Application Reliability Logon HealthWDATP Automated RemediationConditional Access based on WDATP device riskThreat AnalyticsEmergency Outbreak UpdatesAdvanced huntingCloud Credential GuardDiagnostic data viewerWindows Autopilot enrollment status pageWindows 10 Enterprise in S modeShared Windows DevicesNearby SharingDictationTimelineWindows Defender Exploit Guard, System Guard, Application Guard, Application ControlMobile Device ManagementWindows Analytics Update ComplianceWindows Analytics Device HealthCo-managementEnterprise search in WindowsContinue on PCOneDrive Files On-DemandNarratorMixed Reality ViewerWindows AutopilotWindows Defender ATPWindows Defender Security CenterExpress update deliveryHyper-VWindows 10 Subscription ActivationWindows Insider Program for BusinessPaint 3DCortana at workNight light, mini viewWindows Information ProtectionWindows Hello for BusinessWindows Analytics Upgrade ReadinessApp-V, UE-VHybrid Azure Active Directory JoinWindows InkMobile Device ManagementAAD JoinWindows Store for BusinessWindows Update for BusinessMail, Calendar, Photos, Maps, Groove, SkypeWindows Defender AntivirusWindows HelloMicrosoft EdgeDevice GuardCredential Guard BitLockerSmartScreenWindows as a serviceIn-place upgradesContinuumCortanaWindows 10 core
+
Windows Autopilot
Windows Defender ATP
Windows Defender Security Center
Express update delivery
Hyper-V
Windows 10 Subscription Activation
Windows Insider Program for Business
Paint 3D
Cortana at work
Night light, mini view
Windows Information Protection
Windows Hello for Business
Windows Analytics Upgrade Readiness
App-V, UE-V
Hybrid Azure Active Directory Join
Windows Ink
Mobile Device Management
AAD Join
Windows Store for Business
Windows Update for Business
Mail, Calendar, Photos, Maps, Groove, Skype
Windows Defender Antivirus
Windows Hello
Microsoft Edge
Device Guard
Credential Guard
BitLocker
SmartScreen
Windows as a service
In-place upgrades
Continuum
Cortana
Windows 10 core
+17
03
180
9
Windows Defender ATP new attack surface area reduction controlsInvestigation and remediation across Office 365 ATP and Windows Defender ATPWeb Authentication in Microsoft Edge Windows Hello with FIDO 2.030 months of support for September releasesWindows Autopilot Self-deploying modeWindows Autopilot Hybrid Azure AD joinS Mode Block SwitchMicrosoft Edge kiosk modeDesktop Analytics (Preview) – Intelligent Pilot Selection and ConfigMgr IntegrationReadyforMicrosoft365.com Microsoft Edge experience improvementsAccessibility enhancementsAccess the clipboard across devicesYour PhoneWindows Analytics – Spectre & Meltdown, Delivery Optimization, Application Reliability Logon HealthWDATP Automated RemediationConditional Access based on WDATP device riskThreat AnalyticsEmergency Outbreak UpdatesAdvanced huntingCloud Credential GuardDiagnostic data viewerWindows Autopilot enrollment status pageWindows 10 Enterprise in S modeShared Windows DevicesNearby SharingDictationTimelineWindows Defender Exploit Guard, System Guard, Application Guard, Application ControlMobile Device ManagementWindows Analytics Update ComplianceWindows Analytics Device HealthCo-managementEnterprise search in WindowsContinue on PCOneDrive Files On-DemandNarratorMixed Reality ViewerWindows AutopilotWindows Defender ATPWindows Defender Security CenterExpress update deliveryHyper-VWindows 10 Subscription ActivationWindows Insider Program for BusinessPaint 3DCortana at workNight light, mini viewWindows Information ProtectionWindows Hello for BusinessWindows Analytics Upgrade ReadinessApp-V, UE-VHybrid Azure Active Directory JoinWindows InkMobile Device ManagementAAD JoinWindows Store for BusinessWindows Update for BusinessMail, Calendar, Photos, Maps, Groove, SkypeWindows Defender AntivirusWindows HelloMicrosoft EdgeDevice GuardCredential Guard BitLockerSmartScreenWindows as a serviceIn-place upgradesContinuumCortanaWindows 10 core
+
Attackers take advantage of periods
between releases
Stay ahead of the attackers with continual
software improvements
Staying Secure with Agile Servicing
TIME
CA
PA
BIL
ITY
PROTECTION GAP
PRODUCT RELEASETHREAT SOPHISTICATION
W10 Servicing Timeline (Semi-Annual Channel)
2017 2018 2019 2020
Additional Servicing (ENT/EDU Only)
2021 2022
12 months18 months
2023
Windows Insider Program
6 months 12 months18 months
6 months 12 months18 months
6 months 12 months18 months
6 months 18 months
6 months 12 months18 months
Windows 10 1607
Windows 10 1703
Windows 10 1709
Windows 10 1803
Windows 10 1903
Windows 10 1909
12 months6 months 18 months
Windows 10 1809
*Conceptual illustration only
Plan and
Prepare
IT/Developer
Targeted Pilot
Validation
Deploy and Use
Canary Self Select Sample Production
Ready for Windows
Get links to Windows 10 ISV
support statements
Get usage information for every
app version, and use that to target
testing
http://www.readyforwindows.com
We are actively engaged with
ISVs, to ensure full support for
Windows as a service
Windows AnalyticsA suite of tools to reduce deployment and support costs
Upgrade Readiness Device Health*Update Compliance
Plan upgrades by identifying devices that are ready and identify and resolve top app/driver compatibility blockers
Ensure update and antimalware compliance with timely reports for all your devices (even those on the road)
Reduce support costs by proactively identifying and remediating top
end-user impacting issues
*Only available with Windows 10 Enterprise edition
Optimizing bandwidth usage
Challenges
Caching - Shift network traffic to edges
Optimize the Network
Distributed CachingPeer to Peer (DO)
Payload PackagingDiff technology
Downloaders (BITS, DO)
Centralized CachingWSUSConfigMgr DPs
Networking Layer (LEDBAT)
LEDBAT: Low Extra Delay Background Transport
LEDBAT: How to get started
https://blogs.technet.microsoft.com/netwo
rking/2016/07/18/announcing-new-
transport-advancements-in-the-
anniversary-update-for-windows-10-and-
windows-server-2016/
Downlevel Compat ChecksGather
Operations
Mount/extract
SafeOSApply NewOS
User settings
and data
migration occurs
Run offline sysprep specialize
plugins
Run offline migration plugins
Prepare new
boot
environment
Reboot
SafeOS (WinRE)
First BootRun sysprep
specialize
plugins
Run migration
plugins
Configure/install
devicesReboot
OOBE BootRun remaining
provider operations
User settings and data migration
Provisioningmigration
OOBE LoginFISA screens
(Enterprise)
APPX
registrationDesktop
• Updates up to 63% faster by reducing the amount of time your device is offline
“Online”
“Offline”
Moved “Online”
Reboot
Progress over Win10 Releases
1703 1709 1803 1809
Pre 1703, 82.24 mins
50th Percentile 51.7 mins
50th Percentile 33.7 mins
50th Percentile 30.2 mins
Fastest, 3.05 mins Fastest, 2.44 mins
0
10
20
30
40
50
60
70
80
90
0xC1900101 – 0x30018
How to get started & Future Plans
https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag
Windows Update
for Business
Servicing from the cloud• Built on top of Windows Update for global scale
• Implemented through additional policies configurable via
Group Policy, Intune (or other MDM services), Configuration
Manager
• Controls for deferring feature updates, quality updates
• “Active Hours” to specify when users are likely away
Windows Analytics for compliance
reporting
Here is a sample listing of the files and directories
Run (Migrate) Run Once (Do not migrate)
C:\Windows\System32\update\run\GUID\preinstall.cmd
C:\Windows\System32\update\run\GUID\precommit.cmd
C:\Windows\System32\update\run\GUID\failure.cmd
C:\Windows\System32\update\run\GUID\reflectdrivers\foo.inf
C:\Windows\System32\update\run\GUID\reflectdrivers\foo.sys
C:\Windows\System32\update\runonce\GUID\preinstall.cmd
C:\Windows\System32\update\runonce\GUID\precommit.cmd
C:\Windows\System32\update\runonce\GUID\failure.cmd
C:\Windows\System32\update\runonce\GUID\reflectdrivers\bar.inf
C:\Windows\System32\update\runonce\GUID\reflectdrivers\bar.sys
• Use Microsoft defined folder structure for adding enterprise scripts
• Scripts in “run” folder gets migrated every update
• Preinstall scripts will be synchronously executed before setup starts
• Precommit scripts will be synchronously executed before setup commits/finalize
• Post –OOBE switch to run scripts after install
Demo
Windows 10
Servicing with
SCCM
Best support in System Center Configuration Manager Current Branch 1602+
Requires WSUS 4.0 (Windows Server 2012 or above) with KB3095113
Existing versions (2012, 2012 R2), as well as SCCM Current Branch, can still use task sequences to perform Windows 10 upgrades (much easier in SCCM Current Branch)
Servicing Plans
System Center Configuration Manager
Windows 10 Servicing with SCCM
In-Place Upgrade Task Sequence
Offers the most control over the process
Customization
Scheduling and deployment
Reporting
Demo
Questions?
Jon Anderson
Senior Systems Consultant, Now Micro
April 23rd, 2019
Thank you for attendingKeeping Current with Windows as a
Service
