Thanks again to everyone for joining Nawzil Najeeb and me for the Windows 10 Creators Update MVP Webinar last week. There were so many questions—and lots of great ones! I hope I have answered them to your satisfaction, but please reach out to us if we missed something or if you need more information. If you'd like to learn more about the update and Windows as a service, we have another webinar next week with the CTO of Juriba. This webinar will go through what the latest updates mean for your organization. Register for that here.
In the meantime, you can re-watch our MVP webinar and check through the Q&A below.
Question: Is Peer-Caching full production or still kind of pre-release? I asked the same question of the windows and ConfigMgr team. They have stated that they do NOT plan to add more features but only to work through some bugs. There may be some new features in the next server release. There is a Windows Insider for Server program as well.
Answer: Peer Cache (PC) is an SCCM-only feature. Apart from the name, it is almost identical to the SCCM 2007 Branch Distribution Points (BDP). This means you do get some features of peer sharing, but not until after your hardware inventory (HINV) is submitted. The location sharing is based on your last HINV, so if you are on wifi and change subnets a lot… bad juju. Be aware that any downloads or sharing are done via BITS. This means you will want to actively throttle BITS to your worst-case scenario. There are lots of other issues with Peer Cache. With Windows 8 and newer there is BranchCache, but that looks to be phased out by Delivery Optimization. Delivery Optimization does a lot of cool things but doesn't support anything older than Windows 10 1703. Basically, you will end up in a mess of support, with a lack of transparency (no reports until 1710 DO) and lots of overhead. There is a 3rd-party solution that works in all of these scenarios and is fully compliant with SCCM: 1E's Nomad alternative content provider (ACP). A great solution that doesn't need kernel-mode drivers or Java, and doesn't break Microsoft's requirements for support.
Question: ATP – is this feature available for Win Pro (in the enterprise)?
Answer: Check it out here!
Question: Can you please supply a link to windows release date info?
Answer: Sure. Nawzil talked about this link and this is for the Microsoft native website.
Question: Seems like they're actually only supported for 16 months, not 18, since they never release on time, i.e. 1709 still isn't out. Do you know if they'll make 1709 supported until April or May to make it an actual 18 months of support?
Answer: Microsoft says 18 months. You are right, though, that those dates are still in flux. They have yet to announce the end-of-support date for 1703, which is the first release on the SAC cadence. WaaS is a new concept, and there is a video by Michael Niehaus that details it here.
Question: Any noticeable performance impact with the Advanced Protection feature for Windows Defender?
Answer: ATP is in the native 1709 code, so there is no additional agent and all analysis is completed in the cloud. The largest impact is the pause while ATP does investigation and analysis. Most articles you'll find about performance state that the impact is less than that of malicious code in your environment; well, yes, but that is anecdotal. Several articles have popped up recently showing that the investigation timeout can be configured.
Question: Are the updates cumulative? e.g. Can you go directly from version 1511 to 1709 or do you need to update from one version to next?
Answer: You do not need to step through intermediate builds. You can go directly to the build you desire. This will be a focus for some enterprises until they are updating SCCM CB three times a year and Windows 10 twice a year.
Question: Businesses cannot keep up with 18-month cycles. It takes 6 – 12 months to test and deploy!
Answer: Time to retire your Windows 7 process and to design your new Windows as a Service (WaaS) process. Assuming you are already on Windows 10, the testing process can be extended by using Windows Update for Business (WIP4Biz), Windows Analytics, and Upgrade Readiness. I have seen companies do all LOB application testing in WIP4Biz and then complete deployments with end-user scheduling in less than 2 months. If you are not yet on Windows 10, then review your BIOS-to-UEFI (Secure Boot) strategy. You have until Jan 2020 to be on Windows 10.
Question: Insider is not possible for us. We have hundreds of apps and multiple hardware formats. There is no way to test early Win 10 releases without severe disruption. It still takes MS 3 – 6 months to make the latest release stable with constant updating.
Answer: All problems appear insurmountable until you are able to scope the issues. I would strongly suggest reviewing telemetry (scripts exist for OSs prior to Windows 10). Then you can use Windows Analytics to review your Upgrade Readiness. This includes details on software and hardware to help you understand your environment. As for MS patch stability, that is always a consideration; for example, the delta updates for the Oct 2017 patches were incorrectly released to SCCM and WSUS and broke many with ADR rules. We will always have a degree of due diligence to do.
However, I would rather spend my time worrying about having a process agile and fast enough to react than be in analysis paralysis. Side note: Agile does not mean fast. Nor does fast mean agile. You need both to be Modern. There is a lot more to unpack in this question. I would really like to follow up with you offline to talk about your environment. I have a feeling we could post some great anonymous follow-up blogs.
Question: We don't have the resources to utilize Insider programs. We have to wait until SCCM can handle the new OS and the VLSC edition is published. By the time we get one out we have to start another. Too disruptive and expensive! No time to improve processes, solve user problems, all we do is update Win 10!
Answer: This is the fear everyone has: Windows as a Service (WaaS) being a full-time job. There is a multitude of tools that can greatly reduce the infrastructure, process, and items to be focused on. This reminds me of the project triangle: fast, good, or cheap. In a good organization, you can choose two. In a poor one, fewer. Sounds like you have Good locked down. Microsoft is trying to make Fast cheaper.
Question: Biggest flop ever! Nobody will want Windows 10 S!
Answer: Windows 10 S and Windows 10 S Enterprise have very specific use cases. Not only do they use only the Modern technologies that Microsoft espouses, but you can easily manage them for frontline workers. I agree with you that, due to the lack of enterprise-grade software in UWP, the "S" solution is not a viable solution for everyone everywhere. However, we have to start somewhere, and progress is being made. I have a feeling we will see additional developments in this space.
Question: Exploit Guard is in all SKUs.
Answer: Thank you for the clarification. ATP is licensed and lets your enterprise do the analysis for exploits. Exploit Guard allows anyone to check against the cloud definitions. Exploit Guard is the native OS solution and replaces the EMET solution.
Question: Will it also upgrade the drivers? (the hardware drivers)
Answer: I am not aware of any specific driver updates. However, you might find this article on why all WHQL drivers are dated June 21st, 2006 interesting. I loved this quote: "It's an awesome example of something that seems stupid and insignificant turning out to have a profound purpose."
Question: How do you propose I should keep 4,500 desktop and laptops across 90+ separate physical schools updated in an 18 month period?
Answer: This is a longer conversation and I would be happy to have it with you offline. The problem breaks down into 4 categories.
Question: So every windows 10 upgrade will be a clean install or it just retain the state with all settings and applications as in the previous version?
Answer: The upgrade is in place and leaves user state and applications untouched. Upgrades are the recommended path once you are on Windows 10 with UEFI. You will have the ability to back out an upgrade, assuming your space cleanup process has not run yet. There are several triggers for cleanup, like running out of space. As for a clean install, you can use imaging via SCCM to ensure that process is available for break-fix, new hire, replace, or security-based issues. I would be happy to talk more about the 4 major categories of Operating System Deployment (OSD).
Question: When will Windows 10 1703 go Current Branch for Business?
Answer: The term Current Branch for Business (CBB) has been replaced by Semi-Annual Channel. The process to promote a deployment from Semi-Annual Channel (Targeted) to Semi-Annual Channel is based on you testing Targeted in your environment, then going broad.
Question: Can Windows S be patched using SCCM? Can we define these folders via GPO? Why not protect them all?
Answer: I believe Windows 10 S Enterprise is to be managed via Intune, as S does not allow you to run non-Store applications. I have not seen any mention of SCCM/ConfigMgr in regards to Windows 10 S Enterprise. I have put some feelers out to find out.
a. Controlled Folder Access – can be set via GPO, PowerShell, or MDM.
b. Why not protect them all – the overhead would make the OS experience unfortunate.
Question: I'm an insider too, however, I haven't found any concrete info about the programs allowed automatically through controlled folder access, do you guys have more insight about it?
Answer: Until Oct 17th, all documents are marked as preview.
Question: If machines are on Windows 10 build 1511, will they be forced to update to RS1/build 1607?
Answer: It depends on whether you are pointing to Windows Update or are controlled via WSUS or SCCM. Assuming your machines are on 1511 right now, that would imply they have not auto-updated to a newer build. Are they forced? No. But after 18 months Microsoft stops releasing security updates and will require an upgrade to a supported OS before you can receive support.
Question: How does the feature/threshold update work with BitLocker Encryption?
Answer: BitLocker, as a Microsoft solution, is handled natively during an update.
Question: If you upgrade from 1511 to 1709, SMBv1 will NOT be turned off?
Answer: The March 2017 patches disabled SMBv1. Please remember you have to both patch and reboot for the change to apply. If you install the 1709 Education or Enterprise SKUs via a bare-metal process (NOT an in-place upgrade), SMBv1 is not installed by default.
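Because an in-place upgrade carries the previous build's configuration forward, the safe habit is to verify rather than assume. The following PowerShell is an added example, not code from the webinar or the blog post: it checks whether the SMB1 optional feature is still present on a Windows 10 client, whether the SMB server still accepts SMB1 sessions, looks for any client still negotiating an SMB1 dialect, and then removes the feature. It assumes an elevated session and the SmbShare and DISM cmdlets that ship with Windows 10.

```powershell
# Added example (not from the webinar or the blog post): verify and remove SMBv1 on a
# Windows 10 client. Run in an elevated PowerShell session.

# 1. Is the optional feature installed at all?
#    State is Enabled, Disabled or DisabledWithPayloadRemoved.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 2. Is the SMB server component still willing to speak SMB1?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 3. Before removing it, look for anything still talking SMB1 to this machine.
#    A negotiated dialect below 2.0 means SMB1; an empty result is what you want.
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Remove the feature and refuse SMB1 at the server. A reboot is still needed
#    for the feature removal to fully apply (the same patch-and-reboot point as above).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run steps 1 to 3 first across a pilot group and only move to step 4 once step 3 comes back empty; a legacy NAS or multifunction printer that still needs SMB1 is the usual thing that turns up there.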
Question: There are a lot of features not required in Enterprise which is making LTSC more attractive for a stable build to avoid build change cost.
Answer: Long-Term Servicing Branch is for very specific scenarios. I would not recommend LTSB for any internet-connected device, as there are too many exploits coming too quickly. LTSB has had issues with RSAT, software compatibility, MDM, Windows Hello, DoD requirements, lack of new hardware support (LTSB only supports silicon from when it was released), etc. That being said, LTSB does have very specific use cases, as long as you are aware of all the pitfalls.
Question: Are Microsoft Store apps still only "metro" apps or can traditional desktop apps now also be in the Microsoft store?
Answer: The Metro naming was replaced by Modern. Modern is being updated to Fluent (project Neon). Modern apps can be either UWP or Desktop Bridge (a bridge from Win32 applications). They can be deployed via Microsoft Store, Microsoft Store for Business, and potentially via SCCM. This is the future direction for Microsoft. The UWP concept and Modern make me wonder if they aren't trying to retire MSI. That being said, MSI is so universal it will never just disappear.
Question: Why wouldn't you just protect all folders by default with controlled folder access?
Answer: Anything in those folders is constantly monitored by Windows Defender.
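Three of the questions above touch Controlled Folder Access: how it is configured (GPO, PowerShell, MDM), which applications are allowed through it, and why not every folder is protected. The PowerShell below is an added example, not code from the webinar or the blog post, showing the PowerShell route: read the current state and allow list, start in audit mode so nothing is blocked while you discover which applications write to protected folders, add one extra folder and one allowed application, and pull the Defender events that tell you what would have been blocked. The folder and application paths are placeholders; it assumes an elevated session on Windows 10 1709 or later with the Defender cmdlets present, and uses the event IDs Microsoft documents for this feature (1123 blocked, 1124 audit).

```powershell
# Added example (not from the webinar or the blog post): inspect, configure and audit
# Controlled Folder Access with the Windows Defender PowerShell cmdlets.
# Run elevated on Windows 10 1709 or later. Paths below are placeholders.

# 1. Current state: Disabled, Enabled (block) or AuditMode, plus the configured lists.
$prefs = Get-MpPreference
"Controlled Folder Access state: $($prefs.EnableControlledFolderAccess)"
"Extra protected folders:        $($prefs.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications:           $($prefs.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Start in audit mode: writes to protected folders are logged but not blocked,
#    so you learn which LOB applications need an allow entry before anything breaks.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect one additional folder beyond the defaults and allow one known-good application.
#    (placeholder paths; replace with your own)
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Exports'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'

# 4. Review what the feature has seen. Event ID 1123 = access blocked,
#    1124 = would have been blocked (audit mode).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. Once the allow list covers every legitimate writer, switch to block mode.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The same settings are exposed as Group Policy under Windows Defender Exploit Guard and as MDM policy for Intune, so the PowerShell is mostly useful for a pilot and for reading back what a policy actually applied. Step 4 is also the answer to the "why not protect everything" question in practice: every extra protected folder is another stream of 1124 events to review and another set of applications that needs an allow entry.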
Question: Does it reinstall Store Apps?
Answer: During an upgrade, applications would not change. However, new features may be added.