Interview with Michael Niehaus about Windows 10 deployment

I interviewed Michael Niehaus, Director of Product Marketing at Microsoft, at Ignite Australia 2015 about Windows 10 deployment.

Contents

Upgrading to Windows 10
Windows Update for Business
Free upgrade to Windows 10
Windows Update Delivery Optimisation (WUDO)
Enterprise Site Discovery Toolkit
Configuration Manager as a service
Windows version numbers
Windows 10 in-place upgrade
In-place upgrade and third-party disk encryption
Windows 10, Azure AD, MDM, and ICD
Windows on MacBooks
Anything else?

Author
Recent Posts

Paul Schnackenburg

Paul Schnackenburg works part time as an IT teacher as well as running his own business in Australia. He has MCSE, MCT, MCTS and MCITP certifications. Follow his blog TellITasITis.

Latest posts by Paul Schnackenburg (see all)

Azure Sentinel—A real-world example - Tue, Oct 12 2021
Deploying Windows Hello for Business - Wed, Aug 4 2021
Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021

Upgrading to Windows 10

PS: This interview is going to end up on the 4sysops.com blog, I don’t know whether you’ve seen that blog, it’s pretty popular. I am a journalist but I’m primarily a techie, I’m a Microsoft certified trainer etc. so don’t hold back on the technical answers.

All right, so I attended your session yesterday and I’ve listened to a couple of your Ignite US sessions looking at Windows 10 deployment. As far as IT professionals go, what is the main thing we need to be aware of when it comes to Windows 10 deployment?

MN: Well, in the session yesterday we talked about two different deployment motions. One is how do I get from Windows 7, Windows 8, Windows 8.1 to Windows 10, and then once I’m on Windows 10 how do I stay current.
So, getting to Windows 10, we would typically tell customers to use an in-place upgrade because it’s easy. But if you’re going to make other changes wholesale, like new Office suite and upgrading a whole bunch of other apps then maybe you’d choose instead to do a traditional wipe and load deployment. That works equally well to get from Windows 7 to say, Windows 10.

But going from Windows 10 forward when we’re releasing new feature upgrades two to three times per year, we want customers really to look at that as being an easy motion to go through, which if you do an in-place upgrade to go from say, the original Windows 10 release to the one that came out last week, it’s pretty easy. It preserves all your apps, data settings etc, and now you’re running the latest release. So, that becomes the recommended path moving forward, to keep doing that two to three times per year as we release new versions.

The biggest challenge then is what about the apps, and understanding that we’re not making significant changes two to three times per year, we’re just adding some new features, so as a result we shouldn’t break things. Customers still are very conservative, so they would look at this as a new Windows release. Yes, to a certain extent it is a new Windows release but if they were to retest all their applications two to three times per year, that’s exceedingly expensive and time-consuming to go through. So, we’re trying to really change the mechanism to the same way that we’ve changed our own, kind of, the deployment behind Windows 10 where we start off internally, then go to the insider preview, and then out to the general population.

We want customers to do the same thing in the business environment, so initially do a pilot deployment, then go out to a larger group and then just keep expanding your deployment over a period of months until you’ve deployed the new feature upgrades to all the machines. So, instead of testing everything you just test the critical stuff – your business would fail if this list of applications doesn’t work. And for the rest of it just react to any issues that come up, which is assuming that there aren’t going to be very many issues.

We’ve talked to customers that have tested thousands of apps and found very few issues so we expect that will apply for most customers. Hopefully with each of the new feature releases that we come out with that continues to be the case, and once we get into that type of a rhythm it becomes fairly routine. A new feature upgrade comes out, you test your critical apps, you start your pilot deployments, you start working your way out to the whole organisation, it becomes, kind of, a non-event. Four months later the next one comes out, you repeat the cycle so you just keep going through that rhythm. You have lots of smaller deployment projects, two or three a year versus what companies typically do today as one big deployment project every three to five years.

PS: So, is there an education component of this? Because this is obviously in some ways based on your own internal experience of Microsoft as well as pushing out Windows 10 and Windows 8.1 to consumers over the last few years, and essentially you’re doing the same thing. You have the early adopters, the Windows insiders, they get it earlier and then if there are any big problems there you would feed that back and adjust.

MN: Yes, we’ve been going through phases of education, initially the focus was on what is Windows as a service. So, we posted two main pieces of documentation: one that describes what Windows as a service is; and the second one that talks about preparing to deploy Windows 10. So, that kind of sets the groundwork for what is it. The next layer, which comes immediately for most customers is why, why do I want to do that? So, we’re trying to provide more materials around why, what are the benefits?

Really the benefits are reduced costs overall and smaller incremental costs spread across a longer period of time. Plus you get new features and benefits from these future releases when they come out. So, first what, then why, then how? That’s the piece that we’re working on at this point, to educate customers how do I do that. They pretty much know how to get from Windows 7, 8 and 8.1 to Windows 10. They could do that the traditional wipe and load, and okay, they understand in-place upgrade and they know how to do that. But when you then want to do your own deployment rings using Windows Update, using Windows Update for Business, using WSUS, using Configuration Manager, how do you do that? So that’s our next level, adding that additional detail on how to do it, that’s what we’re working on now.

Windows Update for Business

PS: That makes sense, can you describe a little bit about what Windows Update for Business is, contrasting it with Windows Server Update Services?

MN: That’s been one of the biggest surprises to most of the people that we’ve explained it to, because initially we announced Windows Update for Business, Terry announced it on stage – I forget what event that was but probably a year before any pieces of it even showed up. So, in that period of time people formulated their own mental ideas of what Windows Update for Business would be, and it seems like the prevailing opinion was it’s going to be kind of like Intune but just for updates.

Well, no, what we were hoping for is to build something that’s really easy, so that you could… they’ve been referring to it in the engineering teams as passive updating. So you can just define the rules to say I want to create my internal rings, this one deploys on day zero, this one deploys after a month, this one deploys after two months, this deploys after three. You define those rules via polices applied either via Group Policy or using mobile device management settings, and then you just sit back and let it happen.

So, it’s Windows Update as the back end service providing the bits, but new policies on the client that configure the Windows update agent to tell it, you see that new feature upgrade, don’t deploy it right away, deploy it after a month, after two months, after three months. We give you a range, we can specify via policy one to eight months delay for each feature upgrade, and then we also added the ability to delay the monthly updates as well, the patch Tuesday updates so you could say, install it right away or wait a week, wait two weeks, wait three weeks, wait four weeks. After that it doesn’t make sense because the next one’s come out already. It gives you the flexibility to create your rings, so you still had to go through the effort of figuring out what machine should be in each group. But once you’ve done that you just create different polices to each group and then just sit back and let it run itself.

You can do that with Windows Update for Business with no on-premises infrastructure, point all your machines to the Cloud, leverage the delivery optimisation capabilities that we have to have one machine download the bits and then provide it to all the other machines inside your network. It’s really designed to be easy, but it’s still, kind of, incremental capabilities being added. So, it doesn’t have any reporting capabilities with it yet, or any compliance validation checks. You can’t look at a dashboard and see I have 10,000 machines and 9,900 of them have already been updated.

As a result of that a lot of customers are going to look at it and say well, what I have today with WSUS or with Configuration Manager or with whatever other third party solution they’re using to update Windows, what I have today is okay. I’m going to continue doing what I have today, except maybe for some outlying systems. We had a talk with one of the banks in Australia, they said they have branches all over the Pacific for machines in Australia, or PCs in Australia, New Zealand. Places that have lots of infrastructure and connectivity they’re going to use Configuration Manager and that’s going to do all of their patching. But for branches on Fiji, they had no infrastructure in Fiji. They have an internet connection so they just want to take that small set of machines, point them to Windows Update, set the Windows Update for Business Policies and just sit back, because it will be better than what they get today.

So Windows Update for Business provides that infrastructure of doing the rings type of deployments, but you can do the exact same thing with WSUS. In WSUS you create computer groups and then you can specify an automatic approval rule for the first group, the upgrade shows up, approve it. And then for the other groups manually approve it after 30 days, after 60 days, after 90 days.

You can do the same thing with Configuration Manager 2012 and 2012 R2. You create collections, you then target the update to the collection. The first one can be automatically approved, but then you would have to manually deploy for each of the other ones. That’s what they’ve been working on for Configuration Manager 2016, is a way to automate that. So you can go through feature upgrade, a wizard, basically, where you could say with this collection, any time a new feature upgrade comes out deploy it within zero days. With this collection deploy it within 45 days, with this one 55 days, whatever range you want for each group of machines. And then it’s going to do the automatic approvals but at that point in time, so it gives you the flexibility of just laying out your rings and then targeting at the appropriate machines.

PS: So, with Windows Update for Business it sounds a bit SMB at the moment then because it doesn’t have the reporting capabilities. I can certainly see a small business that doesn’t have infrastructure anyway, oh yes, this gives me a little bit more control, that’s nice, thank you.

MN: Yes, in the longer-term we’d like to add additional capabilities to it with a type of a backend dashboard to show our compliance and other information about your environment, leveraging some of the telemetry that we collect to build out a pretty complete dashboard. But that’s still something that we’re working on.

Free upgrade to Windows 10

PS: So, who is getting the free upgrade? You’ve got an offer and there’s a free upgrade for a year from Windows 7 and above to Windows 10, a little icon shows up if you’re a consumer and you reserve it, so obviously it works for the home version and for the Pro version. Does that mean that if I’m a small business with 20 Windows 7 clients today, can I just hit my reserve button and that’s a free upgrade for me?

MN: You can, there are no restrictions on the free upgrade, and everyone running Windows 7, 8, 8.1 and home or pro can upgrade for free within that year period. One of the challenges that we had with that was that we had some customers say well, I prefer doing wipe and load deployments. I want to build my own custom image and do a clean install on Windows 10, but based on the licence terms that you laid out you said we had to go through the Windows store and do the upgrade. After we do the upgrade then we have a licence provided through the Windows store so that we could then do a clean install of our own image. But we had to go through that upgrade first to get the licence.

We did make some changes to our policies starting in November to say that well, we’ll give you an easier way. If you’re in one of our trusted volume licence programmes, the higher programmes where we have a relationship with you and we trust you, we can sign an agreement that basically says you have the rights to Windows 10 under the licence, then you can do a clean install directly activating it using keys or KMS or any of the other volume activation mechanisms that are available. That just makes it a little easier for the larger customers who happen to have lots of Pro version installations and they don’t want to do individual machine in-place upgrades, instead they just want to do it across the fleet. That is an option that’s available, so customers can talk to their account teams to sign the paperwork and do that.

PS: Yes, but the enterprise SKU is not a free upgrade?

MN: The enterprise SKU is provided as part of software assurance, which is a subscription. As long as they continue to pay for the subscription they have rights to take all the new releases that come out.

Pushing Windows 10 on PC

PS: So, there’s been a fair bit of criticism around pushing Windows 10 as an upgrade to people. Especially here in Australia we’ve had some issues around bandwidth and bandwidth caps and people blowing their download limits, can you comment on this?

MN: Well, there are two pieces, one is just the monthly cumulative updates that we push out to each of the machines. They are cumulative with Windows 10 so they tend to be a little larger than they were with Windows 7, 8, 8.1, but it does mean that you only have to apply one. If you have a machine that hasn’t been patched in six months you just apply one update to it and then it’s current. So, we think that’s a better approach overall with that cumulative update just containing all the fixes, security fixes, bug fixes, reliability fixes all bundled together to make it easier to update existing systems.

Then we have the feature upgrades that come out two to three times per year. At present those feature upgrades are full in-place upgrades, so it’s going to download a full copy of the media and then use that to upgrade to the new release. We are looking at ways that we can potentially shrink that further down the line, but that’s still something that we’re studying. It will download the full media to do that upgrade, but using the delivery optimisation it can download once and then share with a whole group of machines that are on the same network segment, and potentially even share among different people with the same ISP. So, it’s leveraging a variety of technologies to identify what’s close to you in providing the bits to other machines that are nearby.

PS: I haven’t seen this myself. I read somewhere that there were systems, consumer systems and business systems, where people hadn’t actually said yes, reserve my copy of Windows 10, and they were still getting stuff downloaded to them.

MN: There were a small number of systems where we did see that happening. I don’t recall what the root cause was determined to be but it wasn’t intentional. It was never a case where it downloaded and installed it, it was always just a case where it downloaded the bits where it didn’t need to. It’s not something that we want to routinely do because sending out bits to a lot of machines that don’t want those bits costs us money. All of the internet traffic that we’re generating as a result of that is something we pay for, so we’re not just going to send out Windows bits to millions of machines, even if those machines are going to use them. There have been a few instances where it’s gone out to some extra machines.

Windows Update Delivery Optimisation (WUDO)

PS: So, tell me a little bit more about how this… so I’m a small business, I’ve got 20 client machines, one of the machines downloads the updates from Windows Update. How do the other machines find out that I’ve got bits that they could download from me rather than from Windows Update?

MN: It’s managed by the Windows Update Service, there is an FAQ that we posted for that delivery optimisation feature. It’s basically looking from the Windows Update Service perspective what does it see as a single network. If you look at most organisations they have a single connection to the internet, probably with a single public IP address, and then everything else sits behind it and goes through a firewall. That firewall provides network address translation from the internal IPs to the internet IPs. As far as the Windows Update Service goes, all of those machines are coming through one IP address that appears, so it will automatically share content with every other machine that’s showing with that same NAT IP address.

That’s good and that’s bad. If it’s a SMB where they’re physically all in the same office, perfect, because then that one IP, all machines that are sitting under that IP address are able to share their update content. But think of a large company, even Microsoft is a good example, we have one internet connection that all of our proxy traffic goes through. That would mean the Windows Update Service that’s controlling all this is going to look and say all Microsoft internal machines are able to provide content to all other Microsoft internal machines, so with that it would potentially download content to a PC in China and then share it with a PC in South America, which is maybe better than pulling it from the internet but it’s certainly going to be leveraging our WAN more than we would care to. So we did define some additional delivery optimisation group policy settings where you can tag groups of machines with unique identifiers to say this group of machines can share, this group of machines can share, this group of machines can share, but this one can’t share with that one, which gives you more control.

PS: Is this on by default, do I need to do anything?

MN: Delivery optimisation is turned on by default. There are policies to control the level of sharing, either none or with other machines on the same network, or with other machines on the internet as well. Plus then there are the enterprise focus policies that let you define your own groups, a few other policies to control behaviour as well.

PS: Okay, so this isn’t your area, Mr deployment, but I’m going to throw this one in because it affects our Windows 10 experience. What’s with this whole Windows OneDrive with unlimited storage space, and then all of a sudden it disappears?

MN: Yes, I couldn’t tell you. I read through some of the discussions around it but that’s all I really know about it.

Enterprise Site Discovery Toolkit

PS: The Enterprise Site Discovery Toolkit, you mentioned it briefly in your talk yesterday, I also heard about it in the US talks. It seems like an interesting way for a medium-to-large business to have some insight into what’s going on.

MN: Yes, if you think of web apps the same way you think of desktop applications you probably have an inventory of your desktop apps. You know what people are using and therefore you can prioritise and figure out what to compatibility test, but you might not have such a list for web apps, so that’s where the Site Discovery Toolkit comes in, it’s to try to build that inventory. There are other ways to do the same thing, maybe a proxy server log or maybe you actually have some internal processes that help you build up that list of important websites. But the Site Discovery Toolkit is just an easier way for those that don’t already have such a list to build up a list of what’s important.

Configuration Manager as a service

PS: So, you also mentioned Configuration Manager as a service, could you describe a little bit what that’s going to mean for IT professionals?

MN: Well, the main challenge with Configuration Manager is it’s designed to manage Windows releases and features within those releases. So, if Windows is going to upgrade itself two to three times per year then Configuration Manager has to deal with new Windows releases and features two to three times per year. They didn’t want to require new Configuration Manager releases two to three times per year because it’s not unusual for an organisation to take six months to deploy a new Configuration Manager service pack. That’s too long with releases coming out more frequently than that, so what they’ve built is the ability to have Configuration Manager basically update itself.

You effectively have desktop management as a service, where Configuration Manager gets periodic new updates delivered directly into the console so you can just right click and say install this latest update to add support, the latest features that have come out. They’re just adjusting their release mechanism and cadence to match Windows. They’ve already done that with Intune, Intune gets updated monthly because all of the different OSs that Intune supports generally get updated fairly frequently, so Intune always has something new to add every month. Configuration Manager primarily is to support Windows clients so it doesn’t have to be quite monthly, but it does need to be able to deal with the new feature upgrades that come out two to three times per year.

PS: So, if I’m a System Center administrator and I’ve experienced the quality issues around updates over the last couple of years to System Center 2012 R2 and 2012, I’d be a little bit concerned about having a right click in my Configuration Manager console deploy and, sort of, fingers crossed this is going to be okay. Have you guys changed your internal processes at all to ensure that we don’t end up in bad places again?

MN: Well, there are two pieces to that, one is on the Windows update side and then the other is Configuration Manager itself. With Configuration Manager they’ve built in the ability to do a pilot deployment of those new features so that you can test them out on a subset of machines. They would also typically recommend that you have a parallel lab infrastructure set-up so that you can test out the new features segregated from your production network. Since you have one system, Configuration Manager, managing all the PCs in the environment you can afford to set up a little bit of extra infrastructure to test out new capabilities offline so that you can investigate and learn how they work and do all that good stuff before you do a single click on the production environment.

From a Windows perspective, a lot of the issues that we had run into were just… they’re interesting because if you look at the issues they would be issues that we typically hadn’t encountered in our own testing. When we would build Windows updates and test them internally and out through some early adopters as well, most of the testing that we would do would be on a fully-patched system. So, take a Windows 7 machine with SP1, apply every update that we’ve ever released to that, and then apply the new ones on top of it and make sure nothing breaks.

The challenge is enterprises don’t deploy every update we release, so that means that the real world has a whole lot more variance to it than our testing environment. We can’t possibly test every possible combination of something like 250 different updates that have been released since Windows 7 SP1, so as a result we have some issues like that happen.

With Windows 10 we changed the way we release updates to avoid that. The cumulative updates bundle all that together into one update released each month. The next month when a new update comes out it supersedes the previous one, so we have exactly one configuration to test against. We take the current machine patch of the previous month’s update, apply the new month’s update to it. We’ve cut our number of unique configurations from here down to a very small manageable number, so that’s designed to improve the reliability overall with just Windows 10 in general. So, that’s really the challenges that we’re dealing with on the client side, just that patchwork of patching with organisations saying I’m going to deploy that fix but not those other five.

Windows version numbers

PS: That makes perfect sense.

So the version numbering issue for Windows 10, going from 6.1, 6.2 etc up to 10, I know you guys you mention in your talk and in the US, you guys had some internal issues around this. Is this something that IT professionals should be looking out for as they look to deploy Windows 10 now, testing scripts and things?

MN: Most of the issues around Windows version numbers have historically affected apps, so we fixed that with Windows 8, Windows 8.1 and Windows 10 by doing everything we can to deceive the applications. We pretty much flat-out lie to the application, if it asks what version of Windows are you running on we’ll say Windows 7. Unless that application contains a manifest that says I understand Windows 10, if they then ask they’ll be told you’re running on Windows 10. But if they don’t have a manifest at all, or if they have a manifest that says well, I understand up to Windows 8, then they’re going to get an answer of Windows 7 or Windows 8. It’s one of those things where we always tell developers you really don’t need to know what version of Windows you’re on, but still they put in the checks anyway, so we can work around now with those types of issues.

From a scripting perspective there are a variety of ways that you can check version numbers, and some of those we basically lock the version at 6.3 just to avoid compatibility issues. But there are a few like WMI queries where it will show 10.0, and just because of the nature of those queries it’s looking at it as a string instead of a number. So, 10.0 is less than 6.3 so things like WMI filters on group policy objects potentially cause a few little issues where the filters need to be tweaked, but usually those are discovered pretty quickly by IT pros and they’re fairly easy to fix.

PS: So, can you talk me through the versioning number, Windows 10 is now 15/11, so Configuration Manager is going to be the same thing, there might be a 16/02?

MN: Configuration Manager, yes, they want to adopt the same basic month/year pattern just to indicate which release you’re running. The product overall they just want to call it System Centre Configuration Manager but because you need to be able to differentiate which one have I clicked the install button on, then they’ll tag it just with the month and year that it was released.

PS: Is that going to spread to other applications as well?

MN: It could, we wanted something where you could actually look at the system and be able to tell a support person I’m running X. But we don’t want it to do so numerically based, that you worry about oh I’m running Windows 10 or 10.1 or 10.2 or anything like that. Instead Windows 10, 16/02 particular feature release, so it’s a way of making it clear to the administrator or the helpdesk person or someone like that, but the end-user doesn’t care. 15/11 is just obscure enough that people would look at that and say I don’t even know what that means but it’s descriptive enough for the IT pro.

Windows 10 in-place upgrade

PS: How is the in-place upgrade scenario and now the Windows 10 to Windows 10 in-place upgrade scenario working out in the real world, what’s your telemetry because one of the benefits of the in-place upgrade is that if something does go wrong you’re just going to end up exactly back where you started from.

MN: Overall if we look at the historical success rates that we had gathered from Enterprise customers doing traditional wipe and load deployments, they could generally get up to 97-98% success rates. The others were just random failures, hard drive failed or someone pulled a network cable or there was a power outage in the office, a whole bunch of various causes for an extra 2-3% of failures, so getting above 97-98% is just typically an impossibility for organisations. The goal is to get in-place upgrades to the same point, we should at least be able to get the same success rate with in-place upgrade.

We have overall success metrics collected through the telemetry coming back from machines upgraded through Windows Update where we’re pretty close to that, and we also see our own internal deployment success rates as well where we’re using Configuration Manager to run task sequences to do in-place upgrades of existing Windows 7, 8, 8.1 and 10 systems. It’s all pretty much in that same ballpark of the high 90% success rate. The biggest change is if there is a problem, that if there’s a failure it rolls back and people just, kind of, shrug their shoulders and say I don’t know what just happened but I don’t care either because I can sign in and be productive. Their helpdesk volume has gone down even though the success rate is pretty much about the same.

PS: Okay, is the free Windows 10 upgrade going to be extended past the first year?

MN: I have no idea, that would be a question for our executives. We’re assuming that a deadline is a deadline, so the end of July 2016, there may be a last minute rush to get all the machines upgraded.

In-place upgrade and third-party disk encryption

PS: Yes, I’m thinking if you were a consultant that would be a good business to be in that last free month, we’ll help you do your "free" upgrades. So, you mentioned briefly yesterday as well, you talked about the third-party disk encryption software and the issues with the in-place upgrade etc. and that you’re working together with providers of… is that something that you see, have you got figures, like out of 1,000 Windows systems out there how many are on BitLocker and how many are on a third party disk encryption?

MN: We have rough ideas but we don’t have any hard numbers because Windows 7 Enterprise installation doesn’t send any information to us for us to really know what type of encryption might be in use, so it’s kind of squishy, we think that it’s probably… it could be up to half of the Enterprise machines but we don’t know for sure. It’s something that’s come up in a lot of customer conversations, we know that there are a lot of customers running BitLocker and they’re happy and successful with BitLocker and it just works. So, it’s really been a question of the other products, those that are running other third party products, what products are they running and do we have a solution for those products. The biggest one has always been McAfee so now we work closely with them, to document how to do that.

Windows 10, Azure AD, MDM, and ICD

PS: Okay, so can you step me through the Azure Active Directory Windows 10 directory join and then the MDM enrolment happens there versus the ICD scenario, which one should I choose?

MN: The end result for both of them is to take a device and configure it so that it can be used by whatever end-user’s going to pick up that PC. When you provision from the Cloud using Azure AD, plus an MDM service you basically configure Azure AD to tell it at the time this machine joins Azure AD, also enrol in this MDM service. So you have to configure URLs for the MDM service and it takes care of the rest.

So, that makes it really simple for the end-user, to the point where they can do it themselves. They put in their ID and password, then the machine sets itself up. That leverage is the MDM to push down apps, settings, configurations, all of that down to the device.

PS: And that can do the Pro to Enterprise SKU upgrade as well?

MN: Yes, we’ve got MDM settings where you can put in a key that says change the key with this, push that device, turns it from pro to enterprise, reboots the machine and activates to a KMS server. Or you could put in a mak key and push the mak key down to the device, it installs, it reboots, changes the management point to the Cloud. Either of those approaches works fine using Intune or some other third party MDM service.

Most of what you can do through Intune you could then also do via a provisioning package, not everything, and there are a few things that you can do with provisioning packages that you can’t do via MDM. If you look at the way ICD and provision packages work, they’re a layer on top of the MDM, so effectively you’re configuring MDM polices into a standalone package and then pushing them into the MDM agent on the machine and telling it to make it so.

They’ve added a few extra things to provisioning packages to let you copy content to the machine, to run scripts, to run arbitrary command lines. There are a few things with provisioning packages that are a little broader than what you can do via MDM. With MDM you can install apps, modern apps, MSIs, but if you had a setup.exe type installer, Intune won’t do that. So, provisioning package could, Intune couldn’t, just because of what’s provided by the MDM agent versus what’s provided through the provisioning layer that sits on top of it, so there are a few differences between them.

The biggest difference though is how you get the configuration to the device. If you use ICD to create a provisioning package, you then have to figure out how am I going to get that provisioning package to the machine, is it the USB key, email, are you going to put it on a file share somewhere, am I going to insert it into my image? There are different ways that you can deploy it, but it’s not as smooth as that from the Cloud scenario where you just put in your ID and password and sit back and watch.

PS: Okay, so that’s more or less what I had understood. It was interesting, I’m sort of circling back to when you started talking in the beginning, it seems to me that the way you guys are thinking about updates, Perry Clark stood on stage at some conference not so long ago and he was asked about what the benefits were of the new versions of Exchange, and he said well, there’s less entropy, meaning there is less change in the environment. That’s, sort of, tying back a little bit to what you were talking about, rather than doing big upgrades every three years or five years or whatever you do smaller upgrades as you go along, because there is less change. And with less change there are less things that can go wrong.

It also ties in with the whole BYOD landscape that we now live in as opposed to we have 10,000 corporate controlled desktops and that’s what’s being handed out, and those are the only machines we have to worry about and that’s it. Well, that’s not a reality for most IT professionals today, so it seems to me that the whole way you’re doing updates and updating Windows etc seems to fit more into this modern world.

MN: Yes, and I think in a lot of cases that maps to the workforce as well. 20 years ago it was very standard for the workforce to be told you have a choice of PCs, that one or that one, that’s it. And it’s completely locked down, you can’t make any changes to it, it’s fully managed by the organisation, take it or leave it.

Now though we’ve shifted to the millennial generation and they’ve grown up with consumer devices that are upgraded all the time, they’re almost throwaway devices sometimes. If they get to the point where they’re tired of it they throw it away and they buy a new one. That’s a much different type of workforce because they expect to be able to use what they want to use, to use it the way they want to use it. We want to move to that model as well, to support that type of workplace because imagine you’re an organisation hiring people fresh out of college and you walk into the interview with a PC that’s running an operating system that’s four years old. They might look over at you and say do I really want to work here? So, you really need to be able to adjust to those types of expectations, they expect to be running the latest and greatest of everything.

Windows on MacBooks

PS: I heard this from a Microsoft presenter, this brilliant story from a company, I think it was an advertising company. They really wanted to attract the young and the hip people, so they said we’re only going to use MacBooks or the Air one, whatever it’s called, the shiny looking one that looks great. We’re only going to use that, and then they hadn’t realised that none of their apps of course ran on that thing, so in the end what they ended up with was these beautiful looking devices running Windows XP or Windows Vista, an old operating system because that was the only thing they had tested that all their apps ran on. That would be a bad experience I think.

MN: Yes, fortunately MacBooks run Windows really well.

Anything else?

PS: Yes, they do. Anything else you would like to tell IT professionals about Windows 10 and the upgrade process etc?

MN: Given the point that we are in the cycle we’re just encouraging organisations to start piloting. Most organisations are somewhat conservative, somewhat slow so the amount of internet in Windows 10 already is very high, which is good, so it gives them the incentive to take the next step and start looking at how would this work inside my environment? Let’s take a few hundred machines, move them to Windows 10 and see how everything goes, see how our applications work, get our infrastructure up-to-date and then branch off from there. That’s what our field is focussed on right now as well, is trying to get those pilots going, to have everyone try it out and see how it all works.