What's New in Deploying Windows 10
Before the spread of RTM, Windows 10 remains quite a bit, and in this post I would like to briefly describe the innovations in the deployment of Windows 10, as well as some features in the tools and OS installation processes that you should pay attention to. Basically, the material is intended for those who plan to deploy Windows 10 in a corporate environment. Additional information can be found in the first module of the course “ Windows 10: Deployment, Management, Security ”.
Formal hardware requirements are listed here . In fact, we can say that if Windows 7, Windows 8 or Windows 8.1 is running on your hardware, Windows 10 will work as well. There is perhaps one subtlety regarding the 64-bit version. Starting with version 8.1, Windows uses some processor instructions that are not supported by the Pentium D. On these processors, the 64-bit version of Windows 10 will not work. However, I hope you have no such processors for a long time.
In terms of application compatibility, everything looks pretty good. In Windows 10, there are quite a few changes and improvements, but for the most part they do not affect the Win32 subsystem in which applications are launched. We assume that at least 90% of the existing desktop applications will work without problems even under Windows 10. But life is complicated, and developers are creative people, so no, not 100%. In addition, in some cases, even if the application is working properly, it is necessary that the company-developer (ISV) officially confirmed support / certified its software for the new OS. Or released a new version.
')
With regard to Windows Store applications, automated tests have been developed that verify the compatibility of modern applications with Windows 10, detect potential and real problems, and send this information to the appropriate OS development teams. We are sure that the overwhelming majority of problems in this direction will be eliminated even before you see them.
And here there are several important points that are worth paying attention to.
First, as you probably know, Windows 10 will have two browsers built in - Microsoft Edge (formerly Project Spartan) and Internet Explorer 11. The first is for browsing modern websites with HTML5 support and the latest standards, the second is mainly for compatibility with existing ones. web applications. The use of IE11 is especially relevant in a corporate environment where you use your own customized portals and websites or web applications that use Silverlight. Let me remind you, Microsoft Edge does not support Silverlight.
Secondly, starting January 12, 2016, support for older versions of IE in Microsoft OS will end . The table below shows the combinations of OS and IE versions, which will be supported after 01/12/2016.
This means that if you quietly use Windows 7, say, IE9, and don’t even plan to upgrade to the top ten in the coming months, you need to start testing your web applications for compatibility with IE11. Because with the new year, IE11 will be the only version of Internet Explorer supported on Windows 7.
Immediately, I note that you can use all the usual approaches and deployment tools, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM), for Windows 10. The new OS will have three main deployment options available:
The first, well-known option involves booting the machine using a prepared Windows PE image, creating / formatting partitions on the hard disk of a computer, deploying a customized Windows 10 image, installing the required drivers, installing the necessary software. If you want to save user data and settings, the User State Migration Tool (USMT) is launched before formatting, which copies (for example, a network shared folder) user’s files and settings, and after installing the software, restores the collected files and settings in Windows 10.
The second option is also not fundamentally new and is an on-site update of the system. In this case, not only user data and settings are saved, but all installed applications.
The third option is provisioning - the know-how of Windows 10. It is intended to “transform” a new device from Windows 10 into a corporate device, with the appropriate settings, applications and OS editing.
Further a little more detail about each of the options.
As I said, this option has long been well known. And as in the case of previous OS releases, in order to support Windows 10, it will be necessary to update existing deployment tools. Namely:
Only SCCM vNext will support all the new features of Windows 10, however, as can be seen from the table, you can deploy an image and customize management using current versions of SCCM.
In-Place Upgrade is available for many releases. It's no secret that IT departments prefer to use a clean install (Wipe-and-Load), especially after XP migration experience with Vista. Understanding this, the Windows team did a lot of work to improve the upgrade process. The results of the transition of users from Windows 8 to Windows 8.1 showed that the efforts were not in vain. In addition, pilots were conducted with a number of customers to upgrade "on the spot" from Windows 7 to Windows 8.1, which revealed additional vectors of application of the efforts of the developers.
As a result, the "dozen" supports In-Place Upgrade for Windows 7 SP1, Windows 8, Windows 8.1, that is, for most of the currently supported versions of client Windows.
The upgrade process to Windows 10 consists of 4 phases.
1. Down-level . During the first phase, Setup checks whether the updated computer complies with the requirements of Windows 10, collects information about drivers, user settings, installed applications. Detected applications are checked with the Compatibility Database for compatibility. At the last step, the WinRE image (winrm.wim) is formed, to which boot critical drivers specific to this computer are added, if necessary. At the end of this phase, the first reboot is performed.
2. WinRE . The machine is loaded using the WinRE (Recovery Environment) image, a kind of minimalist environment, the task of which is to copy the files of the original (down-level) version of Windows to the Windows.old folder, expand the "dozens" image from the install.wim distribution file, create the required directory structure, Add the necessary drivers for the first boot of the new OS and reboot the machine. During this phase, the computer is in some intermediate state, when the old version of Windows is no longer in use, the new one is just being prepared for use.
3. 1st boot to New OS . In terms of its content, the phase is very close to the Specialize stage in the Wipe-and-Load deployment option. In this phase, the first boot of the new OS occurs, the drivers are installed, all necessary settings are applied, applications are restored (the corresponding registry branches and binary files are copied, if any instructions for particular applications were found in the compatibility database, they are used, etc. ). Upon completion, another reboot occurs.
4. 2nd boot to New OS . In the final phase, all migration processes are completed, and a welcome screen, known as OOBE (Out-Of-Box Experience), appears before the user, where, at a minimum, the terms of the license agreement should be accepted. This completes the OS update process.
I would like to highlight a few important points related to In-Place Upgrade.
One of the innovations is that the upgrade "in place" to the "top ten" provides the ability to roll back all changes and return to the original version of Windows. Moreover, a rollback is possible both during any phase in the update process (for example, in the event of a failure), and after the update is completed (for example, if something does not suit the new system).
As a result, in the first phase, during the analysis of computer parameters, Setup calculates the required disk space taking into account the need to store the Windows.old folder for possible rollback. If there is not enough disk space, the user can provide external storage media (and this is another innovation) where Windows.old will be created. And yet, on the C: drive, there should be enough space to accommodate the% SystemRoot% of the “dozens” itself.
In order to perform an in-place update in the corporate environment using traditional tools, a new task sequence (update task sequence) has been added to SCCM vNext and MDT 2013 Update 1. Details on how to implement this task sequence in SCCM 2012 R2 SP1 can be found here .
When using MDT or SCCM, companies typically prepare their pre-configured OS image. For a successful "on-site" update, you must use the standard install.wim. The main reason is the preservation of installed applications when upgrading. If the IT department has added an application to the Windows 10 image, and the application (of the same or a different version) is already installed on the updated machine, the OS installer will not be able to correctly merge the files and settings of this application. He simply does not know how to do this. As a result, the association of file extensions of the application may be broken, the application may not work stably or may not work at all.
There are a number of restrictions on using In-Place Upgrade:
In summary, we first recommend the option of deploying In-Place Upgrade for corporate networks ... at least a try. Possible skepticism is understandable. But we tried to make this option as convenient as possible for IT, comfortable for the user, reliable for the system. Test on several machines with a typical hardware and software configuration and make a decision.
The essence of deployment option provisioning (training) is easiest to explain with an example. Suppose for mobile employees a company buys several new tablets with Windows 10 Professional. In order for employees to start working on these tablets, the IT department must apply a number of settings to new devices: upgrade to the Enterprise version, include in the domain and / or connect to Microsoft Intune (or another MDM solution), apply policies, download the necessary certificates, create Wi-Fi and VPN profiles, install corporate applications, etc.
Practically all this can be implemented by group policies. But the latter require the inclusion of machines in the domain, and for a number of mobile scenarios, it may be more convenient to leave such devices outside the domain. In addition, the inclusion in the domain is either performed by an IT officer or by the user himself, who must have the appropriate authority and knowledge. Script? Quite possible. And if the task is similar, but we are talking about smartphones?
Provisioning allows an IT administrator to prepare a file containing all the necessary settings, and, if necessary, an application. Depending on the size, such a file can be sent by e-mail, placed on a web portal, on a network folder, on a flash drive. All that is required of the user is to launch such a file on the desired device by double clicking. The settings specified in the file are applied to the system, and after a few minutes or even seconds, the device is fully operational.
The same approach is applicable to Windows 10 smartphones. Instead of double-clicking the mouse, NFC tags can be used, or the smartphone is connected via USB to a computer, displayed as an icon in the explorer, and the required file is simply transferred to the icon using drag-and-drop.
You can create as many configuration or provisioning files as you need for different scenarios, different types of devices, etc. To create such files, use the Windows Imaging and Configuration Designer (Windows ICD) - a new tool from the ADK package. The principle of using Windows ICD is quite simple - in the left part of the screen all available settings and parameters are displayed, in the middle part of the screen for the parameters you need you specify values, in the right part the selected and formed settings are displayed.
At the end of editing, a provisioning file with the ppkg extension is generated, which remains to be delivered to the device in any available way.
Provisioning will be devoted to a separate post (perhaps not one), but in the meantime I would like to highlight a few important points.
The most important. Provisioning is designed for devices on which Windows 10 is already installed , but I would like to quickly and without any special administrative effort to configure these devices to work in certain scenarios.
Windows 10 provides the option to upgrade Professional to Enterprise Edition by entering the appropriate key, without reinstalling the system. Only one reboot is required. And the key can be specified in the ppkg file.
After the ppkg file has been applied to the device, you can delete it from the device (unless you explicitly forbade the user to do this). When you delete a file, all policies that were applied to the device during provisioning are deleted.
The ppkg file can be applied both during device operation (runtime) and when a new device is first turned on at the OOBE stage, for example, on removable media.
You can configure the system so that the ppkg file remains in the system and is applied automatically after a factory reset. Then the necessary settings will be applied to the device even after resetting to factory settings.
Provisioning, therefore, will be of particular interest to organizations that allow the use of a wide range of devices. Preparing a large number of pre-configured images and an innumerable set of drivers for such organizations can be very difficult, if not at all, achievable. In contrast, ppkg files provide a reasonable balance of features and ease of implementation.
I hope you have the first idea of ​​what options and tools for deploying Windows 10 will soon be or already at your disposal. Well, we will return to this topic more than once in our blog on Habré, as well as in online and offline events.
Hardware requirements, application compatibility
Formal hardware requirements are listed here . In fact, we can say that if Windows 7, Windows 8 or Windows 8.1 is running on your hardware, Windows 10 will work as well. There is perhaps one subtlety regarding the 64-bit version. Starting with version 8.1, Windows uses some processor instructions that are not supported by the Pentium D. On these processors, the 64-bit version of Windows 10 will not work. However, I hope you have no such processors for a long time.
In terms of application compatibility, everything looks pretty good. In Windows 10, there are quite a few changes and improvements, but for the most part they do not affect the Win32 subsystem in which applications are launched. We assume that at least 90% of the existing desktop applications will work without problems even under Windows 10. But life is complicated, and developers are creative people, so no, not 100%. In addition, in some cases, even if the application is working properly, it is necessary that the company-developer (ISV) officially confirmed support / certified its software for the new OS. Or released a new version.
')
With regard to Windows Store applications, automated tests have been developed that verify the compatibility of modern applications with Windows 10, detect potential and real problems, and send this information to the appropriate OS development teams. We are sure that the overwhelming majority of problems in this direction will be eliminated even before you see them.
Internet Explorer
And here there are several important points that are worth paying attention to.
First, as you probably know, Windows 10 will have two browsers built in - Microsoft Edge (formerly Project Spartan) and Internet Explorer 11. The first is for browsing modern websites with HTML5 support and the latest standards, the second is mainly for compatibility with existing ones. web applications. The use of IE11 is especially relevant in a corporate environment where you use your own customized portals and websites or web applications that use Silverlight. Let me remind you, Microsoft Edge does not support Silverlight.
Secondly, starting January 12, 2016, support for older versions of IE in Microsoft OS will end . The table below shows the combinations of OS and IE versions, which will be supported after 01/12/2016.
| Windows platform | Internet Explorer Version |
|---|---|
| Windows Vista SP2 | Internet Explorer 9 |
| Windows Server 2008 SP2 | Internet Explorer 9 |
| Windows 7 SP1 | Internet Explorer 11 |
| Windows Server 2008 R2 SP1 | Internet Explorer 11 |
| Windows 8.1 | Internet Explorer 11 |
| Windows Server 2012 | Internet Explorer 10 |
| Windows Server 2012 R2 | Internet Explorer 11 |
This means that if you quietly use Windows 7, say, IE9, and don’t even plan to upgrade to the top ten in the coming months, you need to start testing your web applications for compatibility with IE11. Because with the new year, IE11 will be the only version of Internet Explorer supported on Windows 7.
Deployment options
Immediately, I note that you can use all the usual approaches and deployment tools, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM), for Windows 10. The new OS will have three main deployment options available:
- Wipe-and-load
- In-place
- Provisioning
The first, well-known option involves booting the machine using a prepared Windows PE image, creating / formatting partitions on the hard disk of a computer, deploying a customized Windows 10 image, installing the required drivers, installing the necessary software. If you want to save user data and settings, the User State Migration Tool (USMT) is launched before formatting, which copies (for example, a network shared folder) user’s files and settings, and after installing the software, restores the collected files and settings in Windows 10.
The second option is also not fundamentally new and is an on-site update of the system. In this case, not only user data and settings are saved, but all installed applications.
The third option is provisioning - the know-how of Windows 10. It is intended to “transform” a new device from Windows 10 into a corporate device, with the appropriate settings, applications and OS editing.
Further a little more detail about each of the options.
Wipe-and-load
As I said, this option has long been well known. And as in the case of previous OS releases, in order to support Windows 10, it will be necessary to update existing deployment tools. Namely:
- Download and deploy the new version of the Windows Assessment and Deployment Kit (ADK), which will support Windows 7 / 8.1 / 10.
- If you are using MDT: Windows 10 support will be added to MDT 2013 Update 1. At the time of writing this post, a preview version is available .
- If you use SCCM: Windows 10 deployment and management support will be added to different versions of Configuration Manager. For SCCM 2012 and SCCM 2012 R2, Windows 10 support is already implemented in SP2 and SP1, respectively.
| System Center Configuration Manager Version | Supports Windows 10 Management | Supports Windows 10 Deployment |
|---|---|---|
| System Center Configuration Manager 2007 | Yes | Not |
| System Center 2012 Configuration Manager | Yes | Yes |
| System Center 2012 R2 Configuration Manager | Yes | Yes |
| System Center Configuration Manager v.Next | Yes | Yes |
Only SCCM vNext will support all the new features of Windows 10, however, as can be seen from the table, you can deploy an image and customize management using current versions of SCCM.
In-place
In-Place Upgrade is available for many releases. It's no secret that IT departments prefer to use a clean install (Wipe-and-Load), especially after XP migration experience with Vista. Understanding this, the Windows team did a lot of work to improve the upgrade process. The results of the transition of users from Windows 8 to Windows 8.1 showed that the efforts were not in vain. In addition, pilots were conducted with a number of customers to upgrade "on the spot" from Windows 7 to Windows 8.1, which revealed additional vectors of application of the efforts of the developers.
As a result, the "dozen" supports In-Place Upgrade for Windows 7 SP1, Windows 8, Windows 8.1, that is, for most of the currently supported versions of client Windows.
The upgrade process to Windows 10 consists of 4 phases.
1. Down-level . During the first phase, Setup checks whether the updated computer complies with the requirements of Windows 10, collects information about drivers, user settings, installed applications. Detected applications are checked with the Compatibility Database for compatibility. At the last step, the WinRE image (winrm.wim) is formed, to which boot critical drivers specific to this computer are added, if necessary. At the end of this phase, the first reboot is performed.
2. WinRE . The machine is loaded using the WinRE (Recovery Environment) image, a kind of minimalist environment, the task of which is to copy the files of the original (down-level) version of Windows to the Windows.old folder, expand the "dozens" image from the install.wim distribution file, create the required directory structure, Add the necessary drivers for the first boot of the new OS and reboot the machine. During this phase, the computer is in some intermediate state, when the old version of Windows is no longer in use, the new one is just being prepared for use.
3. 1st boot to New OS . In terms of its content, the phase is very close to the Specialize stage in the Wipe-and-Load deployment option. In this phase, the first boot of the new OS occurs, the drivers are installed, all necessary settings are applied, applications are restored (the corresponding registry branches and binary files are copied, if any instructions for particular applications were found in the compatibility database, they are used, etc. ). Upon completion, another reboot occurs.
4. 2nd boot to New OS . In the final phase, all migration processes are completed, and a welcome screen, known as OOBE (Out-Of-Box Experience), appears before the user, where, at a minimum, the terms of the license agreement should be accepted. This completes the OS update process.
I would like to highlight a few important points related to In-Place Upgrade.
One of the innovations is that the upgrade "in place" to the "top ten" provides the ability to roll back all changes and return to the original version of Windows. Moreover, a rollback is possible both during any phase in the update process (for example, in the event of a failure), and after the update is completed (for example, if something does not suit the new system).
As a result, in the first phase, during the analysis of computer parameters, Setup calculates the required disk space taking into account the need to store the Windows.old folder for possible rollback. If there is not enough disk space, the user can provide external storage media (and this is another innovation) where Windows.old will be created. And yet, on the C: drive, there should be enough space to accommodate the% SystemRoot% of the “dozens” itself.
In order to perform an in-place update in the corporate environment using traditional tools, a new task sequence (update task sequence) has been added to SCCM vNext and MDT 2013 Update 1. Details on how to implement this task sequence in SCCM 2012 R2 SP1 can be found here .
When using MDT or SCCM, companies typically prepare their pre-configured OS image. For a successful "on-site" update, you must use the standard install.wim. The main reason is the preservation of installed applications when upgrading. If the IT department has added an application to the Windows 10 image, and the application (of the same or a different version) is already installed on the updated machine, the OS installer will not be able to correctly merge the files and settings of this application. He simply does not know how to do this. As a result, the association of file extensions of the application may be broken, the application may not work stably or may not work at all.
There are a number of restrictions on using In-Place Upgrade:
- As before, the OS architecture should be the same - the 32-bit version cannot be upgraded to the 64-bit version by this method and vice versa.
- The in-place upgrade does not apply to Windows To Go, as well as the OS loaded from the VHD file.
- The on-site update is not applicable if the computer disk is encrypted using third-party solutions (if BitLocker is used, the update will take place correctly).
In summary, we first recommend the option of deploying In-Place Upgrade for corporate networks ... at least a try. Possible skepticism is understandable. But we tried to make this option as convenient as possible for IT, comfortable for the user, reliable for the system. Test on several machines with a typical hardware and software configuration and make a decision.
Provisioning
The essence of deployment option provisioning (training) is easiest to explain with an example. Suppose for mobile employees a company buys several new tablets with Windows 10 Professional. In order for employees to start working on these tablets, the IT department must apply a number of settings to new devices: upgrade to the Enterprise version, include in the domain and / or connect to Microsoft Intune (or another MDM solution), apply policies, download the necessary certificates, create Wi-Fi and VPN profiles, install corporate applications, etc.
Practically all this can be implemented by group policies. But the latter require the inclusion of machines in the domain, and for a number of mobile scenarios, it may be more convenient to leave such devices outside the domain. In addition, the inclusion in the domain is either performed by an IT officer or by the user himself, who must have the appropriate authority and knowledge. Script? Quite possible. And if the task is similar, but we are talking about smartphones?
Provisioning allows an IT administrator to prepare a file containing all the necessary settings, and, if necessary, an application. Depending on the size, such a file can be sent by e-mail, placed on a web portal, on a network folder, on a flash drive. All that is required of the user is to launch such a file on the desired device by double clicking. The settings specified in the file are applied to the system, and after a few minutes or even seconds, the device is fully operational.
The same approach is applicable to Windows 10 smartphones. Instead of double-clicking the mouse, NFC tags can be used, or the smartphone is connected via USB to a computer, displayed as an icon in the explorer, and the required file is simply transferred to the icon using drag-and-drop.
You can create as many configuration or provisioning files as you need for different scenarios, different types of devices, etc. To create such files, use the Windows Imaging and Configuration Designer (Windows ICD) - a new tool from the ADK package. The principle of using Windows ICD is quite simple - in the left part of the screen all available settings and parameters are displayed, in the middle part of the screen for the parameters you need you specify values, in the right part the selected and formed settings are displayed.
At the end of editing, a provisioning file with the ppkg extension is generated, which remains to be delivered to the device in any available way.
Provisioning will be devoted to a separate post (perhaps not one), but in the meantime I would like to highlight a few important points.
The most important. Provisioning is designed for devices on which Windows 10 is already installed , but I would like to quickly and without any special administrative effort to configure these devices to work in certain scenarios.
Windows 10 provides the option to upgrade Professional to Enterprise Edition by entering the appropriate key, without reinstalling the system. Only one reboot is required. And the key can be specified in the ppkg file.
After the ppkg file has been applied to the device, you can delete it from the device (unless you explicitly forbade the user to do this). When you delete a file, all policies that were applied to the device during provisioning are deleted.
The ppkg file can be applied both during device operation (runtime) and when a new device is first turned on at the OOBE stage, for example, on removable media.
You can configure the system so that the ppkg file remains in the system and is applied automatically after a factory reset. Then the necessary settings will be applied to the device even after resetting to factory settings.
Provisioning, therefore, will be of particular interest to organizations that allow the use of a wide range of devices. Preparing a large number of pre-configured images and an innumerable set of drivers for such organizations can be very difficult, if not at all, achievable. In contrast, ppkg files provide a reasonable balance of features and ease of implementation.
I hope you have the first idea of ​​what options and tools for deploying Windows 10 will soon be or already at your disposal. Well, we will return to this topic more than once in our blog on Habré, as well as in online and offline events.
Source: https://habr.com/ru/post/263223/
All Articles