Interview: Windows 10 deployment insights (Part 2)

If you would like to read the first part in this article series please go to Interview: Windows 10 deployment insights (Part 1).

Introduction

In the previous article here on WindowsNetworking.com I began an interview with Johan Arwidmark and Mikael Nyström, two well-known Windows deployment experts based in Sweden. This present article concludes my interview and I’ve also included their bios at the end along with a link where you can buy their latest book “Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit.”

The Interview (Part 2)

MITCH: Are there any other ways that the Windows-as-a-service model of periodic Windows 10 updates may impact how organizations should plan and implement Windows 10 deployments using MDT?

Mikael: Yes. The Windows as a Service model will slightly change Windows 10 for each release. That means many things, for example you will need to test new versions of Windows 10, create new images, verify applications, and you will need to do that 4 times a year. This means that the focus should be on “Make Windows 10 secure, stable and working” and not on modifying the user interface.

MITCH: MDT 2013 Update 2 now supports the new In-place Upgrade deployment option for Windows 10. In your own experience what sort of customers are using this approach when they deploy Windows 10 with MDT?

Johan: As long as you are not affected by the many limitations of the In-place Upgrade scenario it works very well. Here is a list of scenarios where you cannot use the In-place Upgrade.

MITCH: There are still some organizations out there that have Windows XP deployed. Can they use MDT to migrate their computers to Windows 10 or will they need Configuration Manager or some other solution?

Mikael: Since Windows XP is not supported anymore, all scenarios that involve Windows XP are no longer supported or tested. It should be possible to perform a refresh. However, I have not tested that. Actually, I have not seen Windows XP for a long time.

MITCH: Some organizations may not want certain “prebundled” default universal apps on their Windows 10 computers. Is there a way they can remove these apps from their reference images before performing their deployment? Can you show us how?

Johan: Technically you can use a PowerShell script to remove most of the applications (but not all). However, that is a less tested scenario, and I have already heard of this breaking Sysprep in some scenarios. For now I recommend using AppLocker to restrict access to universal applications. Anyway, Michael Niehaus has a great blog post regarding this.

MITCH: Can organizations customize the default start menu, pinned taskbar items, and start screen when building their Windows 10 images? What customizations are possible and which ones are not possible? Can you walk us through an example of how one can do something like this using an MDT task sequence?

Mikael: This is a bit tricky. Almost all of these modifications are either complicated to do or are blocked. As an example, pinning to the taskbar was possible in the first release by loading Explorer as a COM object and executing the “pin” function, but Microsoft modified this so it is now impossible. We recommend that customers avoid such modifications if possible, but adding/removing applications is fine.

MITCH: Many organizations are starting to become concerned about some of the security and privacy features (or lack thereof) in Windows 10. For example, some organizations would like to have the new Wi-Fi Sense feature disabled by default when they build their reference images for Windows 10 deployment. Can you walk us through how they can do this?

Johan: I wouldn’t do that in the reference image, I would do that at deployment time instead. A custom GPO that sets the AutoConnectAllowedOEM registry value should be enough.

[EDITOR’S NOTE: See KB3085719 “How to configure Wi-Fi Sense and Paid Wi-Fi Services on Windows 10 in an enterprise” which is found at https://support.microsoft.com/en-us/kb/3085719 for more information concerning this.]

MITCH: What are some other image customizations organizations might want to implement if they have any security or privacy concerns with Windows 10 when building their reference images?

Mikael: I don’t like locking down a reference image, I prefer to do that at deployment time and in that case customers should implement the Security Guidelines for Windows 10 as there are ready-made templates for Windows 10.

[EDITOR’S NOTE: You can find out more about Microsoft’s security baseline settings for Windows 10 in the following post on the Microsoft Security Guidance blog on TechNet]

MITCH: For corporate reasons let’s say we need to deploy Office 2013 and not Office 2016 with my new Windows 10 deployments. Your book describes how to deploy Office 2016 using the Office 2016 Deployment Tool. Can Office 2013 be deployed the same way or would we need to use a different approach? Please explain.

Johan: For the Click-to-Run version of Office 365 (old or new version of Office) it is the same, and if you would like the MSI approach, just download the Windows 2013/2016 bits, import this into the MDT deployment workbench, configure if need be and use that instead. This has not changed.

MITCH: Can you describe a few scenarios where organizations might want to make use of the new provisioning packages option during their Windows 10 deployments?

Mikael: So, provisioning packages are really cool! They are supposed to work for the “from un-managed to managed” scenario. A really good example is if you get a Surface Pro 4 with Windows 10 as you can now use a provisioning package to upgrade this to the Enterprise SKU, set a name based on a rule, and join the machine to the domain. Your infrastructure will take it from there. This way, you don’t need to re-image a perfectly working machine.

MITCH: Can you add applications from the Windows Store for Business when you build your Windows 10 reference image using your MDT-based OS deployment infrastructure? A lot of organizations I know have their standard set of business applications they need to integrate into their Windows 10 reference images and most of them still “don’t get” this whole Windows Store for Business thing and why it’s needed…

Johan: Haven’t looked into the Windows Store for Business options yet for MDT deployments, but Michael Niehaus did a presentation at Ignite in Australia that “should” cover that. Maybe it’s time for a blog post 🙂

[EDITOR’S NOTE: You can find the recording of Michael’s TechEd Australia presentation titled “Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise” on Microsoft’s Channel 9]

MITCH: One can add device drivers to boot images using MDT. Can one add BIOS updates similarly? It seems these are being released more and more often nowadays, especially for devices that supposedly “support” Windows 10…

Mikael: Not to the Boot Image as a driver, but it is fairly simple to create a BIOS update script to get the version and then install the update as part of a task sequence. I know I have a blog post on how to do that, and we updated that in one of our books (Deployment Fundamentals Vol 4).

MITCH: PowerShell is a powerful tool for customizing how MDT deploys Windows 10. Can you recommend any PowerShell scripts you’ve used to solve real-world deployment challenges?

Johan: We typically re-use existing VB script for all the old stuff and we write PowerShell script for new stuff. If you search for PowerShell on Mikael’s blog you will find a massive amount of deployment-related PowerShell scripts.

MITCH: If a student or other reader of your book wants to follow and perform all the exercises in each chapter but they don’t have the hardware available for setting up your OS deployment infrastructure, can they set this up in Microsoft Azure or Amazon AWS if they have a trial account for a public cloud service like one of these?

Mikael: Unfortunately no, since Azure currently does not allow Boot from ISO. They can build everything, but it is currently impossible to test OS deployment. So they would need a computer that supports Hyper-V; a machine with 4-8 GB of RAM should work.

MITCH: Thanks very much gentlemen for sharing some of your valuable time with our readers!

About Mikael Nyström

Mikael Nyström is a Principal Technical Architect at TrueSec, with an extremely broad field of competence. He works in-depth with System Center suite, virtualization, cloud platforms, and operating system deployment. Mikael is a very popular instructor, is frequently used by Microsoft for partner training, and speaks at major conferences such as TechEd, Microsoft Ignite, MMS, and TechDays. He also spends a lot of time in communities, like deploymentbunny.com and itproffs.se. Mikael has been awarded Microsoft Most Valuable Professional (MVP) for more than eleven years.

About Johan Arwidmark

Johan Arwidmark is a consultant and all-around geek specializing in Systems Management and Enterprise Windows Deployment Solutions. Johan also speaks at several conferences each year, including MMS and TechEd events around the world. He is actively involved in deployment communities like deploymentresearch.com and myitforum.com and has been awarded Microsoft Most Valuable Professional (MVP) for more than eleven years.

Deployment Fundamentals Vol. 6

Johan and Mikael’s latest book is titled “Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit” and it’s available from Amazon here: http://www.amazon.com/dp/9187445212/

You can read my review of their book in Issue #1066 Book Review: Deployment Fundamentals Volume 6 of our newsletter WServerNews which goes out weekly to almost 100,000 IT pros around the world. Subscribe to WServerNews today!
