
Microsoft Q&A for IT Pros Showcases Windows 10 Version 1709

Microsoft's Michael Niehaus and Nathan Mercer field some questions on the status of Windows and highlight some of the new tech coming to the latest version of the OS.

Microsoft shed some more light on Windows 10 version 1709, the "fall creators update," in a Thursday Web presentation for IT pros.

The one-hour talk included Microsoft deployment luminaries Michael Niehaus, director of Windows Commercial, and Nathan Mercer, senior product manager of Windows Commercial. It's now available on demand (with sign-up) at this page. A summary of the technologies discussed can be found in this "Webcast resource guide."

Mercer opened the talk with a post-Halloween scare of sorts. He noted that Windows 7's end of support will be occurring in a little more than two years (or "803 days").

Highlighted in the talk were the various technologies that are getting lit up by Windows 10 version 1709, which arrived as a "semiannual channel (targeted)" release earlier this month. That channel release signifies, per Microsoft's update model, that organizations should start testing the operating system in their computing environments.

Within a few days of the Windows 10 version 1709 release, the presenters said, all of the media types became available, along with the Group Policy Object reference, the Administrative Templates (.ADMX), the Windows 10 Assessment and Deployment Kit, the Windows 10 Remote Server Administration Tools and the Security Baseline.

Version 1709-Enabled Technologies
Niehaus and Mercer highlighted the following capabilities supported by Windows 10 version 1709:

  • Windows AutoPilot, a new out-of-the-box end user self-provisioning service that leverages the machine's OEM image to create a corporate desktop
  • Windows 10 Subscription Activation to more easily move from the Pro edition to the Enterprise edition
  • Windows Automatic Redeployment for resetting an Azure AD-joined PC to a clean state, removing user settings, installed apps and files
  • Windows Defender-branded security technologies
  • Windows Hello and Windows Hello for Business for biometric PC logins
  • Windows Analytics tools, including Upgrade Readiness, Update Compliance (for device status monitoring) and Device Health (shows issues affecting devices before end users might notice problems)
  • Kiosk configuration for organizations wanting to turn Windows 10 devices into locked-down kiosks
  • Mobile device management (MDM) improvements
  • Always On VPN
  • OneDrive Files On-Demand
  • Server Message Block 1 (SMB 1) removal by default for new installs

One of the mobile device management improvements is automatic MDM enrollment for domain-joined devices that are also registered with Azure Active Directory (hybrid Azure AD join). It's a key new capability for transitioning from traditional Active Directory and Group Policy to "modern management" with Azure AD and MDM, according to Mercer. The capability is documented on TechNet, he said.

The main networking improvement in this Windows 10 release is the Always On VPN feature, according to Mercer. Beyond the existing user tunnel, version 1709 adds a device tunnel that is authenticated with a machine certificate and established before anyone logs on, so a remote machine can reach domain controllers and management servers in much the same way as with the older DirectAccess approach. The end user won't have to log on again to connect to the network. Mercer said that Microsoft sees Always On VPN as simpler than DirectAccess, which works only with domain-joined PCs running the Enterprise edition. Microsoft compares the two approaches in this document.
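To make the device tunnel concrete, here is an added example (written for this article, not code from the webcast or from Microsoft's documentation) that deploys a device tunnel profile on Windows 10 1709 or later through the VPNv2 configuration service provider's WMI bridge. The gateway name vpn.example.com and the 10.10.0.x addresses are placeholders; the script assumes it runs as SYSTEM (for instance via psexec -s), because the device tunnel belongs to the machine, and that the client already holds a machine certificate the IKEv2 gateway trusts. The security-relevant choice is in the profile: host routes plus a matching traffic filter so that a logged-off machine can reach only the servers it needs, not the whole corporate network.

```powershell
# Added example: deploy an Always On VPN *device* tunnel via the VPNv2 CSP (MDM_VPNv2_01).
# Assumptions: run as SYSTEM, machine certificate enrolled, placeholder server/addresses.

$ProfileName = 'AOVPN Device Tunnel'

# Least privilege for a tunnel that exists before logon: split tunnel, explicit /32 routes to the
# domain controllers/management servers, and a traffic filter restricted to the same hosts.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.10.0.10</Address><PrefixSize>32</PrefixSize></Route>
  <Route><Address>10.10.0.11</Address><PrefixSize>32</PrefixSize></Route>
  <TrafficFilter>
    <RemoteAddressRanges>10.10.0.10, 10.10.0.11</RemoteAddressRanges>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# The CSP stores ProfileXML as an XML-escaped string; the instance ID is the URL-escaped name.
$Escaped     = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$NameEscaped = $ProfileName -replace ' ', '%20'

$Namespace = 'root\cimv2\mdm\dmmap'
$Class     = 'MDM_VPNv2_01'
$ParentID  = './Vendor/MSFT/VPNv2'

$session = New-CimSession
try {
    # Delete a stale copy first so re-running the script is idempotent.
    Get-CimInstance -Namespace $Namespace -ClassName $Class -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $NameEscaped |
        ForEach-Object { $session.DeleteInstance($Namespace, $_) }

    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance $Class, $Namespace
    foreach ($p in @(
            @{ Name = 'ParentID';   Value = $ParentID;    Flag = 'Key' },
            @{ Name = 'InstanceID'; Value = $NameEscaped; Flag = 'Key' },
            @{ Name = 'ProfileXML'; Value = $Escaped;     Flag = 'Property' })) {
        $inst.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
    }
    $null = $session.CreateInstance($Namespace, $inst)
    Write-Host "Created device tunnel profile '$ProfileName'."
}
catch {
    Write-Error "Failed to create profile '$ProfileName': $_"
}
finally {
    Remove-CimSession $session
}

# Verify: the profile is visible to all users and connects without an interactive logon.
Get-VpnConnection -AllUserConnection | Select-Object Name, ConnectionStatus, TunnelType
```

Deploy a separate user tunnel (with a user certificate and broader routes) for the interactive session; the device tunnel should stay narrow, since anything reachable through it is reachable from a stolen laptop that has not yet been wiped or had its certificate revoked.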

Microsoft added some configuration options to the OneDrive Files On-Demand feature, which uses placeholder icons for files and folders on the local machine for data stored in the cloud. End users can right click on the file or folder object to specify that storage should be on the machine or in the cloud, Niehaus said. He added that Microsoft is working on adding policies to enable OneDrive Files On-Demand. For instance, in some cases, IT pros may want the files to show up without having to have the user configure things, and so Microsoft is working on a silent configuration for the first-run experience, namely a "Silent Sync Configuration" preview, Niehaus said.

SMB 1, a decades-old dialect that lacks the encryption and pre-authentication integrity protections of SMB 3 and has been a recurring attack vector, is removed by default in Windows 10 1709 "clean installs" of the Windows 10 Enterprise and Education editions. Windows 10 Home and Pro still ship the SMB 1 client by default, but if it goes unused for 15 days it is uninstalled automatically, Mercer clarified. These defaults apply to clean installs, so machines upgraded in place should be checked rather than assumed clean.
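Rather than wait on the 15-day timer or trust the edition defaults, an administrator can inventory, audit and remove SMB 1 explicitly. The following is an added example for this article, not code from the webcast; it uses only the built-in SmbShare and DISM cmdlets, and the reading of the client address from audit event 3000 assumes the event's first data property holds that address, as the event's message template indicates. Run it elevated on a Windows 10 1709 or later machine.

```powershell
# Added example: find, audit and remove SMB 1 on a Windows 10 client regardless of edition.

# 1. What is actually installed? 1709+ splits the feature into client and server sub-features.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Is the server side still willing to negotiate SMB 1?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# 3. Before pulling the plug, learn who still talks SMB 1 to this host: turn auditing on and
#    read Microsoft-Windows-SMBServer/Audit (event 3000 is logged per SMB 1 access).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
$smb1Clients = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[0].Value } |   # assumed: first property = client address
    Sort-Object -Unique
if ($smb1Clients) {
    Write-Warning "SMB 1 clients still seen: $($smb1Clients -join ', ') - fix these before removal"
}

# 4. Stop serving the dialect immediately (no reboot needed)...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. ...then remove the binaries so a later troubleshooting step cannot quietly re-enable them.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 6. Confirm from the client side: every active session should show Dialect 2.x or 3.x.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

Leave auditing on for a while before step 4 on file servers; the point of the audit log is to surface the printer, NAS or legacy appliance that still needs SMB 1 so it can be upgraded or isolated instead of keeping the old dialect alive for everyone.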

During the Niehaus and Mercer talk, Microsoft answered participant questions in a chat window. What follows is an edited summary of that Q&A. It's long, but perhaps not documented elsewhere.

Windows AutoPilot Q&A
Is Windows AutoPilot backward compatible with Windows 10 version 1607 and LTSB [long-term servicing branch] specifically?
AutoPilot works with [Windows 10 versions] 1703 and 1709 and later. LTSB is currently based on [Windows 10 version] 1607, so no, AutoPilot won't work.

Does Windows AutoPilot replace provisioning packages or leverage them?
AutoPilot does not use provisioning packages. Instead, the MDM service (e.g. Intune) pushes down the same configuration.

Is Windows AutoPilot only compatible with Azure AD, or can we join to on-premises AD as well?
AutoPilot supports both Azure AD (with 1703) and Active Directory (with 1709), but there is additional work that the MDM services (e.g. Intune) need to do before AD is enabled.

Is Windows AutoPilot exclusive to Intune or can we use something like AirWatch?
All MDM services are supported, as long as they support Azure AD automatic enrollment (AirWatch does support this).

How long would it take after provisioning the device into Windows Store for Business for the computer to get into the Windows AutoPilot service?
Typically, just a few seconds.

Windows Subscription Activation Q&A
Does the auto-update from Pro to Enterprise and setup stuff work on standard AD environments?
Yes, this works for Active Directory and Azure Active Directory. In the Active Directory case, you do need to have AAD Connect set up to sync with AAD.

Windows Automatic Redeployment Q&A
Will the "reset/revert" process of Windows Automatic Redeployment still hold the Windows OS patches that were installed?
It will retain most of the updates. The reset process does discard updates applied in the last 30 days.

How much network traffic is generated by the first login or reset process for a school that wants to refresh all their systems at once?
There is minimal network traffic generated by the reset process. The first logon itself doesn't generate any significant traffic either, but app updates can then begin installing as soon as the user logs in. (That traffic will use Delivery Optimization for peer-to-peer transfers.)

Does Windows Automatic Redeployment remove "Metro" apps? Does it also remove full client applications (e.g., Adobe Acrobat, Microsoft Office)?
It is a full PC reset, so all apps (modern) and programs (Win32) will be removed.

Will Windows Automatic Redeployment reset BitLocker as well?
It will suspend BitLocker at the start so that it can be resumed later.

Can Windows Automatic Redeployment be run remotely?
Not currently, but that is a feature we are looking at implementing in a future release.

Can resetting be initiated from the System Center Configuration Manager Console?
For Automatic Redeployment, no, not today.

For Windows Automatic Redeployment, is it possible just to have a service account instead of a global administrator's account?
Yes, today the account can be anyone that has the ability to add devices to AAD [Azure Active Directory].

For device refresh/reset, is LAPS [Local Administrator Password Solution] supported?
With Automatic Redeployment, only AAD [Azure Active Directory] is supported today. Typically with AAD, the local admin account is not used. For "normal" reset, the local account is typically left disabled after going back through OOBE [out-of-box experience].

Is there a benefit for "resetting" over a much faster reimage?
Resetting is easier.

Windows Analytics Q&A
Is Windows Analytics still free?
Windows Analytics Upgrade Readiness and Update Compliance are free. Device Health requires a Windows E3 license.

Will Windows Analytics show me which builds are being used in my environment? Or would I need to do something else?
Yes, Windows Analytics Update Compliance will show feature update levels, patch levels, AV definition status, etc.

Security Q&A
Will all these new security features be manageable via SCCM [System Center Configuration Manager] in the next release?
Yes, you'll see a lot of these popping up in the latest Tech Preview 1710 of ConfigMgr.

We turn off Windows Defender in order to use third-party A/V software. Will turning Defender off prevent us from using all these new Windows Defender features? What about the "rebranded" ones (like Credential Guard and Device Guard)?
Controlled Folder Access from Windows Defender Exploit Guard requires WDAV [Windows Defender Antivirus] with real-time scanning enabled.

So with all the Windows Defender improvements, is it preferable to not run other virus protection software concurrently?
It's not a best practice to use multiple AV products with real-time scanner enabled concurrently.

How would we uninstall or disable Windows Defender, if we are using third-party AV at this time? Is that a GPO we can deploy, or something else?
Third-party AV vendors will register themselves with Windows, which causes Defender to automatically turn itself off.
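The two answers above (Controlled Folder Access needing Windows Defender Antivirus real-time scanning, and Defender switching itself off when a third-party product registers) are easy to verify on a machine. The following check is an added example for this article, not something Microsoft provided during the webcast; it relies only on the SecurityCenter2 WMI namespace and the Defender cmdlets that ship with Windows 10, and the function name Get-AvStatus is my own.

```powershell
# Added example: which AV is registered with Windows Security Center, is Defender real-time
# protection actually on, and can Exploit Guard's Controlled Folder Access therefore enforce?
# Run elevated on Windows 10 1709 or later.

function Get-AvStatus {
    # Third-party AV products register here; when one does, Defender AV disables itself.
    $registered = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState

    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference

    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $cfa = switch ($pref.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'Audit' }
        default { "Unknown ($($pref.EnableControlledFolderAccess))" }
    }

    [pscustomobject]@{
        RegisteredAv           = ($registered.displayName -join '; ')
        DefenderServiceEnabled = $mp.AMServiceEnabled
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        ControlledFolderAccess = $cfa
    }
}

$status = Get-AvStatus
$status

# A CFA policy pushed by GPO/Intune to a box running third-party AV looks configured but protects nothing.
if ($status.ControlledFolderAccess -ne 'Disabled' -and -not $status.RealTimeProtection) {
    Write-Warning 'Controlled Folder Access is set but Defender real-time protection is off; it is not enforcing.'
}

# Rollout pattern: start in audit mode and review what would have been blocked before enforcing.
# Audit hits are logged as event 1124 (blocks as 1123) in Microsoft-Windows-Windows Defender/Operational.
#   Set-MpPreference -EnableControlledFolderAccess AuditMode
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1124 }
```

The same pattern applies to the other Exploit Guard components that depend on Defender AV: confirm RealTimeProtectionEnabled is true on the target population before reading compliance reports, or the reports will describe policy rather than protection.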

Does Application Guard support third party browsers?
No, not currently. Edge only.

Which OS license is needed for Application Guard?
Application Guard requires Windows 10 Enterprise. We'll look to bring it downlevel in the future.

What license is needed for Windows Defender Exploit Guard?
Windows Defender Exploit Guard is available in Pro as well; however, detailed visibility from the WDATP [Windows Defender Advanced Threat Protection] console is available with Enterprise E5 only.

Can schools purchase Windows Defender Advanced Threat Protection separately instead of in a bundle, like Microsoft 365?
Today, it appears that this is only available via Microsoft 365 Education A5. Contact your account team or licensing representative for more details.

Always On VPN Q&A
Are you discontinuing support for DirectAccess?
Always On VPN is the direction we are investing in, since it caters to BYOD/non-domain join, cross-platform, and doesn't require Enterprise version of Windows client.

Can Always On VPN work with third-party VPN providers?
Yes, as long as those VPN providers create plug-ins for the built-in Windows 10 VPN platform.

Can Always On VPN replace the need for the Cisco AnyConnect client?
Yes. More info on the way the architecture works here.

Does Always On VPN require on-premises AD-joined machines or will AAD-joined work?
It will work with either. It doesn't require traditional domain joins like DirectAccess does.

Mobile Device Management Q&A
Will Intune replace SCCM [System Center Configuration Manager]?
For some customers, yes, as they move to a modern, cloud-based management infrastructure. But there are no plans to discontinue Configuration Manager.

Has Intune been set up to use the new features in the ADMX files? I want to block the new settings options, that is, Cortana settings, etc.
Intune does have support for ADMX-backed policies.

Do you have a mobile device management compatibility list that works with Windows AutoPilot?
AutoPilot will work with any MDM vendor that supports AAD [Azure Active Directory] automatic enrollment.

Will Azure Intune include all the features in classic Intune like software inventory?
Intune has always run in Azure. You're really asking about the Intune Agent vs. MDM management. When using MDM management (without the Intune agent), there is software inventory, although it may be less complete.

Will sequential/dependency-based application installation capabilities (like those in SCCM) be added to Intune?
That's a great discussion to have with the Intune team. Today, no, Intune does not have that capability.

OneDrive and Files On-Demand Q&A
Will you be able to configure if Files On-Demand will be enabled or disabled from start or can users only do that manually?
There is a group policy to enable this.

Can you apply Folder Redirection to the OneDrive location with Files On-Demand enabled?
You can, yes, but you would want to make sure OneDrive was set up first.

Will you be able to use the new OneDrive features with OneDrive on premises, i.e. auto-login and configuration?
Not with the current version. It will require NGSC [next-generation sync client] which will be in SharePoint 2019.
