Last week, Microsoft Support released an article to TechNet that details “Top Support Solutions for Windows 10.” While many of them apply to power users and IT professionals alike, there are several categories of information aimed directly at IT professionals facing or contemplating larger-scale Windows 10 roll-outs. These should be of great potential help to those looking to avoid the top Win10 deployment issues that MS Support has already encountered.
The banner from this 5/3/16 TechNet article says it all.
Here’s a snapshot of the relevant content with links to details about top Win10 deployment issues, straight from that source (numbered items are renumbered in sequence for readability):
1. Solutions related to inability to activate Windows:
   - Windows 10 Volume Activation Tips
   - Error 0xC004F015 when you try to activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host
   - How to Activate and resolve common Product key issues in Windows 10
   - Windows 10 activation errors
2. Solutions related to installing Windows updates or hotfixes:
   - Windows 10, WindowsUpdate.log and how to view it with PowerShell or Tracefmt.exe
   - How to read Windows Update logs in Windows 10
3. Solutions related to common setup, installation, and deployment issues:
   - Troubleshooting common Windows 10 upgrade errors and issues
   - How to manage Windows 10 notification and upgrade options
   - Sysprep fails after removing or updating Windows built-in Windows Store apps
   - Deploy Windows 10 with the Microsoft Deployment Toolkit
   - Upgrade to Windows 10 with the Microsoft Deployment Toolkit
   - Getting Started with Windows 10 for IT Professionals
   - Windows 10 Deployment Guide
4. Solutions related to Windows Volume Activation:
   - Windows 10 Volume Activation Tips
   - Error 0xC004F015 when you try to activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host
List Items from Top Win10 Deployment Issues of Interest to IT Pros
In particular, the entries under items 3 and 4 are likely to be of great interest to those IT Pros inclined to work with the Microsoft Assessment and Deployment Toolkit (ADK) and/or who face potential issues related to volume licensing and activations via a Key Management Server (KMS) for Windows 10 Enterprise. These items also point to important documentation related to the ADK, and should help IT Pros get a running start into planning for, piloting, and eventually rolling Windows 10 out into production. Please take advantage of this opportunity to gain insight from the folks at Microsoft support about the top Win10 deployment issues they’ve already been asked to help out on by early adopters.
In Q4 2015, Terry Halvorsen, the Chief Information Officer for the US Department of Defense, decreed that all branches of the military needed to migrate to Windows 10 by Q1 2017. As it often does, the US Marine Corps (USMC) volunteered to go first in this effort. In all, the DoD has around three million desktops (including both physical and virtual machines) to update, so it made sense for the smallest of the four major military branches (Army, Navy, Air Force, and Marines) to go forth as a kind of initial pilot group anyway. Alas, along the way the USMC encountered an unexpected Win10 update snag: the target hardware platforms lag far enough behind current technology that remote, unattended upgrades have proved more problematic than initially projected.
Older hardware makes no-touch Windows 10 upgrades less likely to succeed.
As reported in a May 12 story from FederalNewsRadio.com entitled “Outdated hardware snags Marines’ migration to Windows 10” the service found that only about 10 percent of its computers were amenable to remote, no-touch upgrades to Windows 10. They had been expecting that this approach would work with somewhere between 60 and 70 percent of the computers on the Marine Corps Enterprise Network (MCEN). Thus, this result comes as something of an unpleasant and potentially expensive surprise. In proffering an explanation for the Win10 update snag at a meeting of the Washington, DC chapter of the AFCEA, USMC CIO Brigadier Dennis Crall said:
Our challenges are with hardware, and hardware that is older than a couple years is having more difficulty accepting Windows 10 than hardware that is new. And when you look at what ‘new’ means within DoD, we purchase yesterday’s technology tomorrow. A lot of our brand-new systems are having difficulty with the upgrade as soon as they come out of the box, and we didn’t anticipate that.
What’s Causing the Win10 Update Snag?
I’ve got to give General Crall credit for the wonderful tagline bolded in the preceding quote (emphasis mine), but this upgrade effort faces serious problems for several reasons:
- Increasing the level of human interaction means more time, effort, and expense in achieving the overall upgrade. Add more expense for refreshing those machines that remain unable to be upgraded despite the added effort.
- The services now have to juggle the cost of the added expense for human effort against the costs of purchasing newer Win10-ready hardware. In cases where the cost of effort surpasses that for new gear, it makes more sense to “buy up,” but that was clearly not part of the original budgetary equation.
- Some upgrades will not be able to exploit all of Windows 10’s advanced security features (for example, only UEFI machines can use Secure Boot and only machines that support the latest virtualization features can use Credential Guard). This means some upgraded machines, especially older ones, may not be able to comply fully with the DoD’s “secure host baseline.” This is a common set of security configurations across the many millions of PCs under its aegis. Making exceptions for security poses well-known problems, too.
Virtualization appears to offer a partial remedy to the Win10 update snag. Bill Marion, deputy CIO for the Air Force, questions the need for thick clients for all circumstances, and observes that “the cost of a traditional desktop and office software and the security that goes around that is pretty expensive.” The USAF is pondering more use of “mobile device[s] with a containerized cloud application [that is] lightweight, better encrypted, [and] easier to defend” as a possible alternative, he says. Admittedly, virtualization is better suited for what he describes as a “garrison environment” but native hardware appears better suited for the “tactical environment” for field operations. This approach could provide some much-needed relief for the services’ upgrade effort, though, and let the military concentrate on hardware upgrades where they could do the most good and create the greatest impact for the expense involved.
In general the military seems convinced that Windows 10 is a much more secure OS than earlier Windows versions, and fairly eager to get to that platform so as to benefit from what Halvorsen calls “security baked in from the beginning.” He remains positive that 80-plus percent of the DoD’s laptops and desktops will meet the January 2017 upgrade deadline, because most of them reside in offices on military bases and are managed through the Navy-USMC Intranet or the Air Force AFNET. The remaining 20-odd percent is another story, and may have to stay where they are on waiver status for years because they are integrated into weapons systems that might be at sea, are outside the USA, or are engaged on active military service missions. Thus, for example, the Navy has shipboard platforms still based on Windows XP that probably won’t be upgraded for years to come. Let’s hope that such systems never get exposed to external penetration attempts! But that means the Win10 update snag appears poised to persist for some time for specific hard-to-upgrade systems.
[Note: thanks to Cluster Head at TenForums.com who brought this story to my attention: Danke Schoen, mein Freund!]
The converged and hyper-converged infrastructure markets have gotten a lot of lip service lately, especially with respect to supporting VDI deployments.
There are several reasons hyper-converged infrastructure (HCI) could be the right choice for companies looking to deploy virtual desktops. Hyper-converged platforms offer tightly integrated storage, networking and compute that are software-defined and tailored to run virtualization workloads. They also come with a management interface that can help IT administrators deploy, control and troubleshoot virtual desktops. All these advantages make it fast and easy to deploy VDI, and shops can add more components as their deployments grow. And when all the pieces come from the same vendors, companies can rest assured that they’ll work together well, and there’s one throat to choke when something goes wrong.
But for shops that have already deployed VDI, investing in an HCI stack might not be the smartest or most cost effective choice. If there’s an opportunity to repurpose the servers and other hardware that used to support VDI when a business brings in HCI, then it could be worth it. Otherwise, companies could end up with a shiny new stack to support VDI while the old servers collect dust. Additionally, there are some personnel changes—and potential challenges—that admins should prepare for. HCI unites disparate hardware, so companies often find that they need fewer people to manage their new systems.
There are a lot of moving parts to consider and options to weigh. Deciding whether to deploy HCI goes beyond the question of use case. Companies must also consider which vendor to buy from. Get started with the decision making process with our three-part guide to hyper-converged infrastructure for VDI, VDI Hums on Finely Tuned Hyper-Converged Infrastructure.
As I learn more about the built-in Windows command line tool for Deployment Image Servicing and Management, aka DISM, I’m always amazed at its many capabilities. As anybody who’s upgraded Windows installations knows, Windows sometimes fails to produce the right device drivers during that process. As it happens, DISM can help with that. You can use the utility to export all of the current drivers to a folder on another storage device before performing the upgrade, then return to that folder once the upgrade is done to recover drivers that Windows may not have been able to supply on its own. Experts recommend using a USB flash drive for this purpose, but any Windows-compatible storage device will do. When DISM exports drivers it references their OEMnn.inf files as stored in the Windows DriverStore folder though, so you may also want to use a tool like DriverStore Explorer (RAPR.exe) to map those arbitrary names to specific devices and the drivers that go with them.
Syntax Details When DISM Exports Drivers
Here’s the syntax for performing this action:
dism /online /export-driver /destination:R:\DriversW10.1511.218
Let me explain a little more about what’s going on when DISM exports drivers, in list form:
- The /online switch tells DISM to work from the Windows image that’s currently running.
- The /export-driver switch tells it to grab the contents of the DriverStore folder in Windows. Its complete path is C:\Windows\System32\DriverStore.
- The /destination switch tells DISM where to write the drivers it finds in DriverStore. Note that the R: identifies the drive to which I wrote those files for this example on my PC. You’ll need to change it to target your chosen destination instead. Note further that the folder into which the drivers get written — DriversW10.1511.218 identifies Windows 10, Version 1511, Build 218 — must exist for DISM to do its thing. That means you must create it yourself in advance before running this command.
- Don’t forget to launch DISM from an administrative prompt (“Run as administrator”). Otherwise, it won’t work.
- You might also run RAPR to produce a list of all the OEMnn.inf files in DriverStore, and the devices to which they correspond. Take a screenshot to preserve that mapping for later reference. Stick it in the same destination directory for easy access later on.
I got a screencap of this from my production desktop to illustrate the output from running this command:
Apparently, I’ve got 25 drivers on my production PC that come from a source other than Microsoft.
Quick inspection of that output shows why I like to grab and save a RAPR listing of the same stuff (it tells you where to go looking for stuff in Device Manager to figure out which drivers to grab following an upgrade):
The Oemnn.inf names make more sense when you can map them to Driver Provider and Class information.
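The export steps above can be scripted so the destination folder, the elevation check and the oemNN.inf mapping are handled in one pass. This is an added example, not code from the original post: the destination path is the one used above and should be changed for your system, the driver-map.csv file name is an assumption, and the built-in Get-WindowsDriver cmdlet stands in for the RAPR screenshot.

```powershell
# Added example: export drivers with DISM and save an oemNN.inf map beside them.
# $Destination defaults to the folder used in this post; change it for your system.
param(
    [string]$Destination = 'R:\DriversW10.1511.218'
)

# DISM needs administrative rights, so stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated ("Run as administrator") prompt.'
}

# The destination folder must exist before DISM writes to it.
if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# Same DISM command as shown above, with the exit code checked.
& dism.exe /online /export-driver "/destination:$Destination"
if ($LASTEXITCODE -ne 0) {
    throw "DISM export failed with exit code $LASTEXITCODE."
}

# Map each published oemNN.inf name to its original INF, provider and class,
# and store that map with the exported drivers (file name is an assumption).
$map = Get-WindowsDriver -Online |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version |
    Sort-Object ClassName, ProviderName

$map | Export-Csv -LiteralPath (Join-Path $Destination 'driver-map.csv') -NoTypeInformation
$map | Format-Table Driver, ProviderName, ClassName, Version -AutoSize
```

The CSV written next to the exported folders gives the same provider and class information as the RAPR listing, in a form that can be searched after the upgrade.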
With the free upgrade deadline for Windows 10 approaching on July 29, more businesses are thinking about migrating to that desktop OS version. But the vast majority of commercial concerns — particularly those with thousands of users and OS licenses — already obtain Windows from Software Assurance or Volume Licensing contracts. They aren’t under the same time pressure to take advantage of “free” upgrades because they pay over the life of their contracts anyway. For such organizations, the real concern is to make sure that key applications and services work properly in Windows 10. They don’t want production desktops and environments to be adversely affected by its rollout and deployment. That’s why initial testing and experimentation in the form of a Windows 10 pilot program can play an important role.
Now’s a Good Time for a Windows 10 Pilot Program
Moving from an old runtime regime to a new one is a demanding task. It takes considerable time and effort, and inevitably ends up costing money. But even for organizations that jumped onto Windows 8 (and market research says there were precious few of them), Windows 10 will probably be a necessary migration. That’s because Windows 10 introduces a new model for upgrades and updates, which will keep coming at regular, fairly closely-spaced intervals from now on. That’s in stark contrast to a new major version once every two or three years since Windows NT made the scene in the mid-1990s, now over 20 years ago (Windows NT 4.0 appeared in 1996). Many commercial concerns and large organizations adopted an informal “every-other-release” migration plan in the past because of the time, effort, and expense involved. But it seems that Windows 10 is a matter of “when,” not “if,” for most outfits simply because it’s slated to stick around for a long, long time.
That makes 2016 a great year for organizations that haven’t already started piloting Windows 10 in-house to get going. Organizations can track behind the leading edge of Windows 10, which is simply called the “Current Branch” and represents the most current release of Windows 10 (Version 1511) plus the most current cumulative update and all subsequent interim updates (Build 10586.218 as I write this post). The first milestone after that is called the Current Branch for Business (CBB), which is also based on Version 1511, but which currently rests at Build 10240. It’s designed to support staged deployments of new features to match scheduled rollouts typical in most production commercial environments. It tracks about 90-180 days behind the Current Branch, to give organizations time to test and vet upcoming updates, and to plan workarounds for updates that won’t work if put into production. The last stage in the branch structure is the Long Term Servicing Branch, which tracks one year or longer behind the Current Branch, and receives no new features but gets security and other updates necessary for proper operation. It’s aimed at factory floor machinery, POS systems, automated teller machines (ATMs), and other tightly-managed and locked-down systems.
The real bleeding edge is the Insider Preview Branch, which tracks new features as they appear (and which may never go into production).
[Source: TechNet: Windows 10 servicing options]
Despite the appeal of hanging back as far as the Long-Term Servicing Branch, most businesses will be served best by focusing on the Current Branch for Business. Power users and those working on Windows 10 evaluations going forward should stick to the Current Branch for a more forward-looking take on upcoming Windows 10 stuff. But only non-production machines should ever play host to Insider Preview releases.
At the same time, the Windows 10 pilot program can also try out new PCs. This might include some of the latest hybrid 2-in-1 devices (tablet + keyboard such as the Surface Pro 4 or Surface Book) or latest generation laptops (such as the Dell Latitude 13 7000 series). Ditto for desktops (something with a 1151 socket, a Skylake CPU, and an NVMe SSD). This is also a great opportunity to dig into Microsoft’s Azure Active Directory, which provides seamless integration for Office 365 via Azure AD accounts. Interested admins will find lots of cool new features and functions to play with.
The Perpetual Windows 10 Pilot Gets Underway
The most important aspects of any pilot program are to assess the impact of migration on key line-of-business applications and services, and to determine what must change (and what can be maintained) while keeping workers productively and constructively engaged. This also means testing deployment tools, provisioning and rollout tools and methods, and getting everything ready to take into the field. It will actually turn into an ongoing process that happens continuously going forward, because working with Windows 10 means keeping a forward-looking pilot project constantly engaged to track upcoming changes and releases from the Current Branch (or Insider Preview) that will ultimately propagate into the Current Branch for Business.
At the outset of 2015, Microsoft announced it would offer a free upgrade to Windows 10 for devices running Windows 7 and 8.1. (Here’s a Terry Myerson blog post devoted to that topic, dated 1/21/2015.) That update was always planned to last one year from the release date for the new desktop OS. And sure enough, MS has now stated that the free Win10 upgrade ends on July 29, 2016, exactly one year to the day from that initial release date. MS Corporate VP Yusuf Mehdi stated this clearly in his May 5 post to the Windows Experience blog entitled “Windows 10 Now on 300 Million Active Devices — Free Upgrade Offer to End Soon.”
Here’s the relevant language, which appears at the tail end of the afore-cited blog post:
…today, we want to remind you that if you haven’t taken advantage of the free upgrade offer, now is the time. The free upgrade offer to Windows 10 was a first for Microsoft, helping people upgrade faster than ever before. And time is running out. The free upgrade offer will end on July 29 and we want to make sure you don’t miss out. After July 29th, you’ll be able to continue to get Windows 10 on a new device, or purchase a full version of Windows 10 Home for $119.
The actual MSRP for Home is $119.99. For those interested in Windows 10 Pro instead, the “full version” MSRP is $200 in the USA. You can also find OEM versions of that license (good for installation on a single computer, but not transportable from one computer to another like the full version) for $140 or thereabouts. But according to Microsoft, that’s what it will take to jump on the Windows 10 bandwagon after the 7/29 deadline comes and goes.
Here’s the word, straight from MS Corporate VP Yusuf Mehdi.
How to beat the “free Win10 upgrade ends” restriction, if you must
Users running Windows 7 or 8.1 who don’t wish to migrate to Windows 10 before the expiration date hits can trade some time and effort against the future expense of buying a license thereafter. How’s that? Simply by upgrading, making a snapshot, then rolling back to the pre-upgrade machine state. In somewhat more detail, here’s a 10,000-foot overview of that process:
- Start by making an image backup of your current running Windows 7 or 8.1 environment
- Perform the upgrade install from that current environment to Windows 10
- Apply all pending updates to that Windows 10 install, then make another image backup of the new Win10 environment
- Restore the original image backup of your current running Windows 7 or 8.1 environment
You’ll be back where you started, but you’ll be out the time and effort required to make those backups and perform the upgrade. After July 29 comes and goes, you’ll be able to restore the image of the Windows 10 environment you created to exercise your free upgrade offer before the expiration date passed. You’ll also be out the storage space necessary to keep that upgrade image in suspense until you’re ready to wake it back up. If my experience is any guide, this will take 3-4 hours of your time, and somewhere between 20-25 GB of disk space on the low end, and probably no more than 100GB of disk space on the high end (YMMV, though, depending on how much stuff you allow Windows to keep in the Photos, Pictures, and Documents folders in the Windows Library environment). If you need more time, don’t let the free Win10 upgrade ends deadline catch you either napping or unaware!
I was amused to read Mary Jo Foley’s latest report at ZDNet this morning. She relays that Microsoft has dropped the ability for Windows admins to keep blocking Store access in Windows 10 Pro. Their reasoning is apparently two-pronged:
- According to Microsoft, Store access is “required for all versions of Windows 10 except Enterprise and Education ‘by design’”
- Those organizations that really want clamp-down capability on Windows 10 desktops should buy licenses for Enterprise, not Pro
Though KB3135667 looks like troubleshooting advice, it’s really a policy statement (not Group Policy, either).
Why Blocking Store Access for Win10Pro Is Valid No Mo’
The official change is covered in KB Article 3135667. It is entitled “Can’t disable Windows Store in Windows 10 Pro through Group Policy.” In asking MS to confirm this change, MJ Foley asked why blocking Store access in Windows 10 Pro is no longer supported. IMO, that response is a masterwork of doublespeak:
Microsoft is focused on helping enterprises manage their environment while giving people choice in the apps and devices they use to be productive across work and life. Windows 10 Enterprise is our offering that provides IT pros with the most granular control over company devices. Windows 10 Pro offers a subset of those capabilities and is recommended for small and mid-size businesses looking for some management controls, but not the full suite necessary for IT pros at larger enterprises. The ability to block access to the Windows Store is typically for organizations who want more control over corporate-owned devices. This fits into the value of Windows 10 Enterprise.
My translation: to maintain complete control over your Windows deployments, don’t buy the retail-oriented Windows 10 Pro. Instead, you must sign up for a volume license agreement, and jump on the Windows 10 Enterprise bus. Any questions? MJ Foley’s summation of the forces driving this change is also a gem: “Driving visibility and use of Windows Store has been one of Microsoft’s goals with Windows 10.” Given that OS revenues are dropping, and that commissions on Windows Store sales are turning into a cash cow, I guess this makes sense — at least, to Microsoft. I’m wondering if business customers who’ve shied away from volume licensing until now feel the same. Having myself recently been inducted into the Microsoft Volume Licensing Service Center, I think the answer is “probably not!”
[Thanks to Shawn Brink over at the News Forum at TenForums.com for bringing this matter to my attention. Keep up the good work!]
There’s an interesting problem facing those running Windows 10 on limited storage capacity tablets and similar devices. Given typical eMMC or flash “drives” of 32 GB or less, best practice can dictate that such limited storage be augmented with SDXC cards readily available in sizes from 32 to 256GB. This may also involve relocating all kinds of storage from the primary storage device to that SD card, including user files of all kinds (documents, downloads, and so forth) as well as application and app files of all kinds. Recent reports from the field indicate that some people who’ve moved Windows 10 apps from the Store to SD devices can’t apply updates from the Store to keep them current. If you or your users find that SD-based apps won’t update, there’s a simple but potentially vexing fix you can apply.
Windows 10 is very accommodating about changing locations for all kinds of data, but says nothing about apps needing NTFS formatting to update.
If SD-based apps won’t update on your system, a fix is possible…
The problem apparently stems from conflicting defaults. App Store updates expect to reside on NTFS formatted storage devices, but SD cards are typically formatted using some form of FAT (usually exFAT for larger devices) formatting instead. It seems that Windows 10 won’t propagate app updates into non-NTFS storage devices. Thus, the fix is to reformat the SD device from its current format to NTFS. The downside, of course, is that all relocated apps will then have to be reinstalled onto the newly-reformatted SD card. This takes time and effort, as documented in these CNET and How-to-Geek articles.
On the other hand, it seems that it might work to copy the contents of the SD card to some temporary location, reformat it to NTFS, then restore those contents onto the newly-formatted drive. I’m going to try this on my Surface Pro 3, as soon as I have enough time to set all this up and try it out. I’ll report back later after I’ve attempted to make this work. My hope is that this will also fix the “SD-based apps won’t update” problem. Stay tuned!
[Thanks to Sergey Tkachenko at Winaero.com, whose recent Fix story provided the impetus and information for this blog post.]
The path to Windows 10 has been full of sunny skies for many companies right out of the gates. The operating system already stakes its claim to second place in the market based on desktop share by version. But what about the organizations that are happy with their earlier versions of Windows?
An OS upgrade just isn’t in the forecast for some companies whether Microsoft likes it or not. And it seems Microsoft does not like that. As a result, some Windows 10 storm clouds have rolled over a few organizations still using their non-Windows 10 umbrellas.
First of all, the OS automatically downloads itself onto some users’ computers when they perform a routine Windows update. Other times, a Windows Update will “recommend” that the user make the move to the new OS. That suggestion does not care who you are or what you are doing; just ask this poor weather woman.
Microsoft has even hidden Windows 10 advertisements in its security updates for Internet Explorer on Windows 7 and 8.1. Not only does the security patch include a Windows 10 ad generator that stamps a Windows 10 upgrade ad at the top of every new tab a user opens, but it also automatically installs a how-to guide on upgrading to Windows 10.
Just like an unwanted snow storm, Windows 10 inserts itself into users’ lives so it is important to keep that in mind as companies consider making the move to the new OS.
Certain advanced security features on Windows 10 work only on machines new enough to boot via the Unified Extensible Firmware Interface (UEFI). These include Secure Boot, Credential Guard, Device Guard, and the Early Launch Anti-malware driver. The wrong installation media or incorrect installation technique produces Windows 10 machines that boot from Legacy BIOS, not UEFI. This applies most often to BYOD laptop and notebook PCs where admins probably didn’t install the OS. What’s the quickest way to confirm or deny UEFI boot-up on Windows 10?
Above and beyond security features, UEFI also supports bigger disks, signed boot loaders, plus faster bootup/shutdown/sleep/resume timing.
The Quick Way to Confirm/Deny UEFI Boot-up on Win10 PCs
Run the built-in Windows System Information utility (msinfo32.exe) to find the information you seek on the “BIOS Mode” line. If it reports BIOS, the machine runs Legacy BIOS. If it reports UEFI, the machine runs UEFI for boot-up. If BIOS shows up here, and you want to or security policy requires you to switch to a UEFI boot, a two-step process is needed. Warning: neither of those steps is terribly easy nor is it likely to be quick:
- You must check to see if the target device supports UEFI. The best way to do that is to find the maker’s product page and check for direct confirmation of UEFI support. If it’s absent, the device may not be able to support UEFI. Be sure to check third-party sites such as notebookreview.com, TenForums.com, and so forth to determine if the machine is UEFI-equipped or not.
- If you want a Windows 10 machine to boot from UEFI, there’s no way to switch from Legacy BIOS to UEFI except by a clean re-install of the OS (that’s because the low-level disk format has to be replaced, which usually involves a switch from MBR to GPT formatting and a complete disk wipe along that way). This means that capturing all settings, preferences, and data is a must, and that all applications will need to be reinstalled and reconfigured (and settings, preferences and data restored) following the re-installation of the OS.
Thanks to Shawn Brink at TenForums.com for putting an excellent tutorial together to explain how to determine UEFI boot-up presence or absence on Windows 10 PCs. This same information applies to (and was originally developed for) Windows 8 versions, BTW. One more thing: as Brink observes in that tutorial, the other conclusive method to determine the presence or absence of UEFI boot on a Windows 10 (or 8) PC is to open the Disk Management (diskmgmt.msc) utility. Then, look for the presence or absence of something labeled “EFI System Partition” on the system’s Boot drive. If you see such an animal, the target machine can boot from UEFI.
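For checking more than a handful of machines, the two manual checks above (firmware mode and the EFI System Partition) can be collected from PowerShell, along with whether Secure Boot is actually switched on. This is an added example, not taken from the tutorial or the original post; the function name Get-UefiBootStatus is hypothetical, and it assumes an elevated prompt on Windows 8 or later.

```powershell
# Added example: confirm UEFI boot, ESP presence and Secure Boot state.
# Run elevated; Confirm-SecureBootUEFI needs administrative rights.
function Get-UefiBootStatus {
    # GPT partition-type GUID that marks an EFI System Partition (ESP).
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

    # The "system" disk is the one the firmware boots from.
    $disk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    $esp  = $null
    if ($disk) {
        $esp = Get-Partition -DiskNumber $disk.Number |
            Where-Object { $_.GptType -eq $espType } |
            Select-Object -First 1
    }

    # Confirm-SecureBootUEFI returns $true or $false on UEFI systems and
    # throws PlatformNotSupportedException on Legacy BIOS systems.
    try {
        $enabled    = Confirm-SecureBootUEFI -ErrorAction Stop
        $firmware   = 'UEFI'
        $secureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        if ($_.Exception -is [System.PlatformNotSupportedException]) {
            $firmware   = 'Legacy BIOS'
            $secureBoot = 'Not available'
        }
        elseif ($_.Exception -is [System.UnauthorizedAccessException]) {
            $firmware   = 'Unknown'
            $secureBoot = 'Unknown (run elevated)'
        }
        else { throw }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FirmwareMode          = $firmware
        SecureBoot            = $secureBoot
        SystemDisk            = if ($disk) { $disk.Number } else { $null }
        PartitionStyle        = if ($disk) { $disk.PartitionStyle } else { $null }
        HasEfiSystemPartition = [bool]$esp
    }
}

Get-UefiBootStatus | Format-List
```

A machine that reports UEFI with Secure Boot disabled still needs a firmware settings change before it meets a baseline that requires Secure Boot; a machine that reports Legacy BIOS with an MBR partition style is the re-install case described above.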