Last week, Microsoft released the so-called “Convenience Rollup” for Windows 7 Service Pack 1. It’s described in a 5/17/2016 Microsoft KB article entitled “Convenience rollup update for Windows 7 SP1 and Windows Server 2008 R2 SP1.” Hidden amidst the reason it was created and some gotchas inherent in its application is a killer reason to upgrade Windows 7 to 10 instead.
The Intro to KB3125574 explains the convenience rollup quite nicely.
According to the article’s Introduction:
“This rollup package includes almost all the updates that were released after the release of SP1 for Windows 7 and Windows Server 2008 R2, through April 2016. This convenience rollup is intended to make it easy to integrate fixes that were released after SP1 for Windows 7 and Windows Server 2008 R2. We recommend that you include this rollup package in the image creation process to make it easier to quickly set up a computer.”
Long WU Waits Explain Why It’s Smart to Upgrade Windows 7 to 10
Paul Thurrott took the bait on this suggestion, and decided to see how long it would take to clean install Windows 7 on a PC, using both Windows Update from the installation media (avoiding the convenience roll-up), and using that roll-up to try to expedite the process. His results range from scary to downright horrifying, as recounted in his 5/21/2016 story entitled “The Convenience Rollup Makes a Big Difference, But Windows 7 Updating is Still Broken.” His investigation highlights what’s I’m calling the killer reason to upgrade Windows 7 to 10: time!
When boiled down to time required to complete a clean install, those results boil down to 9.5 hours for a clean install without the convenience rollup, over three hours (he declines to provide an exact time figure) using the rollup. Each approach involves very slow download times from Windows Update, but with fewer updates required when using the rollup the amount of time spent waiting for downloads to complete declines substantially. His overall time estimates also include troubleshooting drivers, and downloading and installing Optional Updates as per usual Windows 7 Update practice. Reading his account carefully, however, it’s obvious that much of the time involved is spent waiting for Windows Update to complete!
I performed a clean install of the current Windows 10 Technical Preview last week on a test PC (Version 1511, Build 14342.1000, subsequently upgraded to 14342.1001). The whole effort, including both initial installation and subsequent upgrade, took 25 minutes. All the drivers came out correctly (first time ever for Windows 10 to supply the right driver for my Killer 2200 GbE NIC) so no further post-install cleanup was needed.
I think Thurrott is onto something important in his story, and it represents the “killer reason” to upgrade Windows 7 to 10: time. Who wants to spend half a day to a long day just to perform a clean OS install? or to build a curated image of the OS for multiple such installs? Too much time, too little reward methinks.
As fate would have it, I was on the phone yesterday when my production desktop starting dinging madly, ringing the USB device added (or removed) sound on and off repeatedly. “What in the world?” I thought to myself as I continued on with my call resolving to check things out ASAP once it ended. Sure enough, upon jumping into Event Viewer, I saw the following error events in my event log that flagged a Volsnap error (from the Volume Shadow Copy service, aka VSS):
The phrase “IO failure” tells me exactly what I needed to know.
The drive in question is attached via USB 2.0 to my production PC, and I use it primarily to store my weekly image and nightly incremental backups, so it is kind of important to my system’s overall health and well being. Some quick online research informed me that this means my drive is probably failing, because bad sectors (and attempts to write to them) are what usually triggers this error to be reported.
What This Volsnap Error Means Is…
Apparently, it’s time for me to replace my backup drive. Looking back at my records, I see I bought this drive in 2010, so it is out of warranty. It’s also given me almost 6 years of solid dependable service, so I’m OK with having to rotate it out. The only downside is that it’s home to 1.52 TB of data (it’s a backup drive, remember?) and that’s going to take hours to copy from the old drive to the new one. In the meantime, I’m going to retarget my backup utilities (I use Acronis for nightly incrementals and weekly full backups, and the built-in Windows Backup utility for weekly image snapshots) to a different drive until I can bring in and set up its replacement. Based on the recent Backblaze report, it looks like I should buy a 4TB HGST drive. Looks like I can pick up an HGST Ultrastar from Newegg for about $225. Sure I could spend $75 less and get the Deskstar of the same 4TB capacity, but given that I’m using this drive for backup, I want something that will hopefully last as long as the drive it’s replacing, if not longer.
Here’s an odd fact of Windows 10 life: MS has made much of Windows Hello for biometric identification including support for fingerprint readers at login. But if you try to set up Windows Hello on a properly equipped PC, you must first define a personal identification number (PIN) as an alternate login technique to supplement your password, before you can access the Windows Hello capabilities (including fingerprint set-up). That’s right: using a fingerprint reader requires PIN login in Windows 10! Otherwise, you may beat your head against the wall for some time before figuring out that something is missing from the PC local set-up. Here’s an illustrative screen cap from Settings –> Accounts –> Sign-in options from my Surface Pro 3 tablet, equipped with a Type Cover with Fingerprint Reader.
The proximity of PIN and Windows Hello is apparently no accident here!
No PIN, No Hello: Yes, Fingerprint reader requires PIN login!
In reading over a variety of forum posts at TenForums and social.microsoft.com recently, this point was forcefully brought home to me. I had dithered about with the new Type Cover when I purchased it late last year, but it didn’t dawn on me until seeing those posts that it is apparently impossible to take advantage of Windows Hello (whatever biometric device you might choose to use) without first creating a PIN as an alternate login method.
Fortunately, this is easy to do. Click your way through the Settings –> Accounts –> Sign-in sequence in Windows 10. If you haven’t defined a PIN on the current PC, you’ll see a portion of the UI that looks like this:
A PIN is a string of numbers (usually 4 in count).
Once a PIN has been defined, the fingerprint or other biometric devices will show up and you can start configuring and using them. Go ahead, knock yourself out!
Last week, Microsoft Support released an article to TechNet that details “Top Support Solutions for Windows 10.” While many of them apply to power users and IT professionals alike, there are several categories of information aimed directly at IT professionals facing or contemplating larger-scale Windows 10 roll-outs. These should be of great potential help to those looking to avoid the top Win10 deployment issues that MS Support has already encountered.
The banner from this 5/3/16 TechNet article says it all.
Here’s a snapshot of the relevant content with links to details about top Win10 deployment issues, straight from that source (numbered items are renumbered in sequence for readability):
- Solutions related to inability to activate Windows:
- Windows 10 Volume Activation Tips
- Error 0xC004F015 when you try to activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host
- How to Activate and resolve common Product key issues in Windows 10
- Windows 10 activation errors
- Solutions related to installing Windows updates or hotfixes:
- Windows 10, WindowsUpdate.log and how to view it with PowerShell or Tracefmt.exe
- How to read Windows Update logs in Windows 10
- Solutions related to common setup, installation, and deployment issues:
- Troubleshooting common Windows 10 upgrade errors and issues
- How to manage Windows 10 notification and upgrade options
- Sysprep fails after removing or updating Windows built-in Windows Store apps
- Deploy Windows 10 with the Microsoft Deployment Toolkit
- Upgrade to Windows 10 with the Microsoft Deployment Toolkit
- Getting Started with Windows 10 for IT Professionals
- Windows 10 Deployment Guide
- Solutions related to Windows Volume Activation:
- Windows 10 Volume Activation Tips
- Error 0xC004F015 when you try to activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host
List Items from Top Win10 Deployment Issues of Interest to IT Pros
In particular, the entries under items 3 and 4 are likely to be of great interest to those IT Pros inclined to work with the Microsoft Assessment and Deployment Toolkit (ADK) and/or who face potential issues related to volume licensing and activations via a Key Management Server (KMS) for Windows 10 Enterprise. These items also point to important documentation related to the ADK, and should help IT Pros get a running start into planning for, piloting, and eventually rolling Windows 10 out into production. Please take advantage of this opportunity to gain insight from the folks at Microsoft support about the top Win10 deployment issues they’ve already been asked to help out on by early adopters.
In Q4 2015 Terry Halvorsen, the Chief Information Officer for the US Department of Defense decreed that all branches of the military needed to migrate to Windows 10 by Q1 2017. As it often does, the US Marine Corps (USMC) volunteered to go first in this effort. In all the DoD has around three million desktops (including both physical and virtual machines) to update, so it made sense for the smallest of the four major military branches (Army, Navy, Air Force, and Marines) to go forth as a kind of initial pilot group anyway. Alas, along the way the USMC found that it encountered an unexpected Win10 update snag: the target hardware platforms lag far enough behind current technology that remote, unattended upgrades have proved more problematic than initially projected.
Older hardware makes no-touch Windows 10 upgrades less likely to succeed.
As reported in a May 12 story from FederalNewsRadio.com entitled “Outdated hardware snags Marines’ migration to Windows 10” the service found that only about 10 percent of its computers were amenable to remote, no-touch upgrades to Windows 10. They had been expecting that this approach would work with somewhere between 60 and 70 percent of the computers on the Marine Corps Enterprise Network (MCEN). Thus, this result comes as something of an unpleasant and potentially expensive surprise. In proffering an explanation for the Win10 update snag at a meeting of the Washington, DC chapter of the AFCEA, USMC CIO Brigadier Dennis Crall said:
Our challenges are with hardware, and hardware that is older than a couple years is having more difficulty accepting Windows 10 than hardware that is new. And when you look at what ‘new’ means within DoD, we purchase yesterday’s technology tomorrow. A lot of our brand-new systems are having difficulty with the upgrade as soon as they come out of the box, and we didn’t anticipate that.
What’s Causing the Win10 Update Snag?
I’ve got to give General Crall credit for the wonderful tagline bolded in the preceding quote (emphasis mine), but this upgrade effort faces serious problems for several reasons:
- Increasing the level of human interaction means more time, effort, and expense in achieving the overall upgrade. Add more expense for refreshing those machines that remain unable to be upgraded despite the added effort.
- The services now have to juggle the cost of the added expense for human effort against the costs of purchasing newer Win10-ready hardware. In cases where the cost of effort surpasses that for new gear, it makes more sense to “buy up,” but that was clearly not part of the original budgetary equation.
- Some upgrades will not be able to exploit all of Windows 10’s advanced security features (for example, only UEFI machines can use Secure Boot and only machines that support the latest virtualization features can use Credential Guard). This means not all upgraded machines — especially older ones — may not be able to comply fully with the DoD’s “secure host baseline.” This is a common set of security configurations across the many millions of PCs under its aegis. Making exceptions for security poses well-known problems, too.
Virtualization appears to offer a partial remedy to the Win10 update snag. Bill Marion, deputy CIO for the Air Force, questions the need for thick clients for all circumstances, and observes that “the cost of a traditional desktop and office software and the security that goes around that is pretty expensive.” The USAF is pondering more use of “mobile devices[s] with a containerized cloud application [that is] lightweight, better encrypted, [and] easier to defend” as a possible alternative, he says. Admittedly, virtualization is better suited for what he describes as a “garrison environment” but native hardware appears better suited for the “tactical environment” for field operations. This approach could provide some much-needed relief for the services upgrade effort, though, and let the military concentrate on hardware upgrades where they could do the most good and create the greatest impact for the expense involved.
In general the military seems convinced that Windows 10 is a much more secure OS than earlier Windows versions, and fairly eager to get to that platform so as to benefit from what Halvorsen calls “security baked in from the beginning.” He remains positive that 80-plus percent of the DoD’s laptops and desktops will meet the January 2017 upgrade deadline, because most of them reside in offices on military bases and are managed through the Navy-USMC Intranet or the Air Force AFNET. The remaining 20-odd percent is another story, and may have to stay where they are on waiver status for years because they are integrated into weapons systems that might be at sea, are outside the USA, or are engaged on active military service missions. Thus, for example, the Navy has shipboard platforms still based on Windows XP that probably won’t be upgraded for years to come. Let’s hope that such systems never get exposed to external penetration attempts! But that means the Win10 update snag appears poised to persist for some time for specific hard-to-upgrade systems.
[Note: thanks to Cluster Head at TenForums.com who brought this story to my attention: Danke Schoen, mein Freund!]
The converged and hyper-converged infrastructure markets have gotten a lot of lip service lately, especially with respect to supporting VDI deployments.
There are several reasons hyper-converged infrastructure (HCI) could be the right choice for companies looking to deploy virtual desktops. Hyper-converged platforms offer tightly integrated storage, networking and compute that are software-defined and tailored to run virtualization workloads. They also come with a management interface that can help IT administrators deploy, control and troubleshoot virtual desktops. All these advantages make it fast and easy to deploy VDI quickly, and shops can add more components as their deployments grow. And when all the pieces come from the same vendors, companies can rest assured that they’ll work together well, and there’s one throat to choke when something goes wrong.
But for shops that have already deployed VDI, investing in an HCI stack might not be the smartest or most cost effective choice. If there’s an opportunity to repurpose the servers and other hardware that used to support VDI when a business brings in HCI, then it could be worth it. Otherwise, companies could end up with a shiny new stack to support VDI while the old servers collect dust. Additionally, there are some personnel changes—and potential challenges—that admins should prepare for. HCI unites disparate hardware, so companies often find that they need fewer people to manage their new systems.
There are a lot of moving parts to consider and options to weigh. Deciding whether to deploy HCI goes beyond the question of use case. Companies must also consider which vendor to buy from. Get started with the decision making process with our three-part guide to hyper-converged infrastructure for VDI, VDI Hums on Finely Tuned Hyper-Converged Infrastructure.
As I learn more about the built-in Windows command line tool for Deployment Image Servicing and Management, aka DISM, I’m always amazed at its many capabilities. As anybody who’s upgraded Windows installations knows, Windows sometimes fails to produce the right device drivers during that process. As it happens, DISM can help with that. You can use the utility to export all of the current drivers to a folder on another storage device before performing the upgrade, then return to that folder once the upgrade is done to recover drivers that Windows may not have been able to supply on its own. Experts recommend using a USB flash drive for this purpose, but any Windows-compatible storage device will do. When DISM exports drivers it references their OEMnn.inf files as stored in the Windows DriverStore folder though, so you may also want to use a tool like DriverStore Explorer (RAPR.exe) to map those arbitrary names to specific devices and the drivers that go with them.
Syntax Details When DISM Exports Drivers
Here’s the syntax for performing this action:
dism /online /export-driver /destination:R:\DriversW10.1511.218
Let me explain a little more about what’s going on when DISM exports drivers, in list form:
- The /online switch tells DISM to work from the windows image that’s currently running
- The /export-driver switch tells it to grab the contents of the DriverStore folder in Windows. Its complete path is C:\Windows\System32\DriverStore.
- The /destination switch tells DISM where to write the drivers it finds in DriverStore. Note that the R: identifies the drive to which I wrote those files for this example on my PC. You’ll need to change it to target your chosen destination instead. Note further that the folder into which the drivers get written — DriversW10.1511.218 identifies Windows 10, Version 1511, Build 218 — must exist for DISM to do its thing. That means you must create it yourself in advance before running this command.
- Don’t forget to launch DISM from an administrative prompt (“Run as administrator”). Otherwise, it won’t work.
- You might also run RAPR to produce a list of all the OEMnn.inf files in DriverStore, and the devices to which they correspond. Take a screenshot to preserve that mapping for later reference. Stick it in the same destination directory for easy access later on.
I got a screencap of this from my production desktop to illustrate the output from running this command:
Apparently, I’ve got 25 drivers on my production PC that come from a source other than Microsoft.
Quick inspection of that output shows why I like to grab and save a RAPR listing of the same stuff (it tells you where to go looking for stuff in Device Manager to figure out which drivers to grab following an upgrade):
The Oemnn.inf names make more sense when you can map them to Driver Provider and Class information.
With the free upgrade deadline for Windows 10 approaching on July 29, more businesses are thinking about migrating to that desktop OS version. But the vast majority of commercial concerns — particularly those with thousands of users and OS licenses — already obtain Windows from Software Assurance or Volume Licensing contracts. They aren’t under the same time pressure to take advantage of “free” upgrades because they pay over the life of their contracts anyway. For such organizations, the real concern is to make sure that key applications and services work properly in Windows 10. They don’t want production desktops and environments to be adversely affected by its rollout and deployment. That’s why initial testing and experimentation in the form of a Windows 10 pilot program can play an important role.
Now’s a Good Time for a Windows 10 Pilot Program
Moving from an old runtime regime to a new one is a demanding task. It takes considerable time and effort, and inevitably ends up costing money. But even for organizations that jumped onto Windows 8 (and market research says there were precious few of them), Window 10 will probably be a necessary migration. That’s because Windows 10 introduces a new model for upgrades and updates, which will keep coming at regular, fairly closely-spaced intervals from now on. That’s in stark contrast to a new major version once every two or three years since Windows NT made the scene in the mid-1990s, now over 20 years ago (Windows NT 4.0 appeared in 1996). Many commercial concerns and large organizations adopted an informal “every-other-release” migration plan in the past because of the time, effort, and expense involved. But it seems that Windows 10 is a matter of “when,” not “if,” for most outfits simply because it’s slated to stick around for a long, long time.
That makes 2016 a great year for organizations that haven’t already started piloting Windows 10 in-house to get going. Organizations can track behind the leading edge of Windows 10, which is simply called the “Current Branch” and represents the most current release of Windows 10 (Version 1511) plus the most current cumulative update and all subsequent interim updates (Build 10586.218 as I write this post). The first milestone after that is called the Current Branch for Business (CBB) which is also based on Version 1511, but which currently rests at Build 10240 at the moment. It’s designed to support staged deployments of new features to match scheduled rollouts typical in most production commercial environment. It tracks about 90-180 days behind the Current Branch, to give organizations time to test and vet upcoming updates, and to plan workarounds for updates that won’t work if put into production. The last stage in the branch structure is the Long Term Servicing Branch, which tracks one year or longer behind the Current Branch, and receives no new features but gets security and other updates necessary for proper operation. It’s aimed at factory floor machinery, POS systems, automated teller machines (ATMs), and other tightly-managed and locked-down systems.
The real bleeding edge is the Insider Preview Branch, which tracks new features as they appear (and which may never go into production).
[Source: TechNet: Windows 10 servicing options]
Despite the appeal of hanging back as far as the Long-Term Servicing Branch, most businesses will be served best by focusing on the Current Branch for Business. Power users and those working on Windows 10 evaluations going forward should stick to the Current Branch for a more forward-looking take on upcoming Windows 10 stuff. But only non-production machines should ever play host to Insider Preview releases.
At the same time, the Windows 10 pilot program can also try out new PCs. This might include some of the latest hybrid 2-in-1 devices (tablet + keyboard such as the Surface Pro 4 or Surface Book) or latest generation laptops (such as the Dell Latitude 13 7000 series). Ditto for desktops (something with a 1151 socket, a Skylake CPU, and an NVMe SSD). This is also a great opportunity to dig into Microsoft’s Azure Active Directory, which provides seamless integration for Office 365 via Azure AD accounts. Interested admins will find lots of cool new features and functions to play with.
The Perpetual Windows 10 Pilot Gets Underway
The most important aspects of any pilot program are to assess the impact of migration on key line-of-business applications and services, and to determine what must change (and what can be maintained) while keeping workers productively and constructively engaged. This also means testing deployment tools, provisioning and rollout tools and methods, and getting everything ready to take into the field. It will actually turn into an ongoing process that happens continuously going forward, because working with Windows 10 means keeping a forward-looking pilot project constantly engaged to track upcoming changes and releases from the Current Branch (or Insider Preview) that will ultimately propagate into the Current Branch for Business.
At the outset of 2015, Microsoft announced it would offer a free upgrade to Windows 10 for devices running Windows 7 and 8.1. (Here’s a Terry Myerson blog post devoted to that topic, dated 1/21/2015.) That update was always planned to last one year from the release date for the new desktop OS. And sure enough, MS has now stated that the free Win10 upgrade ends on July 29, 2016, exactly one year to the day from that initial release date. MS Corporate VP Yusuf Mehdi stated this clearly in his May 5 post to the Windows Experience blog entitled “Windows 10 Now on 300 Million Active Devices — Free Upgrade Offer to End Soon.”
Here’s the relevant language, which appears at the tail end of the afore-cited blog post:
…today, we want to remind you that if you haven’t taken advantage of the free upgrade offer, now is the time. The free upgrade offer to Windows 10 was a first for Microsoft, helping people upgrade faster than ever before. And time is running out. The free upgrade offer will end on July 29 and we want to make sure you don’t miss out. After July 29th, you’ll be able to continue to get Windows 10 on a new device, or purchase a full version of Windows 10 Home for $119.
The actual MSRP for Home is $119.99. For those interested in Windows 10 Pro instead, the “full version” MSRP is $200 in the USA. You can also find OEM versions of that license (good for installation on a single computer, but not transportable from one computer to another like the full version) for $140 or thereabouts. But according to Microsoft, that’s what it will take to jump on the Windows 10 bandwagon after the 7/29 deadline comes and goes.
Here’s the word, straight from MS Corporate VP Yusuf Mehdi.
How to beat the “free Win10 upgrade ends” restriction, if you must
Users running Windows 7 or 8.1 who don’t wish to migrate to Windows 10 before the expiration date hits can trade some time and effort against the future expense of buying a license thereafter. How’s that? Simply by upgrading, making a snapshot, then rolling back to the pre-upgrade machine state. In somewhat more detail, here’s a 10,000-foot overview of that process:
- Start by making an image backup of your current running Windows 7 or 8.1 environment
- Perform the upgrade install from that current environment to Windows 10
- Apply all pending updates to that Windows 10 install, then make another image backup of the new Win10 environment
- Restore the original image backup of your current running Windows 7 or 8.1 environment
You’ll be back where you started, but you’ll be out the time and effort required to make those backups and perform the upgrade. After July 29 comes and goes, you’ll be able to restore the image of the Windows 10 environment you created to exercise your free upgrade offer before the expiration date passed. You’ll also be out the storage space necessary to keep that upgrade image in suspense until you’re ready to wake it back up. If my experience is any guide, this will take 3-4 hours of your time, and somewhere between 20-25 GB of disk space on the low end, and probably no more than 100GB of disk space on the high end (YMMV, though, depending on how much stuff you allow Windows to keep in the Photos, Pictures, and Documents folders in the Windows Library environment). If you need more time, don’t let the free Win10 upgrade ends deadline catch you either napping or unaware!
I was amused to read Mary Jo Foley’s latest report at ZDNet this morning. She relays that Microsoft has dropped the ability for Windows admins to keep blocking Store access in Windows 10 Pro. Their reasoning is apparently two-pronged:
- According to Microsoft, Store access is “required for all versions of Windows 10 except Enterprise and Education ‘by design'”
- Those organizations that really want clamp-down capability on Windows 10 desktops should buy licenses for Enterprise, not Pro
Though KB3135667 looks like troubleshooting advice, it’s really a policy statement (not Group Policy, either).
Why Blocking Store Access for Win10Pro Is Valid No Mo’
The official change is covered in KB Article 3135667. It is entitled “Can’t disable Windows Store in Windows 10 Pro through Group Policy.” In asking MS to confirm this change, MJ Foley asked why blocking Store access in Windows 10 Pro is no longer supported. IMO, that response is a masterwork of doublespeak:
Microsoft is focused on helping enterprises manage their environment while giving people choice in the apps and devices they use to be productive across work and life. Windows 10 Enterprise is our offering that provides IT pros with the most granular control over company devices. Windows 10 Pro offers a subset of those capabilities and is recommended for small and mid-size businesses looking for some management controls, but not the full suite necessary for IT pros at larger enterprises. The ability to block access to the Windows Store is typically for organizations who want more control over corporate-owned devices. This fits into the value of Windows 10 Enterprise.
My translation: to maintain complete control over your Windows deployments, don’t buy the retail-oriented Windows 10 Pro. Instead, you must sign up for a volume license agreement, and jump on the Windows 10 Enterprise bus. Any questions? MJ Foley’s summation of the forces driving this change is also a gem: “Driving visibility and use of Windows Store has been one of Microsoft’s goals with Windows 10.” Given that OS revenues are dropping, and that commissions on Windows Store sales are turning into a cash cow, I guess this makes sense — at least, to Microsoft. I’m wondering if business customers who’ve shied away from volume licensing until now feel the same. Having myself recently been inducted into the Microsoft Volume Licensing Service Center, I think the answer is “probably not!”
[Thanks to Shawn Brink over at the News Forum at TenForums.com for bringing this matter to my attention. Keep up the good work!]