SCCM and updates to Desktop Deployment | Best of Microsoft Ignite 2018


(upbeat music)
– Hello, and welcome to Microsoft Mechanics Live! Coming up, we're gonna go through your options for Windows deployment; my favorite topic, personally. If you haven't migrated your desktop in a while, we're gonna walk you through how to shift to the modern desktop with Microsoft 365, with a focus on your deployment options. And we're gonna talk about things like what you can do with your existing processes and tools, and harness the Cloud with System Center Configuration Manager; using co-management with Intune, and also next-generation provisioning approaches, with updates, using not only ConfigMgr, but also Windows Autopilot, and how those approaches help you stay current and up to date with Windows and Office as a service, as well as new updates there as well. So today I'm joined by Rob York, from the System Center Configuration Manager team. Welcome.
– Thanks Jeremy.
– Give him a big hand.
(audience applause)
– Hi, everyone.
– Alright, so today we're talking about Operating System Deployment. You're the guy to talk to, I've heard, on all of this. So a lot of people maybe haven't touched OS Deployment in a while. Their last major deployment might have been Windows 7. What are some of the new options in terms of OS deployment these days?
– Well, we're reinventing the wheel, the MDT wheel that is, to help walk through the main tasks of a desktop deployment. For a lot of people this will be their existing processes incorporated into the wheel, but also some new tools and guidance to help them make it easier to shift. And as you follow the steps, once you've inventoried your device and app readiness, and you've prepped your infrastructure, and you've packaged your apps and you've figured out what you need to do, then you're ready to look at your User State, and then you're ready to start deploying your new version of Windows. We have options that span your existing tools and processes, but the old adage of "If you want to go fast with Windows, you've gotta go fast with ConfigMgr," that remains true today. You've got to be on Current Branch, and really you need to be on the latest version of Current Branch in order to benefit from the changes that we're shipping.
– And it's also important for your Windows 7 to Windows 10 migrations, so there's a lot of new options there as well, right?
– Yeah, absolutely. Likewise, you can attach ConfigMgr to Azure and benefit from the Cloud to augment your existing on-prem capabilities with all of the security and value that the Cloud can bring.
– All right, so how should people then be thinking about their desktop deployments?
– Any Windows environment is gonna have machines that fall into three categories; the same categories that they've always really fallen into. You have PC Refresh, and here the user typically keeps the same machine and you either wipe or you upgrade the machine, but they keep their data and their applications in that case. We also have New PC, slightly more straightforward. It's a brand new PC. There's often less to worry about, especially for new users coming into the organization; there's no data to move in that instance. And then finally, PC Replacement. You're either reassigning existing hardware to a new user or you're giving an existing user a new PC, maybe because it was lost or stolen, so again, data may not be a consideration in that case.
– And so today we are gonna cover all three of those scenarios: PC Refresh, New PC, and PC Replacement, but these are all really common to really any environment. What's new across these options, and why don't we start with PC Refresh. What's new there?
– So currently if you're using ConfigMgr, you're probably using a task sequence, and hopefully an in-place upgrade task sequence that preserves user files and settings. Of course we have tasks that are built in to capture and restore User State, but increasingly we're seeing users opt for that in-place upgrade, especially in the Windows 10 to Windows 10 scenario; that's really being made seamless by the Windows guys.
– Right, so here you've got a task sequence open. Looks like you're ready to edit and show something here.
– Absolutely. So we've added a task sequence template into ConfigMgr based on feedback from our MVPs, the Microsoft field, and customers that are deploying at scale, to look at what they're doing to make the in-place upgrades work for them, and we've built out this template that any IT admin can go and flesh out and provide feedback.
– This is kind of important because we're gonna do some things like pre-flight checks, we're gonna do some post-upgrade tasks as well. These are all really common things if you wanna print out or do ten thousand or a hundred thousand deployments; this is probably what you are gonna do for the upgrades, whether you're going from 7 to 10 or 10 to 10.
– [Rob] Absolutely. So here you talked about the prepare for upgrade, the pre-flight checks, so we have the check ready for this upgrade, but here I've added a compatibility scan. So we've added the capability to not need to download the package payload to do the compatibility scan. We can do that by connecting to the content on a share. We then move into the next phases of the prepare-for-upgrade, and I know that my application, my Contoso line of business application, that's not gonna work on my new version of Windows, so we go ahead and uninstall that. Once we've passed all of those pre-flight checks, we go and do the upgrade, the fairly straightforward bit, and then we have our post-processing. So we can do some specific config for our new version of Windows. We can even then reinstall the new, shiny version of the application that we just installed, that we do know works on the new version of Windows, and then we can also install Office 365.
– And some of the cool things here, some of the things to really note, first off, pre-flight wise, things to pay attention to: hard disk encryption. Is your hard disk encryption gonna work? Can you pause it, I guess, coming from say a Windows 7 machine that's got third-party disk encryption, and what's it gonna look like when you come out of that in Windows 10? Are there apps that you have to replace, then, as part of the task sequence? How does that work? And then finally, if you've got things like VPN or AV software, what do those look like on the Windows 7 side into the Windows 10 side, and sometimes even the 10 to 10 side, depending on the vendors of the VPN or the AV products. And then one of the cool things I think with upgrade that wasn't really possible in the past, because you would've normally paved the drive or replaced a lot of files, is that you can actually roll back,
– Absolutely.
– and upgrade.
– So that's where we are now. If the worst happens, we have the ability to intelligently realize in the task sequence and pick up on that failure. So first of all, we can go ahead and reinstall that previous version of the Contoso line of business app so that the user gets the application back that we removed, but then also to help you with your troubleshooting. So we're gonna go and collect the logs. I've added some steps to specify the username and password that is specific to my environment. Capture the logs, store them off to a server share in a particular location, and then finally we can run SetupDiag. We've worked with the SetupDiag team to make sure that that runs natively and works and is supported within the task sequence, again, to simplify your troubleshooting when the worst happens.
– And one thing I want to point out here as well, that we're gonna see in a bit, is the Office Customization Tool now has an option that lets you basically remove the MSI versions of Office. So, let's say you've got a Windows 7 machine with Office 2010 installed; if you use the remove MSI versions of Office as the default setting, literally in the OCT that we'll see in a minute, that's actually gonna remove, it's gonna run effectively what you may have run in the past with things like OffScrub, then install the Click-to-Run build of Office, so then you're up and running with the new version of Windows, with the newest version of Office, and ready to go.
– Absolutely, and that runs as part of my post-customization. So Office 365 is installed, and the settings specified in the Office Customization Tool mean that we'll go and remove Office 2010, if it's there.
– So what kind of upgrade packages do we then use when we're gonna actually do an upgrade? Because it is different than an install .wim or something you might have customized. How does that work?
– [Rob] Absolutely. So in the upgrade operating system step, we're actually using what we call an Operating System Upgrade Package. If people are familiar with 2007, it's the same as what we used to call Operating System Install Packages. It's an extract of the ISO, so it contains all the source media for the new version of Windows. We support you injecting updates and customizing the .wim file via DISM, but it's not supported to make customizations that require you to recapture the image. So don't think that you can layer in applications as part of that in-place upgrade.
– Alright, so you've seen the whole process, we've talked about the package type for the upgrade. Now we're ready to actually move on to the next step, and we've seen that, the logs as well. So the other things that you can do after the ConfigMgr part's over: you can use it for a normal replacement task sequence as well, and that's just what you would normally do, not using the upgrade task sequence, if you do wanna replace what was on the drive. And the nice thing with the templates, in this case, because it is a template, some of these folders might be empty to start with, but at least we're giving a nice, kind of, trail of clues, effectively, as to what you would put in there, and suggestions as to what you'd put in those templates. And these are all things that we've heard from UserVoice, from the ConfigMgr sites, so thank you if you're part of UserVoice and giving us that feedback, because a lot of the stuff Rob, Aaron from the team have actually built into the product. So what are some of the other updates that we can do from a ConfigMgr aspect to help with PC Refresh?
– Network optimizations are a big one that improve OSD and all the other features. ConfigMgr peer cache: we've added native peer-to-peer capabilities so that you can share content between clients on the same subnet in a branch office location, and to serve that content to one another without the need for a local distribution point. This also works within Windows PE, so once the first client in the subnet's got the content, it will then become the peer of the clients that are being built alongside it. And then, recently, we've added support for Windows Server 2016 LEDBAT, and if you've not looked into LEDBAT, this is a true network optimization that uses the most of the available bandwidth without impacting foreground traffic and affecting your user and their line of business activities.
– So the nice thing here, as well, is basically what's happening with LEDBAT, it's one of my favorite things. It's actually yielding to all foreground traffic; it's letting, basically, ConfigMgr use the background traffic, as much of the network bandwidth as possible, not quite 100% but almost there, and then basically it will yield to any foreground tasks. It's even really easy to actually get that configured in Configuration Manager. It's just part of the General tab, if you're using a new build of Current Branch; part of the reason why you're gonna wanna go to Current Branch builds of Configuration Manager. But, I know there are other options in terms of connecting SCCM, or ConfigMgr, to Azure services. So what are some of the options there?
– Absolutely. We want to allow customers to bring the value of the Cloud to their existing on-prem SCCM environment, and traditionally ConfigMgr was limited to the local network, maybe to the VPN, to give you management of your clients as they are on the internet, but now, with Azure Cloud services and SCCM, you can manage those clients wherever they are in the world. As long as they have an internet connection, we're able to manage them through Cloud Management Gateway and Cloud Distribution Point. One of the big changes that Cloud Distribution Point represents for customers is a move from a fixed-price model of buying a server and putting it on a network location to having this pay-as-you-go Cloud service where you're paying for the content that you're delivering to your clients. But with the customers that I've spoken to, the risk of sticker shock hasn't translated to actual sticker shock. Really it's the fear of the unknown. So look at the pricing for Azure and you'll see that data is very, very cheap, and actually it works out very cost efficient for customers to manage those internet-facing clients.
– And the nice thing is here, as you can see here with the Cloud Management Gateway, basically, you can use this to actually configure the Cloud DP as well in one module here that we see. If you've got the CMG running, that's gonna proxy into your on-premises policies, and Cloud DP obviously lets you use, basically, Azure as a distribution point to be able to deliver packages to any client, however they're connected to the Internet, effectively.
– Absolutely. In 1806, we've merged the two roles, so you can have a Cloud Management Gateway and a Cloud Distribution Point in the same Azure role. It reduces the complexity, it reduces the number of certificates that you need. Just makes it easier for you to deploy one thing, have internet-based client management, and the other cool thing is that the content is coming from Azure blob storage. So it makes the Cloud DP very, very scalable. It's not being delivered via the VM that sits at the front of the Cloud Management Gateway. The clients are being redirected to Azure blob storage. It's really, really fast and really, really efficient.
– And remember, most of these updates, you're gonna need ConfigMgr Current Branch. Is everybody in here on Current Branch right now? Pretty much? So if you're not on Current Branch, this is where some of this new stuff lights up. Stuff like LEDBAT, the updates to Cloud Management Gateway and those configurations. So, let's move on, though, to another common Windows deployment scenario. We've just talked about PC Refresh. That's gonna be it for a lot of people, maybe 80% of their estate as they move to Windows 10. What about New PC? This is usually when you purchase a new PC; the user might not have User State or might not wanna keep or retain that User State. What do we do there in terms of New PC scenarios?
– So customers can continue to use SCCM, and operating system deployment, as they've been used to for probably the past decade. That's not going anywhere. But what this often has meant is that IT admins are spending a lot of time, money, and expense creating, maintaining and just generally looking after the images that they need to roll out into their environment. So, we developed Windows Autopilot to help you get out of that business of developing and maintaining your images, and this allows you to work with your OEMs to ship the device directly to the user, with that signature image, so that they can have a device provisioned straight into a secure and productive state without the need to go through that time and expense of creating, shipping, and maintaining those images.
– Right, and the nice thing is, you also get Azure AD Join as part of this. So the great thing is, once these PCs are in, then basically as they're kinda reassigned to other people, they will have the benefit of basically having a build that's going to be compliant to your policies. The Autopilot service will then see them, configure them, and make them business ready as it would normally do as part of the New PC scenario, even as you reassign those to other users. So, now I wanna show you how this is all set up actually on the Intune side. So here in my PC, I've got the device management portal open. By the way, if you're not using the device management portal, it's devicemanagement.azure.portal.com–portal.azure.com, sorry, device.management.portal.azure.com. So this will actually give you all of the device management and kind of the client OS and Ops management setup tasks up there in the left-hand column. The nice thing is, so let's go through Autopilot. It's part of the Windows enrollment process, and here you can see we've got Windows enrollment selected. I'm just gonna click into deployment profile and show you how the process works in general, as to how we would basically create an Autopilot profile. Here, I've got one already created, but just to show you some of the properties and settings that we have here. What I wanna be able to do in the Autopilot case is really streamline the user experience. So this basically says I'm gonna hide, in this case, the EULA so that the users don't see the end-user licensing agreement. I can hide the privacy settings, I can make sure that I can get rid of any of the account options. In this case, maybe we wanna go to standard users for every user that actually gets an Autopilot-provisioned PC. And the nice thing is, usually on a Windows machine, as you guys probably all know, the first user who initiates the install's gonna be a local Admin on that box. Now with Autopilot we have the ability to make sure that that first user is a standard user. So once they connect to the internet, once we see that that device has been basically attached to our tenant, our Azure AD tenant, then we'll say okay, let's customize the install process, let's customize OOBE, and now it's gonna apply all these settings to that machine. The user goes through a customized experience, Intune sees it, enrolls the device, does all the rest of the policy management, the app provisioning, all of those things until it's business ready. So, the other cool thing with this is we've got a lot of great partners on board. Right now we've got Surface on board doing this right now from Microsoft, as well as Lenovo and Dell, that are ready, with more coming. So the second step is part of the deployment profile. We just announced there's a way to do dynamic device assignment as well with this. So let's say, for example, you have an order ID; you might be a big company that's got lots of different departments ordering hardware, and you want the finance team to be part of a certain group of machines, you can have them get a certain set of images that are different than maybe the engineering team or human resources team. So there's a lot of great capabilities there; a lot of great ways to kind of customize that experience.
– There's also a really great immediate value you can get from enabling co-management in ConfigMgr, because in a co-managed state the device is enrolled into Intune. You can use Intune to automatically apply an Autopilot profile to your existing non-Autopiloted devices. Intune can automatically register them with Autopilot, so if that device does need to get re-provisioned, or it gets reset for whatever reason, the user presses it and they don't realize what they're doing, it's gonna take them through the Autopilot experience. So it gives you a great way of mirroring the experience that you've deployed for your new devices, in Autopilot, for your existing devices that have been around for six months, 12 months, however long they've been around. So it's really great immediate value you can get from co-management.
– Let's show what that looks like here. So, here, we have a way to actually use ConfigMgr in the task sequence to do something called Autopilot for existing devices. The nice thing is we can actually have ConfigMgr run the entire task sequence. It's effectively, as I was mentioning, dropping in a small JSON file here that does all the things it needs to get the Autopilot bits and configuration on that machine. That will then enroll it, it will again make it attached to Azure Active Directory. And then, again, upon reassignment, just like in Autopilot if you buy a new PC, even though this is an existing PC in your environment, it's gonna have a consistent user experience, and then it's gonna be able to be reassigned to subsequent users and be enrolled and known to your organization effectively after that. So, pretty cool stuff there as well.
– And for those of you that want to have a co-managed state at the end of that, you can have Intune push the ConfigMgr agent over the Cloud Management Gateway that I was talking about before, and that will result in an Autopilot through to the co-managed scenario.
– All right, so let's take this one step further though. Now, we've talked about all the things that you would do for a New PC. Oh sorry, PC Replacement is one of those things where it's like a New PC effectively, but you've got user state that you wanna move, maybe, from the old PC into the new PC. How does that work and what are the options there?
– So traditionally, customers have used USMT to manage their User State of applications and data. Now one thing that you can consider, and attach to the Cloud, is use OneDrive, and specifically OneDrive Known Folder Move, and you can push a group policy to your devices that allows you to sync the data into OneDrive for Business, which means that the data is already in the Cloud for the user, so that when they get the new PC the data comes down and you don't have to think about data migration as specific stages of the deployment; that data's just in the Cloud, ready for them to consume.
– And as everybody can see here, it's capturing the Desktop folder, the Pictures folder, and the Documents folder. It's not migrating the rest of the User State that USMT would have migrated in terms of application and Windows settings, but it's really getting the data that, hopefully, people want to take from their old PC into new PCs. The nice thing is you can do this earlier than your deployment, before you start pushing down Windows images, making sure that everything has had time to migrate, then you can start rolling out upgrades. The other side benefit here is the files are synced to OneDrive, they're protected, and you can always do things like file restore, for example, if you need to, or get to them from other devices like mobile, whether it's iOS, or Android, or another Windows device, in a secure way. Now, there's something else I think that's one of the biggest updates that we've had; it's around the servicing. So we've talked about now all the three different update or upgrade types and the OS deployment types: Refresh, New PC and Replacement. Let's talk about the servicing options that we've got as well with Windows 10. Can you explain, kind of, what's up there? What's new?
– [Rob] As you've probably seen, we recently announced that all feature updates of Windows 10 Enterprise and Education, that's the crucial bit, starting with version 1607, will now be supported for 30 months from their original release date. And going forward, all future feature updates starting with 1809, and targeting a September release, will also be supported for 30 months from their release date. Future feature updates that start with 1903, targeting a March release, will continue to be supported for 18 months. That's that split mechanism of 18 and 30, depending on when they're released.
– And that's also the same with Office 365 ProPlus. So lots of really good updates here in terms of the feature updates and the model there, in terms of having more months of support per build; you can now skip a year, sometimes two years, between major OS releases. So we've covered all the different deployment options today. Thank you, thank you for joining us. Hopefully this is enlightening for a lot of people that are looking at their migration. Of course you can catch more on the Desktop Deployment Center, something that's brand new, where you can learn about all the steps that we talked about today. We just released this onto GitHub and onto docs.microsoft.com. One other thing I wanna talk about is the brand new Desktop Deployment Essentials series that we also launched, with Brad Anderson and me presenting all the steps that you just saw on the Desktop Deployment Wheel. So all these things are available now that you can start looking at; you can start reading and doing all the research for your deployment. Hopefully, this will help you in terms of your journey to get to Windows 10 and staying current in Office 365 ProPlus. And these are all things that we've built for you, for the IT admins out there that are getting modernized on the desktop infrastructure. So hopefully this helps you out in terms of your journey into Windows 10 and Office 365 ProPlus. That's all the time we have for today's Mechanics show. Thank you Rob for joining us today.
– Thank you for having me.
– We'll see you next time.
– Thanks everyone.
(audience applause)
(music with heavy beat)


About the Author: Oren Garnes
