Windows 10 Gives IT Pros New 'Modern Management' Tools
In a recent Web presentation, Microsoft officials detailed the new "modern management" capabilities in Windows 10 version 1803, also known as the April 2018 Update.
Presiding over the talk (now available on demand here) was Nathan Mercer, senior product manager of Windows Commercial, and Pieter Wigleven, a senior product manager at Microsoft. They started by describing the rise of so-called "modern IT" in contrast to the old "firefighting" IT approach.
"In organizations, they are striving for this thing called 'modern IT' and it consists of several components," Wigleven said. "What we see typically is multiple devices. It's not just one device or one operating system -- it's all over the place. We see a mix of applications that are user or business owned. We see a variety of different application types as well, and then an increasing amount of automation."
The old firefighting IT model is reactive, instead of being proactive like the modern IT approach, Wigleven contended, but that traditional approach is still being practiced.
"We're still living in this world of classical and traditional IT," Wigleven said. "We still have a lot of people using images, for example. We hear the stories over and over where IT is doing nothing but maintaining images is the reality of today. So we're on this journey to getting to a world of modern IT."
Maintaining images is a waste of time, he suggested. Organizations can simplify instead, and doing so also improves security. In addition, he contended, the more frequent Windows 10 feature update releases (arriving twice per year) improve security over Microsoft's older model, which delivered a new operating system only every three to five years.
"People are really understanding what it means by doing a feature update to increase your security, rather than just doing a quality update," Mercer said.
At one point during the talk, Wigleven described some of the feedback he typically gets from customers about Microsoft's Windows-as-a-Service approach with Windows 10, in which major feature updates get delivered twice per year, along with monthly updates.
"Typically when I have customer conversations, they bring up two things," he said. "One is the size of the feature updates -- you know, four gigs per client every six months. It's simply gotten scaled. A lot of the network lines out there are just not capable of handling that. So that's the main issue I'm hearing. The second is the time it takes to install a feature update. Depending on your hardware, it could take anything between fifty minutes to a few hours if you have a really slow hard drive or low-memory PCs. So those things are high on our radar and we are spending a lot of engineering resources to improve this."
Organizations using Windows Update are already getting so-called "Express Feature Updates," which reduce the update sizes to 1GB to 2GB per client, he said. Microsoft also has a "Unified Update Platform" for users of System Center Configuration Manager or Windows Server Update Services management systems. It will "just pull the bits that are required to update to the latest feature update and hopefully will improve the distribution or the load we take on the network," Wigleven explained.
Mercer said that the feature installation time is "a lot faster now" compared with how it worked about two or three years ago. With the April 2018 Update, Microsoft moved things that used to happen offline into the online mode, he explained. Wigleven commented that "I think we can expect dramatic improvements in the fall."
These faster updates using the online process were described for Windows 10 version 1803 in an earlier announcement by John Cable, director of program management for Windows servicing and delivery.
One common objection not dealt with during the talk was quality assurance (QA) for Microsoft's more frequent updates with Windows 10. Organizations want to avoid updates that cause problems, and they typically have difficulty in tracking Microsoft's many monthly updates and understanding exactly what they do, and even have difficulties delaying them. However, according to a response during the Windows 10 Ask Microsoft Anything session, Microsoft's QA program is the Windows Insider Program plus its internal software use (known as "dogfooding") of the Windows 10 releases, which should be good enough for organizations.
"What more QA do you want?" commented Dan Stout, a Microsoft Tech Community contributor, during the AMA session.
DISM and Other Updates
Microsoft has a new version of the Deployment Image Servicing and Management (DISM) command-line tool for managing feature updates.
The new tool will let IT pros "configure the amount of time that the OS can be installed," Mercer said. "If you need to roll back after a particular amount of time, you can set that up beforehand," he added.
In the early days of Windows 10, Microsoft set the rollback recovery period to 30 days; once it expired, the previous installation was cleaned up and going back required a wipe-and-reinstall. According to this Microsoft support document, organizations and individuals now get just 10 days by default in which to roll back the OS.
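As an added example, not code from the webcast or from Microsoft, the following PowerShell reads and extends that rollback window with the DISM operating-system-uninstall switches that shipped with version 1803. The 30-day target is this example's choice (DISM accepts 2 to 60 days), the regex used to parse DISM's output is an assumption about its wording, and the commands must run from an elevated prompt before the current window lapses, because once it does the previous installation is gone and there is nothing left to extend.

```powershell
# Added example: manage the feature-update rollback window with DISM.
# Requires an elevated session on a machine whose previous installation
# (Windows.old) is still present. The 30-day value is this example's choice.

$DesiredDays = 30

$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated PowerShell session." }

function Get-RollbackWindowDays {
    $text = (& dism.exe /Online /Get-OSUninstallWindow | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "Get-OSUninstallWindow failed:`n$text" }
    # Assumption: DISM reports the value on a line such as "Uninstall Window : 10".
    if ($text -match 'Uninstall Window\s*:\s*(\d+)') { return [int]$Matches[1] }
    throw "Could not parse the rollback window from DISM output:`n$text"
}

function Set-RollbackWindowDays {
    param([ValidateRange(2, 60)][int]$Days)   # DISM's documented range
    & dism.exe /Online /Set-OSUninstallWindow /Value:$Days | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Set-OSUninstallWindow failed (exit $LASTEXITCODE)" }
}

$before = Get-RollbackWindowDays
Write-Host "Rollback window is currently $before day(s)"

if ($before -lt $DesiredDays) {
    Set-RollbackWindowDays -Days $DesiredDays
    Write-Host "Rollback window is now $(Get-RollbackWindowDays) day(s)"
}

# To actually return to the previous build (this reboots the machine):
#   dism.exe /Online /Initiate-OSUninstall
# To give up the rollback option early and reclaim the disk space:
#   dism.exe /Online /Remove-OSUninstall
```

Run it as part of the post-upgrade task sequence rather than by hand: the default window starts counting at the moment the upgrade completes, so a pilot ring that reports a regression on day 12 has already lost the cheap way back unless the window was raised on day 1.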
Windows Update for Business now permits users to pause updates and roll back or uninstall problematic updates if they are using Microsoft Intune, Mercer said.
He also described some scripting options during Windows 10 setup.
"Windows setup itself is a new .INI text file that you can put into your Windows 10 image that allows you to run custom scripting actions, and those actions also get rolled forward into the new feature updates, so you only have to add them once," Mercer said. "And we also had some new command lines for BitLocker that you can use to control what happens to BitLocker during a feature update as well."
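The INI file Mercer describes is SetupConfig.ini, which Windows Setup reads from the default user profile's WSUS folder when a feature update is driven by Windows Update or WSUS. As an added illustration that is not from the webcast or from Microsoft, the PowerShell below stages one using the documented /BitLocker, /PostOOBE, /PostRollback and /PostRollbackContext switches in their Key=Value form, checks that BitLocker is actually protecting the system drive (otherwise the BitLocker line changes nothing), and writes the two hypothetical Contoso scripts the file points at. Verify the option names against the Windows Setup command-line reference for the build you deploy.

```powershell
# Added example: stage a SetupConfig.ini so Windows Update-driven feature
# updates keep BitLocker active where possible and run IT-owned scripts
# after a successful upgrade and after a rollback.
# The INI path is the one Windows Setup reads; everything under
# C:\ProgramData\Contoso is hypothetical and specific to this example.

$IniDir    = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS'
$IniPath   = Join-Path $IniDir 'SetupConfig.ini'
$ScriptDir = 'C:\ProgramData\Contoso\SetupScripts'   # hypothetical
$LogFile   = 'C:\ProgramData\Contoso\upgrade.log'    # hypothetical

New-Item -ItemType Directory -Force -Path $IniDir, $ScriptDir | Out-Null

# Check: BitLocker=TryKeepActive only matters if the OS volume is encrypted.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($bl.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is $($bl.ProtectionStatus) on $env:SystemDrive; the BitLocker= line will have no effect."
}

# Hypothetical post-upgrade script; Setup runs it as SYSTEM, so keep it idempotent.
@"
@echo off
for /f "tokens=3" %%b in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild') do set BUILD=%%b
echo %DATE% %TIME% feature update completed, build %BUILD% >> $LogFile
"@ | Set-Content -Path (Join-Path $ScriptDir 'setupcomplete.cmd') -Encoding Ascii

# Hypothetical post-rollback script: record that the device went back.
@"
@echo off
echo %DATE% %TIME% feature update rolled back >> $LogFile
"@ | Set-Content -Path (Join-Path $ScriptDir 'setuprollback.cmd') -Encoding Ascii

# Each Setup command-line switch becomes a Key=Value line under [SetupConfig].
$ini = @"
[SetupConfig]
BitLocker=TryKeepActive
PostOOBE=$ScriptDir
PostRollback=$ScriptDir
PostRollbackContext=system
"@

Set-Content -Path $IniPath -Value $ini -Encoding Ascii

Write-Host "Staged $IniPath with contents:"
Get-Content -Path $IniPath
```

The file only influences upgrades that Setup runs on behalf of Windows Update or WSUS; for media-based or Configuration Manager task-sequence upgrades, pass the same switches to setup.exe directly. TryKeepActive leaves BitLocker enabled through the upgrade when the hardware allows it, which is the setting to prefer over the default suspend behaviour on devices that may be unattended for hours while the update installs.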
Another modern management prong concerns shared devices. Wigleven described a few improvements in that respect brought by the Windows 10 April 2018 Update.
"With the April update, you will be able to deploy and configure those shared devices using a mobile device management solution like Microsoft Intune, or you can use a configuration package," Wigleven said. "Another improvement and also based on feedback is the fact that you can now deploy against group memberships and not just user accounts."
Another April 2018 Update addition to Windows 10 is the ability to reset a device that's managed using Azure Active Directory without losing control over it, which was previously a problem.
"Right now, you can reset the device and it will maintain the enrollment in Azure AD and the management of Intune," Wigleven said.
Wigleven touted the benefits of using the Windows Hello biometric user authentication feature with Windows 10 for shared devices. The April 2018 Update also brings preview support for the Fast IDentity Online 2.0 (FIDO2) Web authentication standard, which lets users authenticate with an external security key (called a "portable Trusted Platform Module" by Mercer).
"Users will be able to log on to any shared device that's joined to the same Azure AD tenant," Wigleven said. "So you don't have to use a password. You don't have to preregister or pre-enroll with Windows Hello. You have an external security key -- could be an external smart card, could be a USB key. You walk up to a device, you plug in a key, you perform a certain action and you are authenticated, which is great for shared devices as well."
Wigleven defined Windows AutoPilot, which lets original equipment manufacturers ship PCs directly to end users for self-provisioning, as "a collection of technologies to set up and preconfigure new devices and get them ready for productive use." It's a better way of provisioning new devices than spending six months to create and maintain an image, he suggested.
"The whole concept here is that I can order a PC directly from the OEM and it gets shipped to my end users and I don't need to reimage it," Mercer said. "The PC basically builds itself from the cloud."
Mercer added that Windows AutoPilot now has a new enrollment status screen that will allow IT pros to make sure that all of their policies are followed. "So that's a great new feature that makes sure the user is going to be able to use the device the way the IT professional wants it to be configured," he said.
Current Windows AutoPilot OEM participants include Dell, Lenovo and Microsoft. Mercer said that HP, Toshiba, Panasonic and Fujitsu "are coming soon."
Microsoft is working toward an easier transition to cloud-based management by exposing some on-premises management options in the cloud, according to Mercer. He said that there are "152 new Mobile Device Management CSPs, or Configuration Service Providers." One of them, he added, lets MDM settings win over conflicting Group Policy settings (the MDMWinsOverGP policy in the Policy CSP, rendered in the webcast as "MDM Windows Over DB").
"There's also work to enable hybrid AD join as well in conjunction with Configuration Manager co-management, so you can start to move some of your device management from on-prem into the cloud," Mercer said.
"We'll also have a bunch of things that are going to make it easier for Windows to keep itself up to date from the cloud or on premises," he added.
The rest of the talk focused on Microsoft's many security solutions that can be used with Windows 10, although they typically are an added cost to use. Mentioned was Windows Defender Exploit Guard, a host intrusion prevention capability within Windows 10.
Windows Defender System Guard offers runtime and firmware protection. There's also Cloud Credential Guard, which protects cloud credentials. Windows Defender Security Center now has added support for modern authentication. Windows Defender Application Guard in Microsoft Edge has been improved and is available in Windows 10 Pro.
There was some bragging that Windows Defender anti-virus, which is included in Windows 10 at no extra cost, has achieved a 100 percent malware protection score, as reflected in the December AV-Test results, for instance. Microsoft has also built the technology from its Hexadite acquisition into Windows Defender Advanced Threat Protection (the paid service, not the bundled anti-virus engine), where it can automatically remediate detected security problems or, alternatively, alert a person to take action.
Don't Call It 'Telemetry'
Microsoft has had lots of conversations with organizations about Windows 10 privacy concerns because of the information that Microsoft collects, which is known as "telemetry." Microsoft wants to move away from that term and call it "diagnostic data," Mercer and Wigleven explained.
It's possible to go to "Settings" and "Privacy" in Windows 10, where all local diagnostic data can be deleted. When that's done, the system will reach out to Microsoft to delete all of the data in Microsoft's cloud, too.
Another tool that can be used is the Diagnostic Data Viewer, an application that can be downloaded from the Windows Store. This app will show real-time insights on all of the telemetry or diagnostic data shared with Microsoft, and it aligns with Microsoft's public documentation. It also integrates with a Feedback Hub so that users can tell Microsoft if something was collected that shouldn't have been collected.
The telemetry issue came up in this Windows 10 AMA discussion segment, where it was noted that the telemetry information disclosed by Microsoft is not comprehensible to the general public, even if Windows developers can make sense of it. In response, Wigleven offered no assurance that it would be made comprehensible, saying instead that users want the raw telemetry information.