Demystifying Windows as a Service – Wake Up!

Great article on WaaS. It is a changed mindset on how Windows 10 is fed and watered by all users. Yes, Windows 10 needs to be upgraded more frequently, but the total management time is reduced compared to traditional operating systems.

https://blogs.msdn.microsoft.com/daviddasneves/2017/06/18/demystifying-windows-as-a-service-wake-up-please


Microsoft 365 Enterprise Tech Series – Enterprise Deployment & Management Technical Workshop L300


November 30-December 1, 2017 | Auckland, New Zealand

A 2-day Training on the Complete, Intelligent, Secure Solution that Empowers Employees

What is Microsoft 365 Enterprise Tech Series?

Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. The Enterprise Tech Series will help empower your team, safeguard your business, and simplify IT management with a single solution, purpose-built for your business.

What to Expect from Training:

Understand the Microsoft 365 Vision
Dive into Modern IT Deployment
Learn about Traditional IT Transformation
Feel equipped to fully manage Microsoft 365 environments

Windows 10 – Switch from BIOS-to-UEFI Webinar

If you’re planning your Windows 10 migration, the switch from BIOS-to-UEFI is a hugely important piece of the puzzle.

Unless all your Windows machines are configured to UEFI, your organization cannot take advantage of the special Windows 10 security features. Microsoft’s ‘MBR2GPT’ tool still only gets you part of the way there.

This webinar, hosted live from Redmond by Microsoft MVP Jörgen Nilsson and Jim Bezdan, will ensure you know how to complete the BIOS-to-UEFI process fully, securely and automatically.

The full webinar recording can be viewed here: https://www.1e.com/on-demand-webinar/automate-bios-to-uefi-2018-edition/

Microsoft Services Tech Hui

This year the focus topic is Security, which we all know is a major topic and concern for any organisation – yours and your customers! Hence the catchphrase – Security is the New Black! But we will also have a lot of other sessions and opportunities for your team to talk to SMEs in many technologies.

As part of the services we provide to our Premier customers, the New Zealand Services team is excited to announce the return of Premier Tech Hui (previously TechDay).
Agenda

Anatomy of a Cyber-Attack
Come and listen to Insomnia, a specialist security company, as they, and Microsoft’s very own Account Managers, talk about what a security attack can look like, and what you can do about it!

Stream 1: Office 365 Email Security
Just how sure are you that your email is secure? Gain a new understanding of what your exposure may be, and what technology Microsoft has to help you.
Stream 2: Azure Automation
Explore Azure Automation Runbooks and DSC, and configure an Automation Portal with a Workflow Approval process.

Stream 1: EMS (Enable BYOD during your lunch break)
Exploring Mobile Application Management. What is it, and how do I get started?
Stream 2: Azure Scaffolding
Azure Scaffold is a lightweight cloud governance framework for Azure Subscriptions. Watch how ARM Policies, ARM Templates, Visual Studio Team Services and PowerShell can provide security, compliance and cost control without slowing development teams down.

Ask the Experts
Ask our expert speakers all your burning questions!

Stream 1: Windows 10 Deployment
Windows 10 modern management. What is the future of deploying and managing the modern desktop and how does it compare to traditional management?
Stream 2: Digital Transformation
Managing Change in the Digital era – The Microsoft Story.

Stream 1: AI & Machine Learning
Get your head in the AI/ML space, with some awesome overview demos by one of our local PFEs.
Stream 2: Art of Coding a Conversation: Designing Bots
In this session, we will take a deep dive into Microsoft Bot Framework and Cognitive Services and share our experiences from building bots with customers in Aus/NZ.

Stream 1: Azure Stack
Azure Stack is an extension of Azure to your on premises environment. Start your ramp up now with a Microsoft Senior Technical Evangelist!
Stream 2: Mixed Reality
Learn the basics of what Windows Mixed Reality is, and how to get started developing applications with it.

What is it?
A day for Techs, Architects and anyone else within your organisation with an interest in all things IT! Tech Hui is about coming together as a group, sharing information, learnings, and good vibes.

Our Field Engineers and other subject matter experts will be presenting on a variety of topics in their specialist fields, as well as this year’s keynote.

Auckland

8.30am – 5.00pm

Wednesday 1st November

Langham Hotel

 

How to: Enable Windows 10 Biometrics (Facial and Fingerprint) Logon

Enable all of these policies and set the registry key to enable the Windows 10 facial and fingerprint logon feature.

Group Policy settings:

Computer Configuration\Administrative Templates\System\Logon

  • Turn on convenience PIN sign-in (Enabled)

Computer Configuration\Administrative Templates\Biometrics

  • Allow the use of biometrics (Enabled)
  • Allow users to log on using biometrics (Enabled)
  • Allow domain users to log on using biometrics (Enabled)

Computer Configuration\Administrative Templates\Biometrics\Facial Features

  • Use enhanced anti-spoofing when available (Disabled)

Computer Configuration\Administrative Templates\Windows Hello for Business

  • Use a hardware security device (Enabled)
  • Use biometrics (Enabled)

Group Policy Preference settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
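
To confirm on a client that the settings above have applied, the following added example (not part of the original post) reads the registry values those policies write. Only AllowDomainPINLogon appears in the post; the other key and value names are the ones defined in the Biometrics and Passport ADMX templates and are an addition here.

```powershell
# Added example: compare this machine's policy registry values with the
# settings listed in the post. Run in an elevated or standard PowerShell session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft'

# Value names other than AllowDomainPINLogon come from the ADMX templates,
# not from the post.
$expected = @(
    @{ Policy = 'Turn on convenience PIN sign-in';            Key = 'Windows\System';                 Name = 'AllowDomainPINLogon';   Want = 1 }
    @{ Policy = 'Allow the use of biometrics';                Key = 'Biometrics';                     Name = 'Enabled';               Want = 1 }
    @{ Policy = 'Allow users to log on using biometrics';     Key = 'Biometrics\Credential Provider'; Name = 'Enabled';               Want = 1 }
    @{ Policy = 'Allow domain users to log on using biometrics'; Key = 'Biometrics\Credential Provider'; Name = 'Domain Accounts';    Want = 1 }
    # Disabled (0): face logon is not restricted to cameras that support
    # enhanced anti-spoofing.
    @{ Policy = 'Use enhanced anti-spoofing when available';  Key = 'Biometrics\FacialFeatures';      Name = 'EnhancedAntiSpoofing';  Want = 0 }
    @{ Policy = 'Use a hardware security device';             Key = 'PassportForWork';                Name = 'RequireSecurityDevice'; Want = 1 }
    @{ Policy = 'Use biometrics';                             Key = 'PassportForWork\Biometrics';     Name = 'Enabled';               Want = 1 }
)

$report = foreach ($e in $expected) {
    $path   = Join-Path $base $e.Key
    # A missing key or value yields $null rather than an error.
    $actual = (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Policy = $e.Policy
        Want   = $e.Want
        Actual = if ($null -eq $actual) { 'not set' } else { $actual }
        Ok     = ($actual -eq $e.Want)
    }
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'One or more settings differ from the list above; check GPO scope and run gpupdate /force.'
}
```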

 

Inside the Windows 10 Fall Creators Update: The MVP Perspective Q and A

Highlights from the Windows 10 MVP Q&A

Question: How do you propose I should keep 4,500 desktop and laptops across 90+ separate physical schools updated in an 18 month period?
Answer: This is a longer conversation and I would be happy to have it with you offline. The problem breaks down into 4 categories.
1. Hardware being compatible (Analytics Upgrade readiness will help here)
2. Software being tested and compatible (Windows Analytics really helps you focus here). Lots of FUD here that can easily be scoped.
3. Infrastructure – look for software solutions to reduce the number of servers and eliminate the network impact
4. User process – scheduling and control by the end user to ensure your timing is not disruptive (WOL is always a good call for education)


Question: So every Windows 10 upgrade will be a clean install, or does it just retain the state with all settings and applications as in the previous version?
Answer: Upgrade is in place and leaves user state and applications untouched. Upgrades are the recommended path once you are on Windows 10 with UEFI. You will have the ability to back-out and upgrade assuming your space cleanup process has not run yet. There are several triggers for cleanup like running out of space. As for a clean install, you can use Imaging via SCCM to ensure that process is available for break-fix, new hire, replace, or security-based issues. I would be happy to talk more about the 4 major categories of Operating System Deployment (OSD).


Question: When will Windows 10 1703 go Current Branch for Business?
Answer: The term for Current Branch for Business (CBB) has been replaced by Semi-Annual Channel. The process to promote a deployment from Semi-Annual Targeted to Channel is based on you testing targeted in your environment then going broad.


Question: Can Windows S be patched using SCCM? Can we define these folders via GPO? Why not protect them all?
Answer: I believe Windows 10 S Enterprise is to be managed via Intune as S does not allow you to run non Store applications. I have not seen any mention of SCCM/ConfigMgr in regards to Windows 10 S Enterprise.


Question: There are a lot of features not required in Enterprise which is making LTSC more attractive for a stable build to avoid build change cost.
Answer: Long Term Saving Branch is for very specific scenarios. I would not recommend LTSB for any internet connected device as there are too many exploits coming too quickly. LTSB has had issues with RSAT, software compatibility, MDM, Windows Hello, DoD requirements, lack of new hardware support (LTSB only supports silicon from when it was released), etc. That being said, LTSB does have very specific use cases as long as you are aware of all the pitfalls.


Question: Does it reinstall Store Apps?
Answer: During an upgrade, applications would not change. However, new features may be added.

DHCP Policies and Custom Vendor Classes

Many organisations still have legacy BIOS devices that do not support UEFI boot, so set up DHCP to provide either BIOS or UEFI boot files depending on what the device firmware uses.

This is done by using DHCP policies and custom vendor classes for the following DHCP options:

Option 60
Option 66
Option 67

Assume that you have CM configured with a PXE enabled distribution point and a valid and configured DHCP server. You should therefore be at a configured state where you are able to PXE boot BIOS based devices.

Create Custom Vendor Classes for Use with your DHCP Policy

Think of custom vendor classes as detection methods used to determine how devices are requesting a boot image from the DHCP server.

Open the DHCP Console and expand the IPv4 Node
Right-Click on ‘IPv4 Node’ and select ‘Define Vendor Classes’
Click ‘Add’
Create the UEFI 64-Bit vendor class first by entering the following information in the respective fields:
DisplayName: PXEClient (UEFI x64)
Description: PXEClient:Arch:00007
ASCII: PXEClient:Arch:00007
Click ‘OK’
Click ‘Add’
DisplayName: PXEClient (UEFI x86)
Description: PXEClient:Arch:00006
ASCII: PXEClient:Arch:00006
Click ‘OK’
Click ‘Add’
DisplayName: PXEClient (BIOS x86 & x64)
Description: PXEClient:Arch:00000
ASCII: PXEClient:Arch:00000
Click ‘OK’

Creating Custom DHCP Policies

UEFI 64-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with your vendor class naming scheme:
PolicyName: PXEClient (UEFI x64)
Description: Delivers the correct bootfile for (UEFI x64)
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (UEFI x64) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x64\wdsmgfw.efi
Click ‘Next’
On the Summary page click ‘Finish’

BIOS 32-Bit & 64-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with your vendor class naming scheme:
PolicyName: PXEClient (BIOS x86 & x64)
Description: Delivers the correct bootfile for BIOS machines
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (BIOS x86 & x64) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x64\wdsnbp.com
Click ‘Next’
On the Summary page click ‘Finish’

UEFI 32-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with your vendor class naming scheme:
PolicyName: PXEClient (UEFI x86)
Description: Delivers the correct bootfile for (UEFI x86) machines
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (UEFI x86) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x86\wdsmgfw.efi
Click ‘Next’
On the Summary page click ‘Finish’

Remove Default PXE Options

Ensure that you have removed the 067, 066 and 060 options from the default scope options so that the policies take precedence; otherwise you will end up with a conflict.

As long as you have configured everything correctly you should now have the ability to boot machines from BIOS or UEFI.
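
The vendor classes and policies above can also be created with the DhcpServer PowerShell module. This is an added example, not part of the original post; the scope ID 10.0.0.0 and PXE server address 10.0.0.10 are placeholder assumptions, and the last step only reports leftover default 060/066/067 options rather than deleting them.

```powershell
# Added example: scripted equivalent of the DHCP console steps above.
# Assumptions (not from the post): scope 10.0.0.0, PXE server 10.0.0.10.
#Requires -Modules DhcpServer
$ScopeId   = '10.0.0.0'    # placeholder scope ID
$PxeServer = '10.0.0.10'   # placeholder IP of the SCCM or WDS service

# Vendor class name, option 60 match string and boot file, as listed in the post.
$Classes = @(
    @{ Name = 'PXEClient (UEFI x64)';       Arch = 'PXEClient:Arch:00007'; Boot = 'smsboot\x64\wdsmgfw.efi' }
    @{ Name = 'PXEClient (UEFI x86)';       Arch = 'PXEClient:Arch:00006'; Boot = 'smsboot\x86\wdsmgfw.efi' }
    @{ Name = 'PXEClient (BIOS x86 & x64)'; Arch = 'PXEClient:Arch:00000'; Boot = 'smsboot\x64\wdsnbp.com' }
)

# Option 060 has no definition on a Windows DHCP server until one is added.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 60 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -Name 'PXEClient' -OptionId 60 -Type String -Description 'PXE support'
}

foreach ($c in $Classes) {
    if (-not (Get-DhcpServerv4Class -Name $c.Name -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Class -Name $c.Name -Type Vendor -Data $c.Arch -Description $c.Arch
    }
    if (-not (Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $c.Name -ErrorAction SilentlyContinue)) {
        # The trailing * corresponds to the 'Append wildcard(*)' checkbox.
        Add-DhcpServerv4Policy -ScopeId $ScopeId -Name $c.Name -Condition OR `
            -VendorClass EQ, "$($c.Name)*" -Description "Delivers the correct bootfile for $($c.Name)"
    }
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $c.Name -OptionId 60 -Value 'PXEClient'
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $c.Name -OptionId 66 -Value $PxeServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $c.Name -OptionId 67 -Value $c.Boot
}

# 'Remove Default PXE Options': list scope- and server-level 60/66/67 values
# that would conflict with the policies.
$stale = (@(Get-DhcpServerv4OptionValue -ScopeId $ScopeId -ErrorAction SilentlyContinue) +
          @(Get-DhcpServerv4OptionValue -ErrorAction SilentlyContinue)) |
    Where-Object { $_.OptionId -in 60, 66, 67 }
if ($stale) {
    Write-Warning 'Default PXE options still set outside the policies:'
    $stale | Format-Table OptionId, Name, Value -AutoSize
}
```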

Windows AutoPilot Deployment

Microsoft has announced Windows AutoPilot Deployment – a new cloud service that enables IT professionals and partners to customize the Windows 10 out of box setup experience. It uses cloud configuration, delivering a self-service deployment experience with new Windows 10 Pro devices. It is now available through CSP.

https://blogs.windows.com/business/2017/06/29/delivering-modern-promise-windows-10/#7Y0FQE61FUq42yKb.97


Persistent Device Drivers in Reference Image

We needed to keep the Intel USB 3.0 drivers in a Windows 7 reference image.

  1. Import the drivers into MDT and create a selection profile.
  2. Edit the TS and update the Injected Drivers step to point to the selection profile.
  3. Open and edit Unattend.xml. Add the component called Microsoft-Windows-PnpSysprep to Step 3 Generalize.
  4. Edit the PersistAllDeviceInstalls option to be true.
  5. Save the Unattend.xml file and close.

More information here: http://technet.microsoft.com/en-us/library/ff716298.aspx

Group Policy Setting – Delete user profiles older than a specified number of days on system restart

A great user policy that purges old user profiles from devices on reboot. Stagger the setting at 180 days in week one, then 90 in week two and finally 30 days in the third week.

This setting can be found under Computer Configuration \ Policies \ Administrative Templates \ System \ User Profiles