Demystifying Windows as a Service – Wake Up!

Great article on WaaS. It is a changed mindset on how Windows 10 is feed and water by all users. Yes, Windows 10 needs to be upgraded more frequently, but the total management time is reduced compared to the traditional operating systems.


Microsoft 365 Enterprise Tech Series – Enterprise Deployment & Management Technical Workshop L300

Microsoft 365 Enterprise Tech Series – Enterprise Deployment & Management Technical Workshop L300

November 30-December 1, 2017 | Auckland, New Zealand

A 2-day Training on the Complete, Intelligent, Secure Solution that Empowers Employees

What is Microsoft 365 Enterprise Tech Series?

Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. The Enterprise Tech Series will help empower your team, safeguard your business, and simplify IT management with a single solution, purpose-built for your business

What to Expect from Training:

Understand the Microsoft 365 Vision
Dive into Modern IT Deployment
Learn about Traditional IT Transformation
Feel equipped to fully manage Microsoft 365 environments

How to: Enable Windows 10 Biometrics (Facial and Fingerprint) Logon

Enable all of these policies and set the registry key to enable the Windows 10 facial and fingerprint logon feature.

Group Policy settings:

Computer Configuration\Administrative Templates\System\Logon

  • Turn on convenience PIN sign-in (Enabled)

Computer Configuration\Administrative Templates\Biometrics

  • Allow the use of biometrics (Enabled)
  • Allow users to log on using biometrics (Enabled)
  • Allow domain users to log on using biometrics (Enabled)

Computer Configuration\Administrative Templates\Biometrics\Facial Features

  • Use enhanced anti-spoofing when available (Disabled)

Computer Configuration\Administrative Templates\Windows Hello for Business

  • Use a hardware security device (Enable)
  • Use biometrics (Enabled)

Group Policy Preference settings:



Inside the Windows 10 Fall Creators Update: The MVP Perspective Q and A

Highlights from the Windows 10 MVP Q&A

Question: How do you propose I should keep 4,500 desktop and laptops across 90+ separate physical schools updated in an 18 month period?
Answer: This is a longer conversation and I would be happy to have it with you offline. The problem breaks down into 4 categories.
1.Hardware being compatible (Analytics Upgrade readiness will help here)
2.Software being tested and compatible (Windows Analytics really helps you focus here). Lots of FUD here that can easily be scoped.
3.Infrastructure – look for software solutions to reduce the number of servers and eliminate the network impact
4.User process – scheduling and control by the end user to ensure your timing is not disruptive (WOL is always a good call for education)

Question: So every windows 10 upgrade will be a clean install or it just retain the state with all settings and applications as in the previous version?
Answer: Upgrade is in place and leaves user state and applications 1untouched. Upgrades are the recommend path once you are windows 10 with UEFI. You will have the ability to back-out and upgrade assuming your space cleanup process has not run yet. There are several triggers for cleanup like running out of space. As for a clean install, you can use Imaging via SCCM to ensure that process is available for break-fix, new hire, replace, or security-based issues.I would be happy to talk more about the 4 major categories of Operating System Deployment (OSD).

Question: When will Windows 10 1703 go Current Branch for Business?
Answer: The term for Current Branch for Business (CBB) has been replaced by Semi-Annual Channel.  The process to promote a deployment from Semi-Annual Targeted to Channel is based on you testing targeted in your environment than going broad.

Question: Can windows S be patched using SCCM? Can we define these folders via GPO? Why not protect them all?
Answer: I believe Windows 10 S Enterprise is to be managed via Intune as S does not allow you to run non Store applications.  I have not seen any mention of SCCM/ConfigMgr in regards to Windows 10 S Enterprise.

Question: There are a lot of features not required in Enterprise which is making LTSC more attractive for a stable build to avoid build change cost.
Answer: Long Term Saving Branch is for very specific scenarios.  I would not recommend LTSB for any internet connected device as there are too many exploits coming to quickly. LTSB has had issues with RSAT, software compatibility, MDM, windows hello, DoD requirements, lack or new hardware support (LTSB only supports silicon from when it was released), etc. That being said, LTSB does have very specific use cases as long as you are aware of all the pitfalls.

Question: Does it reinstall Store Apps?
Answer: During an upgrade, applications would not change.  However, new features may be added.

Windows AutoPilot Deployment

Microsoft has announced that Windows AutoPilot Deployment – a new cloud service that enables IT professionals and partners to customize the Windows 10 out of box setup experience. It used cloud configuration, delivering a self-service deployment experience with new Windows 10 Pro devices. It is now available through CSP.

For Windows AutoPilot Deployment feature overviews and demos please see below:

Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker


With WinPE 10 it uses the AES-CBC 128-bit encryption method.


Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1.  Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128 bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS  Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

best practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr

Enable BitLocker on Azure AD Joined windows 10 Device

Windows 10 devices will automatically encrypt the local drive when joining to Azure Active Directory (AAD). The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It’s very like your mobile phone, it’s almost switched off but still can receive text messages, e-mails and switch to a different power state when receiving phone calls.

How do you check this?

Open a command prompt, type powercfg /a

Devices that have InstantGo support will return “Network Connected”:


 Where do I find the recovery key?

Users can retrieve their recovery key by going to, select Devices and select the device for which they would like to get the recovery key: