Windows 10 delivers many new security and enterprise deployment improvements. Windows 10 also includes new options to improve and automate deployments and upgrades to keep pace with the fast release of feature updates. We will show some important improvements in deployment in the new Redstone branch.
Improvements in deployment since Windows 10 1511
Windows 10 1607, also known as Anniversary Update
With the introduction of the 1607 release, the upgrade Update Progress UX was refined and visually adapted to a multi-boot update process. At first look, you will hardly spot the differences. Before this change, the upgrade UX was just like the bare-metal setup process. with a black screen and grey round circle.
Together with this refining, the upgrade process itself was also improved. It is now 15-20% smaller and therefore faster. When compared to previous upgrade times between 60 and 120 mins, since 1607, it is down to between 30 and 90 minutes, and on very fast hardware down to 17 minutes.
Before this release, the Start menu was customizable, but not the taskbar. Now there is the possibility to pin/exchange up to five icons on the taskbar. But you will need to recreate the required XML files.
Besides the graphical changes, pay attention to the new driver signing requirements for better security.
Starting with new installations of Windows 10 beginning with version 1607, the previously defined driver signing rules will be enforced by the operating system, and Windows 10 version 1607 an up will not load any new kernel mode drivers which are not signed by the developer portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OSes to Windows 10 version 1607 will not be affected by this change: https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/.
Windows 10 1703/1709, also known as Fall Creators Update
With Windows 10 1703 the Windows Imaging and Configuration Designer (WICD) was re-branded to Windows Configuration Designer (WCD) and its Wizards were re-designed. The possibility to modify the Image itself, mainly a OEM feature, was removed and Wizards for more Windows SKUs were added. A closer look to WCD will be done in next chapter.
Windows 10 1703 introduces the Unified Update Platform (UUP) under the hood.
To recap, one of the biggest benefits that UUP brings to our customers is a reduction in the download size of build updates on PCs. We’ve converged technologies in our build and publishing systems to enable differential downloads for both PC and mobile.
A differential download package contains only the changes that have been made since the last time you updated your device, rather than a full build. Differential download packages rely on reusing files on your current OS to reconstruct the newer OS. This could include copying files that have not changed between builds as is, or it could involve applying binary deltas or diffs to old files to generate newer files. Differential download packages are smaller and can take a shorter amount of time to download: https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup.
A differential download package contains only the changes that have been made since the last time you updated your device, rather than a full build. Differential download packages rely on reusing files on your current OS to reconstruct the newer OS. This could include copying files that have not changed between builds as is, or it could involve applying binary deltas or diffs to old files to generate newer files. Differential download packages are smaller and can take a shorter amount of time to download: https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup.
To benefit from this reduced download size of build updates, you will need a UUP-enabled build as footprint. The first enabled build was Insider Build 14959. To benefit from official releases, you need to roll out 1703 and upgrade to a newer version.
So which is the first release that will benefit from UUP? As UUP needs a base footprint of the previous OS to work on, you will get this benefit only if upgrading from Windows 10 1703 or newer. If you skipped 1703 and are directly jumping from 1607 to 1709, you will miss the required known footprint of the previous OS and so cannot use this feature until the next upgrade.
It was planned to leverage this feature to Windows Update (WU), WSUS, and SCCM including third-party deployment solutions. In Windows 10 1709 the new UUP is only enabled when using WU as a update source. Support for WSUS, SCCM and 3rd Party will follow earliest in Windows 10 1803.
To get a impression which savings are possible in first release a estimated size graph was released together with announcement of UUP. Saving is approx 50-60% over WIM size and still even more than 35% over ESD size.
Another deployment feature added with Windows 10 1703 and enhanced with 1709 is the new Windows AutoPilot. This feature enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 and enable end users to take a brand-new Windows 10 device and get a fully-configured business device with just a few clicks. Users will walk through the self-service deployment of their new Windows 10 device without needing IT assistance.
IT will (optionally) pre-configure settings like privacy settings, OEM registration, Cortana setup, OneDrive setup and choosing between personal or work device and preventing the account used to set-up the device from getting local administrator permissions.
The device needs to be registered to your organization. IT will need to acquire the device hardware ID and register it. Microsoft is actively working with various hardware vendors to enable them to provide the required information to organizations or upload it on behalf of them. In the meanwhile there is a script to gather these information available at https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo.
The end user will unbox an turn on his new device. He just needs to configure a few simple steps:
- Select a language and keyboard layout
- Connect to the network
- Provide Azure AD email address and password
All settings configured by IT will be skipped. Following this process the device will be joined to Azure AD and enrolled into Microsoft Intune or other third-party MDM service configured.
With Windows 10 1703 it is already possible to joint into Azure AD and MDM. With the release of 1709 or short after it is planned to enable self-service deployment to Active directory domain-joined devices and enhancements to the OOBE to offer a highly-personalized and specific OOBE. Additionally there is a Windows AutoPilot Reset capability planned to enable organizations to easily reset their configured devices while still maintaining MDM enrollment and the Azure AD join state to get the device back into business ready state very fast.
A always up-to-date documentation of Windows AutoPilot including the new features as soon as available can be found at http://aka.ms/WindowsAutoPilot.