Microsoft Q&A for IT Pros Showcases Windows 10 Version 1709

Microsoft's Michael Niehaus and Nathan Mercer field some questions on the status of Windows and highlight some of the new tech coming to the latest version of the OS.

Microsoft shed some more light on Windows 10 version 1709, the "fall creators update," in a Thursday Web presentation for IT pros.

The one-hour talk included Microsoft deployment luminaries Michael Niehaus, director of Windows Commercial, and Nathan Mercer, senior product manager of Windows Commercial. It's now available on demand (with sign-up) at this page. A summary of the technologies discussed can be found in this "Webcast resource guide."

Mercer opened the talk with a post-Halloween scare of sorts. He noted that Windows 7's end of support will occur in a little more than two years (or "803 days").

Highlighted in the talk were the various technologies that are getting lit up by Windows 10 version 1709, which arrived as a "semiannual channel (targeted)" release earlier this month. That channel release signifies, per Microsoft's update model, that organizations should start testing the operating system in their computing environments.

Within a few days of the Windows 10 version 1709 release, all of the media types became available, as did the Group Policy Object reference, the Administrative Templates (.ADMX), the Windows 10 Assessment and Deployment Kit, the Windows 10 Remote Server Administration Tools and the Security Baseline, according to the talk.

Version 1709-Enabled Technologies
Niehaus and Mercer highlighted the following capabilities supported by Windows 10 version 1709:

  • Windows AutoPilot, a new out-of-the-box end user self-provisioning service that leverages the machine's OEM image to create a corporate desktop
  • Windows 10 Subscription Activation to more easily move from the Pro edition to the Enterprise edition
  • Windows Automatic Redeployment for resetting a PC to its original state without including settings, installed apps and files
  • Windows Defender-branded security technologies
  • Windows Hello and Windows Hello for Business for biometric PC logins
  • Windows Analytics tools, including Upgrade Readiness, Update Compliance (for device status monitoring) and Device Health (shows issues affecting devices before end users might notice problems)
  • Kiosk configuration for organizations wanting to turn Windows 10 devices into locked-down kiosks
  • Mobile device management (MDM) improvements
  • Always On VPN
  • OneDrive Files On-Demand
  • Server Message Block 1 (SMB 1) removal by default for new installs

One of the mobile device management improvements is the ability to include domain-joined devices through Azure Active Directory registration. Mercer called it a key new capability for transitioning from traditional Active Directory and Group Policy to "modern management" with Azure AD and mobile device management. The capability is documented on TechNet, he said.

The main networking improvement in this Windows 10 release is the Always On VPN feature, according to Mercer, which creates a device tunnel for remotely accessing network resources. Always On VPN lets organizations deploy a virtual private network in much the same way as the older DirectAccess approach, and the end user won't have to log on again to connect to the network. Mercer said Microsoft sees Always On VPN as simpler to use than DirectAccess, which only works with enterprise PCs. Microsoft compares the two approaches in this document.

Microsoft added some configuration options to the OneDrive Files On-Demand feature, which shows placeholder icons on the local machine for files and folders stored in the cloud. End users can right-click a file or folder to specify whether it should be stored on the machine or in the cloud, Niehaus said. He added that Microsoft is working on policies to enable OneDrive Files On-Demand: in some cases IT pros want the files to show up without the user having to configure anything, so Microsoft is working on a silent configuration for the first-run experience, a "Silent Sync Configuration" preview, Niehaus said.

SMB 1, a major security problem in networks, is removed by default in Windows 10 version 1709 "clean installs" of the Enterprise and Education editions. The Home and Pro editions still include SMB 1 by default, but if it isn't used within 15 days it gets uninstalled automatically, Mercer clarified.
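Because the default differs by edition and by whether the machine was clean-installed or upgraded, the practical check is to ask each client what state the SMB1Protocol optional feature and the SMB server's SMB1 switch are actually in. The following PowerShell is an added example, not code from the webcast or from Microsoft; it uses the standard DISM (Get-/Disable-WindowsOptionalFeature) and SmbShare (Get-/Set-SmbServerConfiguration) cmdlets and assumes an elevated session on Windows 10 version 1709 or later, where SMB 1 is packaged as the optional feature named SMB1Protocol.

```powershell
# Added example (not from the webcast): audit the SMB 1 state of a Windows 10
# client and, with -WhatIf/-Confirm support, remove it. Run elevated.
# Assumption: Windows 10 1709+ where SMB 1 ships as optional feature "SMB1Protocol".

function Get-Smb1Status {
    # DISM feature state: Enabled, Disabled, or DisabledWithPayloadRemoved
    # (the last is what a 1709 Enterprise/Education clean install reports)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Server-side protocol switch, tracked independently of the feature package
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Edition           = (Get-CimInstance Win32_OperatingSystem).Caption
        FeatureState      = $feature.State
        ServerSmb1Enabled = $server.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol and disable SMB 1 on the server side')) {
        # -NoRestart: the package removal completes at the next reboot
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        # -Force suppresses the interactive confirmation prompt
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Report, then remediate only when SMB 1 is still present or still switched on.
$status = Get-Smb1Status
$status | Format-List
if ($status.FeatureState -eq 'Enabled' -or $status.ServerSmb1Enabled) {
    Write-Warning "SMB 1 is still available on $($status.ComputerName); disabling."
    Disable-Smb1
} else {
    Write-Host "SMB 1 is not available on $($status.ComputerName)."
}
```

Run it with `Disable-Smb1 -WhatIf` first to see what would change. Before pushing removal fleet-wide, inventory anything that still speaks only SMB 1 (old NAS units, printers, scanners); those devices, not the client, are the reason the feature is still around on Home and Pro.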

During the Niehaus and Mercer talk, Microsoft answered participant questions in a chat window. What follows is an edited summary of that Q&A. It's long, but perhaps not documented elsewhere.

Windows AutoPilot Q&A
Is Windows AutoPilot backward compatible with Windows 10 version 1607 and LTSB [long-term servicing branch] specifically?
AutoPilot works with [Windows 10 versions] 1703 and 1709 and later. LTSB is currently based on [Windows 10 version] 1607, so no, AutoPilot won't work.

Does Windows AutoPilot replace provisioning packages or leverage them?
AutoPilot does not use provisioning packages. Instead, the MDM service (e.g. Intune) pushes down the same configuration.

Is Windows AutoPilot only compatible with Azure AD, or can we join to on-premises AD as well?
AutoPilot supports both Azure AD (with 1703) and Active Directory (with 1709), but there is additional work that the MDM services (e.g. Intune) need to do before AD is enabled.

Is Windows AutoPilot exclusive to Intune or can we use something like AirWatch?
All MDM services are supported, as long as they support Azure AD automatic enrollment (AirWatch does support this).

How long would it take after provisioning the device into Windows Store for Business for the computer to get into the Windows AutoPilot service?
Typically, just a few seconds.

Windows Subscription Activation Q&A
Does the auto-update from Pro to Enterprise and setup stuff work on standard AD environments?
Yes, this works for Active Directory and Azure Active Directory. In the Active Directory case, you do need to have AAD Connect set up to sync with AAD.

Windows Automatic Redeployment Q&A
Will the "reset/revert" process of Windows Automatic Redeployment still hold the Windows OS patches that were installed?
It will retain most of the updates. The reset process does discard updates applied in the last 30 days.

How much network traffic is generated by the first login or reset process for a school that wants to refresh all their systems at once?
There is minimal network traffic generated by the reset process. The first logon itself doesn't generate any significant traffic either, but app updates can then begin installing as soon as the user logs in. (That traffic will use Delivery Optimization for peer-to-peer transfers.)

Does Windows Automatic Redeployment remove "Metro" apps? Does it also remove full client applications (e.g., Adobe Acrobat, Microsoft Office)?
It is a full PC reset, so all apps (modern) and programs (Win32) will be removed.

Will Windows Automatic Redeployment reset BitLocker as well?
It will suspend BitLocker at the start so that it can be resumed later.

Can Windows Automatic Redeployment be run remotely?
Not currently, but that is a feature we are looking at implementing in a future release.

Can resetting be initiated from the System Center Configuration Manager Console?
For Automatic Redeployment, no, not today.

For Windows Automatic Redeployment, is it possible just to have a service account instead of a global administrator's account?
Yes, today the account can be anyone that has the ability to add devices to AAD [Azure Active Directory].

For device refresh/reset, is LAPS [Local Administrator Password Solution] supported?
With Automatic Redeployment, only AAD [Azure Active Directory] is supported today. Typically with AAD, the local admin account is not used. For "normal" reset, the local account is typically left disabled after going back through OOBE [out-of-box experience].

Is there a benefit for "resetting" over a much faster reimage?
Resetting is easier.

Windows Analytics Q&A
Is Windows Analytics still free?
Windows Analytics Upgrade Readiness and Update Compliance are free. Device Health requires a Windows E3 license.

Will Windows Analytics show me which builds are being used in my environment? Or would I need to do something else?
Yes, Windows Analytics Update Compliance will show feature update levels, patch levels, AV definition status, etc.

Security Q&A
Will all these new security features be manageable via SCCM [System Center Configuration Manager] in the next release?
Yes, you'll see a lot of these popping up in the latest Tech Preview 1710 of ConfigMgr.

We turn off Windows Defender in order to use third-party A/V software. Will turning Defender off prevent us from using all these new Windows Defender features? What about the "rebranded" ones (like Credential Guard and Device Guard)?
Controlled Folder Access from Windows Defender Exploit Guard requires WDAV [Windows Defender Antivirus] with real-time scanning enabled.
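The dependency in that answer is easy to verify before a rollout: if real-time protection is off because a third-party product owns antivirus, Controlled Folder Access has nothing to enforce with. The following PowerShell is an added example, not code from the webcast or from Microsoft; it uses the Defender module's Get-MpComputerStatus, Get-MpPreference and Set-MpPreference cmdlets and assumes an elevated session on Windows 10 version 1709 or later with Windows Defender Antivirus installed.

```powershell
# Added example (not from the webcast): confirm the Windows Defender Antivirus
# prerequisite before turning on Controlled Folder Access (CFA), and start in
# audit mode so legitimate writes to protected folders are logged, not blocked.
# Assumption: Windows 10 1709+ with the Defender PowerShell module present.

function Test-CfaPrerequisites {
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled       = $mp.AntivirusEnabled
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        # 0 = Disabled, 1 = Enabled, 2 = AuditMode
        ControlledFolderAccess = $pref.EnableControlledFolderAccess
    }
}

function Enable-CfaAuditMode {
    $pre = Test-CfaPrerequisites
    if (-not $pre.AntivirusEnabled -or -not $pre.RealTimeProtection) {
        # This is the case from the Q&A: third-party AV has taken over and WDAV is passive.
        Write-Warning 'WDAV real-time protection is off; Controlled Folder Access cannot be enforced.'
        return $pre
    }
    # AuditMode records would-be blocks (event 1124 in the Windows Defender
    # operational log) without stopping the write; switch to Enabled once the
    # log shows no legitimate apps being flagged.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Test-CfaPrerequisites
}

Enable-CfaAuditMode | Format-List
```

Apps that show up in the audit log but are legitimate can be allowed with `Add-MpPreference -ControlledFolderAccessAllowedApplications <path>`, and extra directories beyond the default user folders with `Add-MpPreference -ControlledFolderAccessProtectedFolders <path>`; only after that tuning should the setting move from AuditMode to Enabled.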