Windows 10 deployment tools, techniques, and processes
The must-know concepts for IT professionals deploying Windows 10 are deployment, management, and security. With more than half of our Windows 10 Partner Technical Roadshow events under our belts, it's a good time to address common questions we've heard about Windows 10 deployment techniques and tools. To deploy Windows 10 in a customer’s organization, it is important to understand the different ways it can be deployed with new scenarios and the mix of devices that have multiple versions of Windows already installed.
In this post, I'll provide you with a primer that includes the terminology and resources to help you get started.
Our final two Windows 10 Partner Technical Roadshow events are in Atlanta on November 9-10 and New York on December 15-16.
- Register for Atlanta on November 9-10 (use registration code MPN)
- Register for New York on December 15-16 (use registration code MPN)
There is also our 7-part online workshop series, Windows 10 Deployment Masters. Catch up on the first three sessions on demand, then sign up for the remaining webcasts.
Deployment techniques
In-place upgrade
This option is meant for newer modern operating systems like Windows 7, Windows 8, and Windows 8.1. It is used for a less complex upgrade option without a multifaceted deployment plan or process. It automatically preserves all data, settings, applications, and drivers from the existing operating system version.
Dynamic provisioning
There are two dynamic provisioning scenarios:
- Azure AD Join with automatic mobile device management enrollment.
- Provisioning package configuration without mobile device management. This is mainly used in bring your own device scenarios where there is no restriction to choose available and certified devices within the organization.
Traditional deployment (wipe and load)
This is the traditional deployment method where in the device OS is wiped off and cleanly installed. It's used in three scenarios: newly purchased, refreshed, and a computer replace.
Deployment tools
Now that you have the basic deployment techniques and scenarios, the next step is to understand available tools and how they are used in different deployment scenarios.
The Windows Assessment and Deployment Kit (Windows ADK) contains these core assessment and deployment tools:
- Deployment Image Servicing and Management (DISM)
- Windows Imaging and Configuration Designer (Windows ICD)
- Windows System Image Manager (Windows SIM)
- User State Migration Tool (USMT)
- Volume Activation Management Tool (VAMT)
- Windows Preinstallation Environment (Windows PE)
- Windows Assessment Services
- Windows Performance Toolkit (WPT)
- Application Compatibility Toolkit (ACT)
Download the Windows Assessment and Deployment Toolkit (Windows ADK) Learn more about Windows deployment tools
Here is guidance for deciding which technique to use.
When should you use in-place upgrade?
- The existing computer OS is Windows 7, 8, 8.1, or RTM Windows 10
- When application compatibility tests passed
- Upgrading to a standard Windows 10 image
- Where you need automatic rollback to the previous OS
When is in-place upgrade not recommended?
- Changing from Windows x86 to x64
- Systems using Windows To Go, boot from VHD
- Changing from legacy BIOS to UEFI
- Dual boot and multi-boot systems
- Where there is image creation processes involved (can’t sysprep after upgrade)
- Using certain third-party disk encryption products
For a comprehensive look at Windows 10 deployment use cases, visit the Windows IT Center.
Windows as a service
With Windows as a service, now a feature in Windows 10, customers can get Windows updates like software updates. There are different ways to service normal users, business users, and critical users. You may not want to service business users the same way as critical users or normal users. And, one update process may not fit all. In the past, with Windows Server Update Services (WSUS), it was either full update or no update, with policies that controlled the number of updates and when to update.
Here is the terminology that defines update processes with Windows as a service.
Current Branch (CB)
- Features are released to broad market
- Customers are up to date with features as they are released after broad preview validation
- Opportunity for enterprises to test and validate new features
- WSUS, SCCM, and WU for Business can be used for managing delivery of updates
- Security updates and fixes are delivered regularly
Current Branch for Business (CBB)
- Business customers can start testing as soon as preview features are released via Windows Insider Program
- Business customers can wait to receive feature updates for an additional period of time, testing and validating in their environment before broad deployment
- Within the deferral period, you can flight these features and updates in your organization and provide feedback
- WSUS, SCCM, and WU for Business can be used for managing delivery of updates
- Security updates and fixes are delivered regularly
Long Term Servicing Branch (LTSB)
- Security updates and fixes are delivered regularly
- Customers on Long Term Servicing Branch receive security and critical fixes only for ten years
- Customers can move from one LTSB to the next one via in-place upgrade and can skip one LTSB as well
- Customers manage updates via WSUS
Learn more about Windows as a service
Windows Update for Business
Windows Update for Business is one of the Windows as a service servicing tools available to IT pros. It's a free service available for Windows Pro, Enterprise, Pro Education, and Education. Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.
Windows Update for Business allows for:
- The creation of deployment and validation groups, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met)
- Selectively including or excluding drivers as part of Microsoft-provided updates
- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution
Windows Update for Business provides three types of updates to Windows 10 devices:
Feature Updates
Previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
Quality Updates
These are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.
Non-deferrable updates
Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred
Learn more about servicing tools Learn more about using Windows Update for Business
Partner training and resources
Windows 10 Deployment Masters online workshops Windows and Devices competency technical learning path Windows 10 at Ignite [Video]
Windows and Devices Partner Community
We look forward to continuing the conversation with you about the Windows 10 opportunity. We use our Windows and Devices Partner Community calls, blog posts, and Yammer group to share information and connect with you. If you’re serious about building and sustaining a profitable Windows practice, and want in-depth assistance, email WinRecruit@microsoft.com or post your question in the Yammer group.