by Scott Muniz | Aug 13, 2020 | Uncategorized
This article is contributed. See the original author and article here.
As a Microsoft Managed Desktop sales specialist, I regularly meet with 5,000-seat organizations that invest heavily in security expertise, training, tools, and services to keep their endpoints secure and up-to-date. I also talk with 20,000-seat organizations that invest precious IT resources elsewhere, as they perceive a low risk of attracting the notice of hackers.
Wherever a given organization falls on this spectrum, there’s usually a moment when the discussion turns to security monitoring – a “magic” moment when executives and IT pros alike truly begin to realize the scale of the security expertise and infrastructure protecting Microsoft Managed Desktop customers.
I’m excited to share this engaging 4-minute video about Microsoft Managed Desktop security operations because it makes that magic moment accessible to organizations beyond our individual customer conversations.
The video does a great job of explaining how Microsoft Managed Desktop:
- extends Microsoft’s own protections to improve the security of user devices
- reads billions of signals from across Microsoft cloud services to identify threats
- supports customers in protecting the rest of their IT environment, and
- helps customers improve their protection against security risks over time.
I think you’ll enjoy this animated video. I’m especially interested to hear if you reach the same magic moment my customers experience in our live conversations. If so, I hope you’ll connect with your Microsoft account team to find out whether Microsoft Managed Desktop could be a fit for your organization.
If you’re interested in Microsoft Managed Desktop, be sure to share the video with your colleagues, subscribe to our blog, and contact us to learn more. What do you think about Microsoft Managed Desktop’s sophisticated security? Please leave a comment and join the discussion!
by Scott Muniz | Aug 13, 2020 | Uncategorized
This article is contributed. See the original author and article here.
Today’s post offers guidance around the tools that will eliminate potential ‘”slow downs” or blockers in your Windows 10 update planning and deployment efforts—and enable you to reduce the cost, effort, and time associated. The goal is help you achieve greater efficiency so you can focus on more transformational projects, and accelerate future update deployments, as was the case for Schweitzer Engineering Laboratories and others.
In previous blog posts, I provided suggestions on how to deploy Windows in a remote world, and how to deploy Windows with the use of a servicing calendar. These articles provide a structured approach to planning, preparing, and deploying Windows 10 feature updates and helping to identify where blockers or bottlenecks occur that could delay a feature update from reaching the endpoint.
If you are tasked with ensuring devices are kept up-to-date in your organization, attempting to streamline the process and accelerate your deployment cadence using existing processes or tooling can often be unsuccessful. We have found that the best way to accelerate deployment may be, paradoxically, to first spend time to stop and consider. Reflecting on how much effort should be invested to reduce the time, exertion, or cost that it takes to deliver a new feature update to a device is the first step towards efficient and painless update acceleration.
What follows is guidance on choosing specific tools. Any of these might be appropriate for your environment:
In conversations with enterprise customers and partners, we find that deployments are often “stuck” or “bogged down” on a common set of tasks both in the prepare and the deploy phase of a Windows 10 feature update, such as:
|
Phase
|
Task
|
|
Prepare
|
Validating the compatibility of applications and devices
|
|
Validating infrastructure to support feature updates
|
|
Selecting devices for pilot deployment
|
|
Reviewing and implementing policy changes for devices and users
|
|
Ensuring supportability for non-Microsoft applications
|
|
Deploy
|
Monitoring feature updates on pilot devices
|
|
Broadening deployment scale
|
|
Configuring devices for C-suite users
|
These delays affect different organizations in different ways. Some face delays at the prepare phase, but have an optimized deployment process, while others are ready to deploy feature updates but struggle to deploy them as quickly as they would like. Organizations that have recently transitioned from Windows 7 may find delays across both phases as they try to move away from old habits formed on the legacy platform.
Optimizing preparations
As I mentioned in my post on Transform Windows feature updates with a servicing calendar, during the prepare phase, we update infrastructure and configuration to support deployment of the feature update. We also validate critical applications, and select devices/users for the pilot deployment during this phase.
Validating the compatibility of applications and devices
When preparing for a Windows 10 feature update, we recommend that you validate critical applications and devices ahead of pilot and broad deployment. In some cases, people attempt to reduce compatibility risk by validating all applications in their environment. This can have the adverse effect of extending the deployment by months or even years. One great solution is to use Desktop Analytics.
Desktop Analytics streamlines the application compatibility and validation process through a data-driven approach. It reduces the need for manual compatibility testing by providing compatibility readiness insights for applications. Using Compatibility Risk, you are able to assign importance to applications to understand which applications are critical in the environment. You can ensure they are tested during pilot deployment, and you can then deploy feature updates to production devices when the critical application has been validated. To leverage Desktop Analytics, your environment needs to meet certain prerequisites, including network connectivity, a current Configuration Manager license, and, for end user devices, an enterprise-level license.
Benefits of using Desktop Analytics include:
- Reduced administrative effort by removing manual compatibility testing and identifying critical versus important applications.
- Reduced user disruption by preventing updates from being unsuccessfully deployed on applications and devices that are not compatible.
- Reduced time required to reach deployment stage, by efficiently pinpointing which devices are ready to move forward and which are not.
- Enhanced ease of deployment as enterprises are better equipped to support updates, test fewer applications, and trust third party application developers to be up to speed.
Validating infrastructure to support feature updates
During the prepare phase, it’s a good time to ensure that your deployment, management, software update management and security tooling can support the deployment of a Windows 10 feature update. On-premises management solutions, such as Microsoft Endpoint Configuration Manager, should be updated to support a new Windows 10 feature update. In some cases, your prepare phase could be delayed as you validate third-party tooling. You could also experience delays in deployment preparation when you try to download and deploy updates across multiple languages with traditional software update management tooling, such as Windows Server Update Services. To help improve this process, consider transitioning software update and policy workloads from on-premises solutions to cloud-based solutions, such as Windows Update for Business and Microsoft Intune.
Windows Update for Business allows you to keep Windows devices up-to-date with the latest Windows 10 quality and feature updates by utilizing Microsoft’s global bandwidth, scaled infrastructure, and local distribution points. You can manage updates by controlling which updates are offered to devices in your organization’s ecosystems. You can even defer the installation of feature and quality updates to allow time to validate deployments as they are pushed to devices.
Intune provides you with the ability to manage devices and configure policies, such as those that control apps. You can create unique configuration profiles for different devices to complete different tasks. Intune also offers flexible device management options, such as mobile device management (MDM), mobile application management (MAM), or both, and can integrate with Azure Active Directory to control who has access and what they can access. We understand this may not be a scenario applicable to all, but we recommend you review Intune’s capabilities and move workloads there where applicable. As workloads transition, you will be able to experience the benefits of cloud-only management infrastructure over time, such as:
- Reduced administrative effort. Cloud-based infrastructure management tools need no on-premises or client-side products.
- Accelerated deployment time. Streamlining the preparation phase means that time required to reach pilot deployment stage is shortened.
Selecting devices for pilot deployment
Before deploying a feature update to the larger organization, you need to validate applications, device drivers, configurations, and business process operations with a select group of users who can relay feedback ahead of the broader deployment. You may have access to a known group of users who have critical applications and a mix of devices they can leverage to test the feature update. If you do not have such a group, you may spend time searching for testable devices or users that can represent these validation concerns that you identified in your critical application testing. To help you make an informed decision on whom to select, we suggest using Desktop Analytics to establish a statistically relevant pilot group.
Desktop Analytics can identify pilot devices that provide the widest coverage of critical applications. It provides a recommended list of devices to pilot, based on the hardware and application needs of your organization. Desktop Analytics is capable of supplementing devices to test should you need that functionality. Otherwise, it draws from the devices and users you select—likely from your own IT team, application owners, IT-friendly users, pilot volunteers, and desktop support. Based on your specific needs, you also have the flexibility to determine the size of your pilot.
The primary benefit of using Desktop Analytics to select your pilot devices and users is reduced administrative effort since it can populate a data-driven list of devices that would be most efficient for pilot deployment per feature update. This approach ensures that the right devices are piloted as the IT environment changes over time.
Reviewing and implementing policy changes for devices and users
As you further move through your prepare phase, you naturally consider what policies should be enabled, disabled, or remain “not configured” when a new feature update is introduced. Many enterprises can struggle to identify relevant configurations. The range of configuration options available through Group Policy for Windows 10 doesn’t include configuration options for productivity applications, such as Microsoft 365 Apps for Enterprise, and browsers, such as Microsoft Edge. So if you are trying to select configurations appropriate for you, the process can potentially lengthen the effort and time to deploy. To reduce this time and maintain security on the platform, consider using the predetermined set of baselines made available with every feature update, specifically Windows security baselines and the Windows 10 Update Baseline as they both draw from expert knowledge and customer feedback.
Windows security baselines helps to keep apps and devices secure while remaining compliant with security standards defined by the organization. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers and supports environments currently leveraging Group Policy. The baselines are easily downloadable through the Security Compliance Toolkit and include tools that will help you manage them.
The Windows 10 Update Baseline allow you to fine-tune your update deployment processes by looking at data to see what is working and what needs troubleshooting. The Windows 10 Update Baseline includes recommendations on configuration settings, tooling for feature update deployments, guidance on customizing the baselines to meet your organization’s specific needs, and best practices to increase the velocity of feature update deployments.
Benefits of using baselines include:
- Reduced administrative effort by using downloadable, preset settings populated by Microsoft that have been proven most relevant to keep devices up to date and secure.
- Reduced time that would have been spent filtering through and assigning value to each setting.
- Optimized update settings to ensure devices in the organization are configured to move forward in deployment and receive updates.
Optimizing your deployment
When you’re ready to deploy a Windows 10 feature update across your organization, you typically do so in two parts: first in a pilot deployment and then in a broad deployment. During the pilot devices phase, having your IT staff monitor that pilot can lengthen the update. Also, bandwidth issues can slow an update, as can the need to cater to C-suite users. It is possible to reduce the reach of these issues to a great extent. A good first step is to check the Windows release health dashboard. Known issues with a given feature update are documented in the Windows release health dashboard and enable you to see when they have been resolved or remediated ahead of your deployment to a wider production environment.
Monitoring Windows 10 feature updates on pilot devices
Often, you and your staff can spend a lot of time validating a feature update by gathering feedback from pilot users and then using it to change your broad deployment strategy. To reduce the effort and time associated with this task, consider, again, Desktop Analytics. The data-driven insights offered through Desktop Analytics provide you and support staff with status updates and highlight issues.
During the pilot deployment phase, Desktop Analytics can advise you of any issues that need your attention. such as where a deployment of the feature update to an endpoint failed or hit a roadblock:
The Desktop Analytics deployment status pane
You can also use Desktop Analytics to monitor the health state of your devices and check on factors such as the “percent of devices with crashes” and “percent of sessions with crashes.” Desktop Analytics also notifies you which devices have completed deployment, which need attention, and which have not started or are in progress. Afterwards, you can update the rest of your production environment for the devices that were not included in the pilot. In short, by using Desktop Analytics, you can reduce the administrative effort involved in monitoring the status of your deployment and identify deployment issues quickly so that you can take appropriate actions to resolve them.
Broadening deployment scale
In some environments, you need to consider the network bandwidth available to download and distribute Windows 10 feature updates to endpoints. You might be challenged as you try to increase deployment velocity if you have limited network bandwidth. This can slow down the update adoption speed and add more time to the deployment process. To help address this challenge, we suggest using Delivery Optimization.
Delivery Optimization works by letting you get Windows feature and quality updates from other sources in addition to Microsoft, such as other PCs on your local network or PCs on the internet that are downloading the same files. It does this by breaking down the upload into smaller parts. During the process, Delivery Optimization ensures information is gathered securely from Microsoft and that each update is authenticated if downloaded from other PCs.
Benefits of using Delivery Optimization include:
- Reduced bandwidth consumption. It shares the work of downloading large packages among multiple devices in your deployment.
- Quicker adoption. It gets portions of the update from already updated PCs and parts from Microsoft.
- Reduced deployment window. It makes updates more readily available on all devices.
Configuring devices for C-suite users
During every feature update deployment, it’s important to consider how to cater to C-suite level users. It’s particularly important to ensure disruption is minimized for this group by minimizing the risks associated with the update process. During previous update cycles, for example, a user may have found that their Windows personalizations had been reset and, thus, additional effort was required to reconfigure and maintain the experience to which these users were accustomed.
To improve this, we have continued to enhance the user experience and reduce user disruptions with the latest Windows 10 feature updates. Our aim is to have non-intrusive updates that reduce user downtime and seamlessly integrate into a user’s working environment.
Your update deployment processes should also be considerate of your users’ work processes. For instance, to avoid interrupting workflow, you can control when offline time begins by leveraging Windows Setup command-line options, such as /SkipFinalize and /Finalize. We have also been able to reduce feature update offline time to 16 minutes and get down to a single reboot. As we move forward with improving the Windows 10 update experience with control, quality, and transparency, we continue to reduce that time frame and create a faster installation experience that operates more like a monthly update. This enables you to:
- Reduce administrative effort by allowing your white glove users to get their device ready themselves.
- Reduce downtime for your users by providing a consistent, quality experience and ensuring their personalized configurations are maintained with the update.
Summary
This post has provided recommended Microsoft tooling and processes to help you prioritize investments to accelerate the deployment of Windows 10 feature updates in your environment. To determine the effectiveness of your deployment process, we recommend using tools such as Microsoft Endpoint Configuration Manager, Desktop Analytics, and Update Compliance. To speed up deployment without sacrificing security, we recommend use of tools such as Windows Update for Business, Windows security baselines, the Windows 10 Update Baseline, Delivery Optimization, and others. All of these tools enhance your deployment experience, saving you time and money, and enhance your users’ experience.
We hope you found this article helpful. We are interested to know: What other tasks does your organization face in the deployment process that cause delays and are not covered here? Let us know in the comments below.
Recent Comments