Windows 10 Upgrade Services

Considering a Windows 10 upgrade? Champion Solutions Group has the best tools and resources to guide you on your migration and beyond.

Implementing an upgrade and migration is a significant IT undertaking. As companies evolve to the digital workplace, they have come to understand that Windows 10 is a key component in the strategy.

By making the upgrade, you will have more security and user self-service features, as well as better employee engagement with one experience across devices.

Choosing the right partner to assist you in the deployment of Windows 10 is critical. Champion Solutions Group has the experience to guide you on your journey.

Why Champion

  • Champion’s unique Readiness Assessment will provide your team with a clear understanding of what it will take to migrate, such as time, resources, and technology challenges.
  • Champion has developed the tools and services to fully automate the enablement of UEFI (Unified Extensible Firmware Interface) and 64-bit Windows 10.
  • Champion automates your move while preserving user state and installed software, all while providing a 64-bit OS, UEFI and Secure Boot features.
  • Champion’s forward-thinking approach goes beyond migration. You will have a platform to manage the lifecycle of your endpoints, including patch management and inventory. Also, should you get audited, our platform solution can give you the tracking of your software licensing to be compliant.

Windows 10 Services

Readiness Assessment: Before performing an upgrade, it’s important to first determine your company’s level of readiness to migrate. During our onsite Readiness Assessment, we uncover what your environment looks like today and the possible challenges of moving. We provide detailed reports on your endpoints, hardware, software, BIOS, and warranty information. Champion also leverages endpoint solutions such as IBM BigFix to enable enterprise environments to move from older Windows systems (XP/Win7/Win8), whether 32- or 64-bit, to 64-bit, UEFI-enabled (legacy BIOS removed), secured Windows 10 endpoints in an automated fashion. Champion can help you utilize your investment in the BigFix platform by leveraging custom reports and analysis. You will have the data at your fingertips to understand where your endpoints are now, which endpoints can be moved, and which require some type of hardware change or BIOS update.

Preparation / Application Transformation: During this process, we ensure application compatibility with the newest version of Windows. Champion analyzes your Windows and web-based applications to determine whether they will run successfully. We then work with you to remediate any applications that might fail to run in an updated environment.

Image Build and Design Services: Champion will design and test your image, making it ready for deployment.

Proof of Concept: After we thoroughly discover, assess, prepare and build out your image, we then perform a Proof of Concept in your environment to ensure that all applications are running properly and that all hardware is fully supported and operational.

Deployment: Champion has proven experience in moving clients to the platform and adding value for Endpoint Management in the entire life cycle of endpoints beyond the migration (Client / Server / Mac / UNIX / Windows / Linux).

Training: We have a comprehensive training platform that includes training videos, including ‘What’s New’, ‘Foundations’, ‘Power Users’, ‘Administration’, and more. Visit www.Office365Training.com.

Adoption Recommendations in 2 Minutes

A Closer Look at Security & Performance

Helpful Resources

Microsoft Windows 10 Migration

Learn the value of Windows 10, compare to previous versions, understand the improvement in security, and complete a successful migration with Champion Solutions Group.

Forrester Report: Total Economic Impact of Microsoft Windows 10

Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study to examine the benefits organizations may realize after implementing Windows 10. The purpose of this study, the first of two, is to provide readers with a framework to evaluate the potential financial impact of Windows 10. New features and enablers can help improve security, streamline management tasks, and improve employee mobility to help organizations better win, serve, and retain customers. To understand the benefits, costs, and risks associated with a Windows 10 implementation, Forrester interviewed four customers that have years of experience with Windows, were early adopters of Windows 10, and have completed deployment to key teams.

Forrester’s Fresh Approach for Deployment of Windows 10

This document is an abridged version of a case study commissioned by Microsoft titled: The Total Economic Impact Of Microsoft Windows 10, June, 2016 based on interviews with four Windows 10 customers.

Windows 10 Enterprise – The Future of Aviation

The future of aviation is here on Windows 10. See how Boeing, the world’s largest aerospace company, is creating powerful, enterprise-level apps using the Universal Windows Platform.


Attend the Windows 10 Migration Webinar on March 7, 2017!

Windows 10 Webinar Invitation hosted by Champion Solutions Group

Windows 10 Comparison Table: Which Option is Right for You?

Find out which Windows 10 edition is right for you.

Trends & Best Practices for Windows 10 Migrations

Champion Solutions Group’s CEO speaks with Champion’s Windows 10 Engineer about the Windows 10 landscape, things to consider when migrating, and UEFI vs. BIOS. http://www.championsg.com/services/windows-10-upgrade


Windows 10 Readiness Assessment

Migrating to Windows 10 is a significant project. Champion recommends starting with our Windows 10 Readiness Assessment, which delivers the key information needed to help you determine your company’s level of readiness. This document outlines the assessment services provided by Champion for businesses that are considering migrating to and adopting the Microsoft Windows 10 platform and enabling security features such as Secure Boot. If you are a BigFix user today, Champion’s goal in this endeavor is to ensure you are getting the most value for your investment by showing you how to take advantage of the BigFix platform. If you are not a BigFix user today, Champion’s “Security in a Box” can show you an easy-to-run POC for enabling Endpoint Management with a focus on migration to Windows 10, UEFI (Unified Extensible Firmware Interface), and Secure Boot.

The End Game for Passwords and Credential Theft


Security: Comparing Windows 7 to Windows 10

Windows 7 has been the most successful and ubiquitous operating system in Microsoft history. While it has served us well for the last five years, the reality is that it doesn’t offer the level of protection you need to deal with the new security threats that we’re all facing. Although you can add layers of defense with third-party products, keep in mind that all of the organizations we’ve been reading about in the news already did that and it wasn’t enough. These modern challenges require a new platform. Here are some of the ways in which Windows 10 provides that platform.

Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!

Disrupting the revolution of cyber-threats requires a platform with revolutionary security capabilities, and Windows 10 is rising to the occasion. In this session, we talk about technologies that can truly end the use of passwords and make multi-factor authentication the default, provide an easy to use and deploy data loss prevention (DLP) capability right in the platform, and technology that enables organizations to virtually eliminate malware threats to the Windows platform including those that come by way of the browser.


Worried About Cybercriminals?

The threat landscape has evolved dramatically in recent years. It seems every day we hear another headline about an organization getting breached. We’ve responded by changing the architecture of Windows 10 so that we’re not just building bigger walls against these attacks; we’re locking the criminals out. Windows 10 provides a comprehensive set of protections against modern security threats.

10 Reasons to Upgrade to Windows 10: WINDOWS HELLO

Ready to say “Hello” to Windows Hello? On Windows 10, your PC recognizes you for a more personal experience. It greets you by name as it lights up in recognition, providing a faster and more secure way to log in – because you are the password.


NASCAR Transforms Race Management with Windows 10 & Microsoft Cloud

During the Toyota/Save Mart 350 at Sonoma Raceway on June 26, NASCAR unveiled the Race Management app, a custom app built on Windows 10 that will transform the way they manage and officiate races. They have also started to embrace the Microsoft Cloud to make it even easier and more efficient for the team at NASCAR to scale and analyze large amounts of data in real time.


Caesars Entertainment Group Enhances Guest Services with Windows 10 & Microsoft Cloud

Designed to bring together all aspects of a guest’s stay into a single system controlled from a sleek device, The Cromwell, Caesars’ newest boutique hotel located in the heart of the Las Vegas Strip, is piloting “The Connected Room” solution using the Universal Windows Platform. Learn more: https://aka.ms/caesars


Marshall & Megan Dostal do Great Things with Windows 10

Megan and Marshall Dostal founded and operate Further, a line of high-quality, green personal care and cleaning products. The couple’s environmentally friendly soaps, candles and lotions are made from recycled kitchen oil from some of the country’s most renowned restaurants. Windows 10 helps the Dostals do great things together, and apart. Marshall is in charge of the down-and-dirty processing and production work. Meanwhile, Megan leads marketing, sales and creative decisions. Learn more about how the new Windows 10 features help their company, and how they can drive your business too, at windows.com.


Alaska Airlines Takes to the Sky With Windows 8.1 Tablets

As part of a plan to upgrade its in-flight entertainment, improve customer loyalty, and enhance its overall passenger experience, Alaska Airlines deployed 7,000 tablets running Windows Embedded 8.1 Industry. The tablets include offerings from Xbox games and movies to the latest TV shows and magazines.


Windows 10 Upgrade Path & UEFI for a Secure Windows 10 Environment

Champion’s VP of Virtualization and Cloud speaks with Champion’s Windows 10 Engineer about the upgrade path and benefits for Windows 10, UEFI for a secure Windows 10 environment, and the tools we utilize for analytics and automation around the process of securing your environment prior to migrating to Windows 10. http://www.championsg.com/services/windows-10-upgrade


Gartner Report: Preparing For Windows 10 PC Deployment

Endpoint computing managers should plan to spend six to nine months learning about Windows 10, developing new environments and testing their applications. Such preparation will significantly lessen time and effort spent on migration and support.

US Department of Defense Commits to Upgrade 4 Million Seats to Windows 10

With more than 76% of our enterprise and education customers in active pilots of Windows 10 and more than 200 million active devices running Windows 10, we’re seeing accelerated and unprecedented demand for Windows 10 amongst enterprise customers. One of the largest enterprises anywhere – the US Department of Defense (DoD) – has joined the ranks of enterprise customers planning swift Windows 10 deployments. According to the Office of the DoD CIO, the Secretary of Defense has directed all U.S. DoD agencies to begin the rapid deployment of Microsoft Windows 10 throughout their respective organizations for information systems currently utilizing Microsoft operating systems. From laptops to desktops to mobile devices, including Surface devices, the DoD is targeting its Windows 10 upgrade for completion in a year, an unprecedented move for a customer with the size and complexity of the DoD.

The Rising Importance of Security for Government Agencies

Today’s government agencies face new and emerging challenges that range from a constantly shifting threat landscape to managing multiple platforms and devices in the enterprise environment. And the modern threat landscape has never been more challenging – driving tremendous costs and risk to the security of critical information. Security breaches can take 200+ days to detect, and industry experts predict there will be over two million new malware apps by the end of the year. Clearly, these are driving factors in President Obama’s action plan announced last week to improve cybersecurity across government systems and devices.

Terry Halvorsen, CIO for the DoD, also shared this fall that more tools were needed for automated cyber defense, highlighting significant security challenges to the DoD networks. Halvorsen singled out software integration as a challenge to his mission and was quoted as saying, “If you have an impending need to survive you will innovate,” adding that DoD networks are “getting shot at” virtually every day. With the DoD spending approximately $38 billion annually on cybersecurity and IT, Halvorsen said the DoD needed to deploy innovation faster to ensure systems are more secure, more efficient and cost-effective, and standardized on one platform. Because the U.S. Department of Defense is a prime target of cyber criminals and one of the largest and most complex organizations in the world, its leaders know the importance of securing its baseline systems.

Department of Defense Bets on Windows 10

The DoD’s intention to move to Windows 10 began in earnest in November when Halvorsen issued a memo directing all Combatant Commands, Services, Agencies and Field Activities to rapidly deploy Windows 10 to improve the Department’s cybersecurity, lower the cost of IT and streamline the IT operating environment. Further demonstrating a strong vote of confidence for the platform, Windows 10 has been certified as meeting specific government criteria and standards. The National Information Assurance Program, the arm of the US government responsible for evaluating commercial IT products for use in National Security Systems, has certified Windows 10 against the Mobile Device Fundamentals Common Criteria protection profile. Additionally, Microsoft’s Surface family of devices has been certified and is available through the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List and can be easily worked into deployment plans. This means that Surface has met the strict security and interoperability requirements required by the DoD.

As the Department upgrades, it may incorporate some of the following Windows 10 security features:

  • Windows Hello: One of the greatest weaknesses in any security environment is the use of passwords, which can easily be hacked and used to gain access to secure resources and data. With Windows 10, agencies can identify individuals and restrict access through integrated multi-factor authentication using biometric mechanisms like facial recognition or fingerprints, using the Windows Hello and Windows Passport features.
  • Enhanced threat resistance and device security: Working from a crypto-processor, Trusted Platform Module (TPM)-approved chip, tools include familiar features like Secure Boot, which helps prevent malware from embedding itself within hardware or starting before the OS, and Trusted Boot, which helps maintain the integrity of the rest of the operating system. Device Guard ensures that only signed applications and code can run on these devices. And Credential Guard safeguards credentials inside a hardware-based virtualized environment and breaks the popular “pass the hash” technique used in many major breaches.
  • Windows Defender provides an anti-malware service, which currently protects almost 300 million Windows devices every day.
  • Enterprise Data Protection, currently in testing with enterprise customers and available soon, provides separation between corporate and personal data and prevents corporate data from being copied out of corporate files to non-corporate files and locations, such as public websites or social channels. Additionally, when EDP is used with Rights Management Services, it can protect data locally, adding another layer of protection even when data roams or is shared.

It is exciting to see adoption of Windows 10 by so many enterprise customers, including those with the highest of security demands, such as the Department of Defense.

Yusuf, updated February 17, 2016 3:18 pm

Trusted Platform Module Technology Overview

Brian Lich | Last Updated: 1/9/2017

Applies to: Windows 10, Windows Server 2016

This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.

Feature description

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:

  • Generate, store, and limit the use of cryptographic keys.
  • Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
  • Help ensure platform integrity by taking and storing security measurements.

The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.

TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.

Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site.

Automatic initialization of the TPM with Windows 10

Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, TPM.msc. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see Clear all the keys from the TPM.

In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.

Practical applications

Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards.

Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.

Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.

The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see TPM Group Policy Settings.

New and changed functionality

For more info on new and changed functionality for Trusted Platform Module in Windows 10, see What’s new in Trusted Platform Module?.

Device health attestation

Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. Some things that you can check on the device are:

  • Is Data Execution Prevention supported and enabled?
  • Is BitLocker Drive Encryption supported and enabled?
  • Is Secure Boot supported and enabled?

The device must be running Windows 10 and it must support at least TPM 2.0.

Supported versions

  TPM version   Windows 10   Windows Server 2016
  TPM 1.2       X            X
  TPM 2.0       X            X

Managing Windows 10 Device Guard with Configuration Manager

We are excited to share information on how to deploy Device Guard on Windows 10 devices managed by Configuration Manager, using existing capabilities in System Center 2012 R2 Configuration Manager SP1.

Why Device Guard?

Device Guard is a new feature of Windows 10 that provides better security against malware and zero-day attacks by blocking anything other than trusted apps. You are in control of what apps Device Guard considers trustworthy, either via vendor or Windows Store digital signatures, or via an easy process by which you can sign apps to be trusted by Device Guard. Device Guard can use hardware technology and virtualization to further isolate the Windows components which determine whether apps are trustworthy, which helps provide protection from attackers or malware that have elevated privileges. This gives Device Guard a significant advantage over traditional anti-malware and app control technologies like AppLocker, which can be subject to tampering by elevated users or processes.

See the following article for more information on Windows 10 Device Guard: https://msdn.microsoft.com/en-us/library/dn986865.aspx.

Manage Device Guard with Configuration Manager

You can use Configuration Manager today to help deploy Device Guard and Device Guard-enabled apps in your environment. Configuration Manager assists with the following scenarios:

  • Determine which clients meet the prerequisites to support Device Guard
  • Enable Device Guard settings
  • Deploy Device Guard policy
  • Deploy Device Guard-enabled apps

Let’s look at each of these in more detail.

Determine applicable systems

Windows 10 clients must have specific properties to ensure that they will successfully enable Device Guard. These system attributes can be reported using a Compliance Baseline or custom hardware inventory. We’ll use the latter to show what is needed.

  • Open the Configuration Manager console, switch to the Administration workspace, and select Client Settings. For purposes of this demonstration, let’s just open the properties of the Default Client Settings (but understand that you could create a custom client device setting for this purpose).
  • Select the Hardware Inventory group, and then click Set Classes.
  • Device Guard includes a WMI class to query its configuration and management state, which can be added as a custom hardware inventory class. Click Add.
  • Click Connect. If you are running the console on a Windows 10 client, keep the local computer name. Otherwise, you will need to specify the name of a remote Windows 10 client. In either case, the WMI namespace is root\Microsoft\Windows\DeviceGuard.
  • Select the Win32_DeviceGuard class.
  • Click OK to save everything.

Once clients run the hardware inventory cycle they will start reporting back the new Device Guard class. You can see it in Resource Explorer against a Windows 10 client. With this inventory data you can build custom reports or create collections. Having a collection is beneficial as that can then be used to target deployments. The collection membership query below selects clients whose inventoried AvailableSecurityProperties contain both value 1 and value 3:

  SELECT SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
  FROM SMS_R_System
  INNER JOIN SMS_G_System_DEVICE_GUARD ON SMS_G_System_DEVICE_GUARD.ResourceId = SMS_R_System.ResourceId
  WHERE (SMS_G_System_DEVICE_GUARD.AvailableSecurityProperties like "%1%" and SMS_G_System_DEVICE_GUARD.AvailableSecurityProperties like "%3%")

Deploy Device Guard Configurations

Device Guard configurations can be applied to a device during initial deployment of Windows 10, or can be deployed to a Windows 10 device that is already operational. There are two primary ways to accomplish this: write a script and deploy that via a package or application, or use the Configuration Manager task sequence. We recommend including the configuration steps in your Windows 10 deployment task sequence so that Device Guard is enabled by default.

The first prerequisite is Hyper-V Hypervisor (the Microsoft-Hyper-V-Hypervisor feature), which is used by Device Guard to protect and isolate specific Windows components and processes from the high-level OS. Currently, the task sequence does not support installation of the Hyper-V Hypervisor feature because it requires two restarts. Your options for enabling the Hyper-V Hypervisor prerequisite are:

  • If you have a custom image of Windows 10, enable Hyper-V Hypervisor in the captured image
  • Enable the Hyper-V Hypervisor feature in a custom Unattend.xml answer file during the Windows 10 deployment
  • For an operational system that does not already have this feature enabled, create a simple script which calls DISM to enable the Hyper-V Hypervisor feature, and deploy that script as a package or application

(NOTE: you do not need the entire Hyper-V feature or even the entire Hyper-V Platform, just the Hyper-V Hypervisor feature.)

The second requirement is generating the Device Guard policy. See the Device Guard documentation for more information on this process. From here on out, this policy file is SIPolicy.p7b.

Once the Hyper-V Hypervisor is installed, the following task sequence steps are needed to enable Device Guard settings and apply the Device Guard policy.

Device Guard Task Sequence Steps (all of the following steps except the last are of type Run Command Line):

  • Enable Isolated User Mode Feature
    dism.exe /NoRestart /Online /Enable-Feature:IsolatedUserMode /All
  • Enable Virtualization Based Security
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
  • Require Platform Security Features
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 2 /f
  • Enable Hypervisor-Enforced Code Integrity
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
  • Install Code Integrity Policy
    xcopy \\server\share\SIPolicy.p7b C:\Windows\System32\CodeIntegrity /y
    NOTE: you will need to put the SIPolicy.p7b file on a real file share and update the path accordingly. Also remember that the task sequence runs under the context of Local System, so you need to make sure that the computer account (for example, domain\computername$) has permissions to the share and file.
  • Restart Computer
    Be sure to set the option “The currently installed default operating system”. You can configure the notification and timer options as needed.

NOTE: ongoing management and enforcement of these settings and the policy file can be configured via Active Directory group policy under Computer Configuration > Administrative Templates > System > Device Guard.

Deploy a Device Guard-enabled App

Once Device Guard is enabled and the policy applied, Windows 10 will restrict the apps that can launch on the device. (NOTE: Applications that are signed by the Windows Store are not subject to Code Integrity policy. To whitelist/blacklist Windows Store signed apps, use AppLocker.) For applications that are not digitally signed, or are signed with a certificate that is not included in the Code Integrity policy, the Device Guard documentation details a process by which you can generate a catalog file that defines the app for Device Guard. This catalog can then be signed and distributed along with the app to allow it to run on a Device Guard-protected system.

You can easily distribute signed catalogs by leveraging the inherent capabilities of a Configuration Manager application. Put the catalog into the same directory as the app installation source.

  • Create the application (in this demonstration we’re using 7-Zip)
  • Create one deployment type with the command line to install the app per normal
  • Create a second deployment type (script) using the same content directory with the following command line:
    cmd /c xcopy 7Zip-InspectedPackage.cat C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /y
  • Other options that can be configured on this DT to fully leverage the capabilities of the Configuration Manager application model:
    Detection Method: the catalog file exists in the catroot folder
    Requirements: Operating system is Windows 10
  • Make the first “install” DT dependent upon the second DT. This will cause the catalog to be copied and then the setup command line run.

Conclusion

As we said above, this can be used right now with in-market versions of Configuration Manager to support Device Guard. We are investigating more integrated support for Device Guard in a future release of Configuration Manager.

Contributors:
  • Aaron Czechowski, Senior Program Manager, Enterprise Client Management
  • Dune Desormeaux, Program Manager, Enterprise Client Management
  • Nazmus Sakib, Program Manager, Windows Enterprise and Security
  • Jeffrey Sutherland, Principal Program Manager Lead, Windows Enterprise and Security

Configuration Manager Resources
  • Documentation Library for System Center 2012 Configuration Manager
  • System Center 2012 Configuration Manager Forums
  • System Center 2012 Configuration Manager Survival Guide
  • System Center Configuration Manager Support
  • Submit Configuration Manager Product Ideas
  • Report Configuration Manager Product Issues
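The TPM overview above lists the device health attestation checks (DEP, BitLocker, Secure Boot, TPM 2.0), and the Configuration Manager post collects the Win32_DeviceGuard class to decide which clients can enable Device Guard. The following PowerShell readiness check is an added example, not code from Champion, Microsoft or the Configuration Manager blog. It runs the same checks locally so an administrator can confirm on one endpoint what the inventory will later report at scale. It reads the same root\Microsoft\Windows\DeviceGuard namespace and Win32_DeviceGuard class as the hardware inventory, and decodes the values using the meanings published in Microsoft's Device Guard documentation (AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, 4 = secure memory overwrite, 5 = NX protections, 6 = SMM mitigations, 7 = mode-based execution control; SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = enabled and running). It assumes an elevated session on Windows 10 with the built-in TrustedPlatformModule, SecureBoot and BitLocker PowerShell modules; the function name and the MeetsCollectionRule field are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from Champion, Microsoft or the Configuration Manager blog.
# Reports the endpoint properties discussed above: TPM version and readiness, firmware mode,
# Secure Boot, DEP, BitLocker, and the Win32_DeviceGuard state that ConfigMgr inventories.
# Value meanings for Win32_DeviceGuard follow Microsoft's Device Guard documentation.

function Get-EndpointSecurityReadiness {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # TPM presence, readiness and spec version. Get-Tpm lives in the built-in TrustedPlatformModule
    # module; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38", so the first token is the version.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
        $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        $report.TpmSpecVersion = ($tpmWmi.SpecVersion -split ',')[0].Trim()
    } catch {
        $report.TpmPresent = $false; $report.TpmReady = $false; $report.TpmSpecVersion = 'unknown'
    }

    # Firmware mode and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # which is exactly the case the page describes: no Secure Boot without UEFI.
    $report.FirmwareType = $env:firmware_type          # 'UEFI' or 'Legacy' on Windows 8 and later
    try   { $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report.SecureBootEnabled = $false }

    # DEP and BitLocker: two of the device health attestation checks listed in the TPM overview.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report.DepAvailable = [bool]$os.DataExecutionPrevention_Available
    $report.DepPolicy    = $os.DataExecutionPrevention_SupportPolicy   # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    try   { $report.BitLockerOsVolume = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus }
    catch { $report.BitLockerOsVolume = 'unavailable' }

    # Device Guard / VBS state from the same WMI class the hardware inventory collects.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $propNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite';
                    5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
    $svcNames  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }
    $vbsStates = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    $report.AvailableSecurityProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] }) -join ', '
    $report.SecurityServicesRunning     = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })  -join ', '
    $report.VbsStatus                   = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]

    # The collection query in the post selects clients whose AvailableSecurityProperties contain both
    # 1 and 3; evaluate the same condition locally so this result matches collection membership.
    $report.MeetsCollectionRule = ($dg.AvailableSecurityProperties -contains 1) -and ($dg.AvailableSecurityProperties -contains 3)

    [pscustomobject]$report
}

Get-EndpointSecurityReadiness | Format-List
```

Run it in an elevated PowerShell window before adding a machine to the Device Guard collection: a machine that shows MeetsCollectionRule = True but VbsStatus = Disabled is one the task sequence steps above still have to configure, while one that reports TpmSpecVersion 1.2 or FirmwareType Legacy does not meet the attestation prerequisites the TPM overview gives and needs a firmware or hardware change first.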

Windows 10 Deployment Scenarios

Michael Niehaus | Last Updated: 9/13/2016

To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.

In-place upgrade

For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.

Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.

The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.

Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used, because the upgrade process is unable to deal with conflicts between apps in the old and new operating system (for example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image).

There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:

• Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
• Changing from legacy BIOS to UEFI booting. Some organizations deployed earlier versions of Windows on UEFI-enabled systems, leveraging the legacy BIOS capabilities of these systems. Because changing from legacy BIOS to UEFI requires changing the hardware configuration, disk configuration, and OS configuration, this is not possible using in-place upgrade. Note: Windows 10 does not require UEFI, so it would work fine to upgrade a system using legacy BIOS emulation. Some Windows 10 features, such as Secure Boot, would not be available after doing this.
• Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
• Devices that use third-party disk encryption software. While devices encrypted with BitLocker can easily be upgraded, more work is necessary for third-party disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process (check with your ISV to see if they have instructions), but if these are not available a traditional deployment would be needed.
• Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported: preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
• Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.

Dynamic provisioning

For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.

The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:

• Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled.
• Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources.
• Installation of additional apps needed for organization functions.
• Configuration of common Windows settings to ensure compliance with organization policies.
• Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune.

There are two primary dynamic provisioning scenarios:

• Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment. In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed.
• Provisioning package configuration. Using the Windows Imaging and Configuration Designer (ICD), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see Configure devices without MDM.

Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).

While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.

Traditional deployment

New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the Windows Assessment and Deployment Kit, Windows Deployment Services, the Microsoft Deployment Toolkit, and System Center Configuration Manager.

With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.

The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:

• New computer. A bare-metal deployment of a new machine.
• Computer refresh. A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
• Computer replace. A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).

New computer

This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).

The deployment process for the new machine scenario is as follows:

1. Start the setup from boot media (CD, USB, ISO, or PXE).
2. Wipe the hard disk clean and create new volume(s).
3. Install the operating system image.
4. Install other applications (as part of the task sequence).

After taking these steps, the computer is ready for use.

Computer refresh

A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.

The deployment process for the wipe-and-load scenario is as follows:

1. Start the setup on a running operating system.
2. Save the user state locally.
3. Wipe the hard disk clean (except for the folder containing the backup).
4. Install the operating system image.
5. Install other applications.
6. Restore the user state.

After taking these steps, the machine is ready for use.

Computer replace

A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.

The deployment process for the replace scenario is as follows:

1. Save the user state (data and settings) on the server through a backup job on the running operating system.
2. Deploy the new computer as a bare-metal deployment.

Note: In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned, since user data needs to be transferred off the disk.
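The in-place upgrade blockers listed earlier in this article (x86 to x64, legacy BIOS to UEFI, Windows To Go and boot-from-VHD installations, non-BitLocker disk encryption, multi-boot) can be audited on a candidate PC before a scenario is chosen. The following PowerShell is an added example, not Microsoft's or Champion's code; the function name and its two switches are my own, the multi-boot test is a heuristic that matches English bcdedit output, and third-party encryption cannot be detected generically, so it is only flagged for review.

```powershell
# Added example, not Microsoft's or Champion's code: audit the local Windows 7/8/8.1 PC
# for the in-place upgrade blockers listed in the article. Run from an elevated prompt
# (bcdedit and the BitLocker WMI class need it). WMI is used instead of CIM so the
# function also runs on the PowerShell 2.0 that ships with Windows 7.
function Get-InPlaceUpgradeBlockers {
    [CmdletBinding()]
    param(
        [switch]$TargetIsX64,        # the Windows 10 image to be deployed is 64-bit
        [switch]$TargetRequiresUefi  # the project requires UEFI boot after migration
    )

    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $blockers = @()   # conditions the article says rule out in-place upgrade
    $review   = @()   # conditions that need a human decision

    # x86 -> x64: Setup.exe cannot change architecture during an upgrade.
    $sourceIsX64 = $os.OSArchitecture -like '64*'
    if ($TargetIsX64 -and -not $sourceIsX64) {
        $blockers += "Source OS is $($os.OSArchitecture); moving to x64 needs wipe-and-load."
    }

    # The current boot entry shows whether Windows started via UEFI (winload.efi) or
    # legacy BIOS (winload.exe), and whether the OS boots from a VHD (device vhd=...).
    $current   = bcdedit /enum '{current}' 2>$null
    $bootsUefi = [bool]($current -match 'winload\.efi')
    $bootsVhd  = [bool]($current -match 'vhd=')
    if ($TargetRequiresUefi -and -not $bootsUefi) {
        $blockers += 'Booted via legacy BIOS; the BIOS-to-UEFI change needs wipe-and-load.'
    }
    if ($bootsVhd) { $blockers += 'Boot-from-VHD installation; a new installation is required.' }

    # Windows To Go: PortableOperatingSystem exists on Windows 8 and later and is
    # $null on Windows 7, which is treated as "not portable".
    if ($os.PortableOperatingSystem -eq $true) {
        $blockers += 'Windows To Go installation; a new installation is required.'
    }

    # Multi-boot heuristic: more than one Windows boot loader entry (ignoring the
    # Windows Recovery Environment entry) means additional care is needed.
    $raw     = (bcdedit /enum osloader 2>$null) -join "`n"
    $loaders = @($raw -split "`n\s*`n" | Where-Object {
        $_ -match 'identifier' -and $_ -notmatch 'description\s+Windows Recovery' })
    if ($loaders.Count -gt 1) {
        $review += "$($loaders.Count) Windows boot loader entries found; check for dual/multi-boot."
    }

    # BitLocker upgrades cleanly; anything else encrypting the OS volume needs the ISV's
    # in-place upgrade guidance. ProtectionStatus 1 = BitLocker protection on.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    $bitLockerOn = ($vol -ne $null -and $vol.ProtectionStatus -eq 1)
    if (-not $bitLockerOn) {
        $review += 'OS volume is not BitLocker-protected; if third-party disk encryption is present, get the ISV''s upgrade instructions or plan wipe-and-load.'
    }

    New-Object PSObject -Property @{
        ComputerName            = $env:COMPUTERNAME
        SourceOS                = $os.Caption
        Architecture            = $os.OSArchitecture
        BootsUefi               = $bootsUefi
        BitLockerOn             = $bitLockerOn
        Blockers                = $blockers
        NeedsReview             = $review
        InPlaceUpgradeCandidate = ($blockers.Count -eq 0)
    }
}

# Example run for a project moving every device to 64-bit Windows 10 on UEFI.
Get-InPlaceUpgradeBlockers -TargetIsX64 -TargetRequiresUefi | Format-List
```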

Considerations When Deploying Windows 10

Michael Niehaus | Last Updated: 9/13/2016

There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.

For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.

Windows 10 also introduces two additional scenarios that organizations should consider:

• In-place upgrade, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
• Dynamic provisioning, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.

Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.

So how do you choose? At a high level:

In-place upgrade
• When you want to keep all (or at least most) existing applications
• When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
• To migrate from Windows 10 to a later Windows 10 release

Traditional wipe-and-load
• When you upgrade significant numbers of applications along with the new Windows OS
• When you make significant device or operating system configuration changes
• When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
• When you migrate from Windows Vista or other previous operating system versions

Dynamic provisioning
• For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
• When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps

Migration from previous Windows versions

For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.

Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment.

For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.

Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the Windows 10 software download page to acquire a new Windows 10 license from the Windows Store. For more information, refer to the Windows 10 FAQ.

For organizations with Software Assurance for Windows, both in-place upgrade and wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).

For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.

Setup of new computers

For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:

• User-driven, from the cloud. By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see Azure Active Directory integration with MDM.
• IT admin-driven, using new tools. Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see Windows Imaging and Configuration Designer.

In either of these scenarios, you can make a variety of configuration changes to the PC:

• Transform the edition (SKU) of Windows 10 that is in use.
• Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
• Install apps, language packs, and updates.
• Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).

For computers already running Windows 10 on the Current Branch or Current Branch for Business, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:

• Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
• Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions.
• System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions).
• System Center Configuration Manager vNext software update capabilities (deploying like an update).

Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements. Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed.

Shields up on potentially unwanted applications in your enterprise

Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP) or Forefront Endpoint Protection (FEP), it’s good to know that your infrastructure can be protected from PUA installations when you opt in to the PUA protection feature. If enabled, PUA will be blocked at download and install time.

What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or their bundled applications. These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.

PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers. If you are already one of Microsoft’s existing enterprise customers, you need to opt in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft’s enterprise customers. No additional configuration is required besides opting into PUA protection.

Deploying PUA protection

Systems administrators can deploy the PUA protection feature as a Group Policy setting by configuring the following registry key policy setting for your product version:

System Center Endpoint Protection, Forefront Endpoint Protection
    Key Path:   HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
    Value Name: MpEnablePus

Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender
    Key Path:   HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine
    Value Name: MpEnablePus

The group policy value for MpEnablePus can be configured as a DWORD type as follows:

Value (DWORD)   Description
0 (default)     Potentially Unwanted Application protection is disabled
1               Potentially Unwanted Application protection is enabled. The applications with unwanted behavior will be blocked at download and install-time.

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.

PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as PUA:Win32/Creprote. Specific researcher-driven signatures identify the following:

• Software bundling technologies
• PUA applications
• PUA frameworks

What does PUA protection look like?

By default, PUA protection quarantines the file so it won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it meets one of the following conditions:

• The file is being scanned from the browser
• The file has Mark of the Web set
• The file is in the %downloads% folder
• The file is in the %temp% folder

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection: the user can view the blocked software in the History tab.

In Windows 10, where its endpoints including Windows Defender are managed, the following dialog box will be shown.

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence, such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it’s recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into the PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine if you’d want to allow any of them in your enterprise, add exclusions for them (all exclusion mechanisms are supported: file name, folder, extension, process) and then gradually roll out the opt-in policy to a larger set of machines.

Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.

We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor
MMPC
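As an added example (not the MMPC's code), the following PowerShell applies the MpEnablePus opt-in at the two key paths the post gives, reports the current state on a machine, and, for Windows 10 clients with the Defender PowerShell module, summarises detections whose threat name starts with “PUA:” to support the staged roll-out described above. The function names and the $PuaPolicyPaths table are my own.

```powershell
# Added example, not the MMPC's code: set, audit and monitor the MpEnablePus opt-in
# described in the post. Key paths are the ones the post gives; function names are mine.
$PuaPolicyPaths = @{
    'SCEP'            = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'WindowsDefender' = 'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'
}

function Set-PuaProtection {
    # Writes MpEnablePus (DWORD) = 1 to enable or 0 to disable. Supports -WhatIf so the
    # change can be previewed on a pilot machine before it is pushed by Group Policy.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][ValidateSet('SCEP','WindowsDefender')][string]$Product,
        [switch]$Disable
    )
    $path  = $PuaPolicyPaths[$Product]
    $value = if ($Disable) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$path\MpEnablePus", "set DWORD to $value")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name MpEnablePus -Value $value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-PuaProtection {
    # Reports the state for both products. A missing value behaves like 0 (disabled),
    # which is the default the post describes.
    foreach ($product in $PuaPolicyPaths.Keys) {
        $path  = $PuaPolicyPaths[$product]
        $item  = Get-ItemProperty -Path $path -Name MpEnablePus -ErrorAction SilentlyContinue
        $state = 'NotConfigured (disabled)'
        if ($item) { $state = if ($item.MpEnablePus -eq 1) { 'Enabled' } else { 'Disabled' } }
        New-Object PSObject -Property @{ Product = $product; Path = $path; State = $state }
    }
}

function Get-PuaDetectionSummary {
    # For the staged roll-out: counts detections whose threat name starts with "PUA:".
    # Assumes a Windows 10 client with the Defender PowerShell module (Get-MpThreat);
    # for SCEP/FEP clients, review detections in the management console instead.
    Get-MpThreat | Where-Object { $_.ThreatName -like 'PUA:*' } |
        Group-Object -Property ThreatName | Sort-Object -Property Count -Descending |
        Select-Object -Property @{ n = 'ThreatName'; e = { $_.Name } }, Count
}

# Pilot: preview the change, confirm the resulting state, then review what gets blocked
# before adding exclusions and widening the policy to more machines.
Set-PuaProtection -Product WindowsDefender -WhatIf
Get-PuaProtection | Format-Table -AutoSize
```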

Champion Solutions Group has over 35 years of expertise in delivering customized information technology solutions across all platforms for mid-size to large organizations. Take our security self assessment test, and contact us today to learn how our proven methodology can help your organization increase productivity, reduce costs, and mitigate risks.