Windows 10: IT wants to manage PCs like phones
- 12 June, 2017 18:45
When three large government departments merged to create the Australian Department of Human Services, it took the new department almost three years to migrate to Windows 7. Having gone through those “three hard years,” the IT team was determined not to fall behind again, says Mike Brett, the department’s general manager for information communication technology infrastructure. Not only did the department start its Windows 10 migration as soon as the operating system came out, but it’s also committed to adopting new releases of Windows 10 as they come along.
“It’s our intention not to get out of date and fall behind again, so we don’t have to have a big-bang Windows upgrade again,” says Brett. “We’re keen to stay current — especially where there’s an advantage to moving forward — and we’re keen not to have to do that kind of remediation again. We want to stay ahead of the game rather than playing catch-up.
“It’s a culture change for the team, but we’re trying to make it part of business as usual. Really, it’s just good IT practice.”
Which is exactly how Microsoft is hoping businesses will think about Windows as a Service, according to Michael Niehaus, director of product marketing for commercial Windows. “We’re suggesting changing Windows deployment from a project that customers do every three to five years to thinking about deployment as a process. You move to Windows 10 and then continually stay up to date with the new features as released, and the benefits are that you get security capabilities faster, you get less disruption, you get a simpler deployment process.”
Getting used to change
Updating Windows regularly might be less disruptive, but moving to this model is itself a big change. “On the one hand, organizations see this as potentially disruptive. At the same time, they say disruption can be good if it gets them out of the problems of the past,” Niehaus says.
With long deployment cycles, there’s a temptation to defer problems. “They’d build up technical debt,” says Niehaus. “They’d say, ‘We’re not going to deal with this now; we’ll take care of it with the next Windows upgrade in three years’ time.’ But when you do that with your apps and infrastructure, that takes the Windows upgrade project — which most organizations already thought was a big enough job — and makes it that much bigger, because now it’s not just upgrading to the next version of Windows but upgrading your infrastructure and your apps and dealing with all that technical debt.”
The solution isn’t just keeping up with Windows, says Niehaus, but modernizing IT habits generally. “Organizations need to make sure that the application owners and the business groups take responsibility for keeping line-of-business apps up to date as well. That way they can avoid this ‘kick the can down the road’ syndrome they’ve typically encountered.”
Many organizations are coming round to this point of view, says Gartner analyst Steve Kleynhans. “Everybody realizes there is a necessity to keep up, and so the majority of the customers I talk to are working at developing a process so they can keep up with feature updates as they come out.”
This acceptance comes after some initial denial, Kleynhans notes, but more frequent change is the new normal. “Lots of companies suggested to us that Microsoft is not really going to do this. Of course they are; this is just the nature of how things have changed.”
He suggests that feature updates might even arrive more quickly. “This is a very fluid market. There are new competitive pressures. This is not the last time we will have a change in what the cadence of updates is going to be and how it is going to work. We are entering a market where change is going to be continuous in every aspect of what we do.”
That can be a positive thing for IT teams, Brett suggests. “Internally, the project was a great opportunity for the staff to feel that they were playing in IT again. We had been risk-averse, and to be at the leading edge has been invigorating for them.”
Current means semiannual
Craig Dewar, senior director for commercial Windows at Microsoft, estimates that most customers that are adopting Windows as a Service have some 90% of their PCs running the Current Branch for Business (CBB, which Microsoft is renaming the Semi-Annual Channel, because it will now come out twice a year, on a fixed schedule to match Office and System Center). “They typically have something like 9% of their machines on the latest release, and then 1% on Insider builds” (referring to the Insider for Business program).
“Enterprises want to start piloting a new release as soon as it comes out, starting with the IT organization, to see how productivity and line-of-business apps and devices work with it,” Niehaus notes. Typically, customers decide the new releases are ready for broad deployment after four months, he says.
The support life cycle for Windows 10 pushes businesses in this direction. With Windows releases now coming in March and September every year, the rather complicated formula of servicing for the two most recent CBB releases plus a 60-day grace period becomes a much clearer 18 months of support.
Kleynhans cautions against trying to use the Long Term Servicing Branch (LTSB, soon to be known as the Long Term Servicing Channel) as a way to avoid updating Windows 10. LTSB releases come out every two to three years and are supported for ten years (much longer than other branches), but this branch is intended only for specialized systems that perform a single important task and need stability more than the latest features. LTSB devices get only quality updates; they can’t run Edge or Windows Store apps (including the inbox apps such as Mail and Cortana), and you can only use an LTSB release on PCs with the CPUs that were shipping when that branch was released.
“For a lot of companies, rolling out LTSB beyond the relatively few targets in their environment where it’s required will actually create more problems with keeping up to date,” he says. “The problem is that LTSB is only certified for things that were shipping the day LTSB shipped. Any new processors, potentially any new versions of applications — for anything that comes out after LTSB ships — there’s the potential that it won’t work with that LTSB and you’ll have to move to a new LTSB. You might end up having to update to a new LTSB every year. How is that better? Outside of a very narrow target, LTSB could be much harder to manage in your environment long term than just sticking with CBB.
“It’s not the good old days. It’s not the Windows 7 model; what a lot of people were thinking was that LTSB would take them back to the Windows 7 model, and it’s not. It’s something different, and it’s not going to get them what they want.”
The message seems to have gotten through: The most recent survey that Microsoft did of commercial Windows customers showed only a single-digit percentage looking at LTSB for broad deployment, according to Niehaus.
Making this regular process work means striking a balance between getting experience with new features from Insider builds and not wasting time on bugs that won’t be in the final release, cautions Kleynhans. “Everybody wants access to code as early as possible, so they can start their testing processes and their familiarization processes as easy as possible. But they don’t want to get started with stuff that’s breaking and causing problems that are not going to be there in production code. Organizations want to be testing their issues, not Microsoft’s issues.”
New controls in the Insider program let IT teams see feedback and usage of Insider builds within their organization; they may also give those teams more influence with Microsoft. “From our side, this allows us to weight feedback more accurately,” Dewar explains. “We understand that not all feedback is equal, and one piece of feedback can represent a very large installed base. If you leave three pieces of feedback but you represent a large organization with 80,000 PCs, we would probably listen to your feedback on a security or business feature more than a home user with a single PC. Before, we didn’t have the ability to do that.”
The smaller, simpler monthly updates for security and quality make this more palatable as well. If you want more time to test non-security fixes, you can now get those a couple of weeks before the monthly Cumulative Update, and System Center Configuration Manager now supports Express Updates, which download only the updates that are new to a Windows client rather than the full Cumulative Update package. And if you want to switch to deploying Windows updates without administrators approving them manually, you can use Windows Update for Business for that while still updating third-party and line-of-business apps through Windows Server Update Services (WSUS) using Dual Scan. (Introduced with Windows 10 version 1607, Dual Scan is being updated for version 1703 to give businesses more control over which updates are applied and when.)
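The mix of WSUS, Windows Update for Business deferrals and Dual Scan described above is set through Windows Update policy registry values, and a client can end up in a state where Windows updates bypass WSUS approval without the administrator noticing. The following PowerShell audit script is an added example, not code from the article or from Microsoft: it reads the documented policy values (WUServer, UseWUServer, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays, BranchReadinessLevel, and the DisableDualScan value that arrived with the version 1703 policy) and reports whether the device is on WSUS, on Windows Update for Business, or effectively dual-scanning. The rule it applies for "Dual Scan active" (WSUS configured, deferral policies present, and DisableDualScan not set) is the author's reading of the behaviour, stated as an assumption in the code.

```powershell
# Added example (not from the article or Microsoft): audit a Windows 10 client's
# update servicing configuration to see whether WSUS, Windows Update for Business
# deferrals, or both (Dual Scan) govern which updates it receives.
# Run in an elevated PowerShell session on the client being checked.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# Read one policy value, returning $null when the key or value does not exist.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ServicingConfig {
    $wsusServer   = Get-PolicyValue $wuPolicy 'WUServer'
    $useWsus      = Get-PolicyValue $auPolicy 'UseWUServer'
    $deferFeature = Get-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
    $deferQuality = Get-PolicyValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
    $readiness    = Get-PolicyValue $wuPolicy 'BranchReadinessLevel'
    $dualScanOff  = Get-PolicyValue $wuPolicy 'DisableDualScan'

    # WSUS is in use only when a server is named and the client is told to use it.
    $usesWsus = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wsusServer)

    # Any deferral or readiness-level policy means Windows Update for Business
    # settings are present on this client.
    $usesWufb = ($null -ne $deferFeature) -or ($null -ne $deferQuality) -or ($null -ne $readiness)

    # Assumption (author's reading): with both WSUS and WUfB policies set and
    # DisableDualScan not enabled, the client also scans Windows Update and takes
    # Windows updates from there, so WSUS approvals no longer gate them.
    $dualScan = $usesWsus -and $usesWufb -and ($dualScanOff -ne 1)

    [pscustomobject]@{
        WsusServer                   = $wsusServer
        UsesWsus                     = $usesWsus
        FeatureDeferralDays          = $deferFeature
        QualityDeferralDays          = $deferQuality
        BranchReadinessLevel         = $readiness
        UsesWindowsUpdateForBusiness = $usesWufb
        DualScanActive               = $dualScan
    }
}

$config = Get-ServicingConfig
$config | Format-List

# Surface the combination that matters for change control: a WSUS-managed client
# whose Windows updates are actually sourced from Windows Update.
if ($config.DualScanActive) {
    Write-Warning 'Dual Scan active: Windows updates come from Windows Update, not from WSUS approvals.'
}
```

Running this across a pilot ring before enabling deferral policies shows which clients will stop honouring WSUS approvals for Windows updates; setting DisableDualScan to 1 keeps such clients on WSUS alone, while leaving it unset is the intended configuration for the Windows Update for Business plus WSUS split the article describes.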
Manage like mobile
As they shift the way they handle deploying Windows, many organizations are also taking the opportunity to manage those Windows PCs rather differently — more like the BYOD phones and tablets employees have been adopting than the desktop PCs of old, especially as more two-in-one devices such as the Surface Pro show up in the enterprise.
“The methods that organizations use to manage Windows devices have been more or less unchanged for the last decade or more,” Niehaus points out. “We’ve been telling the modern IT management story for a couple of years, which is that you probably have groups of employees who are mobile, who are never connected to the corporate network, who could be treated differently than the traditional corporate network-connected, workstation tower under the desk.”
Some customers experimented with this approach, but there hadn’t been a significant shift in PC management until Windows 10 built in an MDM client that adds new policy options with each release.
“The big change with Windows 10 is that customers are coming back to us and saying, ‘We’ve been taking that approach for our mobile devices — and if we’re able to take a step back from our heavy-handed policies, maybe we can make that work for our entire population and take a much lighter-weight approach that’s really focused on keeping the organization safe and productive, where we don’t have to be in control of everything.’”
Some organizations are already shifting to this approach, using Azure Active Directory and an MDM service such as Intune rather than Active Directory and group policy and System Center Configuration Manager, says Niehaus, but “others are plotting that course over potentially a period of years.”
According to a recent survey by analysts CCS Insight, this switch will bring desktop and mobile management teams into a single group inside IT organizations. Among respondents to the survey, 83% said that operational convergence would happen within three years, and 44% said that would happen within 12 months. That also means moving from MDM tools designed for phones to services such as Microsoft Intune and EMS that can manage both phones and PCs, noted Nicholas McQuire, vice president of enterprise research at CCS Insight.
Even though the MDM client in Windows 10 supports many of the same options as group policy, you need to think carefully about how many of those policies you apply. Mike Brett suggests IT teams approach this by asking, “How do we make the experience better? Previously we would lock everything down, which is a very easy approach for IT. Now it’s, What do we lock down that protects us, and what do we do that enhances the user experience?”