Chapter 5

Deploying Windows 10

IN THIS CHAPTER

  • Explaining the concept of Windows as a service
  • Stepping through the Windows 10 deployment options
  • Simplifying Office ProPlus installation on devices

The day of reckoning is nearing for all businesses still running Windows 7. In less than a year, on January 14, 2020 to be exact, extended support for the Windows 7 operating system will end. Security updates will no longer be available for this version of the operating system when extended support ends. Considering today’s cyberthreat landscape, you do not want to be running a business without security updates.

If you think you’re safe because you’re running Windows 8.1, think again. Mainstream support for Windows 8.1 ended on January 9, 2018. Although security updates are still available through the end of extended support on January 10, 2023, non-security updates are no longer available. Requests for product design changes and feature enhancements are no longer accepted, and no-charge support programs were discontinued when mainstream support ended.

But wait—there is good news. Your Microsoft 365 Business license makes you eligible for a free upgrade to Windows 10 Pro! In Chapter 3, you learn that to prepare for a Windows 10 rollout, the first step is to upgrade Windows 7 or 8.1 devices to Windows 10 Pro Creators Update following the instructions here: www.microsoft.com/en-us/software-download/windows10.

After all the devices are updated, the stage is set for an IT admin to perform the Windows 10 deployment wizardry by using the Microsoft 365 deployment advisor and other tools.

If new laptops or desktops pre-installed with Windows 10 Pro from Lenovo, Dell, HP, or Microsoft are being deployed, consider unlocking Master Wizard level for the IT admin. End users will witness magic when they first turn on their device and realize that with a few clicks their device will be fully managed and protected with the technologies in Microsoft 365 Business.

This chapter is all about empowering an IT admin to deploy Windows 10 with the confidence of a wizard. You begin with an overview of the benefits of the operating system that Microsoft considers to be the most secure. Read about what Windows as a service means, and then get down in the weeds and step through two approaches for deployment. You then elevate your wizard level by automating the installation of Office ProPlus on devices during the Windows 10 deployment process.

Making the Case for Windows 10

A notable story in Steve Jobs by Walter Isaacson (Simon & Schuster) is when Jobs complained about how long it took to boot up a Macintosh computer. When an engineer started to explain and give excuses, Jobs cut him off and asked if he’d shave 10 seconds from the boot time if it meant saving a person’s life, to which the engineer replied, “probably.” Jobs then proceeded to calculate that if 5 million people could save 10 seconds per day booting up their Macintosh computers, that added up to 300 million hours or so per year, the equivalent of at least 100 lifetimes saved per year. Apparently, the engineers came back a few weeks later to report that they’d managed to boot the computer not just 10 seconds faster, but 28 seconds.

So why am I talking about Macs in a book about a Microsoft technology? Well, for one, I have memories of cooking a fried rice dish while waiting for my Windows XP machine to boot way back when. With my Windows 10 device today, it takes no more than 20 seconds to boot my Surface Book 2.

Beyond just boot times, however, Windows 10 saves IT admins tons of hours in deployment and servicing. An IT director for a Fortune 500 company has said that the Windows-as-a-service model has reduced their deployment time by 75 percent. If you consider that time saving against 500 million plus devices running Windows 10 today, you’ll see how many potential lifetimes we’d save per year simply by deploying Windows 10.

Getting cloud-ready with Windows 10

The future is here. Managing devices and identities no longer requires deep technical expertise and expensive infrastructure that takes a long time to build and deploy. Today, all you need are an Internet connection and a subscription to Microsoft 365 Business to have access to Azure AD and Windows 10 for cloud-based identity and device management.

Windows 10 has built-in intelligent security. It’s intelligent because it uses machine learning and artificial intelligence to combat sophisticated threats from bad actors. Updates are released on shorter cycles at regular intervals to ensure that security holes are plugged and risks are proactively managed.

Cloud-based provisioning in Windows 10 means an IT admin never needs to touch a device to manage it. Management can be in the form of wiping data if the device is lost or stolen, resetting the device to original settings so it can be reissued to another user, or pushing scheduled updates to the operating system. An IT admin can even remotely install the Office suite (Word, PowerPoint, Excel, Outlook, and so on) on a managed device.

The smart people at Microsoft have come up with a simple graphic that encapsulates the difference between traditional IT and modern IT, as shown in Figure 5-1. This is the future of how IT is delivered, and that future is now. Are you in or are you out?

Illustration describing the difference between traditional information technology and modern information technology.

Microsoft Ignite 2017 Presentation

FIGURE 5-1: Traditional IT versus modern IT.

Windows as a service (WaaS) at a glance

Windows as a service (WaaS) is a concept that simplifies how the Windows operating system is managed and maintained. It is designed to be iterative, with additional features and improvements rolled out more quickly than in the past.

WaaS has two types of updates:

  • Feature updates: Released twice annually, usually in the fall and the spring. This release cycle aligns with the feature releases for Office ProPlus (Word, PowerPoint, Excel, Outlook, OneNote, and so on).
  • Quality updates: Released monthly with fixes for bugs and other security updates. They contain cumulative updates, so if you have a PC that hasn’t been turned on for three months, it will still get up to the latest version of Windows 10 when the update is applied.

By delivering these updates more often and in smaller packages, the chances of running into huge incompatibility issues with the operating system and your apps are lower.

The updates are rolled out in four stages, as shown in Figure 5-2. With both monthly and semi-annual updates, you can imagine the teams of engineers, project managers, testers, and more orchestrating the overlapping releases on any given day. Or night for that matter. I know. I’ve been there.

  • Microsoft engineers: Updates are developed by Microsoft engineers in an iterative process.
  • Microsoft employees: Builds (something tangible coming out of software code) are periodically released to thousands of Microsoft employees who participate in the dogfood (slang for an organization using its own product) program.
  • Microsoft Insider Preview members: After the engineers are satisfied with the build after taking feedback from the dogfooders, the update is released to the millions of people who have signed up for the Insider Preview program. During this stage, Microsoft is collecting feedback and feeding it into the development process.
  • Windows 10 users: When feature updates are final based on the feedback from the Insider Preview members, the build is released to organizations that have users licensed for Windows 10. Depending on how the servicing is configured, the update may be rolled out to end users in stages or all at once.

Illustration depicting the updates of Windows as a service (WaaS) timelines in four stages comprising teams of engineers, project managers, testers, and end users.

FIGURE 5-2: WaaS timelines.

When it comes to deploying Windows 10, one size does not fit all. Each organization has its own unique needs. Even small businesses in the same industry with the same number of users will reveal subtle differences in how they use the technology.

In the next sections, I cover two approaches for deployment that would typically meet the needs of SMBs. Note that the steps outlined may require customization based on the business requirements.

Completing the Setup Wizard before Deployment

Before you begin deploying Windows 10, you must first complete the tasks in the Setup wizard from Microsoft 365 Admin Center, as shown in Figure 5-3. If you have completed the email migration as described in Chapter 4, most likely you have already added a domain and therefore the first step (Personalize Sign-In) will not appear.

Screenshot displaying a message from the setup wizard in Microsoft 365 Admin Center indicating that the business setup is incomplete.

FIGURE 5-3: Setup wizard in Microsoft 365 Admin Center.

As you continue through the wizard, you can just click Next if no action is required. For example, in the Add Users step, you can click Next if all users have been added or if you prefer to add them later.

After the Add Users step, the next screen asks you whether you want to migrate email messages, as shown in Figure 5-4. If you choose Migrate Email Messages, you will be taken out of the Setup wizard and directed to the Migration wizard. Don’t worry; you can go back to the Setup wizard later to finish the tasks.

Screenshot of the Microsoft 365 admin center displaying the Migrate Email Messages screen from the Setup wizard to move messages from a current email service.

FIGURE 5-4: Migrate Email Messages screen from the Setup wizard.

The Migration wizard guides you through the process of migrating email from various sources, as shown in Figure 5-5. Note that you need to complete additional steps outside of the wizard to finish the email migration.

Screenshot of the Migration wizard home page displaying a series of email sources enabling to select the appropriate source while migrating data.

FIGURE 5-5: Email sources in the Migration wizard.

When you have completed the email migration, run the Setup wizard again and it will pick up where you left off.

The next task is to configure the settings for protecting work files on mobile devices under the Protect Data & Devices step. Figure 5-6 displays toggle switches to turn various settings on or off. By default, Protect Work Files when Devices Are Lost or Stolen is turned on. Delete Work Files from Inactive Device After is set to 90 days but you can change that setting.

Screenshot of the Microsoft 365 admin center displaying the 3 steps provided in the setup wizard to protect work files on mobile devices.

FIGURE 5-6: Protect work files on mobile devices from the Setup wizard.

Each toggle switch has quite a few policies automatically configured in the backend. In the past, configuring those policies would have required a systems engineer with deep technical expertise.

When you’re satisfied with your settings in the Protect Work Files on Mobile Devices screen, click Next to move to the next task: Set Windows 10 Device Configuration.

Like the preceding screen, the Set Windows 10 Device Configuration screen has toggle switches for turning policies on or off, as shown in Figure 5-7. Note that these policies will be applied to all users whose devices are managed when they join Azure AD as part of the Windows 10 deployment.

Screenshot of a window displaying a list of installation procedures to set Windows 10 device configuration.

FIGURE 5-7: Set Windows 10 device configuration.

On the same screen, you can automate the installation of Office ProPlus by toggling the switch to On for Install Office on Windows 10 Devices. When you’re satisfied with the settings, click Next to complete the Setup wizard tasks. You’re now ready to deploy Windows 10.

Manually Deploying Windows 10 Business

For existing devices that have already been upgraded to Windows 10 Pro Creators Update (refer to Chapter 3), follow these steps to deploy Windows 10 Business:

  1. On the bottom left of your screen, click the Windows Start icon (Windows logo).
  2. Click the Settings icon (gear).
  3. In Settings, select Accounts.

    The Your Info page appears.

  4. In the left pane, select Access Work or School, as shown in Figure 5-8, and then click Connect.

    The Set Up a Work or School Account window appears.

  5. Select Join This Device to Azure Active Directory.

    Warning: Do not enter your email address in the box in the window!

    The Let’s Get You Signed In window appears.

  6. Enter your email address for Microsoft 365 Business, and then click Next.
  7. Enter your password, and then click Sign In.

    The Make Sure This Is Your Organization window pops up, as shown in Figure 5-9.

  8. Click Join.

    The You’re All Set! page appears.

  9. Click Done.

    The Access Work or School page reappears.

  10. Select Connected to [your company name] to display the Info and Disconnect button.
  11. Click the Info button to get the sync status and verify that the device is synching with Azure AD.
  12. On the Managed by [your company name] page, click the Sync button to make sure the latest device management policies are applied to the device.
Screenshot of the Set Up a Work or School Account window enabling to access work or school from the Info page.

FIGURE 5-8: Access work or school from the Your Info page.

Screenshot of a pop-up window “Make Sure This Is Your Organization” to make sure if that is the right organization.

FIGURE 5-9: Make Sure This Is Your Organization pop-up window.

Now that you’ve deployed Windows 10 to the device, the next step is to log in to the device with your Microsoft 365 credentials and start using the device with all the features that come with your Microsoft 365 Business subscription. Here’s how.

  1. Click the Windows Start icon.
  2. Right-click the icon for the current account logged into the device, and then select Switch account.

    The Windows 10 login page appears.

  3. Log in with your Microsoft 365 Business credentials.
  4. If you see the “Another user is signed in” notification, click Yes.
  5. Verify that Windows 10 Pro has been upgraded to Windows 10 Business by clicking the Windows Start icon and then selecting System.
  6. In the left pane, click About.
  7. Under Windows Specifications, make sure that the edition is Windows 10 Business, as shown in Figure 5-10.

    Congratulations! You’ve just deployed Windows 10 manually!

Screenshot displaying Windows specifications for upgrading Windows 10 Pro to Windows 10 Business.

FIGURE 5-10: Windows 10 Pro upgraded to Windows 10 Business.

Tip: If you follow the preceding steps — including additional steps Microsoft might require from updates — and the edition does not display Windows 10 Business, restart your computer. If the issue persists, submit a ticket to Microsoft (if licensing directly with Microsoft) or through your licensing provider’s support channel.

Deploying with Windows AutoPilot

To deploy Windows 10 by using Windows AutoPilot, Azure AD first must know that the company owns the device. This means that the device will need to be registered in Microsoft 365 Admin Center with the device’s hardware ID. After the device is registered, it is ready for Windows AutoPilot deployment. I cover the steps for registering the device in this section.

Capturing the device ID

If you want to repurpose a computer or laptop for Windows AutoPilot, you must first extract the device ID of the device by using PowerShell, a utility tool installed on any Windows 10 device.

In this exercise, you will be doing some geeky stuff, but don’t worry. No prior coding experience is required. The only skill required is the ability to read and type.

Capturing the device ID involves three steps:

  1. Get the script that will extract the information from the device.
  2. Save the script in a shared folder or a USB flash drive for later access.
  3. Run the script on the device from which you want to extract the device ID.

Step 1: Get the PowerShell script

I’m all for not reinventing the wheel, so I recommend using a PowerShell script that’s already been shared and tested in the geek community. Here’s how to get the script that seasoned professionals use:

  1. From a device already running Windows 10, click the Windows Start icon and then type PowerShell.
  2. Right-click Windows PowerShell and choose Run as Administrator, as shown in Figure 5-11.
  3. Copy and run the following commands, which download and install the Get-WindowsAutoPilotInfo script:

    Set-ExecutionPolicy Unrestricted
    Save-Script -Name Get-WindowsAutoPilotInfo -Path
    Install-Script -Name Get-WindowsAutoPilotInfo

  4. Accept the change by typing Y in the Execution Policy Change section, as shown in Figure 5-12, and then press Enter.

    The PowerShell window displays an error in red.

  5. In the PATH Environment Variable Change section, type Y and press Enter.
  6. In the Nuget Provider Is Required to Continue section, type Y and press Enter.
  7. Under Untrusted Repository, enter Y and then press Enter.

    After the command has run successfully, the last line in PowerShell will be

    PS C:\WINDOWS\system32>

  8. Close the PowerShell window by clicking the X in the upper-right corner.
Screenshot of a mobile page enabling to run Windows PowerShell as an administrator, by following the instructions provided.

FIGURE 5-11: Running Windows PowerShell as an administrator.

Screenshot of the Administrator: Windows PowerShell page for running the command of the Get-WindowsAutoPilot script successfully.

FIGURE 5-12: Running the Get-WindowsAutoPilot script.

Step 2: Save the script

After you complete the preceding steps, you can add PowerShell in your IT admin’s toolkit — and be able to honestly add to your resume your experience using the tool. That’s just the beginning. Next, let’s save the script so you can use it to capture the device ID.

  1. Open File Explorer by clicking the folder icon on the taskbar, and then navigate to

    C:\Program Files\WindowsPowerShell\Scripts

  2. Verify that the Get-WindowsAutoPilotInfo.ps1 file is there, as shown in Figure 5-13.
  3. Copy the file to both a shared location such as OneDrive for Business or a document library in SharePoint and to a USB flash drive.

    You will need to access that script from the device for which you want to capture the device ID.

Screenshot of a window for verifying that the PowerShell script has been successfully installed in a system.

FIGURE 5-13: PowerShell script successfully fetched.
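
Because the script comes from a public repository and is later run as administrator on every device you enroll, it helps to confirm that the copy on the share or USB drive is the one you downloaded. The following is an added example, not from the book or from Microsoft: it changes the execution policy for the current PowerShell session only, saves the script to a staging folder, checks its Authenticode signature, and records a SHA-256 hash to recheck on the target device. The folder C:\AutoPilotStaging and the function names are assumptions, as is the expectation that the published script carries a valid signature.

```powershell
# Added example (not from the book). Folder path and function names are assumptions.
$ErrorActionPreference = 'Stop'
$StagingDir = 'C:\AutoPilotStaging'      # hypothetical staging folder
$ScriptName = 'Get-WindowsAutoPilotInfo'

function Save-VerifiedScript {
    param([string]$Name, [string]$Directory)

    # Relax the policy for this PowerShell process only. The machine-wide
    # setting is untouched and the change ends when the window is closed.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

    New-Item -ItemType Directory -Path $Directory -Force | Out-Null

    # Save-Script downloads without installing, so the file can be inspected first.
    Save-Script -Name $Name -Path $Directory -Force

    $file = Join-Path $Directory "$Name.ps1"
    $sig  = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        # Assumption: the published script is signed. If it is not, review the
        # file by hand before use instead of running it blindly.
        throw "Signature status for $file is '$($sig.Status)'; do not run it."
    }

    [pscustomobject]@{
        Path   = $file
        Signer = $sig.SignerCertificate.Subject
        Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

function Test-ScriptCopy {
    # Run on the target device against the copy from the share or USB drive.
    param([string]$Path, [string]$ExpectedSha256)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    ($actual -eq $ExpectedSha256) -and ($sig.Status -eq 'Valid')
}

$info = Save-VerifiedScript -Name $ScriptName -Directory $StagingDir
$info | Format-List

# Keep the hash next to the script so it travels with the copy.
$info.Sha256 | Set-Content (Join-Path $StagingDir "$ScriptName.sha256")
```

On the target device, `Test-ScriptCopy` returns True only when the copied file still matches the recorded hash and its signature is intact.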

Step 3: Run the script

Now that the script is readily accessible, let’s capture the device ID. You will step through two scenarios in this process:

  • Scenario 1: Capture the device ID from a device that is already in use.
  • Scenario 2: Capture the device ID from a new device that has not been turned on yet and has not gone through the Out-of-the-Box Experience, or OOBE.

To capture the device ID from an existing device:

  1. From the device, navigate to where the PowerShell script is stored. Copy the file to the C drive, placing it in the root folder for easy navigation in PowerShell.
  2. Open Notepad and type the following:

    .\Get-WindowsAutoPilotInfo.ps1 -ComputerName {ComputerName} -OutputFile .\MyDeviceID.csv

    Make sure to replace {ComputerName} (including the braces) with the name of your computer. Don’t close Notepad. You will need it in Step 5.

    Tip: So you and your computer have been buddies for a while, but now you realize that you don’t know your computer’s official name! Fortunately, your computer won’t take offense. Just click the Windows Start button, click Settings, and then select System. In the left pane, click About to find the device name under the Device Specifications group.

  3. Run PowerShell as an administrator per the instructions in the preceding section (“Step 2: Save the script”).

    PowerShell will default to the following path:

    PS C:\Windows\system32>

  4. Point PowerShell to the folder where the script is saved from Step 1 by entering the following command:

    cd \

    PowerShell displays the following path (see Figure 5-14):

    PS C:\>

  5. Copy the code you wrote in Notepad in Step 2 and paste it after the > character in the resulting PowerShell path (PS C:\>) in Step 4. Then press Enter.

    PowerShell runs the script in the background. When it’s finished, it reverts to the C:\> path (refer to Figure 5-14).

  6. In File Explorer, navigate to Local Disk (C:). You will find the file with the device ID called MyDeviceID.csv, as shown in Figure 5-15.
Screenshot of the Administrator: Windows PowerShell page for running the script to capture the ID of a device.

FIGURE 5-14: PowerShell script ran to capture device ID.

Screenshot of the File Explorer after navigating to Local Disk (C:) to verify if the device ID is captured and stored in the C drive.

FIGURE 5-15: Device ID captured and stored in the C drive.

The .csv file will contain information about the device in the following order:

  • Column 1: Device serial number
  • Column 2: Windows product ID
  • Column 3: Hardware hash
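
A file that was opened and re-saved in a spreadsheet, or captured from the wrong machine, will register a device you did not intend or fail on upload. The following added example (not from the book) checks the rows before you upload them; it assumes the header names match the three columns listed above and relies on the hardware hash being a base64 string. The function name and the sample rows are constructed for illustration.

```powershell
# Added example (not from the book). Function name and sample data are constructed.
function Test-AutoPilotRows {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$ExpectedSerial    # optional: serial of the device you meant to capture
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = @()

    $columns = $Rows[0].PSObject.Properties.Name
    foreach ($name in $required) {
        if ($columns -notcontains $name) { $problems += "Missing column: $name" }
    }
    if ($problems.Count -gt 0) { return $problems }

    $seen = @{}
    $line = 1                      # line 1 is the header row
    foreach ($row in $Rows) {
        $line++
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems += "Line ${line}: empty serial number"
        } elseif ($seen.ContainsKey($serial)) {
            $problems += "Line ${line}: duplicate serial $serial"
        } else {
            $seen[$serial] = $true
        }

        # Decoding fails when the hash was truncated or altered by an editor.
        try {
            $bytes = [Convert]::FromBase64String($row.'Hardware Hash')
            if ($bytes.Length -eq 0) { $problems += "Line ${line}: empty hardware hash" }
        } catch {
            $problems += "Line ${line}: hardware hash is not valid base64"
        }
    }

    if ($ExpectedSerial -and -not $seen.ContainsKey($ExpectedSerial)) {
        $problems += "Serial $ExpectedSerial of this device is not in the file"
    }
    $problems
}

# Constructed sample: the second row carries a deliberately truncated hash.
$good = [Convert]::ToBase64String(
    [Text.Encoding]::ASCII.GetBytes('constructed placeholder, not a real hardware hash'))
$sample = @(
    [pscustomobject]@{ 'Device Serial Number' = 'CONSTRUCTED-0001'
                       'Windows Product ID'   = ''
                       'Hardware Hash'        = $good }
    [pscustomobject]@{ 'Device Serial Number' = 'CONSTRUCTED-0002'
                       'Windows Product ID'   = ''
                       'Hardware Hash'        = $good.Substring(0, $good.Length - 3) }
)
@(Test-AutoPilotRows -Rows $sample)   # reports line 3 as not valid base64

# Against the real file, run on the device the CSV was captured from:
# $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
# $issues = @(Test-AutoPilotRows -Rows @(Import-Csv C:\MyDeviceID.csv) -ExpectedSerial $serial)
# if ($issues.Count -eq 0) { 'CSV looks consistent.' } else { $issues }
```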

With the device information in hand, you’re ready to register the device in the Microsoft 365 Admin Center for Windows 10 AutoPilot deployment.

Registering the device for AutoPilot deployment

In this step, you upload the .csv file with the device information to Microsoft 365 Admin Center, and then create and assign an AutoPilot profile to the device. Here’s how:

  1. In Microsoft 365 Admin Center, find the Device Actions card, and then select Deploy Windows with Autopilot, as shown in Figure 5-16.

    The Prepare for Windows page appears.

  2. Click the Start Guide button.

    The Upload .csv File with List of Devices page appears.

  3. Click the Browse button to locate the .csv file you created in the preceding section.
  4. Navigate to the C drive on the device, select the MyDeviceID.csv file, and then click the Open button.

    The Upload .csv File with List of Devices page appears.

  5. Click Next.

    The Assign Profile page appears.

  6. Create a new deployment profile by entering a name in the Name Your New Profile box, as shown in Figure 5-17, and then click Next.

    The You Are Done! screen appears.

  7. Click X (close).
Screenshot of the Microsoft 365 Admin center displaying the device action card with a list of instructions to search users, groups, settings or tasks.

FIGURE 5-16: Device action card in Microsoft 365 Admin Center.

Screenshot of the Microsoft 365 admin center enabling to create a new profile for the AutoPilot where the end user will be taken through a list of instructions for joining the device to Azure AD.

FIGURE 5-17: Creating a new profile for the AutoPilot.

It will take a few minutes for the device to show up on the list of devices registered for AutoPilot. When it does, the end user will be taken through the simplified out-of-the-box experience (OOBE) for joining the device to Azure AD when he or she turns on the machine.

Stepping through the OOBE

Because Microsoft, HP, Dell, and Lenovo are part of the Windows AutoPilot program, these manufacturers can load the required device ID for your organization in preparation for an AutoPilot deployment. If you purchase new devices from these companies, ask them about loading the device IDs for you. If you prefer to have a Microsoft Partner help you with device purchases and working with manufacturers, contact [email protected].

After the devices are registered for AutoPilot, the end-user’s experience for joining the device to Azure AD for management is greatly simplified.

For the IT admin, the AutoPilot process eliminates the need to even touch the device. So, if you have employees out in the field and one of them loses his device while out on a trip, that employee can basically go to a computer store, purchase a laptop, have the IT admin register the laptop for AutoPilot, turn the device on, enter the credentials, and — voila! — the laptop is now protected and managed.

The following sequence provides a glimpse into the end user experience when users first turn on a new device that has been registered for AutoPilot:

  1. The end user selects a language and region.
  2. The end user validates the keyboard layout and confirms whether a second keyboard layout needs to be added.
  3. The end user connects to the network.
  4. The end user enters his or her Microsoft 365 Business credentials, as shown in Figure 5-18.
  5. The system finishes the setup (about 5 to 10 minutes) and then displays the default Windows 10 desktop.

    If the IT admin has configured the deployment to also install Office ProPlus, the applications will automatically start to install after a few minutes.

Screenshot of an account page enabling the end user to enter his/her credentials to join the device to Azure AD.

FIGURE 5-18: The end user enters credentials to join the device to Azure AD.

If you followed along with these steps and successfully deployed Windows AutoPilot for your company, congratulations! That was no small feat in the past, requiring deep technical expertise or the hiring of consultants and systems engineers.

If you ran into issues, help is available. If you purchased licenses directly from Microsoft, you can call Microsoft support. If you prefer to have a Microsoft Partner guide you through the deployment process and resolve issues, I would be happy to assist. Please send an inquiry to [email protected].
