Windows 10 migration in the Enterprise, step 1: CB, CBB or LTSB?

First off, I apologize if I should not be posting here; I didn't feel as though this was a 'question' per se. Asking for opinions as an EE Question usually nets nil.


My company has around 400 employees in 4 states. 95% of our user base is running Win7 x64 Enterprise for BitLocker; I need to determine the best (meaning most stable and compatible) release of Win10 to migrate to over the course of 2016.

Having dealt with Microsoft for over a decade, I know they release buggy and problematic updates more often than they should. IMHO, if we 'have' to go to Windows 10, I'd think LTSB is the way to go. I don't see business users needing Cortana, Edge and in no way the Windows Store!

However, I am looking for actual opinions from people in similar boats. I've only just begun reading about the differences, and while I'm confident those detrimental parts above could be disabled via GPO after the fact, I'd prefer to just not have them involved. However, my boss is worried that Edge might be needed in the near future. I have not yet found where Edge can be installed on LTSB, but it wouldn't surprise me if some intrepid person figures it out at some point.

Anyway, please toss me your comments, suggestions and advice on this.

Thanks

Author Comment

Ben Hart, 2016-02-09 05:13 AM, ID: 1894555
Thanks David. So I've changed my sights to CBB; after further reading, yes, it makes more sense than LTSB. The first couple of sites I found only mentioned CB and LTSB for whatever reason.
So what about deployment? I have an MDT server in both of our large sites, and with no SCCM that's going to be the way we do it, but what do y'all think about in-place upgrades versus a user state migration, format, install routine? I've never been a fan of upgrading an OS, but has Microsoft really made the upgrades a viable option these days in terms of stability?

Expert Comment

Remember that every 3 months or so you should update MDT and the ADK, as these are updated on a regular basis, and use the in-place migration option (hard-link migration).
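The hard-link migration mentioned in the comment above, as an added example that is not from the thread: a USMT capture and restore on the same volume, which is what MDT's "refresh" scenario drives for you. It assumes USMT from the Windows 10 ADK installed at the default path, the stock MigDocs/MigApp manifests, and a domain called CORP (constructed); hard-link stores only work when the new OS goes onto the same volume without formatting it.

```powershell
# Added example, not from the original thread. Assumes the Windows 10 ADK USMT
# directory below and a (constructed) domain named CORP.
$usmt  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'
$store = 'C:\StateStore'

# Phase 1, before reimaging: capture. /hardlink keeps the file data in place and
# records links to it, so the store is small and fast; /nocompress is mandatory
# with /hardlink. /ue:*\* excludes everyone, then /ui:CORP\* re-includes only the
# domain profiles (include rules win over exclude rules in USMT).
& "$usmt\scanstate.exe" $store /hardlink /nocompress /o /c `
    "/i:$usmt\MigDocs.xml" "/i:$usmt\MigApp.xml" `
    '/ue:*\*' '/ui:CORP\*' `
    "/l:$store\scanstate.log" /v:5
if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE" }

# Phase 2, after the new OS is installed on the same volume (setup moves the old
# installation to Windows.old instead of formatting): restore, then remove the
# hard-link store so the old file data is actually released.
& "$usmt\loadstate.exe" $store /hardlink /nocompress /c `
    "/i:$usmt\MigDocs.xml" "/i:$usmt\MigApp.xml" `
    "/l:$store\loadstate.log" /v:5
if ($LASTEXITCODE -ne 0) { throw "loadstate failed with exit code $LASTEXITCODE" }

& "$usmt\usmtutils.exe" /rd $store
```

Run each phase from an elevated prompt. Because the store is a set of hard links, BitLocker-protected volumes need no special handling beyond not reformatting; the data never leaves the disk, which is also why this is faster than a network state store for a 400-seat migration.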

Expert Comment

Nick67, 2016-02-09 11:53 AM, ID: 1894639
> I've never been a fan of upgrading an OS but has Microsoft really made the upgrades a viable option these days in terms of stability?
I did the in-place upgrades because we had OEM O/S and in-place is required for the free upgrade.

Don't.
Not if you don't have to.

We haven't seen any of the vaunted performance benefits of Win 10 -- perhaps because we upgraded, and did not clean install.
Video drivers were a consistent issue, as the generic MS driver gets blown in during install and replaced with the first Windows Update/WSUS run. It's time consuming. The upgrade is stable enough, and while the OS is half-baked (Devices & Printers UI, anyone?) it is functional.

The biggest PITA with the upgrade was it conflated the Enterprise Admin account with the local admin account...
AND BY DEFAULT THE BUILT-IN ADMIN CANNOT RUN STORE-STYLE APPS AND CONFIGURATION PANELS!?!
So you can't configure the admin desktop icons, or run MS Edge, or a whole host of other things, until you hack that setting with SecPol:

run secpol.msc > Local Policies > Security Options > User Account Control: Admin Approval Mode for the Built-in Administrator Account > Enabled

Also need to check that under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA is set to 1.

That was a dreadful annoyance.

Build images and deploy them.
For 400 machines, it will be worth the effort.
In-place upgrade was ~90 minutes per machine with a USB stick.

> However my boss is worried that Edge might be needed in the near future.
It will be, unless you are using Chrome, which isn't the world's most stable thing.
IE11 is what we use, but we are seeing increasing instances where it doesn't play nicely (script errors!) and Edge does.
Our bank's site is presently using IE 10 compatibility for its secured functions.
One can foresee that being moved to Edge at some point

> With WSUS, the edition does not even matter, you have full control when/if what updates are deployed.
That appears to be fundamentally mistaken. Quoting from https://technet.microsoft.com/en-us/library/mt598226(v=vs.85).aspx:

> The cumulative nature of all Windows 10 releases
>
> It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be cumulative. This means new feature upgrades and servicing updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
>
> In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, "What should happen to this device when Microsoft publishes a new feature upgrade?" This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to:
>
> • Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see Immediate feature upgrade installation with Current Branch (CB) servicing.
>
> • Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see Deferred feature upgrade installation with Current Branch for Business (CBB) servicing.
>
> • Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing.
>
> The breakout of a company's devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.

If you don't trust MS to push out useful, bug-free new features, then LTSB is likely your branch.  Note that it seems what updates you get will be monolithic, that is to say, you'll get ALL the security updates that MS pushes out for a feature.  No more pick and choose to skip certain updates to a feature.  You either update a feature entirely, or not at all.
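The SecPol/registry fix described in the comment above, as an added example that is not from the thread. Two points a practitioner will want alongside it: the Local Security Policy entry "Admin Approval Mode for the Built-in Administrator account" is backed by the DWORD `FilterAdministratorToken` under the same `Policies\System` key as `EnableLUA`, and it affects only the built-in RID 500 Administrator; store-style apps refuse to launch under a full, unfiltered administrator token, which is why the setting unblocks them. Enabling it is the hardened direction (the built-in admin then gets a UAC-filtered token like every other admin), not a weakening. If your domain GPO already manages these values, change the GPO rather than the local registry, or the next policy refresh will revert you.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt on Windows 10. Value names are the documented registry backing of the
# Local Security Policy entries quoted in the comment.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $sysPol
    # A value that is absent reads as $null, which [int] coerces to 0 (the
    # effective default for FilterAdministratorToken on an upgraded box).
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        FilterAdministratorToken   = [int]$p.FilterAdministratorToken
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
    }
}

function Set-AdminApprovalMode {
    # -WhatIf shows what would change without touching the registry.
    param([switch]$WhatIf)
    $state = Get-UacState
    if ($state.EnableLUA -ne 1) {
        Set-ItemProperty -Path $sysPol -Name EnableLUA -Value 1 -Type DWord -WhatIf:$WhatIf
    }
    if ($state.FilterAdministratorToken -ne 1) {
        Set-ItemProperty -Path $sysPol -Name FilterAdministratorToken -Value 1 -Type DWord -WhatIf:$WhatIf
    }
    # Both values are read at logon: sign out (EnableLUA changes need a reboot)
    # before expecting Edge or Settings panels to open for the built-in admin.
    Get-UacState
}

Get-UacState
Set-AdminApprovalMode -WhatIf
```

For a fleet, the equivalent is the GPO path Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, which writes the same two values; auditing with `Get-UacState` over `Invoke-Command` tells you which upgraded machines still have the unfiltered built-in admin.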

Expert Comment

John, 2016-02-09 12:04 PM, ID: 1894640
> We haven't seen any of the vaunted performance benefits of Win 10 -- .....

Windows 10 is much faster than Windows 7. I use commercial machines and video (normally Intel) has not been an issue.  The built-in Admin is disabled and I do not try to use it.

I have had to refresh drivers on every upgrade and that requirement existed prior to Windows 10 so nothing new there, but driver upgrades normally work.

I replaced my Windows 7 desktop with a new Windows 10 Desktop (to have a newer machine) and both my Windows 10 computers are working fast and efficiently.

Where it makes sense to upgrade, I am upgrading machines. I do not have a fleet of 400 machines, however.

Expert Comment

Nick67, 2016-02-09 01:10 PM, ID: 1894647
> perhaps because we upgraded, and did not clean install.
I have given that the benefit of the doubt, and suggested that clean installs are probably the way to go, as upgrades do not seem remarkably faster.
Ours are all commercial machines with Intel, NVidia or AMD/ATI graphics (Dell and a couple of HPs).
And when things like a NIC don't work, well then you need to be on the box as a local admin.
Not that that was really the issue.
The upgrade process saddled the ENTERPRISE ADMIN accounts on the box with that inane policy.
The local admin, that might be understandable, but not domain admin accounts.

And finding out you can't use any of the new UI comes as a bit of a shock if you encounter that.
Because there's a lot of stuff to do on a new box as an admin if you aren't in a big enough shop to justify WDS or its successors.
Clean installs are likely to avoid that issue, as the joining to the domain, and subsequent adding of domain admin accounts, will come after the install is complete.

Author Comment

Ben Hart, 2016-02-11 07:02 PM, ID: 1895118
Thanks everyone. I'm still ironing out a couple of MDT issues; I hope to attempt both an in-place upgrade and a USMT/format/install sequence by Tuesday.
I think we've decided to stick with CBB and restrict all the non-business nonsense with GPO.
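Since the thread settles on CBB enforced by GPO, here is an added example (not from the thread) that checks which servicing branch a Windows 10 machine is effectively on, so the decision can be verified across the fleet rather than assumed. It assumes a 1511-era build: LTSB is a separate edition (EditionID `EnterpriseS`), while CB and CBB are the same Enterprise build told apart only by the "Defer Upgrades and Updates" policy, which writes `DeferUpgrade`, `DeferUpgradePeriod`, `DeferUpdatePeriod` and `PauseDeferrals` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. Later builds rename those policy values (1607 introduced `BranchReadinessLevel` and day-based deferral periods), so treat the value names as an assumption tied to that release.

```powershell
# Added example, not from the original thread. Registry value names assume the
# Windows 10 1511 "Defer Upgrades and Updates" policy; later builds differ.
function Get-ServicingBranch {
    # Paths are defined inside the function so it can be shipped whole to
    # remote machines via Invoke-Command.
    $ntVer = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $wuPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $v   = Get-ItemProperty -Path $ntVer
    $pol = if (Test-Path $wuPol) { Get-ItemProperty -Path $wuPol } else { $null }

    # LTSB is its own edition; CB vs CBB is purely the deferral policy.
    $branch = if ($v.EditionID -eq 'EnterpriseS')   { 'LTSB' }
              elseif ([int]$pol.DeferUpgrade -eq 1) { 'CBB' }
              else                                  { 'CB' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Edition            = $v.EditionID
        ReleaseId          = $v.ReleaseId          # e.g. 1511; absent on the 1507 LTSB build
        Build              = "$($v.CurrentBuild).$($v.UBR)"
        DeferUpgrade       = [int]$pol.DeferUpgrade
        DeferUpgradeMonths = [int]$pol.DeferUpgradePeriod   # 0-8 months beyond the ~4-month CBB gap
        DeferUpdateWeeks   = [int]$pol.DeferUpdatePeriod    # 0-4 weeks for servicing updates
        PauseDeferrals     = [int]$pol.PauseDeferrals       # 1 = "Pause Upgrades and Updates" is on
        Branch             = $branch
    }
}

# Local check:
Get-ServicingBranch | Format-List

# Fleet sweep (assumes the RSAT ActiveDirectory module and WinRM enabled on clients):
# Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' |
#     ForEach-Object { Invoke-Command -ComputerName $_.Name -ScriptBlock ${function:Get-ServicingBranch} } |
#     Where-Object Branch -ne 'CBB' |
#     Format-Table ComputerName, Edition, ReleaseId, Build, Branch
```

Any machine reporting `CB` after the GPO has applied is either outside the OU the policy targets or still running a build where these value names do not apply; a `PauseDeferrals` of 1 is also worth flagging, since a paused machine stops receiving security updates as well as feature upgrades.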