You are browsing the archive for 2015 December.

Azure AD Join: End-to-end User Experience

10:48 am in Uncategorized by nsienaert


Hi All,

Months ago I wrote a blog about Azure AD Join.

Let’s have a look at what the user experience is.

I get a lot of questions about why a company should do Azure AD Join. Azure AD Join is typically a solution in CYOD or road warrior scenarios where you want to give your users the best experience.

If you talk about Azure AD Join it’s all about Single Sign-On, let’s have a look.

The user logs in to the machine with his AD password. From then on he has SSO to the resources that are powered by Azure AD.

User logs in with his AD Password


The machine is still a WORKGROUP machine


User goes to “” without entering any password and can hit the tiles to open the app of his choice, again without entering any password.


When opening the Store SSO kicks in again, his Company tab is visible and the user can see which Apps are available to him for installation.


Thanks to Azure AD Join the machine is automatically enrolled into Intune, so the machine is managed as a Mobile Device.


As this is a Hybrid Environment, the PC also appears in Configuration Manager.

OMA-DM is your key to do advanced MDM in case you cannot find specific settings in the UI. I am thinking of Patch Management through the MDM channel, for instance.

This was a big challenge for Windows 8.1 non-domain joined tablets for instance.

More info about OMA-DM in Windows 10 you can find here:


Other more general MDM Policies are coming in as well, for instance to set a PIN. (Multi-Factor Auth)


Azure AD Join is a solution for people who are not often in the office. These kinds of users typically have user experience issues, and the administrator has challenges managing these devices. With Azure AD Join and Intune you have an answer to these challenges.

Till next time!


Configuration Manager: Windows-as-a-Service, some stuff explained

6:04 pm in Uncategorized by nsienaert


Hi All,

Huge milestones have been reached regarding Windows 10 and the new version of Configuration Manager.

CM will be THE tool to make sure you can adopt Windows-as-a-service. I receive quite some questions about this new technology and terminology.
So let’s explain some topics.


On the Net you can find already good explanations about the new Deployment Rings so I’m not gonna repeat that. But let me try to summarize them in two sentences each.

Current Branch (CB): 3-4 monthly Windows upgrade deployed to the Consumer landscape. To win some test time it’s advisable that you deploy this ring within your environment, considering it as pre-pilot.

Current Branch for Business (CBB): Typically released 3-4 months after CB, it’s CB made ready for the enterprise. You are allowed to skip one upgrade; if you skip more you will lose support. Taking into account CB test time you have 12 months to upgrade your CBBs.

Long Term Servicing Branch (LTSB): This is the ring you want for systems that you don’t want to upgrade on a cadence as described earlier. Typically Microsoft will release an LTSB build every 2-3 years, which offers you 10 years of support (5 mainstream + 5 extended support).

Moving between branches

You can in-place upgrade LTSB builds to CB or CBB using an upgrade Task Sequence.

If you are on CB\CBB and you want to go to LTSB, you need to re-install the machine using typical Bare Metal \ Refresh Task Sequence scenarios.

Updates or Upgrades

This is important to understand well as this might be confusing.

Talking about Updates, we still talk about Security Updates that you deploy through WSUS, as you have known it for years.

Upgrades are the 3-4 monthly upgrades that become available to upgrade Windows 10.

These are located in CM under the new Windows 10 Servicing node. Notice that they are still called Windows 10 Updates here, which can be confusing.

Microsoft has some reasons for that. To reduce confusion, though, MSFT created a new “Servicing node” and didn’t add these Servicing \ Upgrade items under the “Software Updates” node.

In the right pane you can definitely see we are talking about upgrades.


Servicing Plans

Servicing Plans are actually Automatic Deployment Rules (ADRs) that we know from WSUS. Here you determine how your deployment rings will be deployed automatically to your devices. Typically, you will have several Servicing Plans within your environment.

You can monitor the current situation of your Windows 10 landscape through the Deployment Rings.

Important note #1:

Release Ready = Current Branch

Business Ready = Current Branch for Business



Important note #2:

If you want to skip an upgrade you have to set a GPO to Defer Upgrades for a certain period of time. In the future it will be possible to defer this out of the CM console.



Important note #3:

The info in the deployment rings is based on the Hardware Inventory, and the Product Group will continue to invest in the visuals around your Windows 10 landscape. (Remember that CM also has a Servicing mechanism in place to deliver these improvements much faster in the near future.) In the meantime it might be interesting to also have some custom queries next to the deployment rings to give you more insights.

OSBranch and Build are probably interesting properties you want to query. Currently these are not visible yet in the interface, so you cannot create an extra column in your viewing pane yet.


OSBranch: 0 = CB, 1 = CBB, 2 = LTSB

Build: e.g. “10.0.10240” or “10.0.10586”


select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.Client, SMS_R_System.OSBranch, SMS_G_System_OPERATING_SYSTEM.BuildNumber, SMS_G_System_OPERATING_SYSTEM.Version
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_R_System.OperatingSystemNameandVersion like "%workstation%"
and SMS_R_System.OperatingSystemNameandVersion like "%10%"
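The following PowerShell is an added example, not part of the original post or of Configuration Manager. It takes rows exported from the query above and flags machines that have fallen behind on upgrades or whose branch or build inventory is missing. The function name Get-RingStatus, the CSV column layout and the sample rows are assumptions constructed for illustration; the only builds it knows are the two named in this post.

```powershell
# Constructed sample export of the query's columns (not real inventory data).
$SampleCsv = @'
Name,OSBranch,Version
PC-001,0,10.0.10586
PC-002,1,10.0.10586
PC-003,1,10.0.10240
KIOSK-01,2,10.0.10240
PC-004,1,10.0.9999
PC-005,,10.0.10586
'@

# OSBranch values as listed in the post.
$BranchName = @{ 0 = 'CB'; 1 = 'CBB'; 2 = 'LTSB' }

function Get-RingStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Upgrade builds, oldest first. Extend this list as new upgrades ship.
        [int[]] $Builds = @(10240, 10586)
    )
    foreach ($r in $Rows) {
        # Missing inventory must not silently cast to 0 (= CB).
        $branch = 'Unknown'
        if ("$($r.OSBranch)" -match '^\d+$' -and $BranchName.ContainsKey([int]$r.OSBranch)) {
            $branch = $BranchName[[int]$r.OSBranch]
        }
        # The build is the last component of a version such as 10.0.10586.
        $build = 0
        [void][int]::TryParse(("$($r.Version)" -split '\.')[-1], [ref]$build)
        $idx    = [array]::IndexOf($Builds, $build)
        $behind = if ($idx -ge 0) { ($Builds.Count - 1) - $idx } else { $null }

        if ($branch -eq 'Unknown' -or $null -eq $behind) {
            $status = 'Investigate: branch or build not recognised'
        } elseif ($branch -eq 'LTSB') {
            $status = 'LTSB: outside the upgrade cadence'
        } elseif ($behind -eq 0) {
            $status = 'Current'
        } elseif ($behind -eq 1) {
            $status = 'One upgrade behind'
        } else {
            $status = 'More than one upgrade behind'
        }
        [pscustomobject]@{ Name = $r.Name; Ring = $branch; Build = $build; Status = $status }
    }
}

Get-RingStatus -Rows ($SampleCsv | ConvertFrom-Csv) | Sort-Object Ring, Name | Format-Table -AutoSize
```

For CBB machines, "More than one upgrade behind" corresponds to the point at which, per the ring summary earlier in this post, support is lost.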



Task Sequences or Windows Servicing

Task Sequences are your preferred choice if you want to in-place upgrade existing Windows 7 and above machines to Windows 10.

You will continue to use Task Sequences for your typical Bare Metal, Refresh and Replace scenarios. An important change here is that you need to adapt your image process by replacing your image with a new Windows 10 CBB build, so your newly installed machines are at least on the latest ring.

Windows Servicing will be the engine (powered by WSUS) to keep your existing Windows 10 machines up-to-date.

The User Experience

The actual User Experience is more in the hands of the Windows team. Huge investments have been made and will be made in the future to make sure that there will be less user impact. Today, and also for the upcoming rings, the user impact will still be there, which means you need to plan your upgrades well, for instance by working with Maintenance Windows. So yes, currently users will not be able to work during the installation of the first rings that are planned, and one or two reboots will be required. In the future it will hopefully be possible to upgrade the systems while users continue to work and without reboots.

Windows Update for Business (WuFB)

WuFB is a SaaS solution that Microsoft offers for free. It’s leveraging Windows Update to upgrade your CBB systems automatically out of the cloud.

WuFB can also be used for your traditional deployment of updates.

You will have some configuration options like “Defer Upgrades”, “Pause upgrades”,… through GPOs, and Windows 10 has some built-in peer-to-peer capabilities to make sure your systems are getting their upgrade packages in an economical way. This can also be fine-tuned through GPOs.


How does this cope with CM?

The integration with CM will be improved in the future but it’s clear that you can have both next to each other.

You might want to enable WuFB on satellite branches where CM has difficulties to reach because of lack of local DPs for instance.

Or there might be customers that prefer a lightweight mechanism for these upgrades.

I expect WuFB will be used more by customers that don’t have CM and want to keep their Windows 10 devices up-to-date.

Decent compliance reporting is something that is not yet added to WuFB but that will be added in the future.

Hope that this was useful!


Till next time! (@nsienaert)