Enterprise Endpoint Experts (E³): Ami Casto

In this info-packed interview with industry expert Ami Casto, you’ll learn about the Windows 10 Creators Update from an IT professional’s perspective. What’s new in Windows Updates, telemetry, and security, including Windows Defender, BIOS to UEFI support with MBR to GPT, Edge browser enhancements, and more.

Bill

Hello and welcome to E3 Podcast, Enterprise Endpoint Experts. I’m your host Bill Bernat from Adaptiva and our guest today is Ami Casto. Good afternoon Ami.

Ami

Hey Bill, how’s it going?

Bill

Good, how are you doing?

Ami

Good, thank you.

Bill

We’re going to be talking today about the Windows 10 Creators Update, which as you have pointed out to me is not really just for creators at all. There’s quite a bit for professionals correct?

Ami

That is absolutely true.

Bill

So you’re a Senior Systems Administrator focusing on Configuration Manager, and you’re also an industry expert. You do a lot of public speaking. This year you’ll be speaking at MMS in May. I’ll be there. You’ll be at IT DEV Connections in October as well, speaking on Config Manager. So you’re very involved in Config Manager, the community as well.

Ami

Yeah, this is correct.

Bill

I understand you’re a runner. Is that right?

Ami

Yes I am. I try to run a few half marathons a year. I have one coming up this April. The first one out is always the hardest. It’s more of a mental battle than a physical one. Why do I do this? Why do I run? I hate running, and then I finish and then I feel great and then sign up for another one.

Bill

Really, so you do several a year.

Ami

I do, yeah.

Bill

I aim for one a millennium. I missed last millennium, but I’ve still got time in this one.

Ami

Plenty of time, yeah.

Bill

Yeah, yeah, I’ll get there. Okay so let’s dive in. Windows 10, the Creators Update, numbers, for people who want the numbers, it is 1703, correct?

Ami

It’s 1703, although I know that there was an update that’s pushed out that’s bumped it up to 1703.2. I’m not sure if there will be any more last minute updates that will bump that build number a bit, but the main thing to understand is that it’s 1703.

Bill

Okay great. Windows Updates, there’s a lot of changes in the way Windows Updates work and are presented. Is that right?

Ami

Yeah. So the biggest change that we’re going to see is the Unified Platform Feature. This is going to be available for use after you upgrade, and it’s supposed to make the packages smaller and possibly install faster. Some other great changes that you’re going to see is that you can snooze updates for several days. You can set your working hours. So, am I going to get interrupted with updates? You can set that to 16 hours now, whereas before you could set it for 12 hours. You can pause all your updates for up to seven days, and then those subsequent reboots that happen, after updates resume, you get better control over that, over the restart notifications and when you actually reschedule those reboots.

Bill

Okay, and I heard that it has some sort of better sense of when you might be doing something, better intelligence around figuring out oh, wait this person is doing something, even though I’m not seeing a whole lot of mouse clicking or whatever.

Ami

Yeah exactly. So the behavior that people are used to is like if you go to Microsoft Update and just allow auto updating, you’ll get prompted with a notification that says, your update’s been applied, your computer needs to restart. We think that this is the best time, like say 3 a.m. on a Wednesday, so we’re going to go ahead and schedule that reboot for then. You can reschedule that reboot for that time. The biggest, I would say, tension point that people had is that the system thought that the user wasn’t doing anything, because there wasn’t any mouse or keyboard activity. And we’ll say, in architecture for example, doing 3D rendering. So you’re not doing a lot of mouse clicking or anything, but you’re actually rendering out something that you’ve worked on and then the computer says, hey, don’t really see a lot of user activity so I’m going to go ahead and reboot now, and then you lose all of your work. Well, that’s supposed to change now.

Bill

Okay, well that seems nice. So the settings app, let’s dive into that. What’s new in the settings app?

Ami

So, the settings app, when you hit the Windows + I key or if you search for settings within “Start” is that the dashboard is a little bit different. You’ll notice that “Apps and Features” has moved to the top node. It used to sit in the “Settings” node within “Settings”. It’s great to see it out in the dashboard. If you’re not familiar with apps and features, it’s just the modern programs and features or add/remove programs that you would find in the control panel. And by the way, I checked, it’s still there in control panel. So if you want to interact with it there, you can go ahead. You just get better data about what’s on your system when you use this modern app. The other thing that you’ll notice that’s changed is that troubleshooting has moved to top level as well. Not only that, but troubleshooting is a bit more useful within your Windows session, whereas before you actually had to reboot into a troubleshooting session to really get anywhere. So it’s just nice to see that you’re getting a little bit more help.

Bill

Yeah sweet. Okay, and the Edge browser, I know Microsoft keeps just improving and improving Edge browser, and there’s more improvements here. Before we talk about Edge, let me ask you, what browser do you use? What’s your browser configuration of choice?

Ami

My preferred browser is Firefox, followed by Edge actually. I do have a little bit of love for I.E. just because I’ve worked on so many projects over the years where we had to make I.E. work in our environment. I just have a strange attachment to it, we’ll call it. How about you?

Bill

Well actually my favorite browser is Opera, but I don’t really use it because it is often incompatible. So I don’t know why it’s my favorite. It’s like I was rooting for Opera for years and years and they never quite made it into the big leagues. So I really use Chrome. It’s super compatible so it makes it easy for me.

Ami

Okay.

Bill

Okay so Edge, what’s new?

Ami

So the Edge browser is providing a more immersive experience, and this just patched back into the Windows 10 Creators update being about innovation and creativity. So a big change that you’ll notice is that tabs can be expanded to show previews of all your open tabs so you can get a visual representation of what you have open so you don’t have to guess hey, I see the title of this tab, but I don’t really know what’s on this page. So you can actually visually understand what you have there. The other thing that is cool is that you can actually set aside [6:00], the feature is called Set Aside, so you can stack your current tabs as groups and then load them all up again later. That’s really useful for people who use tabs as bookmarks, but the gotcha there is that it’s not persistent. So if you close the window, they’re all gone.

Bill

Yeah, that’s really painful because, yeah, I count on being able to open a browser and have my tabs. So I imagine that’s probably going to get a lot of helpful feedback from users who are gently and not so gently telling them…

Ami

You can definitely use Edge and then provide feedback in the Insider Hub because Microsoft really wants to know what you want from this browser. I know that there is a big push to use this, especially with enterprise features like Edge Redirect, which lets you use Edge and then if it’s not compatible, it shifts you back to I.E. So you have to do your part and provide feedback for what your experience is within this browser so that you can really help shape the future of it.

Bill

That’s a really good point, and Microsoft as a company, at least over the past year and maybe longer, has really turned into just a hungry company that is eager to hear what people want, and then make smart decisions about doing what they can to put that into their products.

Ami

Yeah this is true. It’s so great to see that they want our feedback now.

Bill

Yeah, yeah. So what else in the new Edge?

Ami

Another cool thing, as everyone knows, Cortana is integrated within the ecosystem. So you can actually set Cortana reminders on your tabs. So if you’re using browser tabs or the to-do list, this is a great thing to start using as well. And the other cool thing is that previously Edge could open all types of file formats to be used as an e-reader. The newest one to join is the epub file format, which again is just another e-reader file format. The only sad part about it is that it doesn’t support annotations, so you can’t take notes on it.

Bill

And browser security, have they done anything with security in Edge?

Ami

Yeah so security has been hardened a little bit more. I know Microsoft likes to say that Edge is not only the fastest, but most secure browser. Just a thing to note here is that the Edge sandbox is stricter. It’s access prohibited to a wide range of Windows APIs. So if an attacker gets malicious code to run within the browser, that code now has fewer opportunities to actually break out of the browser process and attack the system, and the other thing to note here is that the process that handles the web content can no longer mark data as being executable. So again, some great security hardening that we’re seeing here.

Bill

Awesome, okay, and what kinds of changes are there to the… we say, out of the box experience, which is I guess what everybody says now, but there’s no literal box of course. There hasn’t been for decades, but what would you say is new about the out of the box experience for Windows 10 Creators Update?

Ami

My favorite change is that there’s Cortana support in setup, so you can actually run through a setup and do it voice controlled. So this is a great leap forward for accessibility.

Bill

And what about privacy? [9:00] The privacy settings, has that changed at all?

Ami

Yes, I’ve seen some screenshots of this that looks really great. So before, the behavior that everyone was used to, when I guess there was a section about privacy, there’s an express button that you can pick to just have the default set, but there’s no real explanation about what you’re picking. So how it is now is that you get sent to that page to setup your privacy. Everything is turned on by default. There’s slider buttons to turn it off so you can really fine tune your privacy. There’s also explanations for each section of privacy on what it is that you’re setting up and what that really means. I think a lot of people are really going to like that.

Bill

Yeah that’s really awesome. I like that. Just in general for any kind of configuration.

Ami

Yeah.

Bill

Okay, and this isn’t quite privacy, but tangential topic, being because this data is technically not identifiable as you, but telemetry data. Let’s talk about what they’ve done with telemetry in Windows 10 Creators Update.

Ami

Sure. So there’s just more of an understanding of what you’re picking when you actually turn on telemetry. My professional opinion is that you should turn on telemetry. I understand that that’s a really sensitive topic, and some people are going to say no way, there’s no chance I’ll do this. But really what I want to hit on is the difference between if you’re picking basic or full. So I’ll just go ahead and explain it. When you pick basic telemetry, what you’re doing is allowing Windows 10 to send the security data to Microsoft, along with some other data. And the purpose of it is to help improve application stability and compatibility. The Microsoft recommended level is actually full, and the details around this is really if Microsoft can’t gather data via internal testing, it can gather additional data like registry information, diagnostics, power config, system information, large crash dumps like heap dumps and full dumps from a small number of PCs with full telemetry enabled that have experience with whatever problem it is that they’re researching. This is really important, again, it’s a type of feedback that you’re providing without having to sit through a support call when you’re talking about a problem, if you just want to get on with it. Just send the data to Microsoft and allow them to use it for internal testing that they can’t really reproduce on their own.

Bill

So what do you see? You work in the Configuration Manager world and you know a lot of sysadmins. What do you see generally amongst the people you know in the community? Are they turning on telemetry or not so much?

Ami

Yeah, everyone is turning on telemetry that I work with. Just the understanding is what you’re picking really kind of determines what information you have available to you. Let’s say OMS and in the Cloud, so useful data for yourself that you can pipe back to your help desk or your own analytics team to really get useful information about battery or memory or CPU, fan help, stuff like that. You’re not going to get that when you pick basic. You’ll definitely get that when you pick full. Don’t shoot yourself in the foot though. [12:00] Definitely turn this on, unless there is some security standard at your company that absolutely prohibits you from doing it.

Bill

Okay, that makes a lot of sense. They’ve updated, or not updated, but they’ve included I think for the first time some blue light support.

Ami

Yeah, blue light support. This is a big one in the industry as a whole is really being able to control what kind of light comes from your screen at certain times of the day. There’s a lot of studies about this, especially in parenting groups about kids that are getting too much screen time. The bottom line is this, if you have an iPhone, you may be familiar with it, with the Night Shift feature. So you can set a certain time of day when the, I don’t know, is the tone of the light that changes or is it the phone almost turns a little bit orange instead of a bright blue.
So this is the same thing that we’re seeing happening in Windows 10 now that you can actually sync it with the sunrise/sunset so it’s done automatically. You can design your own hours and say hey every night at 10, change the blue light that emits from my screen so that I get better sleep at night when I do walk away from my computer.

Bill

Okay that seems like a good thing to put in there and solely option, although it does bring up for me questions about what, blue light, I didn’t realize that was a problem. Does that apply to Netflix as well? That’s what I’m wondering. Do I need to worry about this across the board, or maybe some shows have less blue light. Like Game of Thrones is actually okay. Silicon Valley maybe has too much blue light.

Ami

Exactly. I don’t really watch a lot of TV having a toddler in the house because he generally wants to watch trains and things that just aren’t very interesting, can’t side away from that.

Bill

Windows Defender Security, what’s new?

Ami

The dashboard has been completely overhauled, not only visually, but features you have within it. Of note, the Enterprise version gets even more security and manageability features. The Windows Defender Advanced Threat Protection or ATP. The thing that I think is really cool when I was going through this is that there’s actually a section within Defender now that admins can add their own insights to threat or intrusions detected on their network. You can even upload samples to Microsoft within the Defender dashboard, and who doesn’t want to send a virus to Microsoft.

Bill

Right.

Ami

The other cool thing about ATP is that it’s also integrated into Office 365. So an admin can see, for example, what emails contain a malicious file.

Bill

Okay nice. I think the last topic on our list for the day is something that the Configuration Manager administrators love talking about, BIOS to UEFI.

Ami

Oh yes, this is the big one that’s coming with those updates for the admins. So the thing here of note is that [15:00] it’s not BIOS to UEFI per se, it’s actually MBR to GPT. This is a Microsoft supported automation that allows you to switch your partitions without data loss. Whereas before you couldn’t do that unless you were using some third party thing that you trusted. I generally shy away from those. I would rather do what Microsoft is testing and supporting.
So what I will say about this is that if you’re running BitLocker, you’ll need to suspend protection, and then to resume protection after you convert, you’ll need to delete the existing protectors and recreate them. For people who don’t know what that means, protectors are methods for how BitLocker is protected. So that’s a PIN code, a password, TPM certificate, and those can be changed without decrypting the entire volume. Now if you have third party disk encryption, you need to wait for the vendor for when they plan to support it because there are post steps such as turning on UEFI, Secure Boot in the BIOS. So if you have a Dell or HP, those are automated, but the problem is the encryption vendor needs to support it because you can actually trigger a device lockout or a brick, but if you don’t want to wait for them to support, you’ll actually have to decrypt your drive before you can actually go through the process of converting, and then you’ll have to reencrypt afterwards.
So do get some time saver and pain saver, if you’re already using BitLocker for your encryption, otherwise you need to wait a little bit after. I know the vendor that we use says they’ll support it by March, sorry, by May. So it is coming.

Bill

So this is typically going to be used, obviously in wipe and load it doesn’t really matter that much, which is a common upgrade scenario, but for in place upgrades it’s huge right?

Ami

Exactly.

Bill

What’s the workflow like? How is it working? What’s it doing exactly?

Ami

Yeah, so a quick walkthrough of how it works is that there’s disk validation, is this actually MBR. If it is, we’ll proceed, then the disk is repartitioned to create UEFI system partition or ESP, if it doesn’t already exist. Then UEFI boot files are installed on to the ESP and GPT metadata, layout information is applied. The boot configuration or BCD store is updated and then drive letter assignments are restored, and that’s my favorite part. I don’t have to worry that Windows isn’t going to be on C:. When I boot back into my O/S session, is that going to be on G: or F: or anything crazy like that? Everything is going to stay as it was.

Bill

Okay that’s great. Well this has been a lot of good information. Thank you so much for joining us. Is there anything else you want to say before we close here about the new Windows 10?

Ami

Yeah, so the thing of note for Windows 10 is how it’s going to be deployed is that Microsoft is going to make it available for what they’ve tested on the most first, and then do staged deployments out there until eventually they get the hardware that they’ve tested on the least and then obviously they’re not going to make it available for hardware that they haven’t tested at all. If you are an enterprise admin, then you can definitely force it onto hardware that Microsoft hasn’t tested, but do it at your own risk.

Bill

Okay great. Well thank you so much Ami. You have a great afternoon.

Ami

You too Bill. Thanks for having me.

Bill

You bet, bye.

Bill Bernat
Director of Product and Content Marketing, Adaptiva