2 Dec.

Microsoft 365 Business and Upgrade Analytics – Determining Upgrade Readiness

In today’s post we will focus on analysing the data that was collected previously from the Windows 7 Pro and Windows 8.1 Pro. What you will also see in this post is that PCs that have been upgraded to Windows 10 will also start appearing in Upgrade Readiness to help identify any issues that might arise with the next round of Windows upgrades you need to manage.

For this post I’ve switched over to using https://portal.azure.com rather than using the classic OMS portal, partly as a way of highlighting that this capability is now available, and to help wean myself off the old workspace. You can see in the image above that at 1 I have
customised the shortcuts, and brought Solutions in as an easily accessible link.
At 2 I have selected Compatibility Assessment from a filtered list of the Solutions I have enabled in this tenant. From here you can see the overview blade, and at 3 you can see that I have 3 computers sitting in Upgrade Readiness. Clicking on Upgrade Readiness takes
us to the following screen.

Focusing on the Upgrade Overview information, clicking on Total computers gives us a good overview of the current stage of PCs that have been processed.

You can see that we can type our own queries or use the inbuilt ones. What I want to focus on here are the three PCs that I’ve highlighted, each with UAComputer in the $table column. This indicates that these machines haven’t been upgraded to the required Windows version, which is identified as Windows 10 Version 1709 in the Upgrade Overview image.

Expanding this Windows 10 PC out, you can now see that it’s on RS2 aka version 1703, thus the reason for being flagged. Once this machine is updated to 1709 it will be moved over to UAUpgradedComputer rather than UAComputer.

We can filter out the Windows 10 devices pretty easily so that we can focus on the older clients.

You can find more details on Step 1: Identify important apps
here. Click on Not reviewed to see what applications have been detected.

Rather than looking at the applications that aren’t being reported as problematic, can group and filter, as seen in the next screenshot.

Filtering out No known
issues only leaves one result – Microsoft Security Esssentials.

Even though we are informed that that app will be removed during upgrade, but if it’s one that isn’t reporting such a requirement, following the ReadyForWindows link takes us to the following page.

Because we already know that Windows Defender will replace Security Essentials on Windows 10, we don’t really need to worry about the lack of support.

If we head back to the main Upgrade Readiness view and take a look at STEP2: Resolve Issues we see that in REVIEW APPLICATIONS WITH KNOWN ISSUES we see that single app that I had already identified by filtering, but presented in a more user friendly manner. In the next screenshot we will see what options we have with the detected app. These are all VMs so the REVIEW KNOWN DRIVER ISSUES isn’t listing any problems, as would be expected, REVIEW LOW-RISK APPS AND DRIVERS and PRIORITIZE APP AND DRIVER TESTING are designed to help identify some of the lower hanging fruit for getting devices across the line faster.

Here is that same app that was previously identified, but if I click on Bulk Edit after selecting Decide upgrade readiness I get the following.

The options we can set here are Importance, Upgrade decision, Test plan, Test result and App owner, so that we
can log what is required and assign an owner if needed.

I’ll leave it therefor today’s post, next up we will look at the different options for deploying Windows 10 Pro/Windows 10 Business based on what we have discovered.

^ Scroll to Top
 24 Nov.

Microsoft 365 Business and Upgrade Analytics – Identifying Problematic Applications And Devices

Welcome back to part three in this series, first up was an introduction to OMS and Windows Analytics, second was installing the script on to older version of Windows Pro, and today we look at some of the different reporting options that are available once the device data has been processed. As mentioned. This will start off as a high level overview, and in upcoming posts we will dig further into some of the reporting categories.

Starting in the OMS Workspace you can see that Upgrade Readiness is reporting that our Windows 7 Pro and Windows 8.1 Pro PCs have been processed. Click on Upgrade Readiness to drill in to the solution.

Upgrade Overview tells
us what we would expect, some very high level details of computers and application counts. You can also see that Windows 10 Version 1709 has been chosen as the target, and tomorrow I will dig further into this and give some explanations as to why you may choose this option versus the other options.

Step 1: Identify important apps shows that from the two Windows machines that have been processed there are 36 apps we need to review. Because we are working with such a small sample size it can’t really list them as “Low install count”, because they would either be on 50% or 100% of the devices if they were detected.

Step 2: Resolve Issues is showing that there is 1potentially problematic app, but no driver issues. Because these PCs are Hyper-V VMs, seeing no issues with drivers should be expected.

Step 3: Deploy shows that our 2 PCs are currently in the review process, and that we can also create Computer Groups to more easily identify them.

Step 4: Monitor allows us to track update progress, and offers potential solutions when you do encounter driver issues.

Office add-ins allows us to identify
that are installed. Most organisations will find a variety of add-ins here, from those that were included with Office installs, to those that were installed standalone or as part of another software installation.

And finally, if you opted in to IE reporting, you will see information populated in Site discovery. If you have older line of business apps that have stronger IE dependencies this is going to be useful information, but if you are already accessing your web applications from a variety of platforms and devices this should be much less of an issue. The worst case scenario is that you might identify a few sites and ActiveX controls that weren’t considered for the migration.

^ Scroll to Top
 22 Nov.

Microsoft 365 Business and Upgrade Analytics – Collecting Data From Previous Windows Pro Editions

Following on from the last post which was an introduction to the Windows Analytics Upgrade Analytics solution in Operations Management Suite, today’s post is on collecting data from your Windows 7 Pro and Windows 8.x Pro devices. For this post I will be using the Pilot version of the Upgrade Readiness Deployment Script to collect data from a couple of PCs rather than using an automated deployment option.

Before jumping in to the instructions, it’s worth discussing how many PCs you should consider collecting data from. The best answer is “all of them”, but the realities of the situation is that you may not be able to access all of the devices in a timely manner, which means starting small and then scaling up as other devices become available. If you are dealing with a large variety of PCs and installed software, then you are going to need a larger sample size. If you are working in an environment with limited hardware and software variation, you might be able to get away with targeting a smaller group of devices and extrapolate from there. The initial client data upload is only around 2MB in size, which means that it should only be around 600MB for the 300 users maximum that Microsoft 365 Business supports.

Now that we’ve covered the basics of targeting, head to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-deployment-script to download the script and save it locally.

After downloading the Upgrade Readiness Deployment Script to one of the PCs, extract its contents.

The RunConfig.bat file in the Pilot folder is what we need to edit.

The first thing we need to do is add our CommercialIDValue.. Where do we get this?

Heading back to the first post in the series we grab the CommercialIDValue (which I have hidden on this screenshot).

Next up is allowing IE data collection if required, which is a two part process, first of all you need to allow data collection, and then choose the collection level. Save the file and return to explorer.

Choose Run as Administrator for RunConfig.bat. Accept the UAC prompt
to allow the script to run.

This will take a minute or so, let it run until complete.

Once complete, head to the UADiagnostics folder and verify that the script ran successfully. Follow this process on other machines you want to evaluate, and after a while you should see them appear in the OMS Workspace.

I had to click the Generate Report button, which advises that the computers should be visible in the workspace within 48-72 hours, which makes this a good place to end this post.

^ Scroll to Top
 21 Nov.

Microsoft 365 Business and Upgrade Analytics – Preparing to upgrade to Windows 10 Business

I’ve previously posted about Windows 10 Business, so I won’t go into that in this post. Instead the focus of this post is how set up Operations Management Suite’s Windows Analytics Upgrade Anaytlics to capture information from your Windows 7 and Windows 8.x devices. Even if you are just targeting Windows 10 Pro deployments, the information in this post is just as relevant, so don’t be concerned about references to Windows 10 Business.

What do you need to get started? First up, if you don’t already have an Azure subscription, sign up for an Azure Fee Account. If you haven’t looked at what you get with an Azure Free Account, take a look at the Frequently Asked Questions. My preferred approach when setting up an Azure Subscription is to add it to the same Azure Active Directory tenant as the Microsoft 365/Office 365/Enterprise Mobility + Security subscription so that you get deeper integration when you start using more of Azure’s functionality.

If you go to http://mms.microsoft.com you get the above page, where you need to create a new OMS workspace.

It needs to have a unique name, and you will be presented with a selection of Azure regions to deploy to.

We can now assign this OMS Workspace to our Azure subscription.

Once setup is finalised, we are taken to the OMS Workspace, which starts out blank, but if we click on the Gallery (shopping bag) icon on the left we can see a range of solutions. I’ve highlighted Upgrade Readiness solution, as it’s the main one I will be focusing on for now. Next to it you will see Device Health, which is licensed via the following Windows SKUs

  • Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
  • Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
  • Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
  • Windows VDA E3 or E5 per-device or per-user subscription

However, for Upgrade Readiness you don’t need the above licenses, and the data is zero-rated so it ends up as a free of charge service.

The other option I want you to enable is the Update Compliance solution, which will be useful for longer term monitoring of Windows 10 devices that will be joining Azure Active Directory.

We start by adding Upgrade Readiness.

Adding the Upgrade Readiness solution doesn’t take very long…

At which point we are taken to the OMS Workspace which is empty no longer.

To access settings for the Workspace click on the gear icon at the top of the browser session

Here you can see that Upgrade Readiness was successfully added.

Go back to the Gallery and add Update Compliance.

This shouldn’t take long.

Now we have two OMS Solutions in the Workspace.

Click on the gear icon again to take a look at the settings.

You can see that both of the Solutions are listed.

Clicking on Connected Sources -> Windows Telemetry brings us to the final items for today – the Commercial ID Key. This is the unique identifier that we will need to initially load on to our Windows 7 and Windows 8.x devices to check Upgrade Readiness, and in the next post in this series I will cover deployment of the settings to those devices.

^ Scroll to Top
 4 Nov.

Microsoft 365 Business Resources

Following on from the earlier posts on Microsoft 365 Business, it’s now on the price list and there are some additional resources that will help get you up to speed. One of the documents I strongly encourage you to take a look at is the FAQ, which covers a variety of topics, but also explains some of the capabilities versus some of the restrictions. I’ve copied some of these here, as they explain some of the pieces you need to be aware of regarding the Intune and Azure Active Directory functionality that is included with the license.

Does Microsoft 365 Business include the full capabilities of Microsoft Intune?

Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft’s MDM solution (Microsoft Intune). These are a subset of features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a qualifying plan separately.

Does Azure Active Directory P1 come with Microsoft 365 Business?

No. Microsoft 365 Business is built on technology from across Microsoft and while it shares some features with Azure Active Directory, it is not a full version. The security and management policies created in Microsoft 365 Business rely on some Azure functionality but does not include all features (e.g. self-service features, conditional access features, and reporting). Customers may choose to purchase Azure Active Directory Premium as an add-on to Microsoft 365 Business.

Does Microsoft 365 Business allow customers to manage Macs?

The security and management capabilities of Microsoft 365 Business pertain to iOS, Android mobile and tablet devices, and Windows PCs.


Technical readiness

^ Scroll to Top
 9 Oct.

Microsoft 365 Business Part 4 – Office 365 Business Deployment

In the earlier posts in this series we covered Windows 10 Business, Azure Active Directory and Windows AutoPilot, and now we move over to the deployment of Office 365 Business. In the last post on Windows AutoPilot we saw that this gets installed automatically as part of the Azure Active Domain Join and autoenrollment into Intune, and today we’ll take a look at enabling this deployment, as well as what is going on behind the scenes with Intune.

From the Microsoft 365 Portal we choose Manage Office deployment.

First of all, we need to select who to assign this to. We will keep this simple today by using the inbuilt groups, rather than doing more selected targeting.

In this case we have the All Users group, but if we had more groups created they would appear here.

Select All users

A couple of things to highlight here – first of all that this is targeting Intune enrolled devices. How can we tell? Because we are doing an automated application installation, as opposed to just applying policies to an already installed application. The second point is that we only have the options to Install Office as soon as possible, which I have highlighted, or to Uninstall Office.

Take a second to review the changes.

And then we can close the window. That’s it. If you’ve previously deployed Office 365 desktop apps via the Office Deployment Tool or Intune, you probably realise there were a large number of options that you weren’t presented with, so how do you know if the defaults that were selected make sense for you. That’s easy, we can just jump in to the Azure Portal.

After opening the Intune blade, select Apps, and you can see something a little peculiar – the TYPE column for the Office Desktop Suite shows Office 365 Pro Plus Suite (Windows 10). The version of Office that is installed converts to Office 365 Business when it is automatically activated, so don’t worry about the Pro Plus licence not activating against a Business license, this is transparent.

Selecting Office Desktop Suite and then Properties shows us the three pre-configured property areas.

Configure App Suite shows
that we could do select install of the Office suite components, but in this case we want a full install. The second thing to notice here is that we could also have Project and Visio show as installed, but you would need to have purchased and assigned those licences separately. This is not a change you would usually make in the default Office installation settings, instead you would create a new group and target that group instead.

Under App Suite Information we have some prepopulated options, but again the recommendation here is to not change the settings that are in here, instead create a similar Mobile Apps policy but with your required settings.

App Suite Settings is where things really get interesting though, this is where Microsoft 365 Business is making decisions that are designed to be most beneficial across a variety of scenarios – thus the 32 bit installation, Monthly updates, acceptance of the EULA and setting up for single user activation, not shared computer/RDS installation. What other options would we normally see here? Let’s take a look.

Before I explain these options, I need to highlight that I am not editing the base configuration, I’ve just taken a screenshot of a new deployment. As the names of these releases has evolved the names in the drop down have also changed. If you take a look at my earlier post on this topic you can see this. If you need to learn more, take a look at Overview of update channels for Office 365 ProPlus. If you want to get an idea of just how much Office 365 desktop apps change over time, take a look at Office 365 client update channel releases.

The final section, Assignments, shows what we already know, that the All Users group has an install type of Required.

^ Scroll to Top
 30 Sep.

Microsoft 365 Business Part 3 – Windows AutoPilot

Following on from the last post on Azure Active Directory inclusions in Microsoft 365 Business, let’s take a look at the Windows AutoPilot pieces. For full details on Windows AutoPilot take a look at the official documentation.


To start adding enrolling devices into Windows AutoPilot, sign in to the Microsoft Store for Business as an admin and clicking Manage.

Click on Windows AutoPilot Deployment Program.


I already have one device enrolled, but I need to add another device.

I already have the required details for the device in a CSV file, so I begin the process of adding a new device by clicking on Add Devices.


After selecting the file I can Add devices to an AutoPilot deployment group, but I will skip this step.

You can now see the second device listed, but it doesn’t have a Profile assigned.

I begin clicking AutoPilot deployment and then selecting the profile I had pre-created, which skips several of the Out of Box Experience Steps.

You can now see that the policy is applied, which means it’s time to test it out.

Starting up our new Windows 10 Pro device, we don’t need to choose whether the device is a work or school account, I only have to choose some region and keyboard settings. You can see that the company branding, text and naming is brought in to the initial sign in screen.


We can still see the customisations on the password page.

Once entered and verified, Windows OOBE continues.

We are prompted to enter a PIN.

I’ve already enrolled my contact details for Multi Factor Authentication, so I just need to enter the received code here.


The PIN is now entered and confirmed.

And we are ready to go.


As soon as we sign in you can see the desktop customisations provided by Enterprise State Roaming, which was briefly mentioned in yesterday’s post.

If you look at the time here, it’s only one minute after I was able to sign in, and you can see that Office 365 Business Premium is being installed automatically for me as part of the device configuration by Microsoft Intune.

Within another three minutes the installation is complete, which will obviously vary based on connection speeds.

To wrap up, I want to show that under Windows Specifications the Edition has been changed to Windows 10 Business to highlight that this is now a Microsoft 365 Business managed device.


^ Scroll to Top
 28 Sep.

Microsoft 365 Business Part 2 – Azure Active Directory

In the first post of this series I covered the Windows 10 Pro upgrades included in Microsoft 365 Business, today it’s time to discuss the Azure Active Directory components that work alongside Intune to enable Windows 10 Business. I’ll start by posting the components included with the Microsoft 365 Business SKU again.

Third from the bottom you can see Azure Active Directory, and this version is a subset of Azure Active Premium P1, focusing on the required components that allow the Windows 10 management scenarios that are required. These include MDM Auto enrol, more than ten SaaS apps for single sign on in myapps, as well as self service capabilities and enterprise state roaming. We can still open the Azure Active Directory admin center from the Microsoft 365 admin center, and it looks like this.

Looking at the dashboard you can see that this doesn’t offer all of the capabilities of Azure Active Directory Premium P1, but if you do need the extra capabilities such as the additional security reporting, and clicking through the various options will soon give an idea of what is and isn’t included. If you eventually need to add these capabilities, you can easily add the required licenses alongside your Microsoft 365 Business licenses, and below I’ve included some screenshots of what happens in a tenant that has taken more of a mix and match approach.

Starting with a simple view, you can see that I have five different SKUs in this tenant, a mix of enterprise and SMB focused offerings.

In this screenshot I want to highlight the specific naming of the Azure Active Directory SKUs that are include with EMS E5- Premium 1 and Premium 2, as opposed to the Azure Active Directory that is referenced in the first image in this post.

Finally, for comparison, you can see here that because this tenant has AAD Premium, I can see the additional reports, as well as not being prompted to sign up for a trial subscription to AAD Premium.

^ Scroll to Top
 18 Sep.

Microsoft 365 Business Part 1 – Windows 10 Business

As I’m currently preparing some session content for Ignite 2017, I thought I would share some of the pieces I’ll be going through, starting with Windows 10 Business. This raises the question – what is Windows 10 Business, is it another Windows SKU? Rather than think of it as another SKU, the best way to think about it is that it’s Windows 10 Pro when it’s being managed by Microsoft 365 Business. If that’s not clear, think of it as Windows 10 Pro, plus the cloud based management capabilities that Azure Active Directory and Intune provide, including the choice of MAM or MDM based management options. You get to take advantage of MDM auto-enrolment, Windows Autopilot and other capabilities on offer when you start combining these technologies.

At the bottom of the graphic above you’ll see Windows Business listed. What you need to understand here is that this is an upgrade license for PCs that have licensed Windows Pro editions of Windows 7/Windows 8/Windows 8.1 that they haven’t upgraded already. If you had to sit on the sidelines during the Windows 10 upgrade offer and miss out, this is a way of getting the Windows Pro based devices up to date, assuming you didn’t upgrade due to hardware and software compatibility issues that haven’t been resolved.

The online activation via the users Azure Active Directory details is something that also needs to be taken into account. There are no product keys provided for this upgrade, which means the target PC is one that needs to be Azure Active Directory Joined as opposed to traditional on-premises deployment with Windows Server’s Active Directory Domain Services.

From the Microsoft 365 Admin Center you have the links above,

Install upgrade – this takes you to the Download Windows 10 page – https://www.microsoft.com/en-au/software-download/windows10

Share the download link
This creates an email message with the following text…
Create installation media – this also takes you to the Download Windows 10 page – https://www.microsoft.com/en-au/software-download/windows10
Troubleshoot installation – as per the link name, this takes you out to Windows 10 Help.
How do you tell if you running Windows 10 Business? Settings -> System -> About will show you the following.

As a comparison, here’s what it looks like after I enrol a Windows 10 S device in the same tenant, via the same process.

As you can see, because it’s not the Windows 10 Pro SKU, it doesn’t show as Windows 10 Business. I thought I’d throw this in as an introduction to what the Windows 10 Business inclusion isn’t – it’s not a Windows 10 Home or Windows 10 S path to Windows 10 Pro, only the older versions of Windows Pro mentioned earlier in the post. One of the topics I’ll cover in an upcoming post is Upgrade Readiness Solution in OMS, which can help to identify potential issues that previous operating systems and installed applications might have during or after the upgrade process.



^ Scroll to Top
 7 Aug.

Updates to WSUS/WU Dual Scan on Windows 10 1607

One of the scenarios I’m often asked about at the events I’m involved with is “why are my Windows 10 clients going to Windows Update instead of WSUS?”, and previously I’ve pointed people to the Demystifying “Dual Scan” post from the WSUS Product Team Blog. They’ve just put up a new post Improving Dual Scan on 1607 which is being released as part of the August cumulative update.

This update is also being rolled into 1703, and is already part of 1709.  Right now the support is for Group Policy, with MDM support coming later this year.  Jump to their blog post to get the full details of this update, but here’s their description of how dual scan works with this policy…

In order for Dual Scan to be enabled, the Windows Update client now also requires that the “Do not allow update deferral policies to cause scans against Windows Update” is not configured. In other words, if this policy is enabled, then changing the deferral policies in a WSUS environment will not cause Dual-Scan behavior. This allows enterprise administrators to mark their machines as “Current Branch for Business,” and to specify that feature updates should not be delivered before a certain amount of days, without worrying that their clients will start scanning Windows update unbidden. This means that usage of deferral policies is now supported in the on-premises environment. While the new policy (dubbed “Disable Dual Scan”) is enabled, any deferral policies configured for that client will apply only to ad hoc scans against Windows Update, which are triggered by clicking “Check online for updates from Microsoft Update”

They then go on to discuss five of the common update management scenarios, and how they should be updated for use with this policy…

Windows updates from WU, non-Windows content from WSUS

Windows updates from WSUS, blocking WU access entirely

Windows updates from WU, not using WSUS at all

Windows updates from WSUS, supplemental updates from WU

Windows updates from Configuration Manager, supplemental updates from WU


^ Scroll to Top

%d bloggers like this: