930addict
[QUOTE=stealthn;8358358]Thanks guys, met with Microsoft today and got some good feedback re the GPOs. One challenge we have is if you disable Windows updates this also causes grief with Windows app downloads.[/QUOTE]

SCCM should control your updates (You mention SCCM client so assuming that is your System Management Software). We disable the app store in Windows 8.1 as all software comes from SCCM. In our environment users are prohibited from installing any software including updates. This helps us keep a consistent environment and also prevents bad updates from being installed. We've had to pull several updates this year due to bad updates from Microsoft. Had users been allowed to install updates they would have blue screened their computers. So using GPO we disable automatic updates and then create a few reg keys to point to our SCCM Windows Update Server. We haven't had any issues with regards to app installs through SCCM or GPO.

[QUOTE=stealthn]My concern is with one of two techs they are not ready for the high cadence of updates/patches/firmware changes that will come with this new platform. They also told me Windows 10 will have a 1 month update cycle (not just patches) so our client needs to start thinking differently.

I'm not saying a gold image is not the way to go, just a lot less agile than I think is going to be required. Now I just need them to allow the tile apps to talk to ActiveSync.[/QUOTE]

We've mostly automated our update cycle so the admins typically just have to monitor. The first Thursday after Patch Tuesday we deploy to a test group. The following Wednesday it goes to our pilot group. The following Wednesday it goes to all 20k systems on a rolling schedule. So most systems are patched within a month of the released patch date. This also gives time for us to pull back if we find a bad patch or if Microsoft pulls one of the patches. We never deploy the same day. This schedule includes the Surfaces (we have about 50 in our environment starting from Surface 1 through Surface Pro 3). This entire process is automated using ADRs (SCCM 2012) and some scripting. We treat the Surfaces just like any other computer on our network for patching and imaging and software deployment.

In addition, we refresh our gold image every two months with all updates since the last update cycle. We add additional drivers to support new hardware and other functionality at this time as well.

I would recommend setting the Surfaces up as you would any other laptop. The more hardware agnostic your management strategy is, the easier it will be to scale. Our process for deploying systems doesn't change for desktop, laptop or Surface. We incorporate BitLocker and our wireless setup within our task sequence in addition to department-specific applications. Of course, all of this needs to be built out on the backend so the front end looks simple.
11-18-2014, 12:44 PM
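Added example (not part of 930addict's post): a PowerShell check that a client actually carries the Windows Update policy values the post describes, automatic updates disabled and the update server pointed at an internal host. The server URL is a constructed placeholder and the set of values checked is an assumption about what such a GPO writes; adjust both to your own policy.

```powershell
# Audit the Windows Update policy registry values on the local machine.
# Run from an elevated or standard prompt; reading HKLM policy keys needs no admin rights.
param(
    # Constructed placeholder, not a value from the post.
    [string]$ExpectedServer = 'http://sccm-sup.example.internal:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Value name -> data we expect the GPO / registry preference to have written.
$expected = @(
    @{ Path = $wuKey; Name = 'WUServer';       Want = $ExpectedServer }  # update source
    @{ Path = $wuKey; Name = 'WUStatusServer'; Want = $ExpectedServer }  # reporting target
    @{ Path = $auKey; Name = 'UseWUServer';    Want = 1 }                # honour WUServer
    @{ Path = $auKey; Name = 'NoAutoUpdate';   Want = 1 }                # automatic updates off
)

$results = foreach ($e in $expected) {
    $actual = $null
    # A missing key or value is a finding, not an error, so suppress the exception.
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($e.Name) }

    [pscustomobject]@{
        Value     = "$($e.Path)\$($e.Name)"
        Expected  = $e.Want
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # Compare as strings; ignore a trailing slash on the server URL.
        Compliant = ($null -ne $actual) -and
                    ("$actual".TrimEnd('/') -eq "$($e.Want)".TrimEnd('/'))
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a compliance baseline or scheduled task flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

A machine that reports `<not set>` for `UseWUServer` or `WUServer` is still talking to Microsoft Update directly, so it falls outside the staged test/pilot/production rollout described above.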