Windows 10 part #5 – Microsoft and the UEM sector

Posted by HTG

I know I come across as a rabid Microsoft basher sometimes, what with the fun we had with IE10+ Cookies and the like, but I am prepared to give any tech company a good tongue-lashing should I feel they deserve it. However, in light of early testing with Windows 10 in roaming enterprise environments, and some of the things I’m hearing on the grapevine, I am starting to feel more pressing concerns regarding Microsoft’s latest entry into the operating system market.

From all my early testing, which is corroborated by peers in the EUC sector, Windows 10 appears, to all intents and purposes, intentionally difficult to adapt for roaming environments. There’s a whole ecosystem of software products surrounding the adaptation and management of Windows-based platforms and applications for the enterprise. Let’s think about software like Unidesk, AppVolumes, FSLogix, AppSense, RES, Immidio, Scense, ProfileUnity, FlexApp, Citrix UPM, and many others in this space. Now I will admit I’ve only done some testing based around AppSense, UPM and FSLogix currently (and also around Microsoft’s own roaming profile solution), but it looks already as if it is comparatively more difficult to get roaming working properly. This follows on from the IE10 Cookie issue that we saw, where it appeared that Microsoft had made it tremendously hard for users to roam their Cookies from machine to machine in traditional ways. Rory de Leur did an excellent blog post on this, and an interesting statement he made on this was to conclude that “…we agreed, Microsoft is trying to kill the Zero Profile”. Zero Profiling is a RES term, but refers to the way that vendors like RES and AppSense provide a user with his personalized settings independent of the traditional Windows profile mechanisms. Tech like RES and AppSense removes the need for a Windows profile at all – in fact, if you could log on to a Windows machine without a profile (which you can’t), those using UEM tech like RES and AppSense wouldn’t need a profile for their users at all.

But Windows 10 appears to go further – not just aimed at the advanced UEM vendors but at layering technologies as well. There are rumours flying about – and I have to go on the level and explain that these are just things I am hearing from trusted contacts in the sector – that Microsoft are advising large enterprises to avoid solutions that utilize filter drivers and/or layering technology because something has architecturally changed in Windows 10 that will make it much harder for these sorts of solutions to function correctly.

Now this could all be FUD – but my preliminary testing, and that of others, seems to indicate that there are changes in Windows 10 that will make our lives as EUC staff a hell of a lot harder if we’re leveraging any of the third-party solutions that exist within the UEM ecosystem.

Microsoft’s world

Let’s not forget Windows is Microsoft’s environment and they own it. But over the last fifteen years or so, a whole industry has sprung up around providing advanced management features to this world. Solutions have gone to market based around making your life easier to manage users, applications and the environment that they work in. Why shouldn’t Microsoft try to bring all this into their new vision for Windows 10?

The Windows 10 movement

The problem is, Windows 10 represents an evolution – or maybe even a revolution – from Microsoft’s thinking about how the PC should be utilized. The default assumption seems to be that it’s their computer, not yours – a PC only in name now, personal no more.

With Windows 7, the computer was undeniably yours. You could do what you wanted with it. Even if you wanted to delete the entire HKLM hive in the Registry – I’ve seen it done, and it’s undeniably stupid, but hey, if that’s what you wanted then that’s what you could do. But now it’s moving back the other way – centralized, nannying, parental. Updates being enforced, logging of every move you make, user access control, download inspection, and all of the other wonderful things that Windows 10 has now pushed onto us. To be fair Microsoft are only following the lead of the other tech titans, Apple and Google, but it’s an uneasy path to tread for those who’ve been used to not only controlling what we could do ourselves but also what our users could do. And some of us are bound by compliance regulation – think of industries under the gaze of such entities as the FDA, as an example. This new “control removed” regime spells trouble for those of us who work in such tightly-regulated environments – or indeed any environment where there’s a reliance on testing and release management to keep applications running. I’ve already seen users and administrators forcibly disabling Windows Updates on Windows 10 systems – undoing over a decade of hard work to get people to accept regular patching as a defence against malware and worms. The patching system was sacrosanct, and Microsoft’s use – well, let’s pull no punches, it’s not use, it’s abuse – of the Windows Update mechanism to push advertising, unwanted OS upgrades and make patches that were manually declined reappear is nothing short of criminal. Shovelling out updates that cut directly through the corporate configuration we’ve specifically defined is ridiculous.

Microsoft’s defense is that this is their vision for the evolution of the PC. But they’re looking at this purely from the perspective of consumers and home users. We in the corporate world want to be able to, for instance, remove XBox from the Start Menus. We want to be able to customize the Start Menu and Start Tiles for our corporate environments. We want to use roaming profiles that look and feel the same no matter where the user logs in from. We want to be able to say – “look, a new operating system, let’s see how we can use this to better enable our users!” But instead we get an upgraded set of handcuffs with increased “telemetry” (spying, monitoring, tracking, whatever you want to call it).

The roaming issue

As I mentioned at the start, it seems – to me, anyway – that Microsoft have pretty much deliberately tried to hobble the roaming capabilities of Windows 10. In Windows 7 and 2008 R2, the Start Menu was a flat filesystem, as were most of the other pertinent parts of the user profile (Cookies, Favourites, etc.). It was easy to customize and maintain, and Group Policy Objects could be used to manage this, with the option of UEM solutions if you needed anything more advanced.

From Windows 8, and even more so in Windows 10, parts of the user profile are locked up in Jet Blue databases that are very difficult to roam. The Start Menu Tiles, Internet Explorer Cookies and the Notification Center now all sit in databases and roaming these presents great difficulty, being locked by system services and having user- and device-specific information written to them. The Start Menu itself is no longer manageable in the way it used to be – you can’t rename or delete the folders in there – and it will only display one folder-level deep if you copy a custom filesystem into %PROGRAMDATA%. Again, it feels like roaming capabilities have been intentionally curtailed.

This also fits in with what I’m hearing on the industry grapevine about Microsoft’s intentions. There are rumours that Windows 10 compatibility with UEM solutions and any software that uses filter drivers is “not on the roadmap” for Microsoft at this time. The November 2015 update was supposed to address a lot of the problems with roaming and Start Menus – yet as far as I can tell it hasn’t (although the Enterprise version of the 1511 update has only just been released, to be fair). With this in mind, it’s quite worrying for anyone who relies on UEM solutions to enable their roaming users, or for anyone who wants to deploy Windows 10 with full enterprise capability.

Embrace, extend, extinguish

It’s quite possible that Microsoft have designs on the UEM market for themselves. They have a product called UE-V, and combining UE-V with Azure integration would be a big way for Microsoft to take back a market that has essentially grown out of providing solutions for problems that couldn’t be addressed with Microsoft’s native tools. A combination of Azure AD, UE-V and Group Policy may be Microsoft’s way to attack the entire UEM sector and bring all of this market in-house for themselves, possibly sold under the MDOP license. Windows Store for Business and the rumoured Project Centennial – bringing desktop Windows apps to the Store as App-V packages – would also fit nicely into this area. Given the architecture of Windows 10, and the aggressive marketing behind it, I’d say this could be a distinct possibility. There are also unconfirmed reports of something in the pipeline called “Oxygen Services” which represents the Windows 10 personalization piece. I’ve been meaning to do some testing around UE-V to see what it currently offers in the Windows 10 department – more on this soon, hopefully, and with it confirmation of whether Microsoft are serious about roaming capability.

What does this mean for us?

A lot of this is speculation based around what I’ve seen in Windows 10. But it’s clear it isn’t very roaming-friendly – at least at the moment. A lot of the GPOs from Windows 8 and up only support device-centric deployments. Given how excellent Windows 7 was in this department, I can only conclude that the change in focus is deliberate – they could easily have lifted-and-shifted from the existing settings. Hearing tell of quotes attributed to Microsoft staff such as “roaming is dead” only serves to pour fuel onto this particular fire, and there are some enormous roaming enterprises I know of that would be horrified at the prospect of Microsoft treating them like a relic of the distant past.

I think the UEM vendors should be concerned, and so should those of us that rely on them for our existing solutions, and as tools that solve specific problems. Microsoft may well produce a solution that they suggest we use in place of our existing UEM vendors, but using the results of their foray into antivirus as a yardstick – another software market that sprang into being to service the base needs of Windows systems – it may be that whatever they produce simply doesn’t meet the standards of functionality required, at least not for the moment. It’s also entirely possible that this neglect of roaming enterprise functionality may force Windows 7 and 2008 R2 to become the Windows XP and Server 2003 of the next – a situation I would have thought Microsoft were desperate to avoid a repeat of (apart from the revenue potential of paying for extensions to support, I guess).

There is also, though, the EU to consider, and their dim view of Microsoft monopolizing any particular market. Remember the (admittedly annoying) “Browser Choice” update (which, incidentally, seems to have disappeared in Windows 10)? Maybe Microsoft might get forced into a similar thing for UEM – although it might still be within reason for them to restrict their competitors’ capabilities by manipulating the various databases they’re now using for user settings.

But I think, for the moment, prudence dictates we should wait until June of 2016, when Server 2016 and the promised “Redstone” update for Windows 10 arrive to provide us with “full enterprise functionality”. If the profile is still filled with databases, and the roaming capabilities are still neutered, then we can conclude at that point that this is the path Microsoft are heading inexorably down, and start to make plans from there. We might even end up (finally!) with the year of Linux on the desktop 🙂
