What is wrong with Windows 10?
Published on 2018/12/02 by Igor Levicki
After being forced to start using Windows 10 at work (the company I work for is licensing everything from Microsoft and paying big money for software assurance), I had plenty of time to look for proper justifications for my previously seemingly irrational hate for this "new" OS. People who criticize Windows 10 like I do are usually labeled as "afraid of change", but let me assure you — I am happy to embrace change when it is meaningful and positive. Whether this is the case with Windows 10 and the WaaS model I leave you to decide after reading this article.
Using an E3 Enterprise license tied to the user's domain account, the only way to properly install and activate the Enterprise edition seems to be to install the Windows 10 Pro version, join it to a domain (or Azure, more on that later), and then sign in with said user's account. This means you can only create a Windows Enterprise recovery image after the user has signed in for the first time, and you have to supervise their sign-in, because for the E3 license to be recognized the username has to be entered in the form of an email address.
Furthermore, despite all laptops/workstations coming with OEM Windows 10 Pro preinstalled nowadays, you have to nuke and pave said install, if only because you cannot trust the vendors (remember Lenovo Superfish, anyone?), even if you are OK with the shovelware/bloatware they add to the image. What this means in practice is that, since you are installing the "wrong" edition of Windows, all domain policies which exist only in the Enterprise edition will not work until the image is "converted" into Enterprise after the user has signed in for the first time.
This may not seem like a big deal unless you are trying to control the extent of data leaving your organization's network through "telemetry". Moreover, it also means you will get stuck with all the "consumer" features of Windows 10 Pro ("Candy Crush Saga" and other assorted junk preinstalled in the image) unless you invest a considerable amount of time and know-how to create a custom install.wim image, which brings us to my next point.
Unless you are making a fully unattended install, you will have to sit through those condescending messages during Setup. In version 1803 it was enough to customize privacy settings once and they were per machine, but from version 1809 those settings are per user, which means you have no control over what the user of the machine is going to select later when they sign in for the first time.
If you made the effort of removing all the provisioned crap from the image but forgot to unplug the network cable, Windows Setup will helpfully reinstall all that bullshit from the Store when you sign in. In version 1803 it was enough to select "Skip for now" when asked to connect to the network, but version 1809 added another nag screen after that one which says "Connect now to save time later" and asks you once again to connect to the network.
This is the first sign you see of a poorly thought out setup process — you just selected an option and you are being asked the same thing again. Either the network is necessary during setup (in which case you should not be able to proceed unless you connect), or it is optional (in which case there is no justification to ask twice). Asking twice is insulting because it clearly shows that you think your customer is an idiot. Personally I can't wait for version 1904, which I am sure will ask you at least 3 times instead of "just" 2.
- Installing drivers
True, you could integrate drivers into the image, but for display drivers that is pointless because of the frequent updates which are there to ensure compatibility with new software and enable new hardware features. You could also let Windows install drivers on its own, but even if it does that just fine for most peripherals, display drivers are something you don't want Windows to mess with.
From version 1809 you can forget the GUI setting "Do not install drivers from Windows Update" because it just doesn't work. You need some heavy-handed registry edits to make it stop installing outdated display drivers, which will also stop it from installing and updating any other drivers. Blocking just display drivers by class GUID using GPO is out of the question because that will prevent all subsequent installations of display drivers unless the user is an Administrator and you allow the administrative override.
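As an added example (not from the original article), the script below audits the three registry-backed levers described above: the "exclude drivers from quality updates" policy, the driver search order, and the Device Installation Restrictions deny list for the Display setup class with its admin override. It assumes an elevated PowerShell session on Windows 10; the function and property names are my own.

```powershell
# Added example: audit which driver-delivery controls are in effect and what they imply.
# Run elevated on Windows 10. Values not present in the registry are reported as $null.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DriverUpdatePolicyState {
    # GPO "Do not include drivers with Windows Updates" (1 = drivers excluded, all classes).
    $wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $excludeWU = Get-RegValueOrNull $wuPolicy 'ExcludeWUDriversInQualityUpdate'

    # Driver search order behind the "Device installation settings" GUI:
    # 0 = never search Windows Update for drivers, 1 = search Windows Update.
    $dsPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
    $searchCfg = Get-RegValueOrNull $dsPath 'SearchOrderConfig'

    # GPO "Prevent installation of devices using drivers that match these device setup classes",
    # plus "Allow administrators to override Device Installation Restriction policies".
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $denyOn   = Get-RegValueOrNull $restrict 'DenyDeviceClasses'
    $adminOvr = Get-RegValueOrNull $restrict 'AllowAdminInstall'
    $denied   = @()
    if (Test-Path "$restrict\DenyDeviceClasses") {
        # Entries are numbered values ("1", "2", ...) holding setup class GUIDs.
        $denied = (Get-ItemProperty "$restrict\DenyDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $displayClass  = '{4d36e968-e325-11ce-bfc1-08002be10318}'   # setup class "Display"
    $displayDenied = ($denyOn -eq 1) -and ($denied -contains $displayClass)

    $assessment = if ($excludeWU -eq 1 -or $searchCfg -eq 0) {
        'Driver delivery via Windows Update is off for every class (no per-class granularity).'
    } elseif ($displayDenied -and ($adminOvr -ne 1)) {
        'Display class denied with no admin override: manual display driver installs fail too.'
    } elseif ($displayDenied) {
        'Display class denied; only Administrators can install display drivers.'
    } else {
        'Windows Update may still install display drivers.'
    }

    [pscustomobject]@{
        WUDriversExcludedByPolicy = ($excludeWU -eq 1)
        SearchOrderConfig         = $searchCfg
        DisplayClassDenied        = $displayDenied
        AdminOverrideAllowed      = ($adminOvr -eq 1)
        Assessment                = $assessment
    }
}

Get-DriverUpdatePolicyState | Format-List
```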
- Joining the domain (or Azure)
Once you finish the install it is time to join the corporate domain. You can either stick to on-premises AD, or use the fancy new MDM stuff and have the machine join Azure AD. We learned the hard way that joining Azure is still the wrong thing to do. Despite the convenience, it lacks too many of the controls present in AD GPO to actually be useful for management. Furthermore, Azure AD joined machines might have issues accessing certain network resources. Whichever you choose, it's not over yet.
- First sign-in
"We are setting things up for you"... please don't, you don't know how I like them set up. From the message it is obvious that Microsoft believes they do know best, because you have no option but to endure this second barrage of condescending messages while the user profile is being prepared.
It is possible to avoid restarts while the user is working, but it is not possible to pick what updates are installed. You either take all or nothing, remember that for later. And if you try to disable Windows Update, there is now a new "Windows Update Medic Service" which will helpfully try to repair your "Windows Update" service to prevent you from messing with it.
There you go, another showing of "department of redundancy department" mentality entrenched deeply in Microsoft corporate culture. And who is going to repair the "Windows Update Medic Service" if you disable it? Well "Windows Update Medic Nursing™ Service" which I am sure will debut in version 1904 along with that 3rd "if you connected to the network on the previous screen Windows would have been installing right now" prompt.
Let's say you finally finished all that, and now it is time for someone to use the PC. Let's say the user is a developer. You shrug and assign them full local Administrator rights on the PC so they can install any additional tools they need and debug programs in Visual Studio. They start a console application which scrolls a lot of output and are hit with issue #279, a performance regression bringing a 65 times slowdown to the seemingly simple operation of scrolling text in the console. Later they start another console application and are hit with issue #143, another performance regression bringing a more than 25 times slowdown to the application in question.
It turns out that the change from the legacy console to the new console, which supports Unicode, has proper text wrapping on resize, has proper copy and paste support, and is required for Windows Subsystem for Linux, comes with a price so heavy that you are better off not using it, especially when you take into account that, according to Microsoft developers, the fix won't be delivered anytime soon.
So instead of being able to choose between the old and the new console per console window, it is again "all or nothing". Let me remind you, the people who would have benefited most from the new console features are developers and administrators, the literal cornerstones of the Windows user base. That takes one of the most compelling features in favor of Windows 10 off the list for them.
The developer finds a workaround: they will run console applications under Windows XP in a virtual machine. So they install VirtualBox and... find out that hardware virtualization is not available to them. Well, the PC has it, and Windows 10 has it, but even though the Hyper-V role is not installed, neither VirtualBox nor diagnostic software such as AIDA64 can see the real CPU hardware.
It turns out that in the name of security the OS is running in the root partition and the user is running in a guest partition, meaning the user cannot use other hypervisor solutions without resorting to the heavy-handed approach of disabling Device Guard and Credential Guard using the hardware readiness tool. This is already the third showing of the "all or nothing" mentality. You choose between security and the ability to run 3rd party virtualization solutions.
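As an added example (not from the original article), this diagnostic shows why a third-party hypervisor finds no usable VT-x/AMD-V on a machine without the Hyper-V role: it reads Win32_ComputerSystem.HypervisorPresent, the Hyper-V hypervisor feature state, and the Win32_DeviceGuard class that reports virtualization-based security. It assumes an elevated PowerShell session on Windows 10 1607 or later; the function and output property names are my own.

```powershell
# Added example: explain an "invisible" hypervisor on a machine with no Hyper-V role.
# Run elevated on Windows 10 (Win32_DeviceGuard exists from 1607 onward).

function Get-HypervisorOccupancy {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $services   = @()
    if ($dg.SecurityServicesRunning -contains 1) { $services += 'CredentialGuard' }
    if ($dg.SecurityServicesRunning -contains 2) { $services += 'HVCI' }

    $assessment = if ($cs.HypervisorPresent -and $hv.State -ne 'Enabled' -and $vbsRunning) {
        "Hypervisor loaded beneath Windows for VBS ($($services -join ', ')) with no Hyper-V role; " +
        'a third-party hypervisor that needs exclusive VT-x/AMD-V access cannot run.'
    } elseif ($cs.HypervisorPresent) {
        'Hypervisor loaded (Hyper-V role or other); VT-x/AMD-V is not available to third parties.'
    } else {
        'No hypervisor loaded; third-party hypervisors can use hardware virtualization.'
    }

    [pscustomobject]@{
        HypervisorPresent = $cs.HypervisorPresent
        HyperVRoleState   = $hv.State
        VbsRunning        = $vbsRunning
        SecurityServices  = $services
        Assessment        = $assessment
    }
}

Get-HypervisorOccupancy | Format-List
```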
True, you can run Hyper-V since it's bundled with the OS, but it is inferior in many ways, the inability to emulate DMI and ACPI tables and the inability to use iSCSI drives without the host OS seeing them as well being just two shortcomings off the top of my head. So "enhanced security" is also off the list of compelling Windows 10 features by now.
Finally, this also raises the question of whether defaulting to Hyper-V and requiring non-trivial effort to be able to use 3rd party virtualization software is another case of Internet Explorer bundling and another abuse of Microsoft's desktop OS monopoly.
Our developer proceeds to map some network drives so they can access corporate resources. After a reboot, the network drives show a red X and appear inaccessible. It turns out there is a known issue, and as of the time of this writing there are only workarounds, no fix.
The developer then installs Chrome (or Firefox) because they use it as their primary browser for development and testing. When they try to set their browser of choice as the system default they are greeted with a blatant "Try Microsoft Edge" advertisement with a button saying "Don't switch" and small text saying "Switch anyway". Is that another anti-trust case in the making or what?
Swearing loudly, they click "Switch anyway", but the next time they launch a URL or open an HTML file they are asked again which browser to use. Turns out there is another known issue in the current OS build which messes with application associations, one of the core concepts in Windows, and at the time of this writing there is no fix.
Tired of all this crap, your developer goes home to resume working from there. They attempt to connect through RDP only to be met with a black screen after logging in. Guess what? It is yet another known issue.
Both the network drive and RDP issues are resolved in Insider Build 18290, but that build's alternative name is 19H1, meaning our developer won't see those fixes until version 1904, which will surely bring its own fair share of new "known issues". So yet again the "all or nothing" mentality strikes. You are either running insider builds and risking loss of productivity and data, or you are on a "stable" OS branch and you wait six months (or longer for LTSC) for a fix.
I hope by now you have a pretty good idea what is wrong with the Windows as a Service idea. Windows is an extremely complex piece of software and 6 months between major releases is way too short given the lack of quality assurance we witnessed over the last few months. As an administrator you barely have time to understand the changes and prepare a new image, let alone test it adequately, before you are forced to deploy it. You also lack control over regular updates, which can break things and cause considerable loss of productivity.
I won't even touch upon the "consumer features" territory in this article (games in Enterprise software, impossible to fully remove Cortana, Windows Defender, Virtual Reality, Xbox support, showing ads on the Lock Screen, showing ads in Windows Explorer, shameless and annoying self-promotion in the application association dialog, and further monetizing customer data despite their paying for a software license) — there is enough bullshit there for a separate article spanning several pages.
To fully understand the importance of all the things mentioned here we need to remind ourselves what an operating system is:
An operating system is system software that manages computer hardware and software resources and provides common services for computer programs.
Note how the definition from Wikipedia does not mention:
- Nagging the user with notifications and prompts
- Installing garbage applications without consent
- Collecting user data which may include encryption keys in memory dumps and anything typed including passwords and CC numbers
- Not allowing the user to uninstall unwanted "features"
- Preventing the user from writing files to the root of C: drive
- Moving settings around in user interface so they are harder to find
- Experimentally changing user settings without consent
- Outright ignoring user settings
- Showing ads
- Coercing users into using certain search providers and certain bundled applications
- Restarting or installing video drivers while you are using the PC leading to loss of data
- Deleting your files during upgrade
That's right, the OS is supposed to be a thin, invisible layer which allows you to use the applications you want to use, to accomplish the tasks you need to accomplish. Nothing more, nothing less.
In my opinion, both as an experienced developer and system administrator, Mac OS is an example of what a real OS is and should be, and if Microsoft doesn't realize their profit-driven mistakes made under Satya Nadella, more and more companies are going to compare the one-time cost of switching to the Apple ecosystem with the cost of maintaining their presence in Microsoft's hellscape and realize that in fact such a change would be meaningful and well justified.
Repeat after me — we don't need Frustration as a Service.