Technology Leaders’ Checklist

Windows 10 upgrades

Most organisations have completed their Windows 7 to Windows 10 migrations or have plans in progress given Microsoft no longer supports Windows 7.

This checklist is focussed on a key challenge for every large enterprise once the upgrade to Windows 10 is complete: keeping Windows 10 versions current.

Unlike Windows 7, which was supported for 10 years, Windows 10 versions are supported for between 18 and 30 months.

Indeed, the following versions of Windows 10 Pro are no longer supported by Microsoft and lost support before Windows 7: 1511, 1607, 1703, 1709, 1803. These Windows 10 versions no longer receive security updates and remain vulnerable to any newly discovered security threats.

Thus, the challenge is to upgrade Windows 10 versions regularly. This challenge comes with significant opportunities as each new Windows 10 version enables new features that bring productivity and security benefits.

This checklist provides our experience upgrading Windows 10 machines in large enterprises across the globe, in various industries, covering tens of thousands of devices, with thousands of applications, and hundreds of hardware models.

We hope you find it useful.

Feature assessment

Each release of Windows 10 comes with new features. A feature assessment can determine how to get the most value for your organisation or identify if there are unintended consequences.

The following link provides a list of new features by Windows 10 version:

https://docs.microsoft.com/en-us/windows/whats-new/

The following links provide lists of features removed and no longer in development for each Windows 10 version:

https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-removed-features

https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features

If you are keen you can keep across the Windows Insider Program as each new version is developed at:

https://docs.microsoft.com/en-us/windows-insider/flight-hub/

Features assessment checklist

  • Identify any technical dependencies. For example, Microsoft Self Service Password Reset (SSPR) requires Windows 10 to be joined to Azure AD.

  • Identify alignment to your broader IT strategy. For example, advancements in Windows AutoPilot may align to a strategy to deliver new computers directly to users.

  • Identify deployment considerations. For example, biometrics-based login using Windows Hello for Business is only available on certain supported devices and requires Server 2016 Domain Controllers.

  • Identify servicing impact. For example, Windows 10 comes provisioned with “Windows apps” such as OneNote and Your Phone (as of Version 1809). These apps cannot be updated via MEM (nee SCCM) or WSUS.

  • Identify alignment to security and compliance policies. For example, Windows Timeline can be configured to send data to Microsoft which may need review before enabling.

  • Identify any training required for end users to adopt the new features.

  • Identify support and troubleshooting documentation for support teams.

  • Keep a log of the decisions taken for each new feature. This provides visibility of the roadmap for your implementation of Windows 10 and allows review of previous decisions when new information is received.

Group Policy review

This checklist assumes a large enterprise deployment and thus Group Policy Objects for controlling Windows settings will almost certainly apply. Each new version of Windows 10 introduces new Group Policy Objects (GPOs). For example, the release of Windows 10 version 1809 (October 2018) included 165 new policies.

Group Policy checklist

  • Review the new policies available for Windows 10 and decide if they apply to your organisation.

  • In addition to Windows consider policy changes for web browsers that receive regular updates such as Microsoft Edge and Google Chrome.

  • In determining how to treat a new policy setting refer to Microsoft provided baseline recommendations and consider reviewing the Center for Information Security (CIS) Benchmark guidance.

  • Determine if Administrative Templates in Active Directory require updating (new policy guidance normally includes information on relevant templates available).

  • Test the impact of any policies that are not clear.

  • Keep a log of new policies and the decision you took for configuration. This will assist when reviewing policies in the future, or if you need to troubleshoot issues that may be policy related.
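
One way to start the policy review and the decision log described in this checklist, as an added example (not part of the original checklist and not a Microsoft tool): it compares two folders of ADMX Administrative Templates and writes the policies that exist only in the newer set to a CSV with empty decision columns. The two folder paths, the log file name and the decision column names are assumptions.

```powershell
# Added example: list policies present in the new ADMX set but not in the old one.
param(
    [Parameter(Mandatory)] [string]$OldAdmxPath,  # assumed: PolicyDefinitions folder for the current version
    [Parameter(Mandatory)] [string]$NewAdmxPath,  # assumed: PolicyDefinitions folder for the target version
    [string]$LogPath = '.\new-policy-decisions.csv'   # assumed log file name
)

function Get-AdmxPolicy {
    param([string]$Path)
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx) {
        # XmlDocument.Load honours the encoding declared in the file.
        $admx = New-Object System.Xml.XmlDocument
        $admx.Load($file.FullName)
        # Templates that define only categories have no <policy> elements; the loop is then skipped.
        foreach ($p in $admx.policyDefinitions.policies.policy) {
            [pscustomobject]@{
                Id        = "$($file.BaseName)::$($p.name)"
                File      = $file.Name
                Policy    = $p.name
                Class     = $p.class       # Machine, User or Both
                Key       = $p.key         # registry key the policy writes to
                ValueName = $p.valueName
            }
        }
    }
}

# Index the old set by template name plus policy name.
$oldIds = @{}
Get-AdmxPolicy $OldAdmxPath | ForEach-Object { $oldIds[$_.Id] = $true }

$new = @(Get-AdmxPolicy $NewAdmxPath | Where-Object { -not $oldIds.ContainsKey($_.Id) })

# Empty columns are filled in during the review to form the decision log.
$new | Select-Object File, Policy, Class, Key, ValueName,
        @{ n = 'Decision';  e = { '' } },
        @{ n = 'Rationale'; e = { '' } },
        @{ n = 'DecidedOn'; e = { '' } } |
    Export-Csv -Path $LogPath -NoTypeInformation

"{0} new policies written to {1}" -f $new.Count, $LogPath
```

The same comparison works for browser templates (for example the Edge or Chrome ADMX files) if they are copied into the two folders.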

Device driver updates

Hardware vendors certify their device drivers for each new version of Windows and release updates to enable compatibility. Using device drivers that are not certified can result in unexpected behaviour such as wireless network disconnections or Blue Screen errors. In rare cases, Microsoft will even prevent a new version of Windows applying if incompatible device drivers are found.

Device driver checklist

  • Check with your hardware vendor whether supported device drivers are available. In our experience, models up to 3 years old should have supported drivers.

  • If you have hardware models without supported drivers everything may still work without issue. If the devices are not planned for retirement, we recommend upgrading a sample of the devices and letting volunteer users identify any unexpected behaviour.

  • In addition to computer device drivers, also validate device drivers for docking stations and external monitors.

  • If you use virtual environments then confirm the compatibility of the hypervisor with Windows 10 upgrade (we know virtual environments don’t have device drivers, but we had to find a list to add this item!).

  • Add the compatible device drivers to your new Windows machine build.

  • Deploy compatible device driver upgrades as applicable. We recommend device driver updates occur weeks before upgrading Windows. This helps to separate unexpected behaviour caused by device drivers versus Windows upgrade.

Machine health

The success rate of deploying Windows 10 upgrades is directly aligned to the health of those machines. Conversely, unhealthy machines will cause upgrade issues and in turn create user interruption and require local support recovery actions. As such, assessing machine health is perhaps the most important readiness item to complete.

Machine health checklist

  • Machines with insufficient disk space either need space recovered or in desperate cases disk sizes increased.

  • Machines with limited RAM can take an extended time to update, and this increases the chance an impatient user will reboot the machine mid-upgrade. Thus, consider if machines with less than 4 GB of RAM should be replaced with more powerful machines.

  • Check if machines are up to date on Windows patches; applying version updates to machines that are fully patched comes with fewer unexpected issues.

  • Check which machines are not receiving monthly updates correctly or not receiving recent package deployments (e.g. an Antivirus client update failure).
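
The checks in this list, run against a single machine, as an added example (not part of the original checklist): it reports the Windows 10 version, free space on the system drive, installed RAM and the age of the most recent installed update. The 4 GB RAM limit and the list of unsupported versions come from this page; the free-space and patch-age thresholds are assumptions to tune for your environment.

```powershell
# Added example: local upgrade-readiness check for one machine.
param(
    [int]$MinFreeGB       = 20,  # assumed free-space threshold; not from the page
    [int]$MinRamGB        = 4,   # the page's RAM guidance
    [int]$MaxPatchAgeDays = 45   # assumed: flag if no update was installed within this many days
)

# Versions this page lists as no longer supported for Windows 10 Pro.
$unsupported = '1511', '1607', '1703', '1709', '1803'

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion exists on 20H2 and later; earlier versions only have ReleaseId.
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

$sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB   = [math]::Round($sysDrive.FreeSpace / 1GB, 1)

# Sum the installed modules: TotalPhysicalMemory excludes reserved memory,
# so a 4 GB machine would otherwise report slightly under 4 GB.
$ramBytes = (Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
$ramGB    = [math]::Round($ramBytes / 1GB, 1)

# InstalledOn can be empty for some updates, so filter before sorting.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending | Select-Object -First 1

$findings = @()
if ($version -in $unsupported) { $findings += "Version $version is out of support" }
if ($freeGB -lt $MinFreeGB)    { $findings += "Only $freeGB GB free on $env:SystemDrive" }
if ($ramGB -lt $MinRamGB)      { $findings += "Only $ramGB GB RAM installed" }
if (-not $lastPatch) {
    $findings += 'No installed updates recorded'
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings += "Last update installed on $($lastPatch.InstalledOn.ToString('yyyy-MM-dd'))"
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Version      = $version
    FreeGB       = $freeGB
    RamGB        = $ramGB
    LastPatch    = $lastPatch.InstalledOn
    Ready        = ($findings.Count -eq 0)
    Findings     = $findings -join '; '
}
```

Run fleet-wide through your management tooling and collected centrally, the `Ready` and `Findings` fields give the list of machines to remediate before the upgrade is offered.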

Application assessment

In our experience, the number of applications with an issue after a Windows 10 version upgrade is insignificantly small, but this does not negate the need for an application assessment strategy.

While there are tools that help indicate application compatibility, we have found these tools are not reliable.

Given the above, we have found deploying a Windows upgrade using a phased deployment to be the most time effective way to identify incompatible applications. If an application issue is found, either pause the deployment or step around users with that application while a fix is identified. Yes, this is a reactive approach, but it is also a pragmatic approach in large enterprise environments with thousands of applications. The following checklist applies this approach across five phases.

Application assessment checklist

  • First phase – Core apps: Upgrade Windows for representative users of any applications that have 100% user coverage.

  • Second phase – Support teams: Deploy to user support and application support teams. This has the bonus of giving support teams visibility.

  • Third phase – All of IT: This phase allows any kinks in deployment to be identified before deploying to your Business Unit first adopters. This is important so that any issues are genuine application issues and not issues due to problems with the deployment process.

  • Fourth phase – Business Unit first adopters: Deploy to owners of key business systems: Finance, Legal, HR, Procurement, etc.

  • Fifth phase – Full rollout: By the time this phase starts any significant application issues will have been identified. Of course, there still may be application issues waiting to be found, but if the first four phases were completed correctly any remaining applications with issues can be managed reactively without significant impact.

Deployment process

The checklists so far provide the necessary preparation in advance of deployment of the Windows upgrade. To keep current with Windows versions an upgrade deployment will need to be completed once every 6 months. Many large organisations skip a Windows version and upgrade every 12 months which provides more time for deployment preparation and the completion of the actual deployment.

Deployment process checklist

  • Validate the readiness items in previous sections are complete: feature assessment, Group Policy review, device driver updates, machine health, and application assessment.

  • Validate your deployment infrastructure (e.g. MEM, nee SCCM) is healthy and compatible with the new Windows version.

  • Identify the rollout order; see our recommendation for deployment in phases in the “Application Assessment” part of this guide.

  • Identify if the deployment process will allow users to postpone and at which point the deployment becomes mandatory. We recommend making the deployment mandatory after one week.

  • Identify if VIP users will be managed separately. We recommend updating VIP user machines by appointment via VIP support teams.

  • Define your daily deployment rate. We recommend 2% of machines per location per day. This upgrades 10% per week or a full deployment in 10 weeks. This limits the potential impact on both users and support teams.

  • Identify the user notification process; this may include a combination of emails, Windows notifications, and custom desktop notifications. Highlight new features as applicable and relevant “how-to” instructions.

  • Identify the point in time when new build machines, or machine re-builds, will be recaptured to include the updated Windows version. We recommend this occurs once all of IT have been upgraded.

Ongoing operations

Ongoing operations are critical to the success of a Windows upgrade deployment. This is particularly important with a new Windows version release from Microsoft every 6 months. The items in the checklist that follow ensure your Windows fleet continues to be kept up to date once an upgrade is completed.

Ongoing operations checklist

  • Ensure you have a process in place for the deployment of monthly Windows patches, and for servicing your new build Windows image to include monthly patches.

  • Identify the cadence at which your organisation will update Windows versions. Microsoft releases versions in around March and September each year; the March versions are supported for 18 months and the September versions for 30 months.

  • Build your own Windows upgrade checklists and tailor them to inject the upgrade realities that apply to your environment.

  • Identify any environment improvements that will make the next upgrade more efficient. For example, rationalising the models of computers, reducing fragmentation of application versions, or proactively managing the health of computers on a monthly basis.

  • Publish your Windows upgrade roadmaps to provide visibility to your customers and stakeholders.

  • Remember that the real value in Windows upgrades is not just keeping within Microsoft supported versions, it is in extracting the value of the new features available. High-value upgrades focus on extracting business value by leveraging the new features available.