Tools Windows In-Place Upgrade Lead image: Lead Image © golffoto, photocase.com

Continuous upgrades for Windows 10

From the Same Mold

The new Windows 10 update strategy, called an in-place upgrade, requires some manual adjustments for third-party components, as well as accommodations for multilingual and non-English enterprises. By Matthias Wessner

With Windows 10, Microsoft launched a new update strategy. No longer is a new operating system released every three to five years; rather, new functions are added to Windows twice a year. This installation, known as an in-place upgrade, replaces the existing Windows 10 version and involves a large amount of work for the admin.

First, a clarification of terms: An in-place upgrade is the installation of a feature update. Previously known as Current Branch or Current Branch for Business, today the term Semi-Annual Channel is used. In-place upgrades are available for a wide variety of products. In most enterprise environments, they have not been the preferred choice for a migration approach.

An in-place upgrade is basically the installation of a new version of Windows, while preserving existing applications and settings. In the corporate environment, the systems were previously reinstalled and configured for a new Windows version. Although this meant considerable effort, it also made it possible, as it were, to dispose of any contaminated sites with the new installation.

With the six-month cycle, in-place upgrades are now usually stable. Initial practical experience has shown that you should consider the following points when upgrading in larger environments:

Microsoft recommends giving clients direct access to the update servers for Windows on the Internet.
Hardware-related components from third-party manufacturers often cause the biggest headaches, such as products for hard drive encryption or virus scanners. Because these components are closely linked to the operating system, optimizations to the security features of third-party Windows vendors, in particular, cause problems and prevent a smooth upgrade process.

Direct Access to Update Servers

If your corporate clients can talk directly to Microsoft update servers during in-place upgrades, they can easily download the latest update information. These include compatibility information or updated drivers. In a fully managed environment, where clients do not have direct access to the update servers, a few steps may need to be taken to ensure a smooth update.

These special requirements are usually available for download from Knowledge Base articles but must first be identified and then integrated into the OS to which the update is to be made. Additionally, Windows 10 retrieves feature packs from the update servers (e.g., language packages for text-to-speech or handwriting recognition). These packages must also be integrated for deployment in the enterprise.

Third-Party Stumbling Blocks

Administrators usually have the fewest possibilities in terms of active solutions for third-party components. Instead, they are dependent on the vendors, whose release notes should prove worthwhile. My recommendation is to use Microsoft internal products for virus scanners and hard drive encryption, at least in the medium term, which, as part of the operating system, should present the fewest problems with the new Windows 10 version.

Another important aspect is the language used with the operating system, because the upgrade can only be carried out with one OS in an identical language if you want to keep all applications and settings. If an English operating system meets a computer whose system language is German during the upgrade, the upgrade cannot be performed. The recommended approach is therefore always to set the system language to English and then install the appropriate language packages for the users.

Support from the SCCM

Microsoft's in-house deployment tool is the System Center Configuration Manager (SCCM), for which you naturally also have the option of an in-place upgrade. The SCCM offers two options for rolling out the updates.

The servicing model, on the one hand, works in principle like Windows updates that perform upgrades. The administrator defines several rings that are assigned corresponding delay values. For example, ring 1 receives the Semi-Annual Channel immediately and ring 2 after 30 days; ring 3 receives the Long-Term servicing channel (formerly Current Branch for Business) and so on. Then, you assign individual computers to the rings (collections). The in-place upgrade is then performed as part of the Windows update.

The approach behind this method is well thought out but in practice is unsuitable, because the in-place upgrade cannot be controlled in any way. For example, you cannot contribute language packs, drivers, or other elements. As a rule, this does not meet the requirements of non-English companies for such upgrade mechanisms. However, the servicing model can help to obtain a graphical overview of the version status of all Windows 10 clients.

The alternative is the task sequence, in which you can define all steps for the in-place upgrade (Figure 1). By means of a task sequence, the upgrade procedure can be adapted to your own requirements; logfiles are no problem, either. As with the servicing model, you should create multiple deployment rings and roll out Windows 10 step by step. In practice, the rings or collections have become established, as shown in Table 1. Parallel to ring 6, ring 1 starts again with the next version of Windows 10, so the environment is constantly moving, and the Windows 10 project is never finished, but a continuous process.

Figure 1: Upgrade processes can be controlled sensibly with a task sequence and the corresponding wizard.

Tabelle 1: Task Sequence Upgrade Rings

Ring	User	As of
Ring 1	IT employees	One month after the release of the new Windows version to prepare the infrastructure
Ring 2	Application owner	Two months after the release
Ring 3	10 percent of employees	Four months after the release
Ring 4	20 percent of employees	Five months after the release
Ring 5	50 percent of employees	Six months after the release
Ring 6	100 percent of employees	Seven months after the release

Creating a Meaningful Task Sequence

What does a task sequence that allows a stable upgrade process look like? In SCCM, you create an appropriately prepared task sequence, which you will want to extend using the Upgrade an operating system from an upgrade package function. Specify the default parameters and create a task sequence for the in-place upgrade: First the client is checked for RAM, CPU, and, optionally, for hard disk space; then, the in-place upgrade is triggered, and possible rollback actions are finally executed. You need to adjust the following in the task sequence:

End user message
BitLocker
Language pack und features on demand
Logging
Drivers
Adaptations

First, you should define a User Notification to inform users in the best possible way (Figure 2). If BitLocker is in use, you must disable it before upgrading, leading to a temporary vulnerability because an unencrypted Windows system is more vulnerable. Unfortunately, you have to live with this security gap.

Thanks to the User Notification tab, you do not leave users in the dark when upgrading Windows 10. — Figure 2: Thanks to the *User Notification* tab, you do not leave users in the dark when upgrading Windows 10.

The customization of language packs and features on demand (e.g., speech packages for text-to-speech or tablet functions) affects customers who use multiple languages and prohibit clients from accessing Windows Update directly. After an in-place upgrade, the language packages are no longer available. If the client has Internet access, you can retrieve the data from Microsoft, otherwise you have to install the packages yourself. Of course, it is more convenient for the user if the language packages are installed at the same time. For example, use the following PowerShell script, which must be in the same directory as the language package:

$ScriptFullName = & {$MyInvocation.ScriptName}
$LangPacksPath = [string]$(Split-Path $Local:ScriptFullName)
Add-WindowsPackage -online -PackagePath $LangPacksPath-NoRestart -ea SilentlyContinue |Out-NULL

Because it is always helpful to know what went wrong and why, you should copy the logfiles in Listing 1 with the appropriate commands as the first action of the rollback

Listing 1: Logfiles to Copy

cmd /c xcopy /Y /C C:\Windows\Temp\WindowsSetupCompatScan.Log \\Server\Share \Win10_Inplace_Upgrade\%computername%\
cmd /c xcopy /C /Y C:\$WINDOWS.~BT\Sources\Panther\*.log \\Server\Share \Win10_Inplace_Upgrade\%computername%\
cmd /c xcopy /C /Y C:\Windows\CCM\LOGS\SMSTSLOG\*.log \\Server\ Share \Win10_Inplace_Upgrade\%computername%\
cmd /c xcopy /C /Y C:\$WINDOWS.~BT\Sources\Panther\*.xml \\Server\Share \Win10_Inplace_Upgrade\%computername%\

Any missing or new drivers can be imported using the familiar SCCM mechanisms. Finally, the task sequence is also useful for making general adjustments (e.g., removing AppX, modifying the taskbar, or adding images for the desktop background), which shows that standard servicing in SCCM is not really sufficient, because exactly these adjustments cannot be carried out as part of the upgrade.

Conclusions

The regular task of upgrading the operating system since Windows 10 now happens not only every three to five years, but approximately every six months. In this respect, a stable process is very important to avoid problems or to identify them quickly. However, many companies have not yet established such consistent processes. The SCCM task sequence acts as an important part of this provisioning process, along with faster test cycles.