diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 7c8dff22d6..bb8692ebf4 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -126,7 +126,7 @@ - name: Deploy updates with Configuration Manager href: update/deploy-updates-configmgr.md - name: Deploy updates with Intune - href: update/waas-wufb-csp-mdm.md + href: update/deploy-updates-intune.md - name: Deploy updates with WSUS href: update/waas-manage-updates-wsus.md - name: Deploy updates with Group Policy @@ -245,6 +245,8 @@ - name: Delivery Optimization reference href: update/waas-delivery-optimization-reference.md - name: Windows 10 in S mode + href: s-mode.md + - name: Switch to Windows 10 Pro or Enterprise from S mode href: windows-10-pro-in-s-mode.md - name: Windows 10 deployment tools items: diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 753f83e575..5ccbf1c1c7 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml 
@@ -22,29 +22,35 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Overview + - title: Deploy Windows 10 linkLists: - linkListType: overview links: - text: Windows 10 deployment scenarios url: windows-10-deployment-scenarios.md - - text: What is Windows as a service? - url: update/waas-overview.md - - text: Types of Windows updates - url: update/waas-quick-start.md#definitions - # Card (optional) - - title: Get started - linkLists: - linkListType: get-started links: - text: Demonstrate Autopilot deployment url: windows-autopilot/demonstrate-deployment-on-vm.md - - text: Servicing the Windows 10 operating system - url: update/waas-servicing-strategy-windows-10-updates.md - text: Deploy Windows 10 in a test lab url: windows-10-poc.md + # Card (optional) + - title: Update Windows 10 + linkLists: + - linkListType: overview + links: + - text: What is Windows as a service? + url: update/waas-overview.md + - text: Types of Windows updates + url: update/waas-quick-start.md#definitions + - linkListType: get-started + links: + - text: Servicing the Windows 10 operating system + url: update/waas-servicing-strategy-windows-10-updates.md + + # Card (optional) - title: Deployment planning linkLists: @@ -52,8 +58,12 @@ landingContent: links: - text: Create a deployment plan url: update/create-deployment-plan.md + - text: Define readiness criteria + url: update/plan-define-readiness.md - text: Evaluate infrastructure and tools url: update/eval-infra-tools.md + - text: Determine application readiness + url: update/plan-determine-app-readiness.md - text: Define your servicing strategy url: update/waas-servicing-strategy-windows-10-updates.md 
@@ -62,7 +72,9 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Prepare to deploy Windows 10 + - text: Prepare for Zero Touch Installation with Configuration Manager + url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md + - text: Prepare to deploy Windows 10 with MDT url: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md - text: Evaluate and update infrastructure url: update/update-policies.md 
@@ -74,21 +86,30 @@ landingContent: linkLists: - linkListType: deploy links: - - text: Deploy Windows 10 with Autopilot + - text: Windows Autopilot scenarios and capabilities url: windows-autopilot/windows-autopilot-scenarios.md + - text: Deploy Windows 10 to a new device with Configuration Manager + url: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md + - text: Deploy a Windows 10 image using MDT + url: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md - text: Assign devices to servicing channels url: update/waas-servicing-channels-windows-10-updates.md - text: Deploy Windows 10 updates - url: update/index.md + url: update/waas-servicing-channels-windows-10-updates.md + - text: Resolve Windows 10 upgrade errors + url: upgrade/resolve-windows-10-upgrade-errors.md # Card (optional) - - title: Also see + - title: Windows 10 resources linkLists: - - linkListType: reference + - linkListType: learn links: - text: Windows 10 release information - url: https://docs.microsoft.com/en-us/windows/release-information/ + url: https://docs.microsoft.com/windows/release-information/ - text: What's new in Windows 10 - url: https://docs.microsoft.com/en-us/windows/whats-new/ + url: https://docs.microsoft.com/windows/whats-new/ - text: Windows 10 Enterprise Security - url: https://docs.microsoft.com/en-us/windows/security/ + url: https://docs.microsoft.com/windows/security/ + - text: Desktop Deployment Center + url: https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home + diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 29c3c93099..b7e1707a7d 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md 
@@ -43,7 +43,7 @@ Combining the various validation methods with the app classifications you've pre |Test in pilot | x | x | x | -## Identify users +### Identify users Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include: @@ -53,7 +53,7 @@ Since your organization no doubt has a wide variety of users, each with differen You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. -## Identify and set up devices for validation +### Identify and set up devices for validation In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment. @@ -64,7 +64,7 @@ There is more than one way to choose devices for app validation: - **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. -## Desktop Analytics +### Desktop Analytics Desktop Analytics can make all of the tasks discussed in this article significantly easier: diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md new file mode 100644 index 0000000000..76cbb5eea0 --- /dev/null +++ b/windows/deployment/update/prepare-deploy-windows.md 
@@ -0,0 +1,158 @@ +--- +title: Prepare to deploy Windows +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Prepare to deploy Windows + +Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items: + +- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md) +- A plan for [testing and validating](plan-determine-app-readiness.md) apps +- An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness +- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use + +Now you're ready to actually start making changes in your environment to get ready to deploy. + +## Prepare infrastructure and environment + +- Deploy site server updates for Configuration Manager. +- Update non-Microsoft security tools like security agents or servers. +- Update non-Microsoft management tools like data loss prevention agents. + +Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps: + +1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This prevents problems later on. +2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment. +3. 
Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure. + + +You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example: + +- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations. +- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to. +However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example: + +1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. +2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant. +3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues. 
+ + +## Prepare applications and devices + +You've previously decided on which validation methods you want to use to validate apps in the upcoming pilot deployment phase. Now is a good time to make sure that individual devices are ready and able to install the next update without difficulty. + +### Ensure updates are available + +Enable update services on devices. Ensure that every device is running all the services Windows Update relies on. Sometimes users or even malware can disable the services Windows Update requires to work correctly. Make sure the following services are running: + +- Background Intelligent Transfer Service +- Background Tasks Infrastructure Service +- BranchCache (if you use this feature for update deployment) +- ConfigMgr Task Sequence Agent (if you use Configuration Manager to deploy updates) +- Cryptographic Services +- DCOM Server Process Launcher +- Device Install +- Delivery Optimization +- Device Setup Manager +- License Manager +- Microsoft Account Sign-in Assistant +- Microsoft Software Shadow Copy Provider +- Remote Procedure Call (RPC) +- Remote Procedure Call (RPC) Locator +- RPC Endpoint Mapper +- Service Control Manager +- Task Scheduler +- Token Broker +- Update Orchestrator Service +- Volume Shadow Copy Service +- Windows Automatic Update Service +- Windows Backup +- Windows Defender Firewall +- Windows Management Instrumentation +- Windows Management Service +- Windows Module Installer +- Windows Push Notification +- Windows Security Center Service +- Windows Time Service +- Windows Update +- Windows Update Medic Service + +You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods. + +### Network configuration + +Ensure that devices can reach necessary Windows Update endpoints through the firewall. + +### Optimize download bandwidth +Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache. 
+ +### Address unhealthy devices + +In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. + +- **Low disk space:** Quality updates require a minimum of two GB to successfully install. Feature updates require between 8 and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve this by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: +- C:\Windows\temp +- C:\Windows\cbstemp (though this file might be necessary to investigate update failures) +- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures) +- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space) + +You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings. + +- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe +- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup** +- Compact the operating system by running **Compact.exe /CompactOS:always** +- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance. +- Move Windows Known Folders to OneDrive. 
See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information. +- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates: + +``` +net stop wuauserv +net stop cryptSvc +net stop bits +net stop msiserver +ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old +net start wuauserv +net start cryptSvc +net start bits +net start msiserver +``` + +- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also +check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues. +- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component Based Store from another source. You can do this with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system). + + + + + +## Prepare capability + +In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities: + +- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates. 
+- Validate new changes to understand how they affect the wider environment. +- Remediate any potential problems that have been identified through validation. + +## Prepare users + +Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning. + +You can employ a variety of measures to achieve this, for example: + +- Send overview email about the update and how it will be deployed to the entire organization. +- Send personalized emails to users about the update with specific details. +- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need. +- Provide the ability to voluntarily update at users’ convenience. +- Inform users of a mandatory installation date when the update will be installed on all devices. + +
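Review bot: In windows/deployment/TOC.yml, hunk @@ -126,7 +126,7 @@, the "Deploy updates with Intune" entry is re-pointed to update/deploy-updates-intune.md, but no file of that name is added or renamed anywhere in the diff shown here. Confirm the article exists on this branch or lands with this change; otherwise the TOC entry resolves to a missing page.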
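Review bot: In windows/deployment/TOC.yml, hunk @@ -245,6 +245,8 @@, "Windows 10 in S mode" now targets s-mode.md, which this diff does not create, while its former target windows-10-pro-in-s-mode.md moves under the new "Switch to Windows 10 Pro or Enterprise from S mode" entry. Verify that windows/deployment/s-mode.md is present. Since existing links to windows-10-pro-in-s-mode.md will now land on the switch article rather than the S mode overview, check inbound links as well.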
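Review bot: In windows/deployment/index.yml, hunk @@ -74,21 +86,30 @@, the "Deploy Windows 10 updates" link is changed from update/index.md to update/waas-servicing-channels-windows-10-updates.md, which is the same url as the "Assign devices to servicing channels" link directly above it, so the card ends up with two entries for one page. Point it at a distinct article (or keep update/index.md), or drop one of the two entries. The hunk also appends an empty line at the end of the file, which can be removed.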
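Review bot: In the new file windows/deployment/update/prepare-deploy-windows.md, the batch file under "Clean up the Software Distribution folder" fails as written: ren takes only a new name as its second argument, not a path, so "ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old" returns a syntax error and the services are restarted with the download state unchanged. Use "ren C:\Windows\SoftwareDistribution SoftwareDistribution.old". In the same section, the path "C:\Windows\sytem32\wsreset.exe" is misspelled (system32), the "delete the following files" list names folders and is not indented under the "Low disk space" bullet, and the sentence "You can also check for known issues" is split across two lines. Elsewhere in the file, the front matter leaves "description:" empty, and the paragraph starting "However, your configuration" needs a blank line before it so it does not render as part of the preceding "Update security baselines" list item.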