cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Deploying a new version of Windows 10 in a remote world
By
James_Bell
Published May 27 2020 10:01 AM 172K Views
James_Bell
Microsoft
‎May 27 2020 10:01 AM

Deploying a new version of Windows 10 in a remote world

‎May 27 2020 10:01 AM

Today's post offers provide practical, step-by-step guidance to help you move your existing devices to Windows 10, version 2004—the latest Windows 10 feature update—as quickly and seamlessly as possible.

In the current remote-first work environment, many businesses are finding that they need to modify and modernize their existing processes to maintain and ensure business continuity. IT admins globally have had to rapidly react, getting users up and running with secure remote work options and finding the best ways to keep remote devices up to date with monthly updates. Last month, we published tactical guidance to help you optimize Windows monthly update deployment for remote devices. This month, we are outlining the steps that will help you deploy feature updates in your production environments while pivoting to a remote workforce using Microsoft Endpoint Configuration Manager to manage devices. While we know many companies are still using more traditional processes, the steps provided in this post leverage cloud resources to reduce bandwidth, reduce the workload on you as the IT admin, and, most importantly, improve the end user experience in a secure way.

Microsoft's guidance for adopting a faster Windows 10 update cadence has remained consistent: plan, prepare, and deploy. With so many people working remote, IT professionals need to embrace new mechanisms to perform this work securely through the internet. These new mechanisms may include configuring endpoints via Configuration Manager to receive updates from Windows Update—or using Windows Update for Business to take advantage of a full set of IT admin controls while leveraging the agility and innovation of the Windows Update service.

The calendar below shows a potential timeline for rolling out Windows 10, version 2004 across your organization, one that is aligned with Microsoft 365 Apps and Configuration Manager release cycles.

deployment-calendar.png

Figure 1. Deployment calendar for Windows 10, version 2004

While the calendar timeline above depicts the rollout of Windows 10, version 2004, this same approach can be used as a guide regardless of which version of Windows 10 is currently running on the devices in your environment and which version you are targeting with your rollout. By following a process based on plan, prepare, and deploy, you can successfully deploy feature updates in less time and avoid running up against (or past)  end of service dates. As a result, we encourage you to read through the process and see how connecting to Microsoft's cloud resources can help you accelerate and evolve legacy processes in order to provide a more protected and productive environment for end users.

Plan (June)

Modernization planning

In a world of remote workers, it is critical to reconsider how direct internet connections can be used to securely service Windows devices. To ensure that end user devices stay up to date and continue to receive security updates by being on a supported version of Windows 10, we have to modernize existing processes. That means reducing consumption of corporate network bandwidth while embracing cloud services. Here are recommendations tailored to supporting this effort regardless of your corporate network architecture:

  • Review VPN configuration changes needed to support remote work. For recommended practices for configuring split tunnel VPN to get publicly accessible traffic moved to the internet, while keeping corporate data secure on the corporate VPN, see the first part of this blog post series, Optimize Windows monthly update deployment for remote devices.
  • Optimize Microsoft 365 Apps traffic for remote endpoints. Confirm that traffic is optimized for remote workers to support Microsoft 365 Apps (formerly Office 365 ProPlus).
  • Implement Desktop Analytics. Desktop Analytics provides a process through which you can assign application importance and ownership, offers insight into which versions of Windows 10 are installed in your environment, and automatically creates pilot and broad deployment plans. To utilize Desktop Analytics, you need Configuration Manager and Windows 10 Enterprise E3, and to enable diagnostic data on your end user devices. (Watch this video for an overview of Desktop Analytics functionality.)
  • Configure and enable co-management. Co-management adds cloud management capabilities to Configuration Manager through the use of Microsoft Intune. To ensure business continuity and support remote work, organizations need to be cloud-capable. Enabling co-management is a recommended step with key controls and optimization for updating devices through the internet.
  • Transition to Windows Update for Business. Windows Update for Business provides both Windows 10 monthly quality updates and feature updates to remote endpoints through an internet connection to the Windows Update service; thereby reducing latency by utilizing Microsoft's global bandwidth, scaled infrastructure, and local distribution points. Windows Update for Business can also handle driver update, an ongoing challenge regardless whether supporting remote work or on-premises scenarios.

Compatibility planning

We know you need to feel confident that a Windows 10 feature update will not cause interruption to your critical line of business applications. Microsoft is committed to ensuring your apps work on the latest versions of our software and, with Microsoft App Assure, commercial customers Apps with an eligible subscription can receive no-cost app compatibility assistance when deploying Windows 10 and Microsoft 365. As a result of our confidence in application and device compatibility, we recommend the following steps when planning for the next Windows 10 feature update.

  • Review and confirm the Microsoft 365 Apps servicing approach for remote workers. Consider applying updates right away if there are no critical line of business applications, add-ins, or macros that need to be tested to verify that they work with an updated version of Microsoft 365 Apps. Consider deferring updates if critical line of business applications, add-ins, or macros need to be tested before rolling out updates broadly across your organization. Confirm the Microsoft 365 Apps servicing channel(s) used in your organization and review the next update release schedule to determine when to schedule testing and/or your broader rollout:
  • Review and confirm the Microsoft 365 Apps servicing approach for remote workers. Consider applying updates right away if there are no critical line of business applications, add-ins, or macros that need to be tested to verify that they work with an updated version of Microsoft 365 Apps. Consider deferring updates if critical line of business applications, add-ins, or macros need to be tested before rolling out updates broadly across your organization. Confirm the Microsoft 365 Apps servicing channel(s) used in your organization and review the next update release schedule to determine when to schedule testing and/or your broader rollout:
    • The Semi-Annual Enterprise Channel is the default for enterprises, and an update is expected in July 2020.
    • The Semi-Annual Enterprise Channel (Preview) will have an update released in September 2020.
    • The Monthly Enterprise Channel provides new features to users in the quickest way with a monthly update cadence.
  • Maintain an application and device portfolio. Create a list of the applications used in your organization and update/review it as you approach each feature update. Understanding what device types exist in your estate will help you determine which applications need to be tested, and the devices on which they should be tested. Use Desktop Analytics when possible to reduce the time and effort involved in maintaining the application and device portfolio.
  • Define what applications are critical, important, and not important. Setting common terminology for critical and important applications helps to make decisions if/how applications should be tested and what course of action to take if the application has a compatibility problem during deployment. Use Desktop Analytics to maintain application importance criticality designation.
  • Assign owners to critical applications. Critical applications should be validated ahead of broad deployment of a feature update. Find a contact in your organization that can test or assign testers to critical applications and provide compatibility feedback.
  • Determine success criteria to move from the prepare phase, to pilot, and then to broad deployment phases. Understand the number of applications that must be tested in a pilot deployment, and what success looks like for your organization to move to a broader deployment. Agreeing on these metrics up front in the planning phase ensures that decisions are made based on data, rather than opinion.

Deployment planning

In order to deploy Windows 10 feature updates at scale for remote workers, you need to ensure that your deployment engine is ready. This includes making sure your infrastructure and security applications are up to date with supported versions, and training support teams if and as needed. To ensure you are successful in your deployment planning, we recommend the following activities:

  • Assess the infrastructure used to deploy and manage Windows 10. Confirm support for the new feature update with your infrastructure management tool(s), and determine the effort needed to update the infrastructure as a prerequisite to deploying the update. For example, for Windows 10, version 2004:
    • Ensure that you have a current version of Microsoft Endpoint Configuration Manager Current Branch. The minimum required version would be Update 2002, which is supported through September 2021. The recommended version, however, would be Update 2006, which is supported through March 2022, as this release will support all in-support versions of Windows 10 and the next Windows 10 feature update.
    • For those customers that use cloud-based infrastructure management tools, such as Microsoft Intune, and/or Windows Update for Business, supportability challenges will be reduced as no on-premises or client-side products need to be updated.
    • Follow the same guidance (e.g. update to the latest version) if you use other deployment or mobile device management (MDM) tools.
  • Update your Administrative Templates and security baselines. Update your Administrative Templates (.admx) and security baselines to the latest release, test them in the pilot phase, and roll them out during broad deployment.
  • Review supportability for security and other endpoint agents installed on Windows 10. If you have a non-Microsoft agent installed on your Windows endpoints, confirm with the supplier what updates are required to the agents to ensure support is maintained.
  • Review how planned changes to infrastructure and configuration will impact support and operations teams. Document new features, configurations, or working scenarios provided by the required changes above, and provide a summary to your support and operations teams to ensure they can assess any impact. 
  • Determine success criteria to move from the prepare phase to deployment phase. Define infrastructure readiness criteria across the prepare and deploy phases to ensure that both the desired user and IT experiences will be achieved. Consider success criteria when updating infrastructure and configurations to support the new Windows 10 feature update, and confirm when each item should be updated, validated, and broadly deployed.
  • Don’t spend time designing deployment rings (yet). Often, commercial customers spend effort upfront to design a deployment ring strategy for all endpoints without understanding if any device driver or application compatibility challenges exist. Save this effort for the deploy phase when more is known about application and device upgrade readiness across your entire estate.

Capability planning

The deployment of a Windows 10 feature update alongside updates to infrastructure and configuration and productivity applications will unlock new features and working scenarios for users and IT professionals alike. As a result, all parties should be aware of the new features or functionality that help streamline deployment and make the end user experience better. The constant innovations in the servicing stack of the OS, or with Configuration Manager and Intune, may provide added benefits to the deployment that weren't previously available. Capability planning should, particularly at the present time, be focused on improving remote worker experiences, maintaining productivity, and minimizing user interruption during the update process. The following recommendations provide structure to help you achieve these outcomes:

  • Review the newest IT-related features in Windows 10 and related technologies. The What's new for IT pros in Windows 10, version 2004 blog post provides a list of recent improvements for IT pros as well as the top productivity features that any user of Windows 10 will appreciate. Review these capabilities against your current environment to help determine which features to communicate to remote workers, and to prepare your IT teams to support them.
  • Join the Windows 10 Community. Learn about technical best practices, tips and tricks, and the latest news and trends related to Windows 10 and the Windows client OS. Bookmark and visit the Windows 10 community on Tech Community.

Prepare (July/August)

Compatibility preparation

With an application portfolio in place, and application importance/ownership assigned, critical applications can be tested, and important applications can be validated. The focus of this section is how to test, and how to expand testing to a pilot group. Desktop Analytics can dramatically improve insights during compatibility preparation into remediations or additional testing needed. By acting as an early warning system, Desktop Analytics facilitates the move from prepare to deployment by reducing—if not eliminating—manual compatibility testing. It also enables you to rationalize your application estate, identify critical versus important applications, and prepare accordingly. Regardless of the approach used, we recommend that you conduct the following activities during this stage:

  • Choose a testing approach for critical applications. Any application marked as critical should be tested ahead of a broader deployment. One or more of the test approaches below should be defined for each critical application in the portfolio:
    • Regression testing provides full quality assurance and is recommended for critical applications that must work prior to a pilot deployment. In a remote worker scenario, undertaking this testing approach ahead of a pilot deployment requires additional effort from IT teams to provide the tester with access to a device or virtual session running the feature update—Windows 10, version 2004 in this case—as well as one or more of the critical applications.
    • Automated testing tools can test applications using the regression or smoke test approach and free up resources to perform other tasks. Use this approach if automated testing is already configured and accessible remotely.
    • Testing during the pilot phase provides real world validation of the applications and devices in your environment and we recommend that it be performed by remote workers for all critical and important applications.
  • Choose a testing approach for important applications. Applications marked as important can be tested during the pilot phase or during broad deployment. This approach provides validation of applications and it is up to application owners and IT to determine how important applications should be tested:
    • Testing during pilot provides real world validation of applications and devices and is recommended to be performed by remote workers for all important applications.
    • Reactive response testing is typically performed during broader deployment phases for applications with limited or no business impact.
  • Use Desktop Analytics to create a pilot group of devices to validate apps and drivers. Now integrated with Microsoft Endpoint Configuration Manager, Desktop Analytics can be used to track application importance/ownership and use that data to automate the selection of devices to test. This saves administrative time and effort, enabling you to move to the deploy phase quicker by providing insight into any known device driver incompatibilities. If Desktop Analytics isn’t available, work with application owners to identify users and devices for a pilot group.
  • Identify remote workers that can test applications and provide feedback on new features and work scenarios. Having a mix of users helps ensure that both functionality and usability of the platform are tested in the pilot phase. Connect with users via collaboration tools such as Microsoft Teams and ask users for the name of the device being used. Matching users to devices will help you understand the applications installed on the device through Desktop Analytics. If Desktop Analytics isn’t available, check which applications are being used remotely in Configuration Manager using the steps in the following article: Use CMPivot to gather troubleshooting data from remote clients.

Deployment preparation

When preparing for deployment, the focus is on upgrading (if necessary) your infrastructure and configurations to support the new Windows 10 feature update and remote workers.

Windows Update for Business uses a set of policies which may be unfamiliar and may need to be rationalized between Configuration Manager and Intune to create a predictable end user experience. Making preparations at this point in the process will save support costs down the road related to help desk support and inevitably improve end user satisfaction with the update. Once this work is done for the first time, preparation for subsequent feature updates through Windows Update for Business will be streamlined significantly.

We recommend that the following steps be completed ahead of the pilot deployment phase.

  • Update Configuration Manager. Update to the version you selected in the planning phase. For guidance, see Upgrade on-premises infrastructure that supports Configuration Manager.
  • Apply new configuration updates to your pilot device collection only. Administrative Templates (.admx) and Microsoft Security Baselines are available at the time of, or shortly after, the release of a Windows 10 feature update. New policy settings should be assessed and, where possible, default settings should remain in place.
  • Delay the creation of a Windows 10 base image. A Windows 10 base image is not required to support a Windows 10 feature update. The only reason to create a Windows 10 base image is to support new corporate devices that require customized configurations or for re-imaging devices that encounter hardware failure or that require some type of white glove service. By delaying this task, you will avoid spending valuable resources and effort on creating an image for new and replacement deployment scenarios until all configurations and tools have been tested.
  • Prepare Windows Update for Business. The recommended approach is to leverage Desktop Analytics to populate a collection of devices based on application and device compatibility data in Configuration Manager, and then use the device collection information to populate devices in a pilot group for Windows Update for Business. This can be performed using Configuration Manager or through Configuration Manager and Microsoft Intune:
    1. For Configuration Manager + Intune scenarios, follow the guidance outlined in co-management prerequisites and How to enable co-management in Configuration Manager.
    2. Configure Windows Update for Business policies. Select the Semi-Annual Channel for Windows, review user experience settings, and configure settings to update outside of an end user’s active hours. Work with communications teams to explain the process that works best for the organization’s remote users and configure a deadline to ensure that the update is applied to pilot devices immediately. Ensure devices can receive driver updates through Windows Update for Business.
    3. Deploy Windows Update for Business policies. Apply both quality and feature update settings, as Windows Update for Business will control both.
    4. Create a pilot deployment for Desktop Analytics. Create a pilot group, which will populate a device collection in Microsoft Endpoint Configuration Manager.
    5. For Configuration Manager + Intune scenarios, switch the Windows Update policy workload from Configuration Manager to Pilot Intune. We recommend that you add devices incrementally, first selecting known IT devices to test the configuration and deployment approach. When confident, change the target device collection to the device collection populated by Desktop Analytics.

Capability preparation

The capability initiatives you defined in the planning phase are implemented or configured in the prepare phase. As a result, we recommend the following activities to empower users to receive additional value out of Windows 10 + Microsoft 365 Apps:

  • Map new features to worker roles. Create a draft of workforce personas, mapped to the edition of Windows and Office used in your environment, in order to create new "hero" scenarios that showcase new or improved ways of working.
  • Provide communications to pilot users to showcase known new features/scenarios. Finding a communication strategy that is part of a broader change management approach helps users realize value from Windows will help reduce confusion about why updates will happen, and how they can be scheduled in a way that minimizes user disruption.

Deploy (August/September)

Deploying a Windows 10 feature update through Windows Update for Business is a unique shift from traditional deployment methods. Instead of “push” controls where you send down the update to the next ring of devices, Windows Update for Business provides “pull” controls to prevent the update from automatically going to the next ring. This is a mental shift for many IT admins as they have little to do if everything is going right. More attention needs to be spent to determine if an update needs to be stopped or slowed in the event that end users are having a poor or broken experience. Again, Desktop Analytics can provide real-time data to help make decisions and increase IT confidence in those decisions.

Pilot (August)

Once you have prepared and updated your configurations and infrastructure, you are ready for a pilot deployment. The first-time work to prepare, and the results afforded by, the pilot through Windows Update for Business provide long-term value for every future feature or quality update deployment. Updates are automatically optimized for the smallest update package size and the lowest latency regardless of how and where devices connect, assuming that devices are directly connected to the internet and not running back through the corporate VPN.

Recommendations for the pilot deployment phase are as follows:

  • Monitor the Windows 10 feature update to pilot devices. If a deployment of the feature update to an endpoint fails, Desktop Analytics can show where the deployment has failed or, if it is stuck, helping administrators isolate deployment problems quickly. If you are not able to use Desktop Analytics to monitor Windows 10 feature updates, review the log files and/or the SetupDiag tool to troubleshoot the deployment with assistance from the remote worker.
  • Create a frequently asked questions (FAQ) that users can access. Capture learnings from the pilot deployment to minimize calls to support teams during broad deployment.
  • Use collaboration tools for pilot users to share their experiences. Effective end user feedback and escalation points are critical to any successful servicing model. Using tools such as Microsoft Teams can provide an effective way to capture compatibility challenges, and screen sharing can help users walk support or an operations teams through any issues experienced.
  • Leverage Windows 10 rollback functionality. By leveraging recovery options, users can return to productivity with the previous version of Windows if the current feature update fails to install correctly. This reduces pressure on support and operations teams to triage issues remotely, enabling them to investigate during scheduled work hours. As a result, we recommend that you communicate the rollback process well in advance, and in the FAQ, in case an issue is encountered and the user needs to initiate a recovery.

Broad deployment (August, September)

Once the pilot deployment results in a consistent, predictable, and satisfactory end user experience, it is time to create your deployment rings and proceed with broad deployment. Windows Update for Business settings will continue to update devices unless you purposefully stop deployment. Once your first broad deployment is conducted, monitor update velocity and consider increasing that speed for the next feature update, for example, using the recommendations outlined in Optimizing Windows 10 update adoption.

The Windows Update service operates at massive scale, rolling out Windows updates to the consumer population globally and has the capacity to update devices connected through Windows Update for Business in short order. As corporate devices are updated to a version of Windows 10 closer to the latest release (for example, Windows 10, version 2004) using Windows Update for Business, the end user experience will improve with without much additional IT admin workload.

To accelerate the deployment of Windows 10, we recommend the following:

  • Expand configuration and Windows Update for Business policies. Once tested via your pilot deployment to ensure a predictable, satisfactory end user experience, deploy updated configuration sets and Windows Update for Business policies to all production devices to receive the feature update. As users will not be able to schedule their installation using this approach, should any validation issues occur, leverage the pause functionality for feature updates in Windows Update for Business to provide time for troubleshooting.
  • Enforce compliance deadlines for updates. To ensure that your Windows 10 devices continue to be serviced and supported, apply compliance deadlines that ensure that devices receive feature updates before any end of service moment for Windows 10. Check the Windows 10 lifecycle fact sheet to determine the end of service dates for your installed editions of Windows 10.
  • Create broad deployment plans. Deciding to deploy an update broadly after successfully validating applications and hardware during your pilot deployment will depend on how confident and comfortable your IT team is with maximizing deployment success. Desktop Analytics can provide additional assurance for broad deployment through dynamic device selection based on update readiness results, which ensures that devices not ready to successfully receive an update at the time of deployment do not receive the update until known issues are resolved. In addition, Windows Update for Business guarantees the highest level of success as it will block the deployment of a feature update to devices if hardware challenges are discovered, enabling you to deploy updates to your environment more quickly and removing the need to pause deployment while discovered issues are addressed.
  • Monitor increases for support requests. Aggregate and review data related to spikes in support requests after the deployment of a feature update to ensure issues can be isolated and triaged accordingly.
  • Create a baseline image to support new and replacement deployment scenarios. Once all supporting components and applications have been tested and validated, an image can be created to support deployment scenarios for new and replaced devices.
  • Use Windows Autopilot to deploy new devices to remote workers. Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on a new device. Instead of re-imaging the device, the existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
  • Document any lessons learned and use them for continuous improvement. Track deployment success, incorporate user and business feedback, understand reasons for delays, and determine what worked well and what can be improved across efforts in compatibility, deployment, capability, and modernization. Document any lessons learned, as well as the time and effort spent servicing Windows, to inform planning for the next Windows feature update and help you focus on where improvements can be made to reduce time, effort, or cost.

Summary

This post has provided guidance and recommendations on how to stay keep a remote workforce and your device ecosystem current with Windows 10 by leveraging direct internet connections in secure ways. By aligning to a plan, prepare, and deploy motion, you will be able to maintain a serviced version of Windows 10 on a faster cadence, which helps to harden the operating system against malicious intent, simplifies OS administration for IT, improves = performance, adds new capabilities, and unlocks new working scenarios. Examples of a successful transition can be found in the experience of our own Core Services Engineering and Operations (CSEO) team. Let us know if you find this article helpful, and which approaches best help your organization maintain up to date, productive, and secure devices for remote workers.

4 Comments
Version history
Last update:
‎May 27 2020 01:21 AM
Updated by:
Labels