IT checklist for Windows 11 annual servicing

New feature assessment

Each annual release of Windows 11 comes with new features. A feature assessment can determine how to get the most value for your organisation, or identify if there are unintended consequences. To do this keep across Microsoft’s what’s new page, or join Microsoft’s Windows Insider program.

  • Identify any technical dependencies. For example, Microsoft Self Service Password Reset (SSPR) service requires Windows 10 machines to be joined to Azure AD.
  • Identify alignment to broader IT strategy. For example, advancements in Windows AutoPilot may align to a strategy to deliver new computers directly to users.
  • Identify deployment considerations. For example, biometrics-based login using Windows Hello for Business is only available on certain supported devices and requires Server 2016 Domain Controllers.
  • Identify servicing impact. For example, Windows 10 came provisioned with “Windows apps” such as OneNote and Your Phone (as of Version 1809). These apps cannot be updated via MEM (SCCM) or WSUS.
  • Identify alignment to security and compliance policies. For example, Windows Timelines timeline can be configured to send data to Microsoft which may need review before enabling.
  • Identify any training required for end users to adopt the new features.
  • Provide support and troubleshooting documentation to support teams
  • Keep a log of the decisions taken for each new feature. This provides visibility of the roadmap for your implementation of Windows 11 and allows review of previous decisions when new information is received.

Group Policy review

This checklist assumes large enterprise deployment and thus Group Policy Objects for controlling Windows settings will almost certainly apply. Each new version of Windows 11 introduces new Group Policy Objects (GPOs). See Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2) here.

  • Review the new policies available for Windows 11 and make a decision if they apply to your organisation.
  • In addition to Windows consider policy changes for web browsers that receive regular updates such as Microsoft Edge and Google Chrome. 
  • In determining how to treat a new policy setting refer to Microsoft provided baseline recommendation and consider reviewing the Center for Information Security (CIS) Benchmark guidance.
  • Determine if Administrative Templates in Active Directory require updating (new policy guidance normally includes information on relevant templates available).
  • Validate the impact of any policies that are not clear.
  • Keep a log of new policies and the decision you took for configuration. This will assist when reviewing policies in the future, or if you need to troubleshoot issues that may be policy related.

Device driver updates

Hardware vendors re-certify their device drivers for each new version of Windows and if need be release updates to enable compatibility. Using device drivers that are not certified as compatible can result in unexpected behaviour such as wireless network disconnections or Blue Screen errors. In rare cases Microsoft will even prevent new version of Windows applying if incompatible device driver is found.

  • Check with if your hardware vendor has supported device drivers. In our experience models up to 3 years old should have supported drivers.
  • If you have hardware models without supported drivers everything may still work without issue. If the devices are not planned for retirement, we recommend upgrading Windows for a sample of the devices and let volunteer users identify any unexpected behaviour.
  • In addition to computer device drivers, also validate device drivers for docking stations and external monitors.
  • If you use virtual environments then confirm compatibility of the hypervisor with Windows 10 upgrade (we know virtual environments don’t have device drivers, but we had to find a list to add this item!).
  • Add the compatible device drivers to your new Windows machine build process.
  • Deploy compatible device driver upgrades as applicable. We recommend device driver updates occur weeks before updating Windows. This helps to separate unexpected behaviour caused by device drivers versus Windows upgrade.

Machine health

The success rate of deploying Windows 10 upgrades to computers is directly aligned to the health of those machines. Conversely, unhealthy machines will cause upgrade issues and in turn create user interruption and require local support recovery actions. As such, assessing machine health perhaps the most important readiness item to complete.

  • Machines with insufficient disk space either need space recovered or in desperate cases disk sizes increased.
  • Machines with limited RAM can take an extended time to update, and this increases the chance an impatient user will reboot the machine mid-upgrade. Thus, consider if machines with less than 4G RAM should be replaced with more powerful machines.
  • Check if machines are up to date on Windows patches; applying version updates to machines that are fully patched comes with less unexpected issues.
  • Check which machines are not receiving monthly updates correctly or not receiving recent package deployments (e.g. an Antivirus client update failure).

Application assessment

In our experience, the actual applications with an issue after version upgrade is insignificantly small, but this does not negate the need for an application assessment strategy.

While there are tools that help indicate application compatibility, we have found these tools are not reliable.

Given the above, we have found deploying a Windows upgrade using a phased deployment to be the most time effective way to identify applications. If an application issue is found, either pause the deployment or step around users with that application while a fix is identified. Yes, this is a reactive approach to identifying applications, but it is also a pragmatic approach in large enterprise environments with thousands of applications. The following checklist applies this approach across five phases.

  • First phase – Core apps: Upgrade Windows for representatives for any applications that have 100% user coverage. 
  • Second phase – Support teams: Deploy to user support and application support teams. This has the bonus of gaining support teams visibility.
  • Third phase – All of IT: This phase allows any kinks in deployment to be identified before deploying to your Business Unit first adopters; this is important so that any issues are genuine application issues and not issues due to problems with the deployment process.
  • Forth phase – Business Unit first adopters: Deploy to owners of key business systems; Finance, Legal, HR, Procurement, etc.
  • Fifth phase – Full rollout: By the time this phase starts any significant application issues will have been identified. Of course, there still may be application issues waiting to be found, but if the first four phases were completed correctly the only applications with issues can be managed re-actively without significant impact.

Deployment process

The checklists so far provide the necessary preparation for proceeding with the actual deployment of the Windows upgrade. To keep current with Windows versions an upgrade deployment will need to be completed annually.

  • Validate key readiness items in previous sections are complete; New Feature Assessment, Device Drivers, Group Policies, Machine Health.
  • Validate your deployment infrastructure (e.g. MEM formerly SCCM) is healthy and compatible with the new Windows version.
  • Identify the rollout order; see our recommendation for deployment in phases in the “Application Assessment” part of this guide.
  • Identify if the deployment process will allow users to postpone and at which point the deployment becomes mandatory. We recommend making the deployment mandatory after one week.
  • Identify if VIP users will be managed separately. We recommend updating VIP user machines by appointment via VIP support teams.
  • Define your daily deployment rate. We recommend 2% of machines at a location per day. This allows 10% per week, or a full deployment in 10 weeks. This limits potential impact on both users and support teams.
  • Identify the user notification process; this may include a combination of emails, Windows-based notifications, and custom desktop notifications. Remember to highlight new features and relevant “how to” instructions.
  • Provide Windows 10 upgrade troubleshooting steps to your Service Desk and Site Support teams.
  • Identify the point in time when new build machines, or machine rebuilds, will be recaptured to include the updated Windows version. We recommend this occurs once all of IT have been upgraded.

On-going operations

On-going operations is critical to the success of a Windows upgrade deployment. This is particularly important with a new Windows version release from Microsoft every 6 months. The items in the checklist that follow ensure your Windows fleet continues to be kept up to date once the upgrade deployment is completed.

  • Ensure you have a process in place for deployment of monthly Windows patches, and for servicing your new build Windows image to include monthly patches.
  • Build your own Windows upgrade checklists and tailor them to inject the upgrade realities that apply to your environment.
  • Identify any environment improvements that will make the next upgrade more efficient. For example, rationalising the models of computers, reducing fragmentation of application versions, or pro-actively managing the health of computers on a monthly basis.
  • Publish your Windows upgrade roadmaps to provide visibility to your customers and stakeholders such as application teams. 
  • Remember that the real value in Windows upgrades is not just keeping within Microsoft supported versions, it is in extracting the value of the new features available. High value upgrades focus on extracting business value by leveraging the new features available.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s