(Updated: This article was updated September 15th, 2017 to reflect the terminology changes. Please also note that Microsoft has extended support for versions 1511, 1607, 1703, and 1709 for an additional 6 months for all enterprise and educational customers.)
You probably heard about the malware attack WannaCry 2 just a few weeks ago that held 200,000 computers in more than 150 countries, including devices at the Britain’s National Health Service, at ransom. The thing is, this attack was entirely preventable — and I am not speaking about the NSA or WikiLeaks. Microsoft issued a fix for this vulnerability days before it spread like wildfire.
Unfortunately, cybercrime and data breaches are becoming the norm. According to the Global Economic Crime Survey, 32% of companies said they were the victims of cybercrime in 2016. Because we are relying more on data and connectivity, the consequences of cybercrime are severe — costing us up to $2 trillion by 2019. These increased security threats have affected Windows 10 in two ways:
- First, Microsoft significantly improved the security of Windows 10 and designed the new OS as a Windows-as-a-Service (WaaS) — forcing enterprises as well as other customers to update frequently and often. As we have seen from the WannaCry attack, a safe OS version isn't doing you any good unless you have it installed.
- Secondly, the improved security measures and the continuous commitment to fixing vulnerabilities are significant drivers for enterprise adoption — making it the fastest adopted operating system yet.
To maintain Windows-as-a-Service, Microsoft releases new feature releases twice a year and monthly quality updates which are managed by servicing channels.
(Image Credit: Juriba, This graphic was updated Sept. 15th, 2017)
Why You Need A Windows 10 Servicing Readiness Tool
Most large businesses will take about seven months to roll out a new Windows 10 version across their entire estate, while Microsoft ships new updates every six months. While you could theoretically skip an update as they are cumalative, this isn't a great idea.
Theoretically speaking, if you start your upgrade process the day 1703 came out and you take seven months to upgrade, you will be finished by the end of October 2017. Microsoft will by then have already released the Fall Creators Update (1710). If you now start the upgrade process once 1803 is released, 1703 will be end-of-life BEFORE you have finished migrating all of your business users — and for most larger enterprises, a seven month migration timeline is very optimistic.
As a consequence of these frequent updates, IT faces an increased frequency of application and hardware testing as well as a larger need for transparency on application dependencies and application compatibility.
Setting Yourself Up For Success With A Scalable, Repeatable Process
To be able to support this faster velocity of PC upgrades in a sustainable, timely, and economic manner, enterprise IT organizations need to adopt a lifecycle management framework that enables the aggregation of application dependencies and compatibility status (including hardware, software, and other IT components). Additionally, the process needs to consume and support testing results, device allocation, scheduling and, of course, the initiation of the upgrade itself.
A Windows 10 Servicing Readiness Tool will allow your organization to:
- Minimize the time, effort and cost spent on planning and executing a Windows 10 upgrade
- Create a consistent and repeatable (automated) workflow to avoid “reinventing the wheel” with every new upgrade
- Better plan and budget for future upgrade cycles as you can track and schedule previous and current rollouts
- Gain better insights into your environment's compatibility with upcoming Windows 10 versions
- Significantly streamline deployment
- Avoid creating deployment bottlenecks by not rolling out upgrades to devices that are not ready
- Minimize manual interactions by IT staff through the use of self-service option
- Manage exceptions/postponements of upgrades without increasing administrative overhead.
Extensive Data Collection Capabilities
First and foremost, your Windows 10 Servicing Readiness Tool must provide you with extensive data collection capabilities. You will need to load data from existing sources via industry standard connectors and also manual imports leveraging a pull and push approach to complete your data warehouse.
Data collection should be automated on a defined schedule and interval based on the specific data source. If needed, the data needs to be augmented using a data warehouse that supports a multidimensional data model. Only then will you be able to automate downstream activities and reporting, taking all interdependencies into account.
The following data types will need to be collected for a successful process implementation:
- Hardware and software inventory
- Operating System inventory (including version and update/patch level)
- Organizational data such as user information, location, region or country, department or business unit
- Directory (device OU path, user OU path, and group membership)
- Readiness status of networks, relevant hardware, and application compatibility
Automated Calendaring & Scheduling, Self-Service Option
Upgrading to the latest Windows 10 version can be seen as a mini-migration that is most effectively done by assigning users and their devices into deployment rings or waves. To execute a migration with this approach, you will need to know your capacity limitations, and all relevant interdependencies. There are two steps in this process:
- Calendaring - the assignment of a device to the first available date and time available for an upgrade — without actually committing to the execution. Calendaring should be automated and dynamically updated if relevant parameters change.
- Scheduling - which refers to determining the eligibility to upgrade as part of their pre-defined ring (ring support) and committing to the upgrade slot. If all conditions for a group of devices are met, they are first in line for an upgrade. If not, the upgrade for this group is deferred until all conditions are met.
The tool you are using should offer the following capabilities:
- Visually represent all calendaring and scheduling events and updates in a calendar view
- Ability to drill-down into the readiness tracking information and to aggregate upgrade-eligible and in-scope objects within a specific date or time range
- Ability to provide status reporting in accordance with a T(minus) timeline (e.g., in relation to End-of-Life date of a specific Windows 10 version)
- Ability to define multiple “ring” schedules based on a specific device, country, business unit, or region and delegate scheduling to specific roles
- Option to provide a self-service for your end users — allowing them to initiate a request for his/her device to be upgraded once the minimum set of pre-defined conditions have been met. To accelerate your migration, this self-service option should be able to override (“skip the queue”) other readiness processes which would have rendered the device as not-qualified yet.
Hardware, Application, & Other Dependency Tracking
To avoid business disruption due to the incompatibility of devices receiving an upgrade, it is essential to track the readiness of your applications, hardware (device model and hardware configuration), and other pre-conditions.
Hardware Readiness. The hardware readiness status is based on the minimum required hardware configuration for the next Windows release version, be it drivers or enough free space to accept the upgrade. Since IT needs to define appropriate conditions and exceptions to determine hardware readiness, individual custom rule-based approach should be available within the tool. In addition, you should have a data source containing (in)compatibility data for those hardware conditions in relation to the next Windows version.
Application Readiness. After performing an in-scope application inventory, you will need to determine which apps are on which devices and match that data against your database, including your Windows 10 compatibility information. This will allow the tool to populate or update the readiness status. However, this will often create millions of data rows that are impossible to filter through manually. You will need to apply data filtering and rationalization to eliminate irrelevant apps (e.g., hotfixes, language packs). In addition, an appropriate rule-based approach allows you to define the conditions and exceptions.
Other Pre-Conditions. Since all upgrades will be automatically delivered over your network, you will need to track your network conditions amongst other items including departmental or country approval, SCCM upgrade readiness and other items. These pre-conditions should be defined and managed within the tool, setting the appropriate status at the deployment ring level.
Once all three types are deemed ready, the device would receive a “green” status (see screenshot below) to receive the upgrade. Additionally, all readiness information is overlaid with organizational information such as department/business unit/country to ensure organizational readiness.
In order for the “Readiness Dashboard” to be sustainable, the mapping of the interdependent data should be able to form a basis for automated task execution designed through a workflow interface. The business logic of the workflows should be implemented by means of a “rule-book” which is customizable and includes formula fields (ability to automatically generate a new value based on multiple values from original source data) and conditional statements.
- Readiness Assignment (e.g., automatically populate relevant device records with readiness status, automatic aggregation of overall readiness status by specific criteria, ability to override readiness status based on custom conditions)
- Calendaring / Forecasting (e.g., automated and rule-based allocation of deployment tasks and "pre-flight" updates)
- Scheduling (e.g., automated allocation of devices to deployment rings based on certain attributes which in turn determine when a device is scheduled for upgrade tasks, ability to override based on custom conditions)
- Deploy Update Capabilities (e.g., task is triggered based on preceding workflow results (i.e., green light), deployment executing possible through third-party tool including 2-way communication / write-back capabilities)
- Communication (e.g., streamline communication with predefined communication templates (with variable parameters), communication can be triggered by preceding, configurable workflow before and after migration, replies can serve as data source to augment or populate data fields (i.e., approval request))
- Approvals (e.g., implement approval process after passing predefined tollgate before proceeding to the next activity, automatic generation of approval requests)
What type of communications can be and are typically generated? Any logic-tree/event driven triggers that can be configured? End user communication should be automated and the content should be relevant to the appropriate phase a user’s device is in. The primary communication channel would typically be through email, although advanced organizations may wish to create a desktop application that hooks into the readiness dashboards to remind the user to action the upgrade.
- Event-driven trigger
- Multi-language support (at least English and German)
- Integrated with Task Automation: Communication
- Frequency and repeat rules
- Connector to external mail system (e.g. MS Exchange)
At Juriba, we are working closely with customers, technology partners (including the Microsoft Readiness team) and industry experts to help define best practice methodology and tooling to help organizations manage the complexity of frequent mass Windows 10 updates. If you are considering implementing an IT Transformation Project Management Tool like Dashworks to manage your Windows 10 migration and/or Windows 10 Servicing Management, download our buyer's guide to learn more about the full scope of Dashworks and how it can accelerate your IT Transformation by up to 65%.