Use case: Upgrading Windows

You can use Tanium Deploy to prepare and deploy Windows 10 Upgrades to your Windows endpoints. To complete a Windows 10 Upgrade, you must understand how to target and deploy software packages in Deploy.

Overview

Deploy supports the upgrade of Windows 7 Service Pack 1 and later to Windows 10 and upgrades of Windows 10 to newer builds of Windows. You can use Deploy to handle the Windows upgrade process in three phases:

Phase 1: Download Windows media and scan for compatibility

The Phase 1 software package invokes a PowerShell script to copy the files that are required for the upgrade to the C:\Deploy directory on the endpoint. After the files are in place, the PowerShell script runs Windows Setup to check for upgrade compatibility. The script then takes the information returned from Windows Setup and records the results in the registry.

Phase 2: Compatibility remediation and re-scan

If the Phase 1 compatibility scan fails, you must remediate any problems. You can use the Phase 2 package to force a new scan. Rescanning is necessary if there is a compatibility problem detected in the Phase 1 scan that is later remediated.

Phase 3: Windows Upgrade

The Phase 3 package invokes a PowerShell script that runs Windows Setup to perform the upgrade.

Before you begin

To set up your Windows 10 upgrade, you must have the Windows 10 media (ISO or ESD file) that corresponds to the Windows 10 Windows version, channel, architecture, and language that you want to deploy.

Your security administrator must create security exclusions to ensure successful operation of Tanium Deploy and the Tanium Client. Additional security exclusions for Windows are required for Windows upgrades.

If you have any questions about implementing Windows upgrades in your environment, contact Tanium Support to discuss your testing and implementation plans.

Import software packages

To begin, you must import three software packages from the predefined package gallery. The following examples use Windows 10 Version 21H1, 64-bit. Substitute with the version and architecture you are deploying as needed.

  1. From the Deploy menu, go to Software, and then click Predefined Package Gallery.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Select the following three packages:
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase2 - Pre-Scan
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade
  3. Click Import, confirm the action, and then click Go To Software Packages.

    A warning might appear indicating there are pending software package changes and that the catalog must be distributed. You can skip distributing the catalog in this step, as you need to do it again after providing the Windows 10 media.

Review and modify software packages

Before you deploy the packages, you must upload the downloaded ISO or ESD files, and then make some modifications to the software packages in the following order:

  1. Modify the Phase 1 software package
  2. View the Phase 2 software package
  3. (Optional) Modify the Phase 3 software package

Modify the Phase 1 software package

  1. From the Deploy menu, go to Software.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Click InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache and then click Edit.
  3. Expand Package Files, and then click Add Package Files > Local File.
  4. Navigate to the ISO or ESD file and then click Open.

    This upload takes a while to complete. If you want to complete other tasks in Deploy, click Save and Finish Later. The upload continues in the background and you can return to complete the package later.

    After the upload completes, the file entry with its SHA-256 hash appears.

  5. (Optional) If a locale other than en-us is required, edit the Update Detection and Install Verification rule and change 1033 to the appropriate language ID. For more information and a complete list of all language/region decimal IDs, see Microsoft Documentation: Available languages for Windows.
  6. Click Update Package and then if prompted, click Distribute Catalog.

    After you update the package, the Module Server transfers files to the Tanium Server. This process could take up to 30 minutes. You cannot deploy the Phase 1 package to any clients until it completes.

View the Phase 2 software package

This package triggers a new scan after remediating any problems with the Phase 1 scan. Modifications to this software package are not required or supported.

(Optional) Modify the Phase 3 software package

The PowerShell script associated with Phase 3 starts the Windows Setup upgrade process and in most cases should need no modification. The script runs Windows Setup with the following command line arguments:

/auto Upgrade /NoReboot /Quiet /DynamicUpdate disable /ShowOOBE none /Telemetry disable /Uninstall enable

If you need to append additional arguments to the command line that Windows Setup is using for upgrade, you can complete the following steps:

If you modify these packages, ensure that you test thoroughly and run them at your own risk.

  1. From the Deploy menu, go to Software.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Click InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade and then click Edit.
  3. In the Update section of the Deploy Operations section, add any arguments to the end of the command in Run Command.

    For example, if you want to keep BitLocker active during a Windows 10 to Windows 10 upgrade, you can append that argument to the end of the command:

    powershell.exe -executionpolicy remotesigned -noninteractive -command ".\Invoke-Win10Upgrade.ps1" /Bitlocker ForceKeepActive

    The full list of commands available to Windows Setup can be found at: Microsoft Documentation: Windows Setup Command-Line Options.

Deploy software packages

After the software packages are ready, complete the following steps to complete the upgrade process:

  1. Deploy the Phase 1 package
  2. Review and remediate compatibility results
  3. Deploy Tanium package: registry - set value
  4. Deploy the Phase 2 package
  5. Deploy the Phase 3 package

Deploy the Phase 1 package

You cannot complete the following steps until the Windows 10 media you uploaded in Modify the Phase 1 software package has finished caching on the Tanium Server.

  1. From the Deploy menu, go to Software.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache and click Deploy Package.
  3. Select the desired options according to your environment, click Save, and then click Deploy Software.

    For this deployment, notifications are not necessary because actions are not visible to end users.

    Deploy this package on an ongoing basis. Deploy automatically runs this deployment on endpoints when they enter an eligible state.

Review and remediate compatibility results

Deploy includes sensors that are designed to help you determine endpoint readiness for the Windows 10 upgrade.

Deploy - Windows Upgrade Ready (Optional)

This sensor returns a True/False result as to whether systems are ready and meet the Windows 10 requirements for installation. A False result means that the scan failed for a variety of reasons or that you targeted an ineligible system, such as Windows Server, Mac, or Linux. Use this question for tracking counts of endpoints that are ready for upgrade.

Deploy - Windows Upgrade Scan Details

This sensor provides detailed information from Windows Setup, including specific compatibility blockers. Use this sensor for remediation in the following procedure.

Deploy - Windows Upgrade Scan Results (Optional)

This sensor produces the text of the scan and the result (return code) from Windows Setup. An example of a successful return code from Windows Setup is: 0xc1900210. Use this sensor for tracking groups of compatibility states. Review Windows Upgrade Scan Details and remediate errors.

Use the Deploy - Review Windows Upgrade Scan Details sensor to view more detailed information about compatibility failures. For example, some installed software might be incompatible with the upgrade process to this version of Windows. In this scenario, you might need to update or remove software before upgrading Windows.

You can use the Deploy - Review Windows Upgrade Scan Results sensor to review and remediate any conditions that prevent upgrade, such as low disk space or a compatibility block.
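As an added example (not from the Tanium documentation or the Deploy sensors), the following PowerShell decodes the return code that the Deploy - Windows Upgrade Scan Results sensor reports, so you can sort endpoints into ready and blocked groups before Phase 2. The code meanings are taken from Microsoft's Windows Setup Command-Line Options documentation for the /Compat ScanOnly mode; only 0xC1900210 appears on this page, and the sensor rows at the bottom are constructed samples.

```powershell
# Added example, not part of the Tanium documentation. Decodes the Windows Setup
# compatibility-scan return code reported by the Deploy - Windows Upgrade Scan
# Results sensor. Code meanings are from Microsoft's Windows Setup Command-Line
# Options documentation (/Compat ScanOnly); only 0xC1900210 is cited on this page.
$CompatScanCodes = @{
    '0xC1900210' = 'No compatibility issues found; ready to upgrade'
    '0xC1900208' = 'Compatibility issue found (hard block); review Scan Details and remediate'
    '0xC1900204' = 'Migration choice not available (wrong edition, architecture or language)'
    '0xC1900200' = 'Does not meet Windows 10 system requirements'
    '0xC190020E' = 'Insufficient free disk space'
}

function ConvertTo-ScanVerdict {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$ReturnCode   # as shown by the sensor, e.g. "0xc1900210"
    )
    # PowerShell parses "0x..." strings when casting to an integer type.
    $code = [uint32]$ReturnCode
    $key  = '0x{0:X8}' -f $code                     # normalise case and width
    $meaning = if ($CompatScanCodes.ContainsKey($key)) {
        $CompatScanCodes[$key]
    } else {
        'Unknown code; see %temp%\Win10IPU_CompatScan.txt on the endpoint'
    }
    [pscustomobject]@{
        Computer   = $Computer
        ReturnCode = $key
        Ready      = ($code -eq 0xC1900210)
        Meaning    = $meaning
    }
}

# Constructed sample of sensor output (computer name, return code):
$sample = @(
    @{ Computer = 'lab-pc-01'; ReturnCode = '0xc1900210' }
    @{ Computer = 'lab-pc-02'; ReturnCode = '0xc1900208' }
    @{ Computer = 'lab-pc-03'; ReturnCode = '0xc190020e' }
)
$verdicts = $sample | ForEach-Object {
    ConvertTo-ScanVerdict -Computer $_.Computer -ReturnCode $_.ReturnCode
}
$verdicts | Format-Table -AutoSize

# Endpoints that still need remediation before the Phase 2 re-scan:
$verdicts | Where-Object { -not $_.Ready } | Select-Object Computer, Meaning
```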

  1. Go to the Tanium Home page and in the Explore Data field, ask the following question:

    Get Windows Upgrade Scan Details from all machines

  2. (Optional) Filter to restrict the question to endpoints that you targeted with the Phase 1 deployment.
    1. From the Deploy menu, go to Deployments and click the InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache deployment.

      You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

    2. In the Summary section, click Summary next to Reporting and select View Online Data.
      A new Interact page appears with a question filtered to machines that ran this deployment.
    3. Replace the Get Deploy - Deployments portion of the question with Get Deploy - Windows Upgrade Scan Details.
    4. Select the new question for the filtered view of Get Deploy - Windows Upgrade Scan Details.
  3. Identify remediation strategies for blocking conditions. For example, if an answer indicates an installed application is not compatible, deploy a Deploy Software Package or Tanium Package to update or remove that application.
  4. (Optional) If remediating with a Deploy Software Package or Tanium Package, consider using the Custom Tagging - Add Tags Tanium Package to apply a custom tag before deploying the remediation to easily track the remediated endpoints. For more information, see Tanium Community: How to Group Computers Based on Your Organization’s Needs Using Custom Tags.

Deploy Tanium package: registry - set value

After you have remediated any blocking issues, you must set the registry value to enable Phase 2 to run.

  1. Ask a Tanium question that identifies the remediated endpoints. For example, if you used a custom tag called Win10Remediated to identify endpoints in the previous step, ask the following question:

    Get Online from machines with custom tags equals Win10Remediated

  2. Select the answer indicating the remediated endpoints and click Deploy Action.
  3. Select the Tanium Package: Registry - Set Value.
  4. Select the OS Architecture according to the targeted endpoints.
  5. For Registry Key Name, enter HKEY_LOCAL_MACHINE\Software\WOW6432Node\Tanium\Tanium Client\OSD.
  6. For Value Name, enter Status.
  7. For Value Data, enter WIM File Copied.
  8. For Value, select REG_SZ.
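As an added example (not the Registry - Set Value package's own code), the equivalent of steps 4 to 8 run locally in PowerShell on a single remediated endpoint, which is useful for verifying what the package writes before targeting many machines. The 64-bit key path is the one given above; the 32-bit path without WOW6432Node is an assumption.

```powershell
# Added example, not part of the Tanium documentation or packages. Writes the
# same REG_SZ value that the Registry - Set Value package sets, with -WhatIf
# support so you can preview the change. The 32-bit key path is an assumption.
function Set-OsdStatusFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Status = 'WIM File Copied'   # value data from the procedure above
    )
    # Pick the key path for the endpoint's architecture (OS Architecture in step 4).
    $keyPath = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Tanium\Tanium Client\OSD'
    } else {
        'HKLM:\SOFTWARE\Tanium\Tanium Client\OSD'    # assumed 32-bit location
    }
    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key $keyPath not found on this endpoint"
    }
    $current = (Get-ItemProperty -Path $keyPath -Name Status -ErrorAction SilentlyContinue).Status
    Write-Verbose "Current OSD Status value: '$current'"
    if ($PSCmdlet.ShouldProcess($keyPath, "Set Status (REG_SZ) to '$Status'")) {
        Set-ItemProperty -Path $keyPath -Name Status -Value $Status -Type String
    }
    # Return the value as it now stands so the caller can confirm it.
    (Get-ItemProperty -Path $keyPath -Name Status -ErrorAction SilentlyContinue).Status
}

# Preview first, then apply (run from an elevated PowerShell session):
Set-OsdStatusFlag -WhatIf
Set-OsdStatusFlag -Verbose
```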

After you are ready to rescan any endpoints, proceed to Deploy the Phase 2 package to force a compatibility re-scan.

Deploy the Phase 2 package

The Phase 2 deployment uses the Windows Setup files to run the same compatibility scan that runs during the Phase 1 deployment. If there were no compatibility errors during the Phase 1 deployment, the Phase 2 deployment is not required and all endpoints that completed the Phase 1 deployment have the Installed applicability status. If errors were remediated and the registry value was set, as described in Deploy Tanium package: registry - set value, the Phase 2 deployment appears in the Update Eligible applicability status on those endpoints.

  1. From the Deploy menu, go to Software.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase2 - Pre-Scan and click Deploy Package.
  3. In the Targeting section, select the same targets or a subset of the targets that you configured for the Phase 1 deployment.
  4. Select the desired options according to your environment, click Save, and then click Deploy Software.

    For this deployment, notifications are not necessary because you are running a scan that is not visible to end users.

    Deploy this package on an ongoing basis. Deploy automatically runs this deployment on endpoints when they enter an eligible state.

After you deploy the Phase 2 package, review compatibility results again for any targeted endpoints that are not in Installed status for the Phase 2 package. Some endpoints might take several iterations of remediation before the compatibility scan passes.

Deploy the Phase 3 package

The Phase 3 deployment depends on the successful completion of the Phase 1 and Phase 2 deployments. This deployment executes the Windows Upgrade.

  1. From the Deploy menu, go to Software.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade and click Deploy Package.
  3. In the Targeting section, select the same target as the Phase 1 deployment or the desired targets that you want to start the upgrade. Endpoints that are not in Installed status for both the Phase 1 and Phase 2 deployments cannot execute this software package operation, so there is no need to restrict targeting based on the previous phase results.
  4. Select the desired deployment options based on your environment, click Save, and then click Deploy Software.

    Pre-notify the user, post-notify the user, and force a restart as part of the deployment. The upgrade does not complete until the computer is restarted and fails if the user shuts down the computer while it is running. As a result, it is necessary to inform the user that a Windows upgrade is beginning and subsequently that their computer must be restarted.

If the Phase 3 deployment does not complete successfully, action lock might be turned on for some endpoints. For more information about how to find endpoints with action lock enabled and how to disable action lock, see Tanium Console User Guide: Test action lock and Tanium Console User Guide: Turn off action lock.

Deploy Cleanup

After you complete the Phase 3 deployment, or if you need to run the Phase 1 deployment again, use the Windows 10 Upgrade Cleanup software package to remove artifacts and enable future use of the Windows 10 upgrade software packages.

  1. From the Deploy menu, go to Software.
  2. Select Windows 10 Upgrade Cleanup and click Deploy Package.
  3. In the Targeting section, select Set Targeting Criteria for endpoints to remove Windows 10 upgrade artifacts. For example, you can enter the following targeting filter to clean up endpoints that completed the 21H1 x64 upgrade:

    Deploy - Installed Software Packages matches .*InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade.*Installed

    If necessary, replace the software package name to match the package you deployed.

  4. Select the desired options according to your environment, click Save, and then click Deploy Software.

For more information about deployment settings, see Deploying software.

Troubleshooting

You can access detailed logs for each phase of the Windows Upgrade.

To troubleshoot Windows Setup errors in each phase, review the appropriate log file from an affected endpoint:

  • Phase 1 media caching: %temp%\Win10IPU_PreCache.txt
  • Phases 1 and 2 compatibility scan: %temp%\Win10IPU_CompatScan.txt
  • Phase 3 Windows setup: %temp%\Win10IPU_Upgrade.txt
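As an added example (not from the Tanium documentation), a helper that shows the tail of the per-phase log listed above on an affected endpoint. It assumes the Tanium Client runs as LocalSystem, so %temp% in the scripts resolves to C:\Windows\Temp rather than the temp folder of the administrator reading the logs; both locations are checked.

```powershell
# Added example, not part of the Tanium documentation. Shows the last lines of
# the per-phase log file. Assumption: the Tanium Client runs as LocalSystem, so
# the scripts' %temp% is C:\Windows\Temp, not the current user's temp folder.
function Get-Win10IpuLog {
    param(
        [Parameter(Mandatory)][ValidateSet('PreCache', 'CompatScan', 'Upgrade')]
        [string]$Phase,
        [int]$Tail = 40
    )
    $fileName = "Win10IPU_$Phase.txt"
    $candidates = @(
        (Join-Path $env:SystemRoot 'Temp'),   # %temp% of the SYSTEM account (assumed)
        $env:TEMP                              # %temp% of the current user
    )
    foreach ($dir in $candidates) {
        $path = Join-Path $dir $fileName
        if (Test-Path -Path $path) {
            $info = Get-Item -Path $path
            Write-Host ('{0}  ({1} bytes, written {2})' -f $path, $info.Length, $info.LastWriteTime)
            return Get-Content -Path $path -Tail $Tail
        }
    }
    Write-Warning "$fileName not found in $($candidates -join ', ')"
}

# Typical use after a failed Phase 3 deployment, run on the affected endpoint:
Get-Win10IpuLog -Phase Upgrade
```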

For problems with Windows Setup, see the appropriate Microsoft log files as described in Microsoft Support: Log files that are created when you upgrade to a new version of Windows.

For general Deploy troubleshooting, see Troubleshooting Deploy.