Use case: Upgrading Windows

You can use Tanium Deploy to prepare and deploy Windows upgrades to your Windows endpoints. To complete a Windows upgrade, you must understand how to target and deploy software packages in Deploy.

Overview

Deploy supports the upgrade of Windows 7 Service Pack 1 and later to Windows 10 and upgrades of Windows 10 to newer builds of Windows. You can use Deploy to handle the Windows upgrade process in three phases:

Phase 1: Download Windows media and scan for compatibility

You can choose from two options for downloading and installing the Windows media in preparation for the upgrade:

  • Phase 1: Pre-Cache—The Phase 1 Pre-Cache software package invokes a PowerShell script to copy the files that are required for the upgrade to the C:\Deploy directory on the endpoint. After the files are in place, the PowerShell script runs Windows Setup to check for upgrade compatibility. The script then takes the information returned from Windows Setup and records the results in the registry. This option is the best choice for updating many Windows endpoints that are in the same physical network location.
  • Phase 1: Direct Cache—This method uses a script to determine the correct URL for the Windows media that matches the architecture, edition, and language of the endpoint being upgraded and then downloads that media directly from Microsoft. This method is the best choice for updating Windows endpoints that are not peering with other Tanium-managed endpoints, such as those used by remote workers. It is also the best choice for managing many different language versions of Windows.

The following instructions assume that you are using the Phase 1: Pre-Cache option for peered Windows endpoints. For information about targeting both peered and non-peered Windows endpoints, see Tanium Community: Managing Windows 10 in a Distributed-Workforce World.

Phase 2: Compatibility remediation and re-scan

If the Phase 1 compatibility scan fails, you must remediate any problems. You can use the Phase 2 software package to force a new scan. Rescanning is necessary if there is a compatibility problem detected in the Phase 1 scan that is later remediated.

Phase 3: Windows Upgrade

The Phase 3 software package invokes a PowerShell script that runs Windows Setup to perform the upgrade.

Before you begin

To set up your Windows 10 upgrade, you must have the Windows 10 media (ISO or ESD file) that corresponds to the Windows 10 version, channel, architecture, and language that you want to deploy.

Your security administrator must create security exclusions to ensure successful operation of Tanium Deploy and the Tanium Client. Additional security exclusions for Windows are required for Windows upgrades.

If you have any questions about implementing Windows upgrades in your environment, contact Tanium Support to discuss your testing and implementation plans.

Import software packages

To begin, you must import three software packages from the predefined package gallery. The following examples use Windows 10 Version 21H1, 64-bit. Substitute with the version and architecture you are deploying as needed.

  1. From the Deploy menu, go to Software, and then click Predefined Package Gallery.

    You can use the filter or search options to narrow the list to Microsoft Windows upgrades.

  2. Select the following three packages:
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase2 - Re-Scan
    • InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade
  3. Click Import, confirm the action, and then click Go To Software Packages.

    A warning might appear indicating there are pending software package changes and that the catalog must be distributed. You can skip distributing the catalog in this step, as you need to do it again after providing the Windows 10 media.

Review and modify software packages

Before you deploy the packages, you must upload the downloaded ISO or ESD files, and then make some modifications to the software packages in the following order:

  1. Modify the Phase 1 software package
  2. View the Phase 2 software package
  3. (Optional) Modify the Phase 3 software package

Modify the Phase 1 software package

  1. From the Deploy menu, go to Software.
  2. Click InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache and then click Edit.
  3. Expand Package Files, and then click 7Zip.msi.
  4. Copy the URL of the 7-Zip MSI file in the origin field and paste it in a browser window to download it to the local computer. Click Delete.
  5. Click Add Package Files. Click Local File. Browse to the location that you saved the MSI file in the previous step. Click Open.
  6. Expand Package Files, and then click Add Package Files > Local File.
  7. Navigate to the ISO or ESD file and then click Open.

    After the upload completes, the file entry with its SHA-256 hash appears.

  8. (Optional) If a locale other than en-us is required, edit the Update Detection and Install Verification rule and change 1033 to the appropriate language ID. For more information and a complete list of all language/region decimal IDs, see Microsoft Documentation: Available languages for Windows.
  9. Click Update Package and then if prompted, click Distribute Catalog.

    After you update the package, the Module Server transfers files to the Tanium Server. This process could take up to 30 minutes. You cannot deploy the Phase 1 software package to any clients until it completes.

View the Phase 2 software package

This package triggers a new scan after remediating any problems with the Phase 1 scan. Modifications to this software package are not required or supported.

(Optional) Modify the Phase 3 software package

The PowerShell script associated with Phase 3 starts the Windows Setup upgrade process and in most cases should need no modification. The script runs Windows Setup with the following command line arguments:

/auto Upgrade /NoReboot /Quiet /DynamicUpdate disable /ShowOOBE none /Telemetry disable /Uninstall enable

If you modify these packages, ensure that you test thoroughly; you run modified packages at your own risk.

If you need to append additional arguments to the command line that Windows Setup uses for the upgrade, complete the following steps:

  1. From the Deploy menu, go to Software.
  2. Click InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade and then click Edit.
  3. In the Update section of the Deploy Operations section, add any arguments to the end of the command in Run Command.

    For example, if you want to keep BitLocker active during a Windows 10 to Windows 10 upgrade, you can append that argument to the end of the command:

    powershell.exe -executionpolicy remotesigned -noninteractive -command ".\Invoke-Win10Upgrade.ps1" /Bitlocker ForceKeepActive

    The full list of commands available to Windows Setup can be found at: Microsoft Documentation: Windows Setup Command-Line Options.

Deploy the Phase 1 software package

You cannot complete the following steps until the Windows 10 media you uploaded in Modify the Phase 1 software package has finished caching on the Tanium Server.

  1. From the Deploy menu, go to Software.
  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache and click Deploy Package.
  3. Select the desired options according to your environment, click Save, and then click Deploy Software.

    For this deployment, notifications are not necessary because actions are not visible to end users.

    Deploy this package on an ongoing basis. Deploy automatically runs this deployment on endpoints when they enter an eligible state.

Review and remediate compatibility results

After deploying the Phase 1 software package, you must check for and remediate any compatibility problems on endpoints. If all targeted endpoints show an applicability status of Installed for Phase 1, then you can skip to Deploy the Phase 3 software package.

Use the following sensors to help you determine endpoint readiness for the Windows 10 upgrade:

Deploy - Windows Upgrade Ready (Optional)

This sensor returns a True/False result indicating whether systems are ready and meet the Windows 10 requirements for installation. A False result means either that the scan failed, for any of a variety of reasons, or that you targeted an ineligible system, such as Windows Server, Mac, or Linux. Use this question for tracking counts of endpoints that are ready for upgrade.

Deploy - Windows Upgrade Scan Details

This sensor provides detailed information from Windows Setup, including specific compatibility blockers. Use this sensor for remediation in the following procedure.

Deploy - Windows Upgrade Scan Results (Optional)

This sensor produces the text of the scan and the result (return code) from Windows Setup. An example of a successful return code from Windows Setup is 0xc1900210. Use this sensor for tracking groups of compatibility states. Review Deploy - Windows Upgrade Scan Details and remediate errors.

Use the Deploy - Windows Upgrade Scan Details sensor to view more detailed information about compatibility failures. For example, some installed software might be incompatible with the upgrade process to this version of Windows. In this scenario, you might need to update or remove software before upgrading Windows.

You can use the Deploy - Windows Upgrade Scan Results sensor to review and remediate any conditions that prevent upgrade, such as low disk space or a compatibility block.

  1. Go to the Tanium Home page and in the Explore Data field, ask the following question:

    Get Windows Upgrade Scan Details from all machines

  2. (Optional) Filter to restrict the question to endpoints that you targeted with the Phase 1 deployment.
    1. From the Deploy menu, go to Deployments and click the InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase1 - Pre-Cache deployment.
    2. In the Summary section, click Summary next to Reporting and select View Online Data.
      A new Interact page appears with a question filtered to machines that ran this deployment.
    3. Replace the Get Deploy - Deployments portion of the question with Get Deploy - Windows Upgrade Scan Details.
    4. Select the new question for the filtered view of Get Deploy - Windows Upgrade Scan Details.
  3. Identify remediation strategies for blocking conditions. For example, if an answer indicates an installed application is not compatible, deploy a Deploy Software Package or Tanium Package to update or remove that application.
  4. (Optional) If remediating with a Deploy Software Package or Tanium Package, consider using the Custom Tagging - Add Tags Tanium Package to apply a custom tag before deploying the remediation to easily track the remediated endpoints. For more information, see Tanium Community: How to Group Computers Based on Your Organization’s Needs Using Custom Tags.

Deploy Tanium package: Registry - Set Value

If you have remediated any blocking issues and are ready to re-scan those endpoints for compatibility, you must set a registry value to enable Phase 2 to run.

  1. Ask a Tanium question that identifies the remediated endpoints. For example, if you used a custom tag called Win10Remediated to identify endpoints in the previous step, ask the following question:

    Get Online from machines with custom tags equals Win10Remediated

  2. Select the answer indicating the remediated endpoints and click Deploy Action.
  3. Select the Tanium Package: Registry - Set Value.
  4. Select the OS Architecture according to the targeted endpoints.
  5. For Registry Key Name, enter HKEY_LOCAL_MACHINE\Software\WOW6432Node\Tanium\Tanium Client\OSD.
  6. For Value Name, enter Status.
  7. For Value Data, enter WIM File Copied.
  8. For Value, select REG_SZ.

After you are ready to rescan any endpoints, proceed to Deploy the Phase 2 software package to force a compatibility re-scan.
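The Registry - Set Value action above writes a single string value that gates Phase 2. The following PowerShell is an added example for a lab endpoint, not Tanium's own code or the package's script: it writes the same value and reads it back, so you can confirm what the Tanium action should leave behind before and after deploying it. It assumes the 64-bit key path given in this procedure, PowerShell 5.1 or later, and an elevated session; the function name Set-OsdRescanGate and the handling of a missing key are this example's own choices.

```powershell
# Added example, not Tanium's code: set and verify the Phase 2 re-scan gate value.
# Key path, value name and data are the ones from the Registry - Set Value steps above.
$OsdKey   = 'HKLM:\SOFTWARE\WOW6432Node\Tanium\Tanium Client\OSD'
$GateName = 'Status'
$GateData = 'WIM File Copied'

function Get-OsdStatus {
    # Returns the current Status string, or $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $OsdKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $OsdKey -Name $GateName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$GateName
}

function Set-OsdRescanGate {
    # Supports -WhatIf so the write can be previewed on a test endpoint.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-OsdStatus
    if (-not (Test-Path -LiteralPath $OsdKey)) {
        # A Registry - Set Value action creates the key when it is missing (assumption);
        # this example does the same but warns, because a missing OSD key suggests
        # Phase 1 never ran here and Phase 2 will have nothing to re-scan.
        Write-Warning "OSD key not found on $env:COMPUTERNAME; creating it."
        if ($PSCmdlet.ShouldProcess($OsdKey, 'Create key')) {
            New-Item -Path $OsdKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($OsdKey, "Set $GateName = '$GateData' (REG_SZ)")) {
        # -PropertyType String is REG_SZ, matching the Value type selected in the action.
        New-ItemProperty -LiteralPath $OsdKey -Name $GateName -Value $GateData `
            -PropertyType String -Force | Out-Null
    }

    $after = Get-OsdStatus
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = $after
        # Phase 2 becomes Update Eligible only when the exact string is present.
        Eligible = ($after -eq $GateData)
    }
}

# Example run:
#   Set-OsdRescanGate -WhatIf   # preview the key and value writes
#   Set-OsdRescanGate           # apply, then show Before/After/Eligible
#   Get-OsdStatus               # read-only check on any endpoint
```

Run Get-OsdStatus alone on an endpoint that already received the Tanium action to confirm the value landed as REG_SZ with the exact string; a typo such as a trailing space leaves Phase 2 out of the Update Eligible state.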

Deploy the Phase 2 software package

The Phase 2 deployment uses the Windows Setup files to run the same compatibility scan that runs during the Phase 1 deployment. If there were no compatibility errors during the Phase 1 deployment, then the Phase 2 deployment is not required. If errors were remediated and the registry value was set, the Phase 2 software package appears in the Update Eligible applicability status on those endpoints and should be deployed.

  1. From the Deploy menu, go to Software.
  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase2 - Re-Scan and click Deploy Package.
  3. In the Targeting section, select the same targets or a subset of the targets that you configured for the Phase 1 deployment.
  4. Select the desired options according to your environment, click Save, and then click Deploy Software.

    For this deployment, notifications are not necessary because you are running a scan that is not visible to end users.

    Deploy this package on an ongoing basis. Deploy automatically runs this deployment on endpoints when they enter an eligible state.

After you deploy the Phase 2 software package, review compatibility results again for any targeted endpoints that are not in Installed status for the Phase 2 software package. Some endpoints might take several iterations of remediation before the compatibility scan passes.

Deploy the Phase 3 software package

The Phase 3 deployment depends on the successful completion of the Phase 1 and Phase 2 deployments. This deployment executes the Windows Upgrade.

  1. From the Deploy menu, go to Software.
  2. Select InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade, click Deploy Package.
  3. In the Targeting section, select the same targets as the Phase 1 deployment, or the targets on which you want to start the upgrade. Endpoints that are not in Installed status for both the Phase 1 and Phase 2 deployments cannot execute this software package operation, so there is no need to restrict targeting based on the previous phase results.
  4. Select the desired deployment options based on your environment, click Save, and then click Deploy Software.

    Pre-notify the user, post-notify the user, and force a restart as part of the deployment. The upgrade does not complete until the computer is restarted and fails if the user shuts down the computer while it is running. As a result, it is necessary to inform the user that a Windows upgrade is beginning and subsequently that their computer must be restarted.

If the Phase 3 deployment does not complete successfully, action lock might be turned on for some endpoints. For more information about how to find endpoints with action lock enabled and how to disable action lock, see Tanium Console User Guide: Test action lock and Tanium Console User Guide: Turn off action lock.

Deploy Cleanup

After you complete the Phase 3 deployment, or if you need to run the Phase 1 deployment again, use the Windows 10 Upgrade Cleanup software package to remove upgrade artifacts and enable future use of the Windows 10 upgrade software packages.

  1. From the Deploy menu, go to Software.
  2. Select Windows 10 Upgrade Cleanup and click Deploy Package.
  3. In the Targeting section, select Set Targeting Criteria for endpoints to remove Windows 10 upgrade artifacts. For example, you can enter the following targeting filter to clean up endpoints that completed the 21H1 x64 upgrade:

    Deploy - Installed Software Packages matches .*InPlace Upgrade to Windows 10 Version 21H1 x64 - Phase3 - Upgrade.*Installed and Windows OS Release ID matches 21H1

    If necessary, replace the software package name and release ID to match the package you deployed.

  4. Select the desired options according to your environment, click Save, and then click Deploy Software.

To check for Phase 3 success, ask the question Get Operating System?maxAge=60 from all computers. If an endpoint does not answer with the operating system you deployed, the upgrade was not successful. See Troubleshooting. The maxAge parameter ensures that the answer is updated immediately.

For more information about deployment settings, see Deploying software.

Troubleshooting

You can access detailed logs for each phase of the Windows Upgrade.

To troubleshoot Windows Setup errors in each phase, review the appropriate log file from an affected endpoint:

  • Phase 1 media caching: %temp%\Win10IPU_PreCache.txt
  • Phases 1 and 2 compatibility scan: %temp%\Win10IPU_CompatScan.txt
  • Phase 3 Windows setup: %temp%\Win10IPU_Upgrade.txt

For problems with Windows Setup, see the appropriate Microsoft log files as described in Microsoft Support: Log files that are created when you upgrade to a new version of Windows.
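The following PowerShell is an added example for triage on an affected endpoint, not Tanium's code: it collects the three per-phase logs listed above, pulls any Windows Setup result codes out of them, and checks which Windows 10 version is actually running after Phase 3 (the same fact the Get Operating System question reports). It assumes it runs in the context whose %temp% the logs were written to, and that result codes appear in the log text in 0xC19xxxxx hexadecimal form; the code table comes from Microsoft's Windows Setup command-line documentation referenced earlier on this page, and the function names are this example's own.

```powershell
# Added example, not Tanium's code: gather phase logs, decode Setup result codes,
# and verify the running Windows 10 version after an upgrade attempt.

# Log names and locations are the ones listed in Troubleshooting above.
$PhaseLogs = [ordered]@{
    'Phase 1 media caching'             = Join-Path $env:TEMP 'Win10IPU_PreCache.txt'
    'Phases 1 and 2 compatibility scan' = Join-Path $env:TEMP 'Win10IPU_CompatScan.txt'
    'Phase 3 Windows Setup'             = Join-Path $env:TEMP 'Win10IPU_Upgrade.txt'
}

# Windows Setup compatibility-scan exit codes (Microsoft Windows Setup documentation).
$SetupCodes = @{
    '0xC1900210' = 'No compatibility issues found (scan succeeded)'
    '0xC1900208' = 'Compatibility issues found (hard block), e.g. incompatible application'
    '0xC1900204' = 'Requested migration choice (edition or keep-settings) not available'
    '0xC1900200' = 'System does not meet Windows 10 requirements'
    '0xC190020E' = 'Insufficient free disk space'
}

function Resolve-SetupCode {
    param([Parameter(Mandatory)][string]$Code)
    # Accept "c1900210", "0xC1900210", or the decimal form a sensor or log might show
    # (3247440400 unsigned, or -1047526896 signed), and normalise to the table key.
    if ($Code -match '^-?\d+$') {
        $hex = '0x{0:X8}' -f [uint32](([int64]$Code) -band 4294967295)
    } else {
        $hex = '0x' + ($Code -replace '^0[xX]', '').ToUpper()
    }
    if ($SetupCodes.ContainsKey($hex)) { $meaning = $SetupCodes[$hex] }
    else { $meaning = 'Not in table; check the Microsoft Setup logs (setupact.log, setuperr.log)' }
    [pscustomobject]@{ Code = $hex; Meaning = $meaning }
}

function Get-PhaseLogReport {
    param([int]$TailLines = 20)
    foreach ($entry in $PhaseLogs.GetEnumerator()) {
        $path = $entry.Value
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing log usually means that phase never ran on this endpoint.
            [pscustomobject]@{ Phase = $entry.Key; Log = $path; Present = $false
                               LastWrite = $null; Codes = @(); Tail = @() }
            continue
        }
        $text  = [string](Get-Content -LiteralPath $path -Raw)   # '' for an empty file
        $codes = @([regex]::Matches($text, '0x[Cc]19[0-9A-Fa-f]{5}') |
                   ForEach-Object { $_.Value } | Sort-Object -Unique |
                   ForEach-Object { Resolve-SetupCode $_ })
        [pscustomobject]@{
            Phase     = $entry.Key
            Log       = $path
            Present   = $true
            LastWrite = (Get-Item -LiteralPath $path).LastWriteTime
            Codes     = $codes
            Tail      = @(Get-Content -LiteralPath $path -Tail $TailLines)
        }
    }
}

function Test-UpgradeLanded {
    param([Parameter(Mandatory)][string]$ExpectedDisplayVersion)   # e.g. '21H1'
    # Windows 10 20H2 and later expose the marketing version in DisplayVersion;
    # older builds only have ReleaseId, so fall back to it there.
    $cv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.PSObject.Properties['DisplayVersion']) { $actual = $cv.DisplayVersion }
    else { $actual = $cv.ReleaseId }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Expected = $ExpectedDisplayVersion
        Actual   = $actual
        Build    = $cv.CurrentBuild
        Upgraded = ($actual -eq $ExpectedDisplayVersion)
    }
}

# Example run on an affected endpoint:
#   Get-PhaseLogReport | Format-List
#   Resolve-SetupCode '0xc1900208'
#   Test-UpgradeLanded -ExpectedDisplayVersion '21H1'
```

The report is most useful when Phase 3 ends without the expected version: a Phase 3 log whose extracted code is 0xC1900208 points back to the remediation loop in Review and remediate compatibility results rather than to a restart or action lock problem, while a missing Phase 3 log means the package never ran on that endpoint.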

For general Deploy troubleshooting, see Troubleshooting Deploy.