Jump to content


anyweb

How can I forcefully upgrade Windows 7 or Windows 10 to the latest version of Windows 10 using System Center Configuration Manager (Current Branch)?

Recommended Posts

Note: I've upgraded the wrapper to PowerShell 2019/01/06 as explained here.

Introduction

This blog post is all about upgrading to Windows 10, either from Windows 7 or from an earlier release of Windows 10 to the latest release of Windows 10.

Windows 10 is probably one of the fastest developing operating systems from Microsoft yet, and was initially released in July 2015 as Windows 10 version 1507. The version 1507 nomenclature equates to (YYMM) or year year, month month so you'll always know when a version was released to manufacturing (declared RTM). So far we've seen the following Windows 10 mainstream versions (not including LTSB/LTSC)

  • Windows 10 version 1507
  • Windows 10 version 1511
  • Windows 10 version 1607
  • Windows 10 version 1703
  • Windows 10 version 1709
  • Windows 10 version 1803
  • Windows 10 version 1809

As each new version of Windows 10 is released, the new features it contains ensure that it is desirable to some and it's just a matter of time before people want to upgrade to that version given the chance, but even with all the latest and greatest features, some users just won't upgrade if given the choice for whatever reason.

There is however another element to consider and that how long Microsoft will release security updates for any given release of Windows 10 (i.e. how long is that release supported by Microsoft). Michael Niehaus discusses simplifying Windows As A Service (WAAS) here but in a nutshell there is an 18-month servicing timeline for each release however, Microsoft have added an additional 6 months to ease your pain, for now.

Update: In September 2018, Microsoft blogged the following after years of listening to customers complaining about the WAAS support lifecycle. In a nutshell, there are two main releases of Windows 10 for the Enterprise to think about going forward, the 03 releases (18 month support) and the 09 releases (30 months support). Based on that statement alone, Enterprises will most likely opt for the 09 releases to avoid disruption to business and to their end users.

This leads you to deal with the security support ability in a couple of ways, you can make the new upgrade available in Software center and hope your users will upgrade (seriously do you think they will ?), or you can get tough and decide when and where they will upgrade. To do that you have two options:

  • servicing plans
  • task sequences

I've discussed servicing plans here so I won't go over that subject again, they are a valid option for many but are not very dynamic. With task sequences you have far greater control over how to deal with things that can break servicing plans (such as incompatible AntiVirus software or Windows Language packs). Assuming that you've made the choice to use task sequences to forcefully upgrade your computers to the next version of Windows the next problem is how do you force the upgrade. The answer is defined by the purpose of the task sequence deployment, namely Required (or mandatory).

Just mentioning the words Required and Task Sequence is usually enough to make any seasoned ConfigMgr admin shiver. Why ? well there are many cases of people who've had career changing events in relation to required task sequences, therefore using them must come with a big fat warning, so here it is.

 WARNING!

Using required task sequences is risky!

Use them with extreme care and always test thoroughly.

Disclaimer: if you choose this method and it all goes wrong, I'm sorry, I cannot accept liability. In this guide I show you how to set it up in a safe way and I include a 'get out of jail free' in case you make a mistake. It's up to you to test what works in your organization and what doesn't. My advice is that you test this thoroughly in a lab and once you are happy with the results, recreate it in production and continue to test it thoroughly. Also, be very careful about how you add computers to the required collection especially if it involves queries.

Note: The Get out of Jail free step will help to secure your environment towards any accidental upgrades.

Now that that is out of the way, let's get on with it. In this post I'll show you one way of forcefully upgrading your computers from a soon to be unsupported version of Windows 10 to the latest and greatest, and I'll include steps and advice to help you 'protect' yourself from disaster. In this guide we'll be forcing our source Windows 10 version 1511 computers to upgrade to the target Windows 10 version 1607.

Note: you can always change the target Windows 10 version to whatever build you want (using the TargetBuild variable) as described in the Troubleshooting section at the end of this guide.

Notifying users

There is one other thing to consider about required task sequences, they are normally for all intents and purposes zero touch meaning no user interaction. That is fine for simple quick changes such as upgrading applications but if your users are going to have one or two hours downtime due to a forced Windows upgrade, you'll want to notify them and give them options to defer for a limited time period to a time that makes sense for them. In this guide I assume that the client setting Show notifications for new deployments in Computer Agent is set to No, that is a common client setting in organizations as it means less annoyances for the end user and of course there are other ways to notify a user about mandatory actions (PowerShell Application Deployment Toolkit for example).

The recently released System Center Configuration Manager (Current Branch) version 1702  contains a great ability to edit the user notification message shown to users but it's limited in ability and it depends on your configured notification settings. So how do we solve that problem in a nice way. ConfigMgr allows us to chain programs before the task sequence begins and that's the key to this solution.

Step 1a. Get out of jail free (recommended)

The wrapper will not allow the HTA to display if a file called DO_NOT_UPGRADE.txt is present in C:\ProgramData. If you are paranoid about accidental upgrades (and you should be if using required task sequences) then do as follows.

1. Create a package (with no content) with a program to deploy a text file to all computers that are at risk of accidental deployment. Run the package daily. The program is simply a one liner as follows:

cmd.exe /c echo "Windows 10 Required Upgrade" > C:\ProgramData\DO_NOT_UPGRADE.txt

2. Target the OSD Servicing Required Deployment collection with another package/program that will remove the Do_NOT_Upgrade.txt file. Run the package every 2 hours. The program is again a one-liner, as follows:

cmd.exe /c echo "Y" | del C:\ProgramData\Do_Not_Upgrade.txt

The above actions should protect your computers from accidentally being targeted by the task sequence. Any computer that has the Do_NOT_Upgrade.txt file present, will not show the popup (HTA) and will not run the task sequence and thus, will not upgrade until you are ready to do so.

Step 1b. Create some collections (optional)

This step is optional but recommended as it will give you a base of collections to manage your deployments. To complete this step download the CreateWindows10DeviceCollections.ps1 PowerShell script in the downloads section and run it as Administrator in PowerShell ISE as shown below. This script not only creates collections to make your job of finding different versions of Windows 10 easier, but it adds queries, include and exclude rules as necessary.

powershell script.png

and below is a subset of the collections created (there are 18 in total).

collections in ConfigMgr.png

The OSD Servicing Required Deployment collection is limited to Windows 10 version 1511 as that is our target for the required upgrade. This does not mean that it will use all computers in that collection it just means it will only use computers added to the OSD Servicing Required Deployment collection provided that they are also present in All Windows 10 version 1511. This ensures that you are targeting the correct version of Windows 10 for the required upgrade.

Step 2. Create a Package/Program

In this step you'll add a simple package/program that contains a few scripts. These scripts have error checking, logging and more built in so that you can trace what was done and when. These scripts will be chained to the required task sequence meaning that they must run successfully (with an exit code of 0) before the actual task sequence can start. User actions such as Defer in the popup will force an exit code 99 and the task sequence cannot start.

Download the scripts in the downloads section and extract somewhere useful. Copy the Required Windows 10 Upgrade folder to your source folder on your ConfigMgr server.

folder on configmgr sources server.png

In the ConfigMgr console, select Application Management, Packages and Create Package.

create package.png

Give the new package a suitable name such as Required Upgrade to Windows 10 and point it to the source folder.

package name.png

For Program Type, choose Standard Program.

standard program.png

In the Specify information about this standard program screen fill in the following details,

Note: keep in mind that if you set Program can run Only when a user is logged on that that becomes a requirement, i.e. that a user must be logged on in order for this to run. You may want to get even tougher and set the Program can run option to Whether or not a user is logged on. If you do set it to Whether or not a user is logged on, and if the user is not logged on, the scripts will write to HKEY_USERS\.DEFAULT\Software\windowsnoob and you may need to update the scripts to detect this change.

  • Name: start-upgrade.ps1
  • Command line: Powershell.exe -Executionpolicy bypass ".\Start-Upgrade.ps1"
  • Startup folder:
  • Run:  Hidden
  • Program can run: Only when a user is logged on
  • Run mode: Run with user's rights
  • Drive Mode: Runs with UNC name

standard program properties.png

Note: If your target computers are running Windows 7, then place a check mark in the All Windows 7 (64 bit) box also.

in the Specify the requirements for this standard program screen use the following values

This Program can run on only on specified platforms: All Windows 10 (64 bit)

Estimated disk space: 10 MB

Maximum allowed time (minutes): 250

requirements.png

click next through to completion.

package complete.png

Step 3. Modify the package

On the newly created package, right click and choose Properties, click the Data Access tab. Select Copy the content in this package to a package share on distribution points

data access.png

Click Apply and OK.

Step 4. Distribute the package to your distribution points

Right click the package and choose Distribute Content

distribute content.png

select your distribution points and continue through the wizard until completion

select dps.png

Step 5. Modify an existing Windows 10 Required Upgrade task sequence

In this step I'll assume you've already created your Windows 10 Required Upgrade task sequence. If you haven't already then take a look at this post to see how. Locate the task sequence in the ConfigMgr console, right click and choose Properties, in the Advanced tab place a check mark in Run another program first and select the Windows 10 Required Upgrade program. In the Run only on the specified client platforms screen select All Windows 10 (64 bit).

Note: Make sure that Always run this program first is checked.

Note: If your target computers are running Windows 7, then place a check mark in the All Windows 7 (64 bit) box also.

advanced tab.png

Next, edit the task sequence and add a new Set Task Sequence Variable step as the first step in the task sequence, name it Is upgrade allowed to run. Fill in the following values

  • Task Sequence Variable: Upgrade_Forced
  • Value: True

upgrade forced.png

Click on the options tab and add the following options:

If ALL the conditions are true:

File C:\ProgramData\Upgrade_Forced.txt exists

If None of the conditions is true:

WMI Query: select * from Win32_OperatingSystem where VERSION = "10.0.15063"

If None the conditions are true:

File C:\ProgramData\DO_NOT_UPGRADE.txt exists

These three checks allow us to halt the task sequence on computers that don't meet our upgrade criteria.

Note: You'll need to decide what build is deemed 'the latest version' of Windows 10 in your organization and change accordingly. In this post I'm assuming that is Windows 10 version 1703 (build 10.0.15063).

options tab.png

 

On the Upgrade Operating System step, edit the Options and include the following

Task Sequence Variable: Upgrade_Forced=True

Note: This will ensure that the required upgrade only occurs if the Upgrade_Forced.txt file was present in C:\ProgramData.

upgrade forced equals true.png

Next in the Post-Processing group add a new Run Command Line step called Add Windows 10 Required Upgrade reg key with the following command line:

cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\windowsnoob" /v RequiredUpgrade /t REG_SZ /d "%date%" /f

cmd reg add.png

This will allow you to run reports on when computers were upgraded using this method. Close the task sequence.

Next create a new Run command line step called Remove Upgrade_Forced.txt with a cmd line of cmd.exe /c echo Y | del C:\ProgramData\Upgrade_Forced.txt

remove upgrade forced.png

 

Step 6. Deploy the task sequence

In this step we deploy the task sequence with a purpose of required.

Note: I'd strongly advise you to test this thoroughly in your lab and make sure to pick your collections correctly and to populate them very carefully.

Right click on the task sequence and choose Deploy

deploy.png

For collection choose OSD Servicing Required Deployment, and ignore the popup telling you it's empty, you can add computers to that collection later.

osd servicing required deployment.png

Change the Purpose to Required

required.png

For Scheduling click on New, then choose Schedule, then change it to run daily at 11am. For rerun, choose Always rerun program as you will update the limiting collection (All Windows 10 version 1511) membership daily @ 1pm and upgraded computers will fall out of the collection. In case they don't (for whatever reason) the wrapper checks for the targetbuild and if the computer matches that build, it will abort and not start the upgrade.

scheduling.png

Note: The above schedule will run our popup daily at 11am for 6 days prior to forcing the upgrade to Windows 10. You should change the schedule according to your preferences.

Continue through the wizard until completion.

required complete.png

Note: If you want to test run the Task Sequence from the Software Center or if you want your users to do this, then enable the Allow users to run the program independently of assignments checkbox on the User Experience tab.

user experience.png

Step 7. Adjust Windows 10 limiting collections membership schedule

Below you can see the membership rules update frequency on the limiting collection, it's set to run two hours after our Upgrade, adjust as necessary for your organization and your agreed schedule.

all windows 10 1511 properties.png

Step 8. Add test computers to the OSD Servicing Required Deployment collection

Note: Before doing this step, carefully read the Warning and Disclaimer at the top of this guide!

Right click on the collection and choose Add Resources (or use your own chosen method to add computers) to add one or more test computer to the OSD Servicing Required Deployment collection. As this collection now has a live required task sequence deployed to it, do this step very very carefully, if in doubt stop what you are doing, go and have a coffee and try again when your nerves are calm.

add resources.png

and add your test computers as you see fit..

add test computers.png

Step 8. Monitor the experience on test computers

Login to a test computer, do a machine policy update in the ConfigMgr client actions and wait for the popup or kick it off via software center.

After the computer receives the policy and the scheduled time is reached a popup is shown offering the user to Defer the upgrade or Upgrade now by selecting the appropriate checkbox and then clicking on Upgrade Now.

windows 10 popup.png

Note: The clickable link goes to a non-existant url, you need to point it to whatever documentation you want your users to read in preparation for the upgrade.

As each day passes (or based on your custom schedule) the counter reduces by 1 every time the popup appears.

4 remaining.png

When there are no more deferrals left, a 4 hour countdown starts and when it reaches 00:00:00 the Windows 10 Required Upgrade will start. If the user closes the popup, the timer will resume where it left off when it is restarted.

4 hours.png

Alternatively, if the user doesn't want to defer, and they want to run the upgrade right now, they can place a checkmark in the 'My files are synced in OneDrive...' and then click Upgrade Now to start the task sequence.

upgrade now.png

Either way, regardless of what your user clicks on, (based on the schedule in this guide) the computer will start the upgrade within 7 days (or earlier or later if you adjust the schedule).

Once the Upgrade Now button is clicked on, or once the Timer reaches 00:00:00 the task sequence will automatically start (assuming that the DO_NOT_UPGRADE.txt is not present).

upgrade starting.png

Branding

Simply replace the banner.png file included with one matching your Company Name, edit the upgrade.hta and locate the 'windowsnoob' name in the text field (line 347) and replace it with your own Company Name.

Troubleshooting

The popup creates 3 log files to troubleshoot the process, they are located in C:\ProgramData and named

  • Windows10RequiredUpgradeHTA.log
  • Windows10RequiredUpgradeWrapper.log
  • Windows10RequiredUpgradeStartUpgrade.log

logfiles.png

The wrapper writes to the registry in HKCU\Software\windowsnoob

hkcu.png

Note: The collections, scripts and task sequence assume you are upgrading from Windows 10 version 1511 to Windows 10 version 1607, you'll need to edit the WMI Query in the task sequence to change Windows 10 build version when you move to creators update  and for later versions of Windows, and you'll need to edit the TargetBuild variable in the wrapper.vbs script accordingly. Once done, you should change the Limiting Collection for the OSD Servicing Required Deployment collection to match the n-1 version of Windows 10 you want to migrate from.

Tip: If you have rendering issues with the popup on different devices then edit the call ResizeWindow(425,335,500,375) values and ResizeWindow Function  to fit your specific needs, I don't have access to too much hardware to test this on. The popup is fixed, if you want the user to be able to move it change the line caption="no" to caption="yes". If you want to programmatically use it then add a Window.moveTo(x, y) line.   

Downloads

You can download the scripts used above in the following zip files:

Summary

Forcefully upgrading computers is a tricky area but hopefully this method gives you one more option to consider.

 

  • Thanks 1

Share this post


Link to post
Share on other sites

Thanks for this write up, Niall...I was actually getting ready to start work on this very project here :)

This is particularly useful in my scenario, for a number of reasons.  I work for a K-12 school and the AD/network structure is...different, from most places.  I do not have access to my WSUS server, AND it sits in the DMZ behind my internet filter (don't get me started).  The entity controlling the approved patches for Windows 10 has them on a delayed schedule due to the fact that they test all patches first to make sure that they are compatible in our environment.  I have the potential to stand up my own WSUS to use with CM, but the short version is that it isn't happening in the immediate future.

So in short, I needed a way to upgrade all my 1511 stations to 1607 (or even the creators update) in a controlled manner, rather than letting WSUS hand out the updates and simultaneously bottleneck my internet filter.  Thank you for your work on this!

  • Like 1

Share this post


Link to post
Share on other sites

I'm in 100% agreement with you there :)

There are a number of school districts in our state who have inherited a ConfigMgr setup, either due to being a new hire or someone leaving the department,  and they get handed management of CM...I am always telling them: test, test, and then test again.

Share this post


Link to post
Share on other sites

Absolutely top work, I foresee problems to forcing users to upgrade and this deferring upgrades to suit the user is something that SCCM should have built in. I migrated from Zenworks to SCCM and for all its problems there's a few bits of functionality that I miss. This is definitely one.

Thanks again.

 

 

 

  • Like 1

Share this post


Link to post
Share on other sites

I am having trouble with the script to create the device collections and I'm not sure why... Would you mind taking a look... I'm sure it's just a Monday oversight on my part.

Import-Module : Cannot bind argument to parameter 'Name' because it is null.
At F:\Sources\windows-noob Required Windows 10 Upgrade\CreateWindows10DeviceCollections.ps1:184 char:14
+ Import-Module <<<<  $console
    + CategoryInfo          : InvalidData: (:) [Import-Module], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ImportModuleCommand
 
Get-PSDrive : Cannot find a provider with the name 'CMSite'.
At F:\Sources\windows-noob Required Windows 10 Upgrade\CreateWindows10DeviceCollections.ps1:185 char:22
+ $SiteCode=Get-PSDrive <<<<  -PSProvider CMSite
    + CategoryInfo          : ObjectNotFound: (System.String[]:String[]) [Get-PSDrive], ProviderNotFoundException
    + FullyQualifiedErrorId : GetLocationNoMatchingDrive,Microsoft.PowerShell.Commands.GetPSDriveCommand
 
Connecting to Set-Location : The given path's format is not supported.
At F:\Sources\windows-noob Required Windows 10 Upgrade\CreateWindows10DeviceCollections.ps1:188 char:3
+ cd <<<<  "$($SiteCode):"
    + CategoryInfo          : InvalidOperation: (C:\Windows\system32\::String) [Set-Location], NotSupportedException
    + FullyQualifiedErrorId : ItemExistsNotSupportedError,Microsoft.PowerShell.Commands.SetLocationCommand
 
Set-Location : Cannot find path 'C:\Windows\system32\:' because it does not exist.
At F:\Sources\windows-noob Required Windows 10 Upgrade\CreateWindows10DeviceCollections.ps1:188 char:3
+ cd <<<<  "$($SiteCode):"
    + CategoryInfo          : ObjectNotFound: (C:\Windows\system32\::String) [Set-Location], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.