
Windows as a Service cheat sheet, Windows 11 edition

Sometimes things change more quickly than you expect, and that’s certainly true with the announcements around Windows 11. You can read my summary here. The biggest surprise for me was the hardware requirement changes, which then effectively necessitate another surprise: there will be three Windows releases this year:

  • Windows 10 21H2 as a new feature update to Windows 10.
  • Windows 10 Enterprise LTSC 2021 (at least that’s what I expect it will be called), a new LTSC release with five years of support that was already announced.
  • Windows 11, which effectively will be a feature update from Windows 10.

Let’s start out with a question that didn’t exist before: Should I continue running Windows 10 or move to Windows 11? For most, that’s an easy one, move forward to Windows 11, but there are some cases where that isn’t possible. So let’s first break that down:

| If you are running an Enterprise SKU of … | You should … |
| --- | --- |
| Windows 10 on a device that supports Windows 11 hardware requirements | Upgrade to Windows 11 before your Windows 10 release support timeline runs out. This is true for semi-annual channel and long-term servicing releases: You will be able to upgrade them to Windows 11. You can tweak the UI experience to minimize the impact (e.g. shift the Start button to the left, use the old Start menu, see here) if you must. |
| Windows 10 on a device that does not support Windows 11 hardware requirements | Keep upgrading to latest Windows 10 feature updates, as long as those continue to be released. While there is not yet a commitment from Microsoft to do one past the upcoming 21H2 release, it’s reasonable to assume that these will continue to support “orphaned” devices. |
| Windows 10 LTSB/LTSC | See line #1. While there will be a new LTSC release of Windows 10 later this year that will be supported for five years (and there won’t be an LTSC release of Windows 11 initially, if ever), you should move to the semi-annual channel. You can always upgrade from an LTSB/LTSC release to a later semi-annual release (higher build number), as long as you meet the hardware requirements. |

In case you missed it, the hardware requirements changes are significant. Windows 11 requires:

  • A dual-core 64-bit processor. Yes, that means no more Windows 32-bit OS releases.
  • TPM 2.0 (except on VMs). If you don’t have TPM 2.0 enabled in the firmware, you’ll need to enable it.
  • UEFI. If you’re running with BIOS emulation (which was necessary to run a 32-bit OS on a 64-bit device, at least for anything released in the past several years), now would be a good time to look at moving to UEFI (which can be done in-place, but it is a little tricky — seek out a consultant who has done it before because building that out from scratch is no fun).
  • Secure Boot. If you’re running with UEFI, there’s no reason to not run Secure Boot, so this one should be fairly easy if you met that requirement.
  • 64GB of storage. Good luck keeping any version of Windows running well on 64GB or less, so this one is no big deal.
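A per-device readiness check for the five requirements listed above, as an added example that is not from the original post or from Microsoft or Tanium tooling. The function name `Test-Win11Requirement` and the output property names are hypothetical; it covers only the items in this list and should be run from an elevated PowerShell session.

```powershell
# Added example: checks only the five requirements listed on this page.
# Run elevated; the TPM and Secure Boot queries need administrator rights.
function Test-Win11Requirement {
    $cpus  = @(Get-CimInstance -ClassName Win32_Processor)
    $cores = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum

    # No TPM exposed to the OS (or a non-elevated session) yields no instance.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Reports Uefi or Bios; Bios covers legacy boot and BIOS emulation.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI throws on legacy BIOS boots instead of returning
    # $false, so any failure is treated as "Secure Boot not confirmed".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $disk = Get-CimInstance -ClassName Win32_LogicalDisk `
                -Filter "DeviceID='$env:SystemDrive'"

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        DualCore     = $cores -ge 2
        Cpu64Bit     = $cpus[0].DataWidth -eq 64    # CPU capability, not OS bitness
        Os64Bit      = [Environment]::Is64BitOperatingSystem   # informational
        Tpm20        = $tpmSpec -eq '2.0'
        TpmEnabled   = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        Uefi         = "$firmware" -eq 'Uefi'
        SecureBoot   = $secureBoot
        Storage64GB  = $disk.Size -ge 64GB          # size of the system drive
    }
    # Collect the listed requirements this device does not meet today.
    $required = 'DualCore','Cpu64Bit','Tpm20','TpmEnabled','Uefi','SecureBoot','Storage64GB'
    $result['Failed'] = @($required | Where-Object { -not $result[$_] })
    $result['MeetsListedRequirements'] = $result['Failed'].Count -eq 0
    [pscustomobject]$result
}

Test-Win11Requirement | Format-List
```

A device that reports `Tpm20` as true but `TpmEnabled` or `SecureBoot` as false is a firmware-settings fix, whereas `Uefi` false means the in-place BIOS-to-UEFI conversion described above.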

So if you can’t meet these, you’re stuck on Windows 10. Eventually, at some undefined future point, Windows 10 will cease to be supported, so this hardware will have an expiration date. And there’s no path from Windows 10 semi-annual channel to Windows 10 LTSC, at this point at least, so don’t expect that five-year support lifecycle to easily “save” you from this obsolescence. PCs have a 4-5 year lifecycle in the enterprise, so you should already be planning to replace the devices. If you have recently purchased devices that don’t meet these requirements, well, you’re probably buying crappy PCs (e.g. with spinning disk drives instead of SSDs, shameful). As you can tell, I have little sympathy in that area.

Windows 11 also comes with some welcome news around Windows as a Service: One release per year instead of two, with 36 months of support for that release. So while you should generally plan to deploy each new Windows 11 release (don’t skip them), you do have enough time for a lot of flexibility on when you do that deployment.

Now let’s revisit the overall status taking into account these changes.

| If you are running an Enterprise SKU of … | You should … |
| --- | --- |
| Something earlier than Windows 10 1909 | Seek help. You’re already unsupported. |
| Windows 10 1909 | This is supported until May 10, 2022. You should deploy one of the later feature updates, which will require a full in-place upgrade. Moving directly to Windows 11, or even Windows 10 21H2, is risky from a timeline perspective, so you should probably deploy 21H1. |
| Windows 10 2004 | This is supported until December 14, 2021. Install the Windows 10 21H1 enablement package by then. As with 1909, trying to go directly to Windows 11 or 21H2 is risky from a timeline perspective. |
| Windows 10 20H2 | This is supported until May 9th, 2023. You’ve got plenty of time. Look to deploy 21H2 (likely via an enablement package) or Windows 11 (via a full in-place upgrade) before May 2023. |
| Windows 10 21H1 | This is supported until December 13, 2022. Deploying 21H2 (likely via an enablement package) would extend that date to something like April 2024 (exact date depends on when 21H2 is released). Or you can go directly to Windows 11 (via a full in-place upgrade). |
| Any LTSC/LTSB release | You didn’t listen to me before, so I don’t expect you to start now. You’re on your own. Remember you can upgrade from LTSC to a semi-annual channel release at any time, just needs to be a newer build number. That could be directly to Windows 11, or to a Windows 10 release like 21H1 or 21H2. |

A few general comments:

  • Enablement packages should be fairly safe to deploy (following a controlled rollout process), since they just turn on features that were otherwise hidden when you installed previous cumulative updates. The real risk is with those cumulative updates. (For those that said “wow, that enablement package installed fast,” of course it did, it’s only flipping a switch. The new payload was already included in a previous cumulative update.)
  • Tanium fully supports deploying feature updates and enablement packages using the Deploy and Patch solutions. For feature updates, you can deploy an initial compatibility scan to detect issues (more important than ever due to the changing hardware requirements around Windows 11), then use the results of that detection for targeting later. See here for more process details.
