Upgrading to Windows 11 with Tanium

I’ve always known that Tanium supported doing in-place upgrades to later versions of Windows, but since I had been focused primarily on Tanium provision for bare metal imaging, I had never actually gone through full process myself. Since I’m going to be talking about it on https://twitch.tv/GoTanium tomorrow (Tuesday, January 25th, exact time TBD — watch Twitter) with the TaniumExplorers I figured I needed to do that to be able to maintain at least a little bit of credibility.

To start off, you can read through the documentation on the Tanium docs site for a good overview (replacing “Windows 10” with “Windows 11” as the docs haven’t been updated yet). The first step described is to import the packages from the Predefined Package Gallery (a set of software/app templates that you can easily use to deploy common software).

The docs mention that there are three packages, but as you can see above there is now a 4th as well. A brief description of each:

  • Phase1 – Pre-Cache. This one is run in advance of the actual upgrade, perhaps days or weeks ahead of time. It gets the full Windows 11 media onto each device where it can be used to perform compatibility checks (setup.exe /compat ScanOnly, which I blogged about back in 2015) and later the in-place upgrades. You have to add the .ISO file for the Windows 11 media to this package (in its entirety, not extracted — it is dynamically extracted using one of the scripts attached to the package), and then deploy it to all of your Windows 10 machines.
  • Phase1 – Direct-Cache. This is an alternative to the previous package (not mentioned in the docs yet). The only difference is that it downloads the Windows 11 media from Microsoft directly, instead of using a .ISO file that you download yourself. In today’s “work from home” environment, this can be more efficient since you don’t need to distribute the bits yourself.
  • Phase2 – Re-scan. The phase 1 package runs the compatibility check. If that compatibility check fails (e.g. because you didn’t have TPM 2.0 enabled in the firmware), you can re-run it later via this second package.
  • Phase3 – Upgrade. Once the compatibility check has passed, the device will be eligible for this phase 3 upgrade package that will invoke the actual in-place upgrade (setup.exe /auto upgrade and a bunch of additional parameters). That can be pushed out to the devices, or enabled via self-service for the user to invoke when they are ready.

In my case, I deployed the Phase1 – Pre-Cache package with the .iso file attached. I can easily see the results in the Tanium console:

In this case, 27 machines are already running Windows 11 and one has already successfully completed the caching and compatibility scan. One failed the compatibility scan (“Update ineligible”) and six were not applicable (running Windows Server, not Windows 10). So far so good.

If I fixed the reason for the “Update ineligible” device, which in this case was a lack of RAM (needs 4GB for the Windows 11 hardware requirements), a subsequent running of the Phase2 package would then change the status to “Installed” (meaning “bits installed and ready” in this case).

For devices that passed the compatibility check, the Phase3 – Upgrade package has been made available via the Self-Service Portal so the user can initiate it themselves (even when they don’t have admin rights).

When I click to “Update” I can see the “Current Activity” in the portal, showing the scripts that drive the process downloading:

And as soon as that is done, I can see SETUP.EXE and its child processes running:

Eventually, the computer will initiate a reboot to continue the process. Once the upgrade is finished, the user can log back in and get back to work.

For those of you with good memories, you might recall that this general process was discussed at MMSMOA back in 2018 by Mike Terrill and Keith Garner, with the details posted to Mike’s blog. The Tanium implementation (which was initially put together by Keith) is a bit simpler than what was described at MMS, but it achieves the same basic results.

The same process applies for Windows 10 feature updates (using a slightly-different version of the packages as the SETUP.EXE command lines are different), for example if you wanted to upgrade from Windows 10 1909 to Windows 10 21H2. But keep in mind that if you are running Windows 10 20H2 or later and want to go to a later Windows 10 feature update, you just need to deploy an enablement package for that; you don’t need to do a full in-place upgrade. The enablement package is small since it just flips a switch to turn on any new features; the payload for those features was already installed by the standard Patch Tuesday cumulative updates.

Categories: Tanium

Tagged as: ,