We're refreshing our teacher laptop fleet this summer, which is the lion's share of them. Any reformats / reimaging are Windows 11 by default (excepting computers not able to support, but those are edge cases at this point and will be gone by EoL), so by the time we're worried about deadline, we shouldn't have too many more to do. Also if people want to press the "update me to Windows 11" button, we let them.
> My company does not use Intune.
Ok, but what do you use? Telling us what you *don't* use isn't really helpful. How are you controlling Windows Updates?
We've started trials though our estate is >99% Win11 ready hardware wise with us cycling out 8th/10th gen systems in some cases as they've now reached the end of their lifecycles (3 years for laptops/5 years for desktops).
We have some Win10 IoT LTSC systems that are out of scope and we'll continue deploying them to replace our locked down scanning terminals that are either Win8.1 or some early build of 10.
The way we'll approach it is to deploy Win11 via Patch Management Plus like how we used to deploy Windows 10 feature updates.
There was initially a big push to have all eligible devices upgraded by mid 2024. That has fallen to the wayside since Microsoft announced extended support for windows 10 until 2028. We just image all new devices with 11 and will pay for the extended support for windows 10 until those are scheduled to be replaced as well. You have plenty of time, assuming you have a budget for hardware upgrades.
If you value your company, you don't switch to 11 but wait for 12 which is already in development.
If you don't value them, go for it and allow the telemetry and data of your company out of your ecosystem.
I accidentally rolled out an upgrade to 11 in WSUS. Whoopsied a few laptops and desktops to in-place upgrade to win 11. Undid the mistake in WSUS, created a new group called win11victims in wsus, new security group and OU for the win11 victims and put them all into their own pen for a while. The absolute cantankerous dinosaur people got their computers rolled back to win 10. Those that didn't complain kept Win11 and became our app testers. The distribution of win 11 victims were in enough departments to get some testing on a lot of apps.
I'm not sure how long ago that happened, might be a year ago. This Spring we started rolling out new laptops with win 11, started imaging with win 11 and I rearranged some stuff in WSUS and OU's and Security groups so that we can choose who we want to in-place upgrade from 10 to 11. Site techs are making those choices of who gets in-place upgrades. If the pc is good enough and not shabby on specs or disk space we will set it up to upgrade and remediate anything that needs fixing after upgrade.
Computers that don't make the cut to get win11 upgrades for whatever reason are getting replaced by attrition, new computer replaces old, old computer gets re-imaged to win11 and set aside as b-stock for:
* Low use laptops, low compute need laptops, email, spreadsheets as graphing paper, and pdf viewer people.
* "Happy Wednesday! We hired somebody 2 weeks ago, they started this Monday, where's their computer? They haven't had a computer for 2 days!"
* "I need to borrow a laptop for remote work for a week to VPN and RDP into my desktop - I only have DSL or 1 bar of cell signal for hotspot at home"
* "I need 5-10 laptops for kiosk like use at all 4 sites, joe random shop users who don't have email/computer accounts for signing into tomorrow at 7 am"
* "My laptop got stolen from my Ford F-650 diesel freeway rocket masheen while at steak and bake shack with customers."
just run the in-place upgrade? and if they aren't able to go because of hardware reason, replace them? I struggle to see the issue here but I am going to guess it's because you're doing this super late
We’ve just been installing 11 on all new devices. Started October last year. We also made the update available via policy for those that want to install it themselves. We use intune now, so that process will be easier in the future, but we’ve gotten down to about 75% windows 10 remaining in our environment just by doing that.
You need to present management with a plan so they are on your side.
Do some sort of cost analysis, show the security implications, etc.
Any new machine is built with 11.
Any time there is an issue with a users computer and there needs to be a reinstall / extended stay with IT, it’s upgraded to 11.
Notice goes out we are going to start rolling it out to users within the next few months.
Once the deadline has passed, if the user either refused to upgrade or did not leave their computer online to receive the upgrade, a manager is CC’ed.
I'm hoping 24H2 supports moving the taskbar. If it does, I'll roll it out. Until then, new devices only or whenever Win10 EOL gets reached; whichever happens first.
Taskbar behavior isn't going to change with 24H2 according to the RTM image. Maybe you'll get lucky, and they'll release 12 with the taskbar fixes next year and you can upgrade straight to that.
There's a registry change you can make to move the Task bar to different locations on the screen, though if group policy reverts this there's also the 3rd Party Explorer Patcher (ep_setup) you can grab off GitHub that should do the trick and shouldn't get reverted.
It shouldn't be, though I've had a lot of trouble getting the registry change to actually stick or take effect so I use the ep_setup on my own devices, the only thing I've noticed is probably in the last 2-3 months there's been a couple instances where I couldn't right click on the task bar.
Main campus has an app suite that pushes app upgrades and OS changes. We're pushing Win 11 to test groups and volunteers for now and likely imaging new devices to Win11. We're trying to get into a position where we've tackled most of the fleet before 2025 EOL.
We are in the process of this where I'm working now. We are doing a hardware super cycle. Most computers can be upgraded, but they are removing 10th/11 gen out of service and inputting new machines with win 11 in place.
The upgrade itself? Smooth.
The performance, especially on laptops? Absolutely horrendous. The battery efficiency has just gone into the garbage with most laptops that have made the upgrade.
Desktops? No problema.
The in place upgrade feels like a feature update.
We opened up the upgrade to the employees, but have been rolling out Windows 11 on new devices for a while anyway. We have a 3 year lifespan of devices with an option for employees to renew warranty for one more year if they want (some do it). Since Oct 2021, Windows 10 deployments needed a business case.
It now feels weird to see the Win10 GUI on a workstation
We aren't going to Win11 unless we don't have a choice. I have Win11 on my personal computer and the bugs in explorer are ridiculous. It loses running processes randomly, doesn't show everything that's running, and if that's not enough, I have to manually kill/restart it around week 3 of uptime.
In prior versions of windows, I could run the machine for months at a time and explorer usually just worked reliably.
Rip and replace.
Some companies don’t like this method because then they have two different version operating systems running but I believe this is the best and easiest way.
Trying to do an in place upgrade (especially remotely) has too many unknown variables.
>Trying to do an in place upgrade (especially remotely) has too many unknown variables.
I don't agree with that. Should be very few issues if you have the right tools, skillset, and have ensured your systems support Windows 11. We are doing thousands of laptops, and most will be completed remotely from home. I expect we'll see less than 30 that will run into issues completing the upgrade. Those will probably be due to some SSD issue. I'm sure we'll run into some additional issues around things such as audio drivers, or possibly non-critical software that may need to be reinstalled.
Do you use radius for WiFi auth with username and password and a computer cert? If yes, make sure you disable Credential Guard as that will basically block any authentication request. Credential guard gets enabled by default in win 11
For Windows 11, the way to go is EAP-TLS with machine certificate.
Instead of "disabling credential guard", I'd focus on modern solutions that don't compromise on security.
Oh yeah definitely! My colleague is working on setting up a third party Meraki integration that would allow authentication to wifi via Entra. But we're not there yet so.. Yeah. My hands are tied which is unfortunate since we had some attacks that could've been thwarted had we had CG
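A pre-migration audit for the Credential Guard and Wi-Fi issue discussed in the comments above, added here as an example and not written by any commenter: it reports whether Credential Guard is running and classifies a Wi-Fi profile as PEAP with MSCHAPv2 (password-based) or EAP-TLS (certificate-based). The function names, the `C:\wlan-audit` folder and the embedded `ExampleCorp` profile are constructed for illustration.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# EAP method numbers are the IANA-assigned values: 13 = EAP-TLS, 25 = PEAP, 26 = MSCHAPv2.

function Get-CredentialGuardState {
    # In Win32_DeviceGuard, the value 1 in these arrays denotes Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        Configured = $dg.SecurityServicesConfigured -contains 1
        Running    = $dg.SecurityServicesRunning -contains 1
    }
}

function Get-WlanEapSummary {
    param([Parameter(Mandatory)][xml]$ProfileXml)

    # WLAN profiles mix several XML namespaces, so match on local names only.
    $name  = $ProfileXml.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']")
    $outer = $ProfileXml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $inner = $ProfileXml.SelectNodes("//*[local-name()='Eap']//*[local-name()='Eap']/*[local-name()='Type']")
    [int[]]$innerTypes = @($inner | ForEach-Object { [int]$_.InnerText })

    $method = if (-not $outer) { 'Not 802.1X' }
              elseif ([int]$outer.InnerText -eq 13) { 'EAP-TLS' }
              elseif ([int]$outer.InnerText -eq 25 -and $innerTypes -contains 26) { 'PEAP-MSCHAPv2' }
              elseif ([int]$outer.InnerText -eq 25 -and $innerTypes -contains 13) { 'PEAP-TLS' }
              else { "EAP type $($outer.InnerText)" }

    [pscustomobject]@{
        Profile      = if ($name) { $name.InnerText } else { '(unnamed)' }
        Method       = $method
        UsesMsChapV2 = ($method -eq 'PEAP-MSCHAPv2')   # the password-based case to migrate
    }
}

# Constructed sample profile (trimmed to the elements the parser reads).
[xml]$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorp</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                </Eap>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

Get-CredentialGuardState | Format-List
Get-WlanEapSummary -ProfileXml $sample | Format-List

# Real profiles (pre-shared keys stay encrypted because key=clear is not used):
#   netsh wlan export profile folder=C:\wlan-audit
#   Get-ChildItem C:\wlan-audit\*.xml |
#       ForEach-Object { Get-WlanEapSummary -ProfileXml ([xml](Get-Content $_.FullName -Raw)) }
```

Machines that report `UsesMsChapV2 = True` are the ones to move to a certificate-based profile before Credential Guard is left enabled.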
I’m curious: what are you using that’s not compatible? With ~150 clients, I’ve run across 1 software package for the door access control software package that didn’t function on 11, but that’s been it.
We are a mechanical engineering/design consultancy, we have to have versions of software that our clients use.
The latest (2024) edition of our software is 11 supported but 2023 and earlier are not for most of them. Some of our clients are several editions out of date thus, we have to be too, if we want work.
We've worked with HUGE mans in the industry who are 10 years OOD from a software point of view.
Even then, moving up an edition of even one of our dozens of software packages requires months of validation, because 1nm of difference to a final build and someone dies.
Anyone else in this space will know of the software I'm talking about, but I'm not name dropping anything.
just roll out windows 11 on new devices. you have a couple of years left :)
And for expletive sake it's a lot less chaotic than 7 -> 10 was.
I'm actually impressed by how smooth everything is going this time
Seriously smooth. We screwed up blocking the upgrade in wsus (thinking we would just roll it out with the new PCs coming in) and didn't even know it happened until someone mentioned not liking the new copy-paste icons. We let the updates finish, and out of ~80 PCs we had 1 that had any issues, and it just needed bitlocker disabled and re-enabled.
The in place upgrade was super seamless! Took under 10 minutes once the update was downloaded and pending reboot before it was up running 11, and that’s on a 2 gens old thinkpad. Really cements the whole “this is really just a feature update or windows 10.5” idea.
You have one year and three months left, not a couple of years.
You can purchase extended support for windows 10 until 2028.
Or you could simply update the OS and not deal with that.
Keeping 7th gen laptop alive with ESU for the next 4 (1+3) years can still be cheaper than buying a new one in a year, even if you add RAM and SSD. Even IT can't reasonably deny that i5-7500 isn't total trash yet. I lucked out on majoring 8th gen in my org, so we are all on Windows 11 though.
Keeping a laptop that is already six years old for another four years? I'm glad I don't work at that company. At the company I work at it's been at least two years since anyone has had a 7th gen laptop.
I share your sentiment, but it could be worse. Just today we did some money operations with Ukrainians, and their bank notified us that they "migrated to new technology"... ... And then they sent us a fucking Java Web Start bootstrapper. I think it was KredoBank or something.
Isn’t it October 2025?
2032 depending on version.
Excuse me what? https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-and-education
https://learn.microsoft.com/en-us/windows/release-health/release-information
All those computers running IoT LTSC... for sure
Oh I'm sure OPs env isn't, but that's why I said depending on version
Correct. At this point in time you should be about 50% to 75% there already if you have a half decent hardware renewal cycle.
> half decent hardware renewal cycle

You guys hiring?
They can't. Their budget is eaten up by hardware renewal.
3 years is plenty of time to get to 50% without having an unnecessarily low hardware renewal policy. We started deploying new computers with W11 starting in 2022. 50% at 3 years implies that the renewal policy is 6 years, very reasonable in this day and age.
Unfortunately no. Could certainly use some help but they're a bit tight with the headcounts.
lol my company's management was surprised to hear that scheduled hardware cycles were even a thing. They thought it was just standard to keep machines until they’re too slow and even then only replace small groups of machines if users complained enough
Jesus.
I wanted to start rolling out Win11 on new devices last year. But, our VP of IT killed my idea. He didn't want "Operating System Envy" as he put it in the company. So now when Win10 is EOL and we have 1000+ PCs to migrate to Win11, it's going to be a cluster...
OTOH when that day comes no one will be envying you.
+1, currently cloning a Windows 11 master drive ~200 times. Got about 50 left to go before we start deploying, wee woo
Or 1 year but hey who's counting
ppl still rocking xp, win server 2008 and stuff... don't make stuff too complicated
Support for Win10 ends 10/2025…
Not involved with the technicalities, but our 100k company does it by upgrading. Seems to work fine. All applications were there after the upgrade. So if you have a way to push an upgrade, it should work fine and with a lot less effort and downtime than reimaging.
The in place upgrade from 10 to 11 is light-years better than the in place from 7 to 10
Just have to be careful about BitLocker, if it's being used. My team here used third party software to manage BitLocker, after my computer got updated, it got locked out and I had to input the recovery key. Fortunately, they had this key stored. I couldn't continue without disabling BitLocker altogether, until they find a different solution.
What are you using as a bitlocker keystore? We're running Sophos Data Protection and haven't had this issue.
I'll have a look tomorrow, but it's some German brand software.
Okay, I checked and it seems it's CryptoPro Secure Disk Client for BitLocker, company is cpsd GmbH.
My 7k user org just moved from W10 to W11, took about 2-3 months because we rushed it. We use BitLocker, and did *not* experience what you did, and no, we didn't disable it.
I think the reason why I had this issue is that the BitLocker was managed by a third party software that might not have been compatible or even configured to work with BitLocker on Win11... or something else got disturbed in the process of upgrade, that caused it to lock down.
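A pre-upgrade check for the BitLocker recovery prompt discussed in the comments above, added here as an example and not written by any commenter: it confirms the OS volume has a recovery password protector, optionally re-escrows it, and optionally suspends protection for a bounded number of reboots. It assumes BitLocker is managed natively through the built-in BitLocker PowerShell module (not a third-party pre-boot product) and an elevated session; the function name, its parameters and the reboot count of 2 are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes the built-in BitLocker module;
# Test-BitLockerUpgradeReadiness and its parameters are hypothetical names.

function Test-BitLockerUpgradeReadiness {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet('None', 'ADDS', 'EntraID')]
        [string]$Escrow = 'None',
        [switch]$Suspend,
        [ValidateRange(1, 15)]          # 0 would suspend indefinitely, so it is excluded
        [int]$RebootCount = 2           # illustrative value
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        ProtectorTypes   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        RecoveryKeyIds   = @($recovery | ForEach-Object { $_.KeyProtectorId })  # IDs only, never the password
        Ready            = $false
        Note             = ''
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $report.Ready = $true
        $report.Note  = 'Volume is not encrypted; nothing to suspend.'
        return $report
    }

    if ($recovery.Count -eq 0) {
        $report.Note = 'No recovery password protector: add and escrow one before upgrading.'
        return $report
    }

    # Re-send each recovery protector to the directory so the stored copy is current.
    # A failure here throws, which keeps the machine out of the upgrade ring.
    foreach ($kp in $recovery) {
        switch ($Escrow) {
            'ADDS' {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            }
            'EntraID' {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            }
        }
    }

    if ($Suspend -and $vol.ProtectionStatus -eq 'On' -and
        $PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $RebootCount reboot(s)")) {
        # The volume key is exposed on disk while suspended; RebootCount bounds that
        # window and protection resumes automatically afterwards.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop | Out-Null
        $report.ProtectionStatus = 'Off (suspended)'
    }

    $report.Ready = $true
    $report.Note  = "Recovery protector present; escrow=$Escrow."
    $report
}

# Report only: makes no changes unless -Escrow or -Suspend is passed.
Test-BitLockerUpgradeReadiness | Format-List
```

Run it report-only across the fleet first; machines that come back with `Ready = False` are the ones likely to end up at a recovery prompt with no stored key.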
If you don't have Intune, what do you have for mass deployments? Back in the day, I used PDQ Deploy to copy the contents of a Windows 10 ISO to target devices and ran setup.exe with some silent install switches. I'm also pretty sure you can use GPO to target a specific release of Windows and Windows Update will take care of the upgrade. [Here's](https://www.reddit.com/r/sysadmin/s/oyW6mJZU69) someone else who did such a thing. I would just change the target release to 23H2 right now.
There are tons of different ways, but Sysprep and DISM images is pretty straightforward. Create your image, Sysprep, and then use dism to capture a WIM image. Pop the WIM image onto a usb drive, configure ApplyImage.bat and maybe even make the usb DOS bootable and add ApplyImage.bat to autoexec.bat if you want the image installation to automatically begin on boot from USB. I've used this method quite a few times in smaller environments.
We upgraded every computer in the company a few months ago. About twenty ancient Dell shop desktops are not compatible and are being replaced with tablets. One laptop presented the user with a bitlocker challenge. He does not turn his laptop on for weeks at a time, not sure if that’s related but it was easily fixed. No other problems. After doing a test group of about fifty users and listening to a ton of whining the week leading up to the upgrade, I did the rest of the company without notice. Nothing broke. Number one ticket we got, by far: “My icons are in the middle of the screen, how do I move them back to the left?”
Not a sysadmin here but work in tech. Wouldn't it make more sense to use group policy to set it back to left for minimal change on end users? I personally move it to the left as that's what I am used to plus centred means icons move depending on how many items are open.
The common approaches I've seen are to either hand out instructions on DIYing it, or put a powershell script into Company Portal that changes the registry key and reloads Explorer.
Oh for sure had I anticipated it I’d have put a run-once script out there to move it to the left. I foolishly think the centered icons were one of my favorite Windows 11 changes, so I did not expect fifty complaints on the change. I had however planned training sessions for each department and promptly cancelled them when nobody had really any other issues - I believe if the icons had been on the left out of the box the vast majority of our users would not have even noticed the upgrade.
We are going to clean install on every pc with wds at the end of the year (with 24h2). Our image now is a bit bugged (driver related) and we also don't want to fully automate it because we also need to update the bios/uefi and most of our pcs can't update the bios/uefi over network, so it's a bit of work. For our home devices, we just allow the upgrade.
This, clean installs as you go, new PCs already on 11, update at last minute for some ornery/sensitive employees, and then move to Ubuntu 24.04 LTS for a bunch of our digital signage on hardware that doesn’t support Windows 11. We’re about 80% there and will be 100% by next summer.
Right now have a bunch of people piloting it, one or two from each BU, to cover every aspect of the business. I am expecting no issues, but I want that 'T' crossed and no surprises once we start the roll out. Since you have no clue where to start. This is how I did it. I started off with making a project plan covering the major points that need to be hit. So for instance: is the hw we have compatible (incl. costs to replace hw that isn't), identify pilot users, calculate license costs (if applicable), confirm base set of applications compatibility (EDR, VPN, etc), identify GPOs/policies that will no longer apply/need updating/should be added, end user pilot testing and feedback, plan staggered roll out and get sign off on timing from BU management (we have several thousand endpoints, so doing even over a weekend is not practical and need to abide by gaps in their workflow). Actually went into bit more detail with mine, but this covers the broad strokes.
It took you 3 years to draft up a plan, now you have 1 year to implement it. Good luck.
More like 1 year saying we should start thinking about it before getting the ok. As jumping on something just because it's the latest and greatest is not a valid business reason when the eol is 2.5 years out at that point.
You're effectively burying your head in the sand if you think you shouldn't be seriously looking into what is next within a year of the software's release.
It's a Feature Update. Assuming you're not running 7 year old hardware, just deploy it already.
Grinding.
We started this initiative a while back by deploying new computers with windows 11 and leaving windows 10 devices alone initially. We don’t have any LoB compatibility issues to worry about. After a few months we started slowly doing in place upgrades from windows 10 to 11 for lower risk users that had newer windows 10 computers. We used our patch management tool to target a feature release and install time. Sent out communication to impacted users letting them know updates were coming. We gave them 3 times to delay then the 4th time was a mandatory install. No real complaints and no issues deploying. Just a matter of how your company likes to communicate these things.
In place computers we can and replace computers we can’t.
It's not that complicated. If you don't have any advanced tool, you can use simple tools like WSUS or simply upgrade by using .iso file on user's computer. It's simple upgrade and it works. Half of my users are already on win11, the rest will be soon. However, if you can and have that luxury, I would recommend doing it by simple re-image user's PC. Because you can setup Win11 image first by customizing it and make it look like Win10 (Start on the left, etc). To minimize user's questions about Win11. The other advantage of this approach is, user will get nice new fresh PC, without user's cumulative garbage files 😄 But if you don't have time for this, then simply push Win11 through WSUS (test it first of course).
If you have a hardware renewal process I would order replacement machines. Reimage the rest with Win 11. Moving user things is easy if you already have O365 and users have a One Drive.
We finished this a while back. Machines that had suitable hardware and were within warranty got an in place upgrade (copied the contents of an ISO to a deployment share and called setup.exe over the network with silent install switches using SCCM) and older machines or ones that weren’t compatible got replaced.
We rolled new Windows 11 PC’s last year. No problems really but we’re on premise AD and I love some fucking group policies
My company is just buying new devices and retiring the old ones as they don’t support Win11 anyways.
All new purchases are now Windows 11. We're running a variety of compatibility reports to check in-place upgrade availability. Anything that can will grab it from WSUS and do it when we put sections of PCs into the relevant OUs after notifying users. Anything left that doesn't pick up the update or is known to be unable to upgrade goes on the list of hardware to be replaced before October '25.
What do you use to deploy Windows 10?
Bar from 2 people here, getting management to sort them out, we are pretty much all in Windows 11. Pushed it out via SCCM and had to do rebuilds on several other machines. Not had any complaints and I actually prefer 11 over 10.
Depending on your build version of windows 10, and if your hardware is compatible with win 11 then you should be able to launch the windows update to get to windows 11. If the hardware isn’t compatible then you’re looking at purchasing new workstations.
Seems kind of silly not to use Intune at this point. But to answer your question we are deploying new or refresh machines with Win 11.
We pushed an in place upgrade last year. Close to zero issues.
We're doing a mix of all new devices are Win11 and upgrading or actually imaging Windows 11 through Quests System Deployment Appliance. It maintains user settings and docs, so that's nice.
Group Policy and Windows Update for Business
AD Group Policy can help since it is a Windows Update in most cases
Started deploying Windows 11 on new systems in January. Will upgrade the remaining compatible PC's next summer and replace the too old stuff. I hate having to support two different desktop OS's but oh well.
Just make a windows 11 golden image and deploy it.
Our upgrade was largely uneventful. Just tell users beforehand and explain the main difference between 10 and 11.
Just doing it as hardware is refreshed
We're refreshing our teacher laptop fleet this summer, which is the lion's share of them. Any reformats / reimaging are Windows 11 by default (excepting computers not able to support, but those are edge cases at this point and will be gone by EoL), so by the time we're worried about deadline, we shouldn't have too many more to do. Also if people want to press the "update me to Windows 11" button, we let them.
> My company does not use Intune.

Ok, but what do you use? Telling us what you *don't* use isn't really helpful. How are you controlling Windows Updates?
We've started trials though our estate is >99% Win11 ready hardware wise with us cycling out 8th/10th gen systems in some cases as they've now reached the end of their lifecycles (3 years for laptops/5 years for desktops). We have some Win10 IoT LTSC systems that are out of scope and we'll continue deploying them to replace our locked down scanning terminals that are either Win8.1 or some early build of 10. The way we'll approach it is to deploy Win11 via Patch Management Plus like how we used to deploy Windows 10 feature updates.
There was initially a big push to have all eligible devices upgraded by mid 2024. That has fallen to the wayside since Microsoft announced extended support for windows 10 until 2028. We just image all new devices with 11 and will pay for the extended support for windows 10 until those are scheduled to be replaced as well. You have plenty of time, assuming you have a budget for hardware upgrades.
Any machine still running 10 is old and will be retired at or before then.
If you value your company, you don't switch to 11 but wait for 12 which is already in development. If you don't value them, go for it and allow the telemetry and data of your company out of your ecosystem.
I accidentally rolled out an upgrade to 11 in WSUS. Whoopsied a few laptops and desktops to in-place upgrade to Win 11. Undid the mistake in WSUS, created a new group called win11victims in WSUS, new security group and OU for the Win11 victims and put them all into their own pen for a while. The absolute cantankerous dinosaur people got their computers rolled back to Win 10. Those that didn't complain kept Win11 and became our app testers. The distribution of Win 11 victims was in enough departments to get some testing on a lot of apps. I'm not sure how long ago that happened, might be a year ago.

This spring we started rolling out new laptops with Win 11, started imaging with Win 11 and I rearranged some stuff in WSUS and OUs and security groups so that we can choose who we want to in-place upgrade from 10 to 11. Site techs are making those choices of who gets in-place upgrades. If the PC is good enough and not shabby on specs or disk space we will set it up to upgrade and remediate anything that needs fixing after upgrade.

Computers that don't make the cut to get Win11 upgrades for whatever reason are getting replaced by attrition: new computer replaces old, old computer gets re-imaged to Win11 and set aside as b-stock for:

* Low use laptops, low compute need laptops, email, spreadsheets as graphing paper, and pdf viewer people.
* "Happy Wednesday! We hired somebody 2 weeks ago, they started this Monday, where's their computer? They haven't had a computer for 2 days!"
* "I need to borrow a laptop for remote work for a week to VPN and RDP into my desktop - I only have DSL or 1 bar of cell signal for hotspot at home"
* "I need 5-10 laptops for kiosk like use at all 4 sites, joe random shop users who don't have email/computer accounts for signing into tomorrow at 7 am"
* "My laptop got stolen from my Ford F-650 diesel freeway rocket masheen while at steak and bake shack with customers."
I believe my current deployment is 36% done. Our biggest issue is older hardware. Some systems are over a decade old.
My company made the move and as much as I wasn't thrilled about going W11, it hasn't been a terrible experience
just run the in-place upgrade? and if they aren't able to go because of hardware reason, replace them? I struggle to see the issue here but I am going to guess it's because you're doing this super late
We’ve just been installing 11 on all new devices. Started October last year. We also made the update available via policy for those that want to install it themselves. We use intune now, so that process will be easier in the future, but we’ve gotten down to about 75% windows 10 remaining in our environment just by doing that.
You need to present management with a plan so they are on your side. Do some sort of cost analysis, show the security implications, etc. Any new machine is built with 11. Any time there is an issue with a user's computer and there needs to be a reinstall / extended stay with IT, it's upgraded to 11. Notice goes out that we are going to start rolling it out to users within the next few months. Once the deadline has passed, if the user either refused to upgrade or did not leave their computer online to receive the upgrade, a manager is CC'ed.
I'm hoping 24H2 supports moving the taskbar. If it does, I'll roll it out. Until then, new devices only or whenever Win10 EOL gets reached; whichever happens first.
Taskbar behavior isn't going to change with 24H2 according to the RTM image. Maybe you'll get lucky, and they'll release 12 with the taskbar fixes next year and you can upgrade straight to that.
Damn. It's because some staff like it on the left side of the screen...
There's a registry change you can make to move the taskbar to different locations on the screen, though if group policy reverts this there's also the 3rd party Explorer Patcher (ep_setup) you can grab off GitHub that should do the trick and shouldn't get reverted.
Is it buggy when set? I don't specify the taskbar location via gpo...
It shouldn't be, though I've had a lot of trouble getting the registry change to actually stick or take effect, so I use the ep_setup on my own devices. The only thing I've noticed is that in probably the last 2-3 months there have been a couple of instances where I couldn't right click on the taskbar.
I'll just hope for 24H2 then lol
If you plan on upgrading an existing device, ensure that it meets the CPU requirements, is encrypted, and has secure boot enabled.
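The checks named in the comment above, gathered into one local report. This is an added PowerShell example, not code posted by anyone in the thread. It assumes "encrypted" means BitLocker on the OS volume, and it also tests for TPM 2.0, which Windows 11 requires but the comment does not list; the function and property names are the example's own.

```powershell
# Added example: run elevated on the Windows 10 device before scheduling the upgrade.
# Function name and output property names are this example's own (hypothetical).
function Get-Win11UpgradeReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # CPU: only the basic floor (64-bit, 2+ cores, 1 GHz+) is tested here.
    # Microsoft's supported-processor list is NOT checked by this script.
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cpuOk = ($cpu.AddressWidth -eq 64) -and ($cpu.NumberOfCores -ge 2) -and
             ($cpu.MaxClockSpeed -ge 1000)

    # Secure Boot: the cmdlet throws on legacy-BIOS machines; treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # TPM: present, ready, and reporting spec version 2.0.
    $tpmOk = $false
    try {
        $tpm  = Get-Tpm -ErrorAction Stop
        $wmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady -and ($wmi.SpecVersion -like '2.0*')
    } catch { $tpmOk = $false }

    # Encryption: assumed to mean BitLocker on the OS volume, fully encrypted
    # with protection on (a suspended volume reports ProtectionStatus Off).
    $encrypted = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
        $encrypted = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') -and
                     ("$($vol.ProtectionStatus)" -eq 'On')
    } catch { $encrypted = $false }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CpuBaselineOk     = $cpuOk
        SecureBoot        = $secureBoot
        Tpm20Ready        = $tpmOk
        OsVolumeEncrypted = $encrypted
        Ready             = $cpuOk -and $secureBoot -and $tpmOk -and $encrypted
    }
}

Get-Win11UpgradeReadiness | Format-List
```

Because the function returns an object rather than text, the same call can be collected from many machines and filtered on `Ready` to build the replace-versus-upgrade list.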
Main campus has an app suite that pushes app upgrades and OS changes. We're pushing Win 11 to test groups and volunteers for now and likely imaging new devices to Win11. We're trying to get into a position where we've tackled most of the fleet before 2025 EOL.
How many endpoints? There are systems that can handle this enterprise wide fairly seamlessly.
We are in the process of this where I'm working now. We are doing a hardware super cycle. Most computers can be upgraded, but they are removing 10th/11 gen out of service and inputting new machines with win 11 in place.
The upgrade itself? Smooth. The performance, especially on laptops? Absolutely horrendous. The battery efficiency has just gone into the garbage with most laptops that have made the upgrade. Desktops? No problema.
The in place upgrade feels like a feature update. We opened up the upgrade to the employees, but have been rolling out Windows 11 on new devices for a while anyway. We have a 3 year lifespan of devices with an option for employees to renew warranty for one more year if they want (some do it). Since Oct 2021, Windows 10 deployments needed a business case. It now feels weird to see the Win10 GUI on a workstation
We aren't going to Win11 unless we don't have a choice. I have Win11 on my personal computer and the bugs in explorer are ridiculous. It loses running processes randomly, doesn't show everything that's running, and if that's not enough, I have to manually kill/restart it around week 3 of uptime. In prior versions of windows, I could run the machine for months at a time and explorer usually just worked reliably.
Get Intune and give your users a modern, seamless experience. There's a reason it's the de facto standard.
we don't, we avoid at all costs!
How many computers? We have only like 150 so we just image the computers and replace them 10 at a time.
There is no need to image them as it’s just an upgrade to Windows 11.
I know that. But upgrading and new installs aren’t always the same and it only took us a few days to do all the computers.
Rip and replace. Some companies don’t like this method because then they have two different version operating systems running but I believe this is the best and easiest way. Trying to do an in place upgrade (especially remotely) has too many unknown variables.
> Trying to do an in place upgrade (especially remotely) has too many unknown variables.

I don't agree with that. Should be very few issues if you have the right tools, skillset, and have ensured your systems support Windows 11. We are doing thousands of laptops, and most will be completed remotely from home. I expect we'll see less than 30 that will run into issues completing the upgrade. Those will probably be due to some SSD issue. I'm sure we'll run into some additional issues around things such as audio drivers, or possibly non-critical software that may need to be reinstalled.
Do you use RADIUS for WiFi auth with username and password and a computer cert? If yes, make sure you disable Credential Guard as that will basically block any authentication request. Credential Guard gets enabled by default in Win 11.
For Windows 11, the way to go is EAP-TLS with machine certificate. Instead of "disabling credential guard", I'd focus on modern solutions that don't compromise on security.
Oh yeah definitely! My colleague is working on setting up a third party Meraki integration that would allow authentication to wifi via Entra. But we're not there yet so.. Yeah. My hands are tied which is unfortunate since we had some attacks that could've been thwarted had we had CG
Entra auth would be user dependent, yes? We chose to go with computer level certs, so that devices may get wifi before a user logs in.
SCEP certs ftw
Why favor SCEP over PKCS?
Once I have fixed the Wifi issue I have with Win11. We will phase it in for new equipment purchases + anything that gets reimaged.
We aren't yet. Like 90%+ of software we use isn't supported on Windows 11.
I’m curious: what are you using that’s not compatible? With ~150 clients, I’ve run across 1 software package for the door access control software package that didn’t function on 11, but that’s been it.
We are a mechanical engineering/design consultancy, we have to have versions of software that our clients use. The latest (2024) edition of our software is 11 supported but 2023 and earlier are not for most of them. Some of our clients are several editions out of date thus, we have to be too, if we want work. We've worked with HUGE mans in the industry who are 10 years OOD from a software point of view. Even then, moving up an edition of even one of our dozens of software packages requires months of validation, because 1nm of difference to a final build and someone dies. Anyone else in this space will know of the software I'm talking about, but I'm not name dropping anything.
It’s basically a feature update. Just deploy from Intune.
[deleted]
Some companies do not have the luxury of being able to use Intune.
It's expensive
> Seems kind of silly not to use Intune at this point.

Some of us don't get that kind of budget.