Windows 10 for Enterprise Administrators - Richard Diver - E-Book

Windows 10 for Enterprise Administrators E-Book

Richard Diver

Description

Microsoft's launch of Windows 10 is a step toward satisfying enterprise administrators' needs for management and user experience customization. This book provides enterprise administrators with the knowledge needed to fully utilize the advanced feature set of Windows 10 Enterprise.

This practical guide shows Windows 10 from an administrator's point of view. You'll focus on areas such as installation and configuration techniques based on your enterprise requirements, various deployment scenarios and management strategies, and setting up and managing admin and other user accounts. You'll see how to configure Remote Server Administration Tools to remotely manage Windows Server and Azure Active Directory.

Lastly, you will learn modern mobile device management for effective BYOD and how to enable enhanced data protection, system hardening, and enterprise-level security with the new Windows 10 in order to prevent data breaches and to impede attacks.

By the end of this book, you will know the key technologies and capabilities in Windows 10 and will confidently be able to manage and deploy these features in your organization.


Page count: 317

Year of publication: 2017




Windows 10 for Enterprise Administrators
Modern administrators' guide based on Redstone 3 version
Jeff Stokes
Manuel Singer
Richard Diver

BIRMINGHAM - MUMBAI

Windows 10 for Enterprise Administrators

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: September 2017

Production reference: 1070917

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78646-282-4

www.packtpub.com

Credits

Authors

Jeff Stokes

Manuel Singer

Richard Diver

Copy Editor

Madhusudan Uchil

Reviewers

Iftekhar Hussain

Project Coordinator

Virginia Dias

Acquisition Editor

Meeta Rajani

Proofreader

Safis Editing

Content Development Editor

Sharon Raj

Indexer

Aishwarya Gangawane

Technical Editor

Komal Karne

Graphics

Kirk D'Penha

Production Coordinator

Aparna Bhagat

About the Authors

Jeff Stokes is a Windows/Microsoft engineer currently employed at Microsoft. He specializes in operating system health, reliability, and performance. He is skilled in Windows deployment with Microsoft Deployment Toolkit (MDT) and has exceptional skills in Virtual Desktop Infrastructure (VDI) and performance analysis. He is an active writer and blogger and loves technology.

Thanks to all the people who have helped me get where I am today. Special thanks to my wife, Ana, and my loving children, who have supported me through writing my portions of this book. I’ve learned a lot from a lot of people through the years and this book, I hope, is some sort of reflection of that accumulated knowledge. Clint Huffman, Carl Luberti, Yong Rhee, and many, many Microsoft employees, current and past as well. Special thanks to Ken Smith, who helped with some of the advanced configuration chapters at the last minute; seriously, thank you, sir. And thanks to the team at Packt Publishing and coauthors as well for their support and diligence in helping make this a success.

Manuel Singer works as a senior premier field engineer for Windows Client at Microsoft and is based in Germany. He has more than 10 years of experience in system management and deployment using Microsoft technologies. He is specialized in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sectors to provide professional technical and technological support.

First and foremost, I would like to dedicate this book to my family, especially to my wife, Renate, for her patience and continued support in allowing me the time to research and write this book. She is the reason I can fulfill my dream and follow my passion. I would also like to extend an acknowledgment to all the people who have supported me throughout the writing of this book, especially the technical reviewers for providing their efforts and time along with keen suggestions and recommendations. Last but not least, I would like to thank the entire Packt Publishing team for their support and guidance throughout the process of writing this book.

Richard Diver has been an IT professional for more than 20 years with experience across multiple industries, technologies, and geographies. He is currently working as a solutions architect with a focus on Microsoft cloud architecture, enterprise mobility, and identity management solutions. This is his first time as an author, though his previous book contributions include topics such as Sysinternals Tools, Microsoft Office 365, and Microsoft Intune.

Richard has a deep passion for simplifying complex topics and visualizing and sharing knowledge. He is a family man, with three daughters, and enjoys traveling, reading, and public speaking at events and conferences.

Thank you, the coauthors, for giving me the opportunity to contribute to this book; the experience has been good fun and I look forward to future opportunities. I would also like to thank Sharon Raj and the Packt Publishing team for driving the efforts required to pull a book like this together; your patience is immeasurable. Finally, thanks to my family for the encouragement and support in all my technical endeavors; I thank my wife, Dawn, and my three daughters, Charlotte, Lauren, and Jessica.

About the Reviewer

Iftekhar Hussain has been working with Microsoft for the last 9 years and has worked in various positions involving helping customers secure, manage, and deploy Windows and client management technologies.

He has over 12 years of experience providing high-value technology consulting to top enterprise businesses, public sector organizations, governments, and defense with architectural guidance, solution design and integration, and deployment strategies.

In his current role as a Windows cyber threat protection specialist, he helps organizations enable better security for systems by acquiring and enabling various capabilities to protect their environment from modern cyber threats and mitigating strategies using various best practices from Microsoft.

I would like to thank my family for their unconditional support, love, and care, and my colleagues at Microsoft for helping me learn and grow.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1786462826.

If you'd like to join our team of regular reviewers, you can email us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

Installation and Upgrading

Which branch to select?

Current Branch, also known as Semi-Annual Channel (Targeted)

Current Branch for Business, also known as Semi-Annual Channel

Support timeline before 1709

Support timeline since 1709

The Long-Term Servicing Branch

LTSB problem silicon support - potential risk with Zen, Cannonlake, and newer CPUs

Limitations of LTSB

Recommendations

New deployment methods

Why in-place upgrades?

Limitations and blocker of the in-place upgrade

Changing from BIOS/legacy mode to UEFI mode

Changing from Windows 32-bit/x86 to 64-bit/x64

Changing the base OS language

Changing primary disk partitioning

Using the Windows To Go or boot from VHD features

Image creation process (sysprep after upgrade not supported)

Certain third-party disk encryption products

Changing too many apps (bulk application swap)

Changing the environment

Traditional wipe and load

An alternative: provisioning

Improvements in deployment since Windows 10 1511

Windows 10 1607, also known as Anniversary Update

Windows 10 1703/1709, also known as Fall Creators Update

Tips and tricks for smooth in-place upgrade from 7, 8.1, or 10 to 10

Integrating cumulative updates into install sources

Updating graphics driver

Looking at Setupact.log and Setupapi.dev.log

Using Windows Upgrade Analytics aka Windows Upgrade Readiness

Selecting the deployment tools

Summary

Configuration and Customization

Introducing Windows as a service

Cortana

Security mitigation

Image customization

Imaging process

Customizing the image

Upgrade expectations

Internet Explorer 11 Enterprise Mode configuration

Windows 10 Start and taskbar layout

Audit mode

Tips

Virtual Desktop Infrastructure

Layering technologies

Security Compliance Manager

AppLocker

Microsoft Windows Store for Business, also known as Private Store

Microsoft telemetry

Windows Spotlight

Mandatory user profiles

Assigned Access, also known as kiosk mode

Bring Your Own Device scenarios

Windows libraries

User Experience Virtualization

Summary

User Account Administration

Windows account types

Account privileges

Local Admin Password Solution

Create policies to control local accounts

Password policy

Account lockout policy

Manage user sign in options

Mobile device management security settings 

User Account Control

Windows Hello for Business

Manage options for Windows Hello for Business

Credential Guard

Privileged Access Workstation

Summary

Remote Administration Tools

Remote Server Administration Tools

Installing RSAT

RSAT usage

PowerShell

PowerShell setup

PowerShell usage

PowerShell in the Enterprise

Desired State Configuration

Windows Sysinternals tools suite

BgInfo

Configuring BGInfo

Deployment

Introducing PsTools

Installing PsTools

Using PsTools

Custom code repository

Summary

Device Management

Evolving business needs

Mobile device management

Changes to GPOs in Windows 10

Enterprise/Education - only GPOs

Known issues when upgrading the central policy store

Known issues with Group Policy Preferences/GPMC

Servicing and patching

Why cumulative updates?

Update delivery solutions

Windows Update

Windows Update for Business

Windows Server Update Services

SCCM and third-party solutions

Windows 10 servicing

Summary

Protecting Enterprise Data in BYOD Scenarios

Bring Your Own Device

What is BYOD?

Choose Your Own Device

Key considerations

Device choice

Ownership

Management responsibility

Comparing options

Protection options

Identity and access management

Connect to work or school

Microsoft Passport

Windows Hello

Credential Guard

Device Configuration

Application management

Provisioning packages

Windows Store for Business

Mobile Application Management

Information protection

BitLocker and device pin

Windows Information Protection

Document classification and encryption

Data loss prevention

Alternative options

Enable remote/virtual desktops - RDS/VDI

Enable virtual private networks

Publish applications via proxy

End user behavior analytics

OneDrive for Business

Work Folders

Work Folders compared to other sync technologies

Summary

Windows 10 Security

Today's security challenges

Windows Hello/Windows Hello for Business

Differences between Windows Hello and Windows Hello for Business

Virtualization-based security

Credential Guard

Device Guard

Windows Defender Application Guard for Microsoft Edge

Windows Defender Exploit Guard

Device Health Attestation

Windows Defender Security Center

New BitLocker options

Local Administrator Password Solution

AD preparation

 Now to the installation

LAPS UI

Group Policy client-side extension

Group Policy configuration options

Summary

Windows Defender Advanced Threat Protection

Prerequisites

Windows Defender

Windows Defender Security Center

Windows Defender ATP

Plan - environment analysis

Deploy - service activation

Sign up and activate Windows Defender ATP

Portal configuration

Check service health

Check sensor status

Enable SIEM integration

Onboard endpoints

Configure sensor data

Additional configuration

Detect - using the ATP portal

Alerts queue

Machine list

Preferences setup

Endpoint management

Protect - Post-breach response

Types of threats

Ransomware

Credential theft

Exploits

Backdoors

General malware

Potentially Unwanted Application

Take responsive actions

Taking responsive actions on a machine

Collecting an investigation package

Isolate a machine

Take responsive actions on a file or process

Request deep analysis

Stop and quarantine file

Block file

Pivot into Office 365

Summary

Advanced Configurations

Virtual desktops

VDI infrastructure best practices

VDI configuration considerations

The Windows ICD

Windows 10 Kiosk Mode

AutoPilot mode

The Set up School PCs application

Device lockdown

Custom Logon

Keyboard filter

Shell Launcher

Unbranded Boot

Unified Write Filter

Summary

RedStone 3 Changes

OneDrive – file on demand

Task Manager shows GPU usage graph

No SMB1

Ubuntu, openSUSE and SUSE LSE available as Linux subsystem

New features of Microsoft Edge

New Google Chrome to Microsoft Edge migration feature

Hyper-V improvements

Change of network profiles in GUI

Improved storage sense feature

Microsoft Fluent Design

My people app

Eye tracking

Controlled folder access

Summary

Preface

Microsoft’s launch of Windows 10 is a step toward satisfying Enterprise administrator needs for management and user experience customization. This book provides Enterprise administrators with the knowledge required to fully utilize the advanced feature set of Windows 10 Enterprise. This practical guide shows Windows 10 from an administrator's point of view.

What this book covers

Chapter 1, Installation and Upgrading, covers Enterprise deployment and in-place upgrade techniques. Deployment tools will be covered, along with tips and tricks to smooth in-place upgrades from Windows 7 to Windows 10 and migrating user state information and settings.

Chapter 2, Configuration and Customization, dives into Enterprise image customization and configuration techniques. We will specifically cover Windows 10 customization techniques as they diverge from the Windows 7 and lower models.

Chapter 3, User Account Administration, covers the concepts and technologies that enable the secure and productive use of the Windows 10 operating system as well as the advanced options available to secure the user account credentials and prevent unauthorized system configuration changes and software installation.

Chapter 4, Remote Administration Tools, covers how to install and configure RSAT, perform administrative tasks using the RSAT tool, configure the Enterprise for secure PowerShell remoting, and perform remote administration using PowerShell.

Chapter 5, Device Management, covers the different form factors of machines and how management can be customized based on the chassis. Considerations for laptops, desktops, tablets, mobiles, and hybrid devices will be covered. Microsoft Intune and SCCM will be discussed in some depth.

Chapter 6, Protecting Enterprise Data in BYOD Scenarios, explores the risks and the impact of personally owned or unmanaged devices on information security and the practical steps you can take to ensure that the appropriate protection is applied. Key considerations for device choice, ownership, and management will be discussed.

Chapter 7, Windows 10 Security, covers the new security options available with Windows 10 and how they can be combined with the existing security to enhance protection. You will explore their benefits and their hardware and software requirements and look at some caveats when implementing some of them.

Chapter 8, Windows Defender Advanced Threat Protection, provides information about a new service that defends against modern threats that have a high impact if they get into the Enterprise. We discuss how to activate and configure it and then maintain and use it for operations.

Chapter 9, Advanced Configurations, discusses the configuration of Windows 10 for Virtual Desktop Infrastructure, kiosk mode, and methods for providing a clean and locked-down configuration for various purposes. Troubleshooting and the configuration of these scenarios will be covered.

Chapter 10, RedStone 3 Changes, describes the new features in RedStone 3, also known as Fall Creators Update, including changes to power management, user interface, file security, eye tracking, and many more minor and major updates.

What you need for this book

We recommend that you install and activate a copy of Windows 10 Enterprise in a test environment. An Active Directory domain will be required in order to test new Group Policy options. An Azure subscription will be required to test the following features covered in this book:

Azure Active Directory domain join

Microsoft Intune for device management

Security center for Advanced Threat Protection (ATP)

You may also want an Office 365 subscription to see the complete integration between Windows Defender ATP and Office 365 ATP.

Who this book is for

If you are a system administrator who has been given the responsibility of administering and managing Windows 10 RedStone 3, then this book is for you. If you have deployed and managed previous versions of Windows, that would be an added advantage.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply email [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/Windows10forEnterpriseAdministrators_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books (maybe a mistake in the text or the code), we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at [email protected] with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Installation and Upgrading

In this chapter, you'll learn the concepts and best practices of the new deployment options introduced with Windows 10. We will look into the traditional wipe and load method and the complementing new options of in-place upgrade and provisioning and provide some context to the difference these deployment options can make. Finally, we will look at the improvements made with the Windows 10 Redstone Branch 1607/1703/1709, also known as Anniversary Update, Creators Update, and Fall Creators Update, and learn some tips and tricks for a smooth in-place upgrade.

We will cover the following topics:

Differences between Current Branch, Current Branch for Business, and Long-Term Servicing Branch

Risks and support life cycles of these branches

New deployment methods: in-place upgrade and provisioning

Limitations and blocker of in-place upgrade

Problems of traditional wipe and load

Improvements in deployment since Windows 10 1511

Tips and tricks for a smooth in-place upgrade from 7, 8.1, or 10 to 10

Selecting the correct deployment tool

Which branch to select?

Before we can select the best deployment method, we need to select a suitable branch, as one branch implies some timing restrictions due to shorter support timelines, which will be explained now.

Current Branch, also known as Semi-Annual Channel (Targeted)

Beginning with Windows 10 and its new Windows as a service concept, you can choose between two main flavors. All Windows 10 Home, S, Professional, Pro for Workstation, Enterprise, and Education SKUs support the Current Branch (CB) model. This branch was renamed with Windows 10 1709 to Semi-Annual Channel (Targeted). When Microsoft officially releases a new feature update for Windows 10, that update is marked as CB / Semi-Annual Channel (Targeted).

In this CB model, the system will be updated up to three times a year (don't worry, the Windows 10 product group stated that they normally plan only one to two releases per year). As soon as this CB is available, it will be rolled out to all Windows 10 installations, which will be getting their updates directly from Windows Update (WU) online. The rollout will be done in stacked waves.

If you want to postpone such a rollout, you need to defer feature updates, which is an option only available in Pro, Pro for Workstation, Enterprise, and Education. You can defer updates via GPO for 1-8 months when using WU, or directly inside your Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), or third-party deployment solution for an even longer time frame.

To distinguish between the different branches, a lot of people use the build numbers. But it is cumbersome to memorize all these builds: 10240, 10586, 14393, and so on. You should use this naming only when speaking of Windows Insider builds.

Also, the code names are not that clear and do not describe at what time a version was released (for example, Threshold 1/2, Redstone 1/2/3, and so on). With the Windows 10 release in 2016, they also introduced public code names such as Anniversary Update or Creators Update. But this is more or less only a way for marketing to describe a future version without already stating the exact release date, which is possibly not fixed at the time of announcing the new version.

The best way to identify a Windows 10 version is to use its year-month nomenclature. So the version originally released as Windows 10 in July 2015 is now referenced as 1507, the one from November 2015 as 1511, the Anniversary Update from 2016 as 1607, the Creators Update as 1703, and so on.

Current Branch for Business, also known as Semi-Annual Channel

When speaking of the defer option, a lot of sources mix it up with the Current Branch for Business (CBB). But this is only partially correct. When a new Windows 10 version is released, it is automatically CB. After around 4 months, when several cumulative updates have ironed out all remaining hiccups or when a newer version is released, the ISOs will be updated and the CB will be declared as CBB. So CBB is not different in its bits and bytes; it's just updated media and a different name.

This branch was renamed with Windows 10 1709 to Semi-Annual Channel.

If there is no newer version at the time a version is declared to be CBB / Semi-Annual Channel, a version can be both CB / Semi-Annual Channel (Targeted) and CBB / Semi-Annual Channel at the same time. The most up-to-date version information can be found at https://technet.microsoft.com/en-us/windows/release-info.aspx. The new (Targeted) extension is meant as advice to pilot this version on targeted systems.

Organizations can selectively delay CB and CBB updates into as many phases as they wish (also called a ring model) using one of the servicing tools mentioned in the CB section. Deferring a version long enough will result in it being on an older branch than the current CBB. If you now name it just CBB, it could be misleading.

We should instead always speak of a CB or CBB with its version (for example, CBB 1703) or as CBB and CBB+1, where CBB+1 is the older version. I prefer the year-year-month-month (YYMM) versioning. With 1709, the CBB/CBB+1 naming convention is also completely replaced by Semi-Annual Channel (Targeted) and Semi-Annual Channel (without any extension). So beginning with Windows 10 1709, we should speak of Semi-Annual Channel 1709.

So, when you are able to defer feature updates as long as you want, how long is such a CBB / Semi-Annual Channel version supported and getting security updates?

Support timeline before 1709

Before the release of Windows 10 1709, this was rather complicated. The answer is a minimum of 12 months of support, according to Michael Niehaus, Director of Product Marketing for Windows at Microsoft:

Each Windows release, for example 1511, has a finite support time frame. This is at least 12 months, but it could be more based on the fact that we’ll always support at least two CBB releases in the market at all times, when the third one is declared, the first one drops from support. For Pro and preceding SKUs, you can specify that you want to defer upgrades, which causes new feature upgrades to not be installed until they have been declared CBB. (For the Home SKU, you can’t do this, so new feature upgrades happen automatically soon after we release them.)

Most people were only reading 12 months and getting scared. But in fact, the support time frame can be much longer:

The minimum 12 months' time frame starts at the time when a release gets declared as CBB. So you always get a minimum 4 months of CB (blue bar) + 12 months of CBB (orange bar) + 60 days grace period (grey bar) after a release goes out of support. So each feature update release will be supported and updated for a total time frame of at least 18 months.

Depending on how many releases are done per year, this time frame could be even longer, because a release will be supported as long as there are no more than two CBB versions at the same time. For example, 1511 released in November 2015 got support until 1703 was declared CBB in August 2017, and with an additional grace period of 60 days, it was supported and updated for 24 months in all. (Version 1511 was declared CBB in March 2016, release 1607 was declared CBB in November 2016. When release 1703 was declared CBB, there would have been three CBB versions in the field and so support for the 1511 CBB was dropped and the grace period started.)

In the unlikely event of three releases a year, the other rule of a minimum 12 months' CBB support will jump in, so in all circumstances, you will always get a minimum of 18 months of total support and update time beginning with GA.

Support timeline since 1709

All these CBB, CBB+1, and grace period phases were more confusing than helpful. With the release of Windows 10 1709, a lot of things were made easier. CBB is now named Semi-Annual Channel, and there is no more grace period, no more calculating, and no more dependence on any version release. You will get a fixed full support time frame of 18 months.

Windows 10 will be released two times a year, with target time frames of March and September. After release, each Windows 10 version will be supported for a fixed 18 months, and the end-of-support date will be available on the release date or shortly after.

A lot of enterprise customers have already requested longer support timelines. At the time of writing this book, the time frame was still 18 months. Look out for announcements regarding a longer opt-in time frame after the release of 1709.
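The two support rules described in the sections above (before 1709 and since 1709), worked through as an added example that is not code from the book. It shows how to turn them into a check for machines that are past their guaranteed security-update window. The function names, host names, and the day-of-month values are assumptions; the months come from the text or from the YYMM version name.

```python
import calendar
from datetime import date, timedelta

GRACE = timedelta(days=60)   # grace period after a pre-1709 release drops out
MIN_CBB_MONTHS = 12          # guaranteed minimum time as CBB
FIXED_MONTHS = 18            # fixed support window from 1709 onwards

# Constructed sample data: (version, general availability, declared CBB).
# Day 1 of each month is an assumption; only the months are given in the text.
RELEASES = [
    ("1511", date(2015, 11, 1), date(2016, 3, 1)),
    ("1607", date(2016, 7, 1), date(2016, 11, 1)),
    ("1703", date(2017, 3, 1), date(2017, 8, 1)),
]
GA_SINCE_1709 = {"1709": date(2017, 9, 1)}  # constructed GA date


def add_months(d, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def end_of_updates_pre_1709(version, releases=RELEASES):
    """Return (date, final) for a release serviced under the CB/CBB rules.

    Support drops when a third CBB is declared, but never earlier than
    12 months after the release's own CBB declaration; 60 days of grace follow.
    final is False while the release two versions later has no CBB date yet,
    in which case the date is only the guaranteed minimum.
    """
    i = [r[0] for r in releases].index(version)
    floor = add_months(releases[i][2], MIN_CBB_MONTHS)
    if i + 2 < len(releases):
        third_cbb = releases[i + 2][2]
        return max(third_cbb, floor) + GRACE, True
    return floor + GRACE, False


def end_of_updates_since_1709(ga):
    """From 1709 onwards: a fixed 18 months counted from release."""
    return add_months(ga, FIXED_MONTHS)


def end_of_updates(version):
    if version in GA_SINCE_1709:
        return end_of_updates_since_1709(GA_SINCE_1709[version]), True
    return end_of_updates_pre_1709(version)


def stale_hosts(fleet, today):
    """Hosts whose version is past its (guaranteed) end-of-updates date.

    For a non-final date the host is past its guaranteed window and must be
    checked against the current release information.
    """
    return sorted(h for h, v in fleet.items() if end_of_updates(v)[0] < today)


# Constructed inventory with hypothetical host names.
SAMPLE_FLEET = {
    "ws-finance-01": "1511",
    "ws-hr-02": "1607",
    "ws-dev-03": "1703",
    "ws-dev-04": "1709",
}
SAMPLE_TODAY = date(2018, 1, 15)

if __name__ == "__main__":
    for name, _, _ in RELEASES:
        print(name, end_of_updates(name))
    print("1709", end_of_updates("1709"))
    print("past guaranteed window:", stale_hosts(SAMPLE_FLEET, SAMPLE_TODAY))
```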

The Long-Term Servicing Branch

The Long-Term Servicing Branch (LTSB) has a ten-year support time frame, as with former Windows releases. This ten-year time frame is split into five years of main support and five years of extended support. During it, the LTSB will only get security and quality updates but no feature updates. Stability and not breaking anything are the most critical points.

LTSB versions are only available as Windows 10 Enterprise LTSBs. So if you do not have Windows 10 Enterprise, you won't qualify for LTSB. The version always contains a year in its name. So the first LTSB version created is now referenced as Windows 10 Enterprise LTSB 2015. In 2016, Windows 10 Enterprise LTSB 2016 was released, but don't expect this to be a standard occurrence. Releasing the 2016 version was an exception, and the next LTSB version is not planned for release before 2019. New LTSB releases are planned typically every two or three years. To get new features, you will need to install a newer LTSB version.

IT pros who get nervous reading about two updates per year on the CB/CBB branch may be tempted to select the LTSB, as at first it looks like the support strategy of all the previous Windows versions. But there are several risks and limitations when choosing the LTSB.

The LTSB was designed for specialized systems such as controlling medical equipment, point-of-sale systems, and ATMs. These devices typically perform a single important task and don't need feature updates as frequently as other devices.

The LTSB is not intended for deployment on most or all PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore is better suited for the CB or CBB servicing branch: https://technet.microsoft.com/itpro/windows/manage/waas-overview.

Maximum compatibility, reliability, and stability are the key focuses of the LTSB, which makes changes to the kernel and system less likely. If MS Office or another product on your system needed a patch that requires changes to the system, that patch would be blocked. Therefore, you could end up in a situation where the only workaround would be waiting for the next (fixed) LTSB or changing to CB/CBB in the meantime.

LTSB problem silicon support - potential risk with Zen, Cannonlake, and newer CPUs

Windows 10 LTSBs will support the processors available at the time of release of the LTSB. As future processor generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. This enables us to focus on deep integration between Windows and the processor, while maintaining maximum reliability and compatibility with previous generation platforms and processors: https://support.microsoft.com/en-us/help/18581/lifecycle-policy-faq-windows-products.

At the time of the LTSB 2016 release, the latest processor families were Intel's Kaby Lake and AMD's Kaveri platforms. Newly released processors such as AMD Zen or Intel Cannonlake will most likely not be supported on LTSB 2016 as they will need modifications to the kernel and the system, and this is in conflict with the maximum reliability and compatibility goals.

Limitations of LTSB

The LTSB has some more limitations, which the following table summarizes:

Even though support for performing an in-place upgrade from LTSB to CB/CBB has been introduced since 1607/LTSB 2016, there is no support yet for performing an in-place upgrade from a down-level OS to LTSB or from CB/CBB to LTSB.

So you could end up in a situation where Kaby Lake and Kaveri are no longer available, but neither is the LTSB version, so you will have an image but no suitable hardware.

Recommendations

With all the limitations and caveats of LTSB, it is best to stay with CB and CBB for most of your PCs. Use LTSB only in situations where long-term maintenance is essential, such as in production lines, point-of-sale systems, and medical control systems. Most enterprise customers decide to roll out CB and CBB on their main general-purpose systems, and so should you.

New deployment methods

With the introduction of Windows 10, there was also a change to the installation mantra. Earlier, it was recommended you create a golden image and always perform a wipe and load sequence. Now with Windows 10, it is recommended you perform an in-place upgrade. Also, a new option with provisioning is now possible. We will look at the different new possibilities.

Why in-place upgrades?

With the improvements to the Windows servicing stack, in-place upgrades have become faster and more robust. In-place upgrades aren't the go-to solution, but will do well for a large number of scenarios. Performing an in-place upgrade preserves all data, settings, apps, and drivers, so it removes a large part of the complexity of migration, transfer of user profiles, and (re-)installation of programs.

A big benefit of performing an in-place upgrade is 100% rollback in case of failure. With a classic wipe and load, if there is something wrong after installation, the user ends up with nothing, putting a high time pressure on IT to solve the problem. Mostly, this pressure results in a fast workaround of reinstalling the client a second time and losing all data, settings, apps, and so on.

When something goes wrong during an in-place upgrade, it will completely roll back to its original OS and the user will still be able to work with their client. This gives IT some time to inspect what went wrong and try again later when they have a fix. Even after a successful upgrade, IT has the ability to roll back to the old OS for 10 days if something else is not working as expected.

The current in-place upgrade process is divided into four phases, with multiple reboots in between:

The Downlevel Phase: Depending on whether you are executing setup.exe or executing this phase by upgrading via Windows Update or WSUS, the GUI will be different. But technically, the following steps always need to be done:

Build a $Windows.~BT folder, analyzing the system and downloading required cumulative updates (if not restricted by setup flags)

Extract required drivers from the running system or (if not prohibited by setup flags) download drivers from Windows Update

Prepare the system and the sources, place a SafeOS Windows Preinstallation Environment (PE) boot environment, upgrade the boot entry, and suspend BitLocker (if running)

You will see this phase as Windows Update preparing your system, counting from 0% to 100%. The system will reboot after this phase. Setup result error codes (the second code after the 0xC19xxxxx code) in this phase typically start with 0x100.

The SafeOS Phase: In this phase, a Windows PE instance is running, which is why it is called so. The recovery partition will be prepared and updated, the old OS will move offline to Windows.old, a new Windows folder will be built, and the new OS WIM will be applied to the drive. Dynamic updates and OS updates will now be installed. After that, the required drivers will be integrated so the system can boot from the new Windows version next time. You will see this phase in older Windows 10 releases as a black screen with a grey ring, like doing a setup installation, and in releases since 1607 as a blue screen, like installing Windows Updates, with a message stating part 1 of 3 and counting from 0% to around 30%. The system will reboot after this phase. Setup result error codes (the second code after the 0xC19xxxxx code) in this phase typically start with 0x2000C or 0x20017.

The First Boot Phase: Now the new system will boot up for the first time and run through the sysprep phase. Device drivers are getting ready and the migration plugin is running to extract all required data from the old OS. Already, the first boot data and settings have been applied. You will see this phase as part 2 of 3 and counting from 30% to 60%. The system will reboot after this phase. Setup result error codes (the second code after the 0xC19xxxxx code) in this phase typically start with 0x30018 or 0x3000D.

The Second Boot Phase