The Enterprise Feature Update Deployment plan for Windows 10 launched with the 20H2 Feature Update for Windows 10 in 2021 and is being revamped for the deployment of Windows 10 22H2 in 2023. The plan will help USGS shorten the window of time required to move between Windows 10 Feature Update versions and standardize annual feature update deployment methods across the Bureau.
Windows 10 21H2 and 22H2 share a common core operating system with an identical set of files (see: KB5015684). As such, upgrades from 21H2 to 22H2 are lightweight in comparison to previous Windows 10 feature update experiences. Windows 10 21H2 contains inactive 22H2 features, which can be activated by installing an “enablement package” software update. Due to the small size of this deployment, the USGS will be able to upgrade all 21H2 installations to 22H2 rapidly.
The Web Report GS: Windows 10 21H2 to 22H2 Status (Web Reports, doi.net), in combination with the AD Status page, can be used to monitor 22H2 deployment progress. Note: the OS Version Number Property used in the Web Report filter updates once per day.
Resources:
- Video Demo – Feature Update via USAT
- What’s new in Windows 10, version 22H2 for IT pros | Microsoft Learn
Deployment Plan Overview
Deployment Plan Phases:
Development: During the initial phase, the Information Security Office and BWTST conduct initial OS testing, STIG development, and upgrade tools development and testing.
Pilot: Fast Ring and Early Adopters will be a single consolidated deployment ring with a deadline that aligns with the Monthly Fast Ring patching deadline in March (Tuesday, March 21, 2023). Computers in the Fast Ring will install the March Cumulative update and the Windows 10 22H2 Enablement update at the Fast Ring deadline. Testing has shown that after installation of both items and a single reboot, the computer is both patched and upgraded. Computers in the Early Adopters group that are not members of Fast Ring will be rebooted for patching during the March cumulative update cycle.
USGS approval of Windows 10 22H2 is expected to occur upon successful completion of the Pilot phase.
Production: Production will consist of two deployment rings. Ring 3 includes ePatching Reboot computers. The 22H2 Enablement update will be deployed alongside the March Cumulative Update. Ring 4 includes all remaining Windows 10 21H2 clients, including No Reboot ePatching computers. Ring 4 begins with Ring 3 but has a 5 1/2 week-long deployment window. There will be a one-month delay after the final deployment deadline before the USGS End-of-Life date for Windows 10 21H2.
Planning Considerations:
Reboot / No Reboot Computers: No Reboot computers are a part of Ring 4 and have an extended deployment window, with an enforced reboot at the deadline. Local IT should work with users of No Reboot computers to schedule the upgrade during the deployment window, ahead of the enforced reboot deadline.
Peer Cache: Peer Cache systems will not be excluded from the Fast Ring deployment ring, due to the rapid deployment schedule alongside patching.
32-bit Windows 10: The USGS Standard Configuration for Windows 10 is 64-bit. 32-bit Windows 10 systems are not in scope of the Windows 10 Feature Update Enterprise Deployment Plan. For systems with a business case to run 32-bit Windows 10, contact the Service Desk to request upgrade guidance.
The MECM Baseline GS-ENT Public Desktop Permissions, which grants standard users permission to delete desktop icons from the %publicdesktop% folder, will be deployed alongside the Enablement Package update.
22H2 Deployment Rings
The Proposed Windows 10 Feature Update Deployment Schedule is listed below:
Ring | Description | Deployment Available | Deployment Deadline | Collection or Group in Scope of Deployment | Comments |
---|---|---|---|---|---|
0 | Development | January 2023 | N/A | N/A | ISO and BWTST Members |
1 | Pilot: Early Adopters | 3/16/2023 (Thurs), 2:30PM | 3/21/2023 (Tues), 2:00AM | Members of “IGSGBWTST Win10 Feature Update Ring 1 – Early Adopters” | 5 Days: Deployment aligns with March ePatching Fast Ring |
2 | Pilot: Fast Ring (no Peer Cache) | 3/16/2023 (Thurs), 2:30PM | 3/21/2023 (Tues), 2:00AM | Existing Members of Fast Ring | 5 Days: Deployment aligns with March ePatching Fast Ring |
3 | Production | 3/22/2023 (Wed), 2:30AM | 3/29/2023 (Wed), 2:00AM | All ePatching Reboot Windows 10 21H2 Clients | 7 Days: Deployment aligns with March ePatching Production |
4 | Delayed Production | 3/22/2023 (Wed), 2:30AM | 5/1/2023 (Mon), 6:00PM | All Remaining Windows 10 21H2 Clients. | 5 1/2 Weeks: Begins with March ePatching Production Window. Reboot is enforced at the deadline |
Local IT Actions Required
1 – Build an Early Adopters Group
Each site is responsible for populating the pre-staged AD Security group with computers that can participate in Early Adopters for Windows Feature Updates.
- Create an AD Security group using the following naming convention: OU Name – Windows 10 Feature Update Ring 1 – Early Adopters
- Populate the group with computers that will be a part of the Early Adopter deployment ring. Be sure to select “Computers” as an object type.
- Make the new local group a Member Of IGSGBWTST Win10 Feature Update Ring1 – Early Adopters
2 – Review Fast Ring Membership
Review local Fast Ring membership to ensure that approximately 10% of systems are Fast Ring members and that the Fast Ring member list is a diverse sample of systems from the site. Fast Ring guidance is here.
3 – Coordinate and Communicate
A communication template is available to use on the ESS Communication Resources for IT webpage: Windows 10 22H2 Feature Update.v1.docx
4 – Monitor and Provide Feedback
Use the GS.DOI.NET Status Dashboard (usgs.gov) and the BigFix Web report GS: Windows 10 21H2 to 22H2 Status to monitor upgrade status. Note: the OS Version Number Property used in the Web Report filter updates once per day.
Provide Feedback using this Service Desk Form.
22H2 FAQs
What can I do if the MECM deployment isn’t working?
The easiest option is to use the following PowerShell command to download the update directly from Microsoft and install it with DISM:
invoke-webrequest -UseBasicParsing -Uri "http://b1.download.windowsupdate.com/c/upgr/2022/07/windows10.0-kb5015684-x64_d2721bd1ef215f013063c416233e2343b93ab8c1.cab" -OutFile "C:\SoftwareLogs\windows10.0-kb5015684-x64_d2721bd1ef215f013063c416233e2343b93ab8c1.cab" ; start-process -wait -PassThru dism.exe -ArgumentList "/online /add-package /packagepath:`"C:\SoftwareLogs\windows10.0-kb5015684-x64_d2721bd1ef215f013063c416233e2343b93ab8c1.cab`"" -NoNewWindow
If further assistance is needed, reach out to BWTST. In some cases, a reimage will be necessary.
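The command above fetches the CAB over plain HTTP and passes it straight to DISM, so it is worth checking the file between the two steps. The following is an added example, not part of the USGS guidance: it assumes the 40 hexadecimal characters at the end of the Windows Update file name are the SHA-1 of the file, and the function name Test-UpdateCab is hypothetical.

```powershell
# Added example: verify the downloaded enablement package before DISM installs it.
$cab = 'C:\SoftwareLogs\windows10.0-kb5015684-x64_d2721bd1ef215f013063c416233e2343b93ab8c1.cab'

function Test-UpdateCab {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Assumption: the suffix after the last underscore is the file's SHA-1.
    $name = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -notmatch '_([0-9a-fA-F]{40})$') {
        throw "No SHA-1 suffix in file name: $name"
    }
    $expected = $Matches[1]
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    if ($actual -ne $expected) {          # string -ne is case-insensitive
        throw "SHA-1 mismatch: expected $expected, got $actual"
    }

    # SHA-1 only catches corruption or a swapped file; the Authenticode
    # signature is the stronger check that the package comes from Microsoft.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $true
}

# Install only when both checks pass; any failure throws and stops here.
if (Test-UpdateCab -Path $cab) {
    Start-Process -Wait -PassThru -NoNewWindow -FilePath dism.exe `
        -ArgumentList "/online /add-package /packagepath:`"$cab`""
}
```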
Post 22H2 Upgrade Known Issues
OS Version Reporting Issues
If, after the upgrade, the AD computer object is not reporting the new version of OS, check the following:
- If the computer is in a remote work or telework location, ask the user to connect to VPN.
- If the AD attributes on the computer object are not updating, check the lastlogondate and pwdlastset attributes for the computer object. If the dates are not current, communication needs to be repaired.
- Run the following PowerShell command on the host to repair the secure channel between the computer and the domain: Test-ComputerSecureChannel -Repair
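The checks above can be run across a whole OU from an admin workstation. This is an added example, not USGS tooling: the OU path is a placeholder, the 45-day threshold for "not current" is an assumption, and it relies on AD recording the OS version as "10.0 (19044)" for 21H2 and "10.0 (19045)" for 22H2.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FeatureUpdateReportingStatus {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # OU to inspect
        [int]$StaleDays = 45                        # assumption: age treated as "not current"
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $props  = 'OperatingSystemVersion', 'LastLogonDate', 'PasswordLastSet'

    Get-ADComputer -SearchBase $SearchBase -Filter 'OperatingSystem -like "Windows 10*"' -Properties $props |
        ForEach-Object {
            # Pull the build number out of a value such as "10.0 (19045)".
            $build = $null
            if ($_.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }

            # A missing date means the object has never checked in: treat as stale.
            # LastLogonDate is the replicated timestamp and can lag by up to two weeks.
            $stale = (-not $_.LastLogonDate)   -or ($_.LastLogonDate   -lt $cutoff) -or
                     (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)

            $action = if ($build -ge 19045) {
                'None: AD reports 22H2'
            } elseif ($stale) {
                'Connect to VPN, then run Test-ComputerSecureChannel -Repair'
            } else {
                'Dates are current: confirm the upgrade state on the host'
            }

            [pscustomobject]@{
                Name            = $_.Name
                Build           = $build
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                Action          = $action
            }
        }
}

# Placeholder OU: replace with the site's own distinguished name.
Get-FeatureUpdateReportingStatus -SearchBase 'OU=ExampleSite,DC=example,DC=net' |
    Sort-Object Build, LastLogonDate | Format-Table -AutoSize
```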