Overview and Use Case

The Windows 11 - Operate pack enables IT teams to report on the stability and security of their Windows 11 estate and to monitor OS versioning to keep devices up-to-date with Microsoft’s latest security patches (Quality Updates) and the annual windows upgrades (Features Updates).

Pre-Requisites

Version 6.30 Maintenance Release 8 (October 2021) / Nexthink Experience 2021.9 and above is required. Note this is to include support for Windows 11 and this version of the on-premise version of Nexthink must be present or there may be difficulty importing the pack.

Change log

V2.0.0.0 - Added remote action Invoke SCCM Upgrade to Windows 11 to provide an end to end Windows 11 Features Update deployment solution for SCCM environments

V1.0.0.0 - Initial Release

How the pack works

This Windows 11 - Operate pack is used for the daily monitoring and maintenance of your existing Windows 11 estate and assists in deploying the monthly security patches (Quality Updates) released by Microsoft as well as the (currently) yearly release of the next version of Windows 11 (Feature Updates).

The Windows 11 - Operate pack utilizes Digital Experience, reliability, and performance indicators that are measured continuously, allowing the IT teams to identify and rectify issues reported.

Pack Structure

The pack comprises two remote actions, two campaigns, five categories, an investigation, and metrics related to the dashboards.

The remote action “Test pending reboot” is utilized in order to determine whether or not a device requires rebooting. It should be run regularly, especially during deployments of Quality or Feature updates, as a reboot is normally required in order to complete the installation. More information regarding the remote action can be found here: Windows Update | Nexthink. The remote action “Invoke SCCM Upgrade to Windows 11” is used to provide a ‘no-touch’ solution where the employee can trigger the installation of the Feature upgrade of Windows 11 at a more convenient time.

Campaigns are used to prepare the employees for the upcoming Quality and Feature updates to Windows 11 and provide information on the new version of Windows when deployed.

The categories give you the ability to: exclude business-critical devices that are not part of the current deployment process, enter the new OS or build version of Windows 11 being deployed via the Quality and Feature updates, nominate the pilot candidates who will be the first to receive these updates, and provide a list of the master applications you wish to monitor.

An investigation is also provided so that when an employee receives the latest Feature update (and therefore the latest version of Windows 11), at their first logon to a device with the new version, they will receive a campaign welcoming them to the new version of the operating system and offering some tips on how to use it.

The remote action is used to a ‘no-touch’ solution where the employee can trigger the upgrade to Windows 11 at a more convenient time.

Remote action

The remote action, Invoke SCCM Upgrade to Windows 11, is used to provide a ‘no-touch’ solution where the employee can trigger the upgrade to Windows 11 at a more convenient time. A campaign targets employees who are asked whether they are ready to proceed with the upgrade to Windows 11. and they have the option of refusing the upgrade or selecting to defer for 10 minutes, 60 minutes or six hours. The times cannot be changed. When the employee selects the preferred time, a scheduled task is created on the employee's device with the deferred time selected. Once the time has elapsed, the scheduled task is triggered and a script is run invoking the SCCM task to install Windows 11.

Nexthink Experience customers can view the details of all remote actions via the Engage portal.

V6 customers can access the remote action results via the Finder.

The remote action has to be triggered manually and therefore needs to have the options ‘Allow manual triggering of the remote on these devices’ and ‘The remote action can be triggered on multiple devices at the same time’ ticked.

The remote action Invoke SCCM Upgrade to Windows 11 requires that the UID of the campaign Windows 11 - Operate - Invoke-SCCMUpgradeW11-Campaign and the SCCM task sequence ID be added to the input parameters of the remote action.

To achieve this:

Find the remote action Invoke SCCM Upgrade to Windows 11, right-click and select edit.

Find and expand the ‘Parameters’ section

Find the campaign Windows 11 - Operate- Invoke-SCCMUpgradeW11-Campaign, right-click and select Export → Campaign UID to clipboard

Return back to the remote action and paste the UID into the field ‘ENTER-CAMPAIGNID-HERE’ within the parameters:

Finally, enter the SCCM task id (refer to your SCCM administrator for this information) into the field ‘ENTER-TASKID-HERE’ and click Save when done.

The remote action can be invoked by either creating an investigation and adding it to the remote action or running the investigation and manually selecting the employees' devices and invoking the remote action.

To add the investigation to the remote action, select and edit as described above and tick the ‘Automatically run the remote action’ tick box and then drag and drop the investigation into the area indicated:

To manually select the devices, run the investigation and select the devices belonging to the Pilot users that are going to be upgraded by way of an investigation, right-click and select Remote actions → Invoke SCCM Upgrade to Windows 11

This will trigger the campaign where the pilot user selects the time to defer the upgrade for or to reject the upgrade:

Campaigns

Campaigns are used to prepare the employees for the upcoming Quality and Feature updates to Windows 11 and provide information on the new version of Windows when deployed by offering ‘tips and tricks'.

Nexthink Experience customers can view the details of all campaigns via the Engage portal.

V6 customers can access the campaign results via the Finder.

The campaigns are:

  • Windows 11 - Operate - Get ready

This campaign is sent to the employees, asking them to prepare to receive the next Quality or Feature updates that Microsoft has released for Windows 11. This 'Get ready' campaign should be sent as close as possible to when the migration will start.

The campaign asks the employee to back up their files, Outlook PST(s), and export their internet browser favorites. The list is not exhaustive. Based on company requirements and processes, these questions should be adapted or added to as required.

Within the questions, you have the ability to enter a link to your procedure that details the process required to back up the required files.

For example, in Step 1 within the screenshot below, the entry reads ‘Step 1: [Backup files and folders](ENTER_LINK_TO_PROCEDURE_HERE). Proceed to step 2 when done'. Replace ENTER_LINK_TO_PROCEDURE_HERE (do not delete the surrounding brackets) with the link to your procedure. The text displayed to the candidate will be Step 1: Backup files and folders. Proceed to step 2 when done

IMPORTANT: whilst the employees will have carried out the backups suggested within the campaign, the IT team must carry out a final differential backup to make sure that any changes since employees answered the campaign, the user backups carried out, and the migration started, have been captured.

  • Windows 11 - Operate - Welcome to Windows 11

An investigation detects when an employee first logs on to a Windows 11 device that has been upgraded with the next Feature update and displays a campaign welcoming them to the new version of the operating system and offering some tips on how to use it.

Please note that the two examples provided within the campaign are from the first release of Windows 11 so further tips will need to be added to the list to further assist and enrich the new operating system usage.

  • Windows 11 - Operate - Invoke-SCCMUpgradeW11-Campaign

This campaign is sent to the employees who are to receive the Windows 11 Feature Upgrade. The campaign must be published in order to be able to work successfully with the Invoke SCCM Upgrade to Windows 11 remote action. To publish, right-click the campaign and select ‘Publish’.

Click ‘Yes’ to the confirmation message:

The campaign is now shown in bold:

Apart from some changes to the text in the Header and Footer, no other changes should be made to the campaign as this could stop it from working.

Categories

Categories are used to exclude devices from the migration, such as servers or business-critical devices that are not to be part of the current migration process and are to be excluded from the metrics

The categories give you the ability to: enter the new OS or build version of Windows 11 being deployed via the Quality and Feature updates, exclude business-critical devices that are not part of the current deployment process, nominate the pilot candidates who will be the first to receive these updates, and provide a list of the master applications you wish to monitor.

The categories are:

  • Windows 11 - Operate - Build version

This category is used when deploying the Quality updates released by Microsoft on a monthly basis.

The category needs to be updated with the target OS build version that the operating system will be updated to when the Quality updates have been applied.

  • Windows 11 - Operate - Operating system version

This category is used when deploying the Feature updates released by Microsoft on a currently yearly basis.

The category needs to be updated with the target OS version and architecture version that the operating system will be upgraded to when the Feature update has been applied.

  • Windows 11 - Operate - Excluded devices

This category contains the devices that you wish to exclude from any updates until a later date. Servers have already been added, but if a business-critical device, for example, a workstation running a critical application, needs to be excluded then it should be added to this list.

  • Click on ‘Click here to add a new condition’ to add a device to exclude from the migration assessment. As an example, a device called LON10 has been added to the list. Click save or save and close when done.

  • Virtualization type

As virtual devices are not part of the scope due to the vastly different configurations on customer premises, the category Virtualization type, part of the Digital Experience Score pack, is utilized. Within the category, there is the ‘Virtual Desktop Infrastructure (VDI)’ keyword where the Auto-tagging conditions must be edited to match your environment.

  • Windows 11 - Operate - Pilot Candidates

This category lists the employees that have been determined as being suitable candidates to be the first to receive the Quality or Feature update.

The category can be populated by either of the two methods described below:

Method 1

  • Find the required pilot candidates via an investigation based on the criteria determined (i.e., by department, location etc.)

  • From the list retrieved from the investigation, right-click on the required employee name and select ‘Edit.’

  • the following dialogue is displayed:

  • Click on the drop-down box under ‘Keyword’ and select ‘Pilot candidate’ (please note that the wording may be truncated:

  • This will add a tick in the box next to Windows 11 - Operate - Pilot Candidates. Click ‘Apply’ to confirm and close the dialogue box. A message will be displayed saying the user was successfully edited

Method 2

  • Open the category by double-clicking on it

 

  • Enter the name of the employee in the last field. Click on ‘Click here to add a new condition’ and add an employees name. Keep clicking on ‘Click here to add a new condition’ to add new names until all pilot candidates have been entered. Click on Save or Save and close when done:

IE

  • Windows 11 - Operate - Master applications

Enter within this category the list of your master applications. These are the applications you expect to find on every device within your estate. It can also be used to exclude applications from being monitored. This is useful if you want to exclude certain applications due to licensing or for any other reason.

To add an application to either list:

  • Open the category by double-clicking on it:

  • Select either ‘Master applications’ or ‘Excluded applications’ from the list of keywords to the left

  • Click on ‘Click here to add a new condition’ and add an application name. Keep clicking on ‘Click here to add a new condition’ to add a new application until all applications have been entered. Click on Save or Save and close when done:

Two metrics have been created to identify devices not running all required master applications. Following changes to the category, the matching condition section in these metrics must be edited to reflect the total applications added to the list, minus one:

  • Windows 11- Operate - Master applications non-compliance

  • Windows 11 - Operate - Master applications and device security non-compliance

For example, based on the example list above, which contains three applications within the master application list, the metric Windows 11- Operate - Master applications non-compliance must be edited to count “less or equal to” two applications as shown below :

This causes the metric to look for any devices that have two or less of the master applications installed.

Dashboards

Summary

The Summary dashboard gives you an overview of the health of your Windows 11 estate and the progress of any Quality or Feature updates that may be in progress.

  • Summary

    • An overview of the total number of Windows 11 devices, how many have a Digital Experience Score below five, and how many devices have not had any user activity.

  • Devices with low devices score history

    • A history of the devices that have a score below five.

  • Device reboot status
    The display of devices that require a reboot is based on the output from the remote action “Test pending reboot”. Devices requiring a reboot for any reason are shown under ‘All pending a reboot’ and devices requiring a reboot after receiving a Feature or Quality update are shown under ’Pending a reboot after update'.

Device performance

  • Device operating system scores

    • The overall Digital Experience Score and the device performance score which is a sub-score of the Digital Experience Score.

  • Device operating system scores history

    • The history of the Digital Experience Score and the device performance score.

Feature updates

  • Overall landscape

    • This widget shows the count of devices that are waiting to be upgraded to the next version of Windows 11, the percentage of devices that have been upgraded to the next version, and devices that have been upgraded but have a low score. These should be investigated as a priority to discover why the score is low.

  • Devices updated with low score history

    • The history of devices that have been upgraded and have a low score. The support teams should strive to resolve issues on devices with a constant low score with a view to driving the score back up.

  • Digital Experience Score

    • The Digital Experience Score pre and post-upgrade are displayed. If the post-upgrade score is low, investigations should be carried out as to why.

  • Digital Experience Score history

    • A history of the score during the upgrade.

Quality updates

  • Overall landscape

    • This widget shows the count of devices that are waiting to be updated with the currently approved Quality updates for Windows 11, the percentage of devices that have been updated, and the devices that have been updated but have a low score. These should be investigated as a priority to discover why the score is low.

  • Devices upgraded with low score history

    • The history of devices that have been updated and have a low score. The support teams should strive to resolve issues on devices with a constant low score with a view to driving the score back up.

  • Digital Experience Score

    • The Digital Experience Score pre and post-update are displayed. If the post-update score is low, investigations should be carried out to discover why.

  • Digital Experience Score history

    • A history of the score during the update.

Application, compliance, and security

  • Security non-compliance

    • This widget gives a summary of your device compliance with regard to security and applications. Security compliance relates to whether the anti-virus is up to date, the firewall is turned on, and whether the User Access Control (UAC) has been disabled. Any non-compliant devices should be investigated as this poses a security risk to the company. Application compliance relates to whether the devices have the required master applications installed.

  • Security non-compliance history

    • A history of the security compliance of the devices within the Windows 11 estate.

Operational View

The Operational View dashboard gives you a more detailed view of the current Windows 11 estate.

  • Summary

    • An overview of the total amount of Windows 11 devices, how many have a Digital Experience Score below five, and how many devices have not had any user activity.

  • Digital with low devices score history

    • A history of the devices that have a score below seven.

Understand operating system landscape

  • Device operating system scores

    • The overall Digital Experience Score and the device performance score which is a sub-score of the Digital Experience Score.

  • Device operating system scores history

    • The history of the Digital Experience Score and the device performance score.

  • Remote vs Office workers

    • The count of remote and office workers, the operating system they are using, and their device score.

Stability

  • Device stability

    • The number of devices that have experienced stability issues highlighting bluescreens or hard resets, high CPU loads, high memory loads, and devices with a long boot or logon time.

  • Application stability

    • The number of devices that have experienced crashes or freezes

Feature Updates

The Feature Updates dashboard assists with the planning and rollout of the annual (currently) upgrade to the next version of Windows 11 as released by Microsoft. This increases the operating system version and the build version of Windows 11.

The campaign Windows 11 - Operate - Get ready can be used to ask potential pilot candidates whether they wish to be part of the pilot upgrade group and, if so, to prepare them for the upgrade by requesting and confirming that tasks that are essential to keeping user data safe are carried out. It is important to have the commitment from those selected to provide accurate and honest feedback.

  • Overall landscape

    • This widget shows the count of devices that are waiting to be upgraded to the next version of Windows 11, the percentage of devices that have been upgraded to the next version, and devices that have been upgraded but have a low score. These should be investigated as a priority to discover why the score is low.

  • Overall landscape history

    • This shows a timeline of devices that are waiting to be upgraded and those that have been upgraded.

  • Pilot to upgrade

    • The progress of the upgrade of the selected pilot candidates. The count of devices that are waiting to be upgraded to the next version, the percentage of devices that have been upgraded to the next version, and devices that have been upgraded but have a low score are shown. Devices upgraded with a low score should be investigated as a priority to discover why the score is low.

  • Pilot upgrade history

    • A history of the upgrade progress

Pilot Feature updates

  • Pilot Digital Experience score

    • The number of devices, by location, of the pre and post-upgrade Digital Experience scores following a Feature update. If the Target version score is significantly lower than the Previous version score then investigations should be carried out by the support team to discover the reason and rectify it.

  • Pilot OS version and architecture

    • The number of devices, by operating system version, showing the respective Digital Experience Score and Device score. Should the scores be significantly lower on the target operating system then investigations should be carried out by the support team.

Overall Feature updates landscape

  • Digital Experience score

    • The number of devices, by location, of the pre and post-upgrade scores following a Feature update. If the Target version score is significantly lower than the Previous version score then investigations should be carried out by the support team to discover the reason and rectify it.

  • OS version and architecture

    • The number of devices, by operating system version, showing the respective Digital Experience Score and Device score. Should the scores be significantly lower on the target operating system then investigations should be carried out by the support team.

Disk space readiness (system drive free space < 15Gb)

  • Disk space readiness

    • A display of the count and ratio of devices that have less than 15Gb of free space on the system drive. Whilst Quality updates do not require as much space as Feature updates, it is still recommended that the 15Gb be the target minimum before attempting to install any Quality updates.

  • Disk space readiness history

    • A history of the devices that have had less than 15Gb of free space. A growing trend should be investigated as to why disk space is being consumed.

Quality Updates

The Quality Updates dashboard assists with the planning and rollout of the Quality updates (security patches) that are released on a monthly basis (normally every 30 days). This increases the build version of the operating system.

The campaign Windows 11 - Operate - Get ready can be used to ask potential pilot candidates whether they wish to be part of the pilot update group and, if so, to prepare them for the update by requesting and confirming that tasks that are essential to keeping user data safe are carried out. It is important to have the commitment from those selected to provide accurate and honest feedback.

  • Overall landscape

    • This widget shows the count of devices that are waiting to be updated with the next Quality updates that are being deployed, the percentage of devices that have been updated to the next version, and devices that have been updated but have a low score. These should be investigated as a priority to discover why the score is low.

  • Overall landscape history

    • This shows a timeline of devices that are waiting to be upgraded and those that have been upgraded.

  • Pilot to upgrade

    • The progress of the update of the selected pilot candidates. The count of devices that are waiting to be updated to the next version, the percentage of devices that have been updated to the next version, and devices that have been updated but have a low score are shown. Devices updated but have a low score should be investigated as a priority to discover why the score is low.

  • Pilot upgrade history

    • A history of the update progress

Pilot Feature updates

  • Pilot Digital Experience score

    • The number of devices, by location, of the pre and post-update scores of the devices that have received the released Quality update. If the Target version score is significantly lower than the Previous version score then investigations should be carried out by the support team to discover the reason and rectify it.

  • Pilot OS version and architecture

    • The number of devices, by operating system version, showing the Digital Experience Score and Device score. Should the scores be significantly lower on the target operating system then investigations should be carried out by the support team.

Overall Feature updates landscape

  • Digital Experience score

    • The number of devices, by location, of the pre and post-update scores of the devices that have received the released Quality update. If the Target version score is significantly lower than the Previous version score then investigations should be carried out by the support team to discover the reason and rectify it.

  • OS version and architecture

    • The number of devices, by operating system version, showing the Digital Experience Score and Device score. Should the scores be significantly lower on the target operating system then investigations should be carried out by the support team.

Application, compliance, and security

This dashboard gives you an insight into how compliant your devices are with regards to anti-virus, Firewall, User Access Control, and applications.

A list of ‘Master Applications’ is maintained within the Windows 11- Operate - Master applications non-compliance category and devices that do not contain these applications will be highlighted.

Summary

  • Devices with non-compliant security

    • This widget shows a brief summary of how compliant your devices are with regards to security, applications, and both combined. Any devices failing the Security non-compliance or Full non-compliance checks should be investigated as a priority as this may place the wider company at risk.

  • Devices with non-compliant security history

    • A history of the security compliance of the devices within the Windows 11 estate.

  • Devices missing master applications

    • The count of devices per location that are missing applications as defined within the Windows 11- Operate - Master applications non-compliance category. This could indicate issues with the deployment of these applications or even possibly some elevated rights that an employee may have that they shouldn’t.

  • Devices missing master applications history

    • A history of the ratio of devices that have been missing the master applications as defined within the Windows 11- Operate - Master applications non-compliance category.

  • Most used applications not included in the master

    • A list of the most used applications that are being used on devices that have not been defined within the Windows 11- Operate - Master applications non-compliance category. This will include agents that may also be installed (i.e. the Nexthink Collector) and should be considered to be added to the Master Application list.

  • Most used applications with a graphical interface

    • A list of applications with direct employee interaction. Consideration should be taken as to whether they should be added to the Windows 11- Operate - Master applications non-compliance category.

  • Security

    • KPIs that display a count of the devices that have their antivirus either disabled or not up to date, or their Firewall or User Access Control (UAC) disabled. Any count on these KPIs should be investigated immediately as this may place the wider company at risk.

  • Security by region

    • Table showing the count of the devices via location that has their antivirus either disabled or is not up to date, or their Firewall or User Access Control (UAC) disabled. Any count on these KPIs should be investigated immediately as this may place the wider company at risk.