Computers Management: How we succeeded in getting all computers up to date in a few months
We have more than 4,000 computers at Cdiscount. Our objective was simple: to get all computers on Windows 10 up to date in less than 6 months, including OS, drivers, and BIOS. This project was key for security, for easing maintenance processes, and for improving UX for all employees.
The observation: our computers were not up to date
Managing operating system updates on computers has always been a challenge in every company. It has become essential in recent years as security vulnerabilities, and the threats exploiting them, have increased.
To tackle this issue at Cdiscount, the starting point was to get an overview of all the operating systems we had, to measure the road ahead and define a strategy.
The result was no surprise: 12 different versions, from Windows 7 to Windows 10, with nearly 70% of computers on unsupported operating systems.
The strategy: let’s update everything we can
We decided to handle the easiest cases first, in order to get a large number of computers up to date quickly. Technically speaking, we split the whole project into 4 steps:
· Step 1: From Windows 10 1903 to 20H2, the latest update was provided through Windows Updates so that computers could obtain it easily and effortlessly.
· Step 2: For other Windows 10 versions, we used the Microsoft Update Assistant that we deployed through ConfigMgr along with a PowerShell script to execute it. The aim was to get users to obtain the update from the Internet because we were in a period where most of them were working from home, and we wanted to minimize the impact on our VPN connections.
· Step 3: For older computers, the technology debt was significant, and Microsoft didn’t provide an easy process. Multiple updates were mandatory, which affected user experience. That’s why we decided to go through a task sequence in ConfigMgr to carry out an upgrade. In brief, the new Windows image was installed on the computer without any data loss for the user.
· Step 4: Some computers couldn’t be managed automatically for various reasons. The task sequence failed, a rollback was performed, or there was simply not enough disk space on the computer to download the update. In some cases, computers were obsolete and out-of-warranty, so it was the perfect opportunity to make a hardware change and provide users with a new laptop running Windows 10 21H1.
In each phase, deployment was performed at a comfortable pace so that any problem could be managed efficiently, and to avoid incidents that would impact hundreds of computers.
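The triage behind the four steps above, as an added example that is not Cdiscount's own script: it sorts a constructed inventory into the four lanes by Windows build number. The inventory, the `InWarranty` field, the 20 GB free-space threshold and the choice to pre-screen step 4 candidates before attempting an upgrade are assumptions of this example.

```powershell
# Constructed sample inventory (hypothetical names and values).
$inventory = @(
    [pscustomobject]@{ Name = 'PC-001'; Build = 19043; FreeGB = 120; InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-002'; Build = 19042; FreeGB = 64;  InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-003'; Build = 18362; FreeGB = 35;  InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-004'; Build = 17763; FreeGB = 48;  InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-005'; Build = 14393; FreeGB = 9;   InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-006'; Build = 7601;  FreeGB = 210; InWarranty = $true  }
    [pscustomobject]@{ Name = 'PC-007'; Build = 7601;  FreeGB = 150; InWarranty = $false }
)

# Windows build numbers for the boundaries used in the four steps.
$Build1507 = 10240   # first Windows 10 release
$Build1903 = 18362   # oldest version handled in step 1
$Build21H1 = 19043   # target version

function Get-UpgradeLane {
    param(
        [Parameter(Mandatory)] [psobject] $Computer,
        [int] $MinFreeGB = 20   # assumed threshold, not a figure from the article
    )
    $build = [int]$Computer.Build
    if ($build -ge $Build21H1)                { return 'Done: already on target' }
    # Pre-screen the machines that step 4 would otherwise catch after a failed attempt.
    if (-not $Computer.InWarranty)            { return 'Step 4: hardware replacement' }
    if ([int]$Computer.FreeGB -lt $MinFreeGB) { return 'Step 4: manual handling (disk space)' }
    if ($build -ge $Build1903)                { return 'Step 1: Windows Update' }
    if ($build -ge $Build1507)                { return 'Step 2: Update Assistant via ConfigMgr' }
    # Anything older than Windows 10 (Windows 7, 8.x) goes through the upgrade task sequence.
    return 'Step 3: ConfigMgr upgrade task sequence'
}

$plan = foreach ($pc in $inventory) {
    [pscustomobject]@{
        Name  = $pc.Name
        Build = $pc.Build
        Lane  = Get-UpgradeLane -Computer $pc
    }
}

# Per-computer assignment, then the size of each lane for planning the rollout pace.
$plan | Sort-Object Lane, Name | Format-Table -AutoSize
$plan | Group-Object Lane | Sort-Object Name | Select-Object Count, Name | Format-Table -AutoSize
```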
The engagement: user first
Engagement is key in every project, and this is even more important when you are affecting the work tool used by all employees.
Communication and support were at the center of this initiative. We involved every user so they would be aware of what would happen on their computers, and more importantly ‘why we are doing it’.
From a support perspective, Workplace teams were particularly involved in the project, especially during the fourth step, to handle computers that were not able to get the update and to renew the hardware. Managing this could have been a real challenge because of remote work, but it was handled successfully by making individual appointments with affected users.
The results: more than 95% of the computers didn’t need any physical maintenance
Following this strategy, we reached our initial objective to update the operating systems of more than 90% of computers used by staff in only a few months. That closed a significant security gap.
Only a few computers, less than 5%, needed physical maintenance.
Having a homogeneous fleet now allows us to apply a simple process for each new update. The length of the feedback period varies with the update and with how much observation time we consider necessary to avoid any problem. The pilot phase generally lasts two weeks and includes different user profiles to guarantee a wide spectrum of use cases. Then, we plan a period of two months for global deployment to cover almost all the computers, before managing the leftovers.
We adopt a cautious approach in the first two phases to prevent any issues. But having regained control over all our computers allows us to calmly manage global deployment and minimize effort on the leftovers.
And more importantly, the effort put into this project protects us by reducing the attack surface related to obsolete operating systems.
The final phase: repeat again and again
The job couldn’t be easier now — all the hard work has already been done and it’s only taken a matter of weeks to get all our computers updated to the latest operating system.
And after updating all computers to 21H1? Here comes Windows 10 21H2! So to close the project completely, we defined milestones by which a given version must have completely disappeared, on top of what Microsoft proposes. Like everywhere else, we have some legacy software or jobs running only on specific versions, and we need to plan their upgrade.
The whole process that we have defined to catch up with and maintain updates has become standard. Today, we rely on it not only for Windows updates, but for any update cycle: BIOS, drivers, agents, and so on.