Prepare to deploy Windows

Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items:

Now you're ready to actually start making changes in your environment to get ready to deploy.

Prepare infrastructure and environment

  • Deploy site server updates for Configuration Manager.
  • Update non-Microsoft security tools like security agents or servers.
  • Update non-Microsoft management tools like data loss prevention agents.

Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:

  1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.

  2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment.

  3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.

You should also look at the configuration of your organization’s environment and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example:

  • Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations.

  • Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.

However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example:

  1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.

  2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.

  3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.

Prepare applications and devices

You've previously decided on which validation methods you want to use to validate apps in the upcoming pilot deployment phase. Now is a good time to make sure that individual devices are ready and able to install the next update without difficulty.

Ensure updates are available

Enable update services on devices. Ensure that every device is running all the services Windows Update relies on. Sometimes users or even malware can disable the services Windows Update requires to work correctly. Make sure the following services are running:

  • Background Intelligent Transfer Service
  • Background Tasks Infrastructure Service
  • BranchCache (if you use this feature for update deployment)
  • ConfigMgr Task Sequence Agent (if you use Configuration Manager to deploy updates)
  • Cryptographic Services
  • DCOM Server Process Launcher
  • Device Install
  • Delivery Optimization
  • Device Setup Manager
  • License Manager
  • Microsoft Account Sign-in Assistant
  • Microsoft Software Shadow Copy Provider
  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
  • RPC Endpoint Mapper
  • Service Control Manager
  • Task Scheduler
  • Token Broker
  • Update Orchestrator Service
  • Volume Shadow Copy Service
  • Windows Automatic Update Service
  • Windows Backup
  • Windows Defender Firewall
  • Windows Management Instrumentation
  • Windows Management Service
  • Windows Module Installer
  • Windows Push Notification
  • Windows Security Center Service
  • Windows Time Service
  • Windows Update
  • Windows Update Medic Service

You can check these services manually by using Services.msc, or by using PowerShell scripts, Desktop Analytics, or other methods.
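
One way to script that check in PowerShell, as an added example that is not part of the original article: it separates services that have been disabled (the case the text attributes to users or malware) from demand-start services that are simply idle. The short service names are assumed mappings for a subset of the display names listed above, and Get-UpdateServiceHealth is a hypothetical function name.

```powershell
# Added example (not from the original page). Requires Windows PowerShell 5.1 or later.
# Assumption: these short names correspond to a subset of the display names listed above.
$required = [ordered]@{
    BITS                 = 'Background Intelligent Transfer Service'
    BrokerInfrastructure = 'Background Tasks Infrastructure Service'
    CryptSvc             = 'Cryptographic Services'
    DcomLaunch           = 'DCOM Server Process Launcher'
    DoSvc                = 'Delivery Optimization'
    RpcSs                = 'Remote Procedure Call (RPC)'
    RpcEptMapper         = 'RPC Endpoint Mapper'
    Schedule             = 'Task Scheduler'
    UsoSvc               = 'Update Orchestrator Service'
    TrustedInstaller     = 'Windows Module Installer'
    Winmgmt              = 'Windows Management Instrumentation'
    W32Time              = 'Windows Time Service'
    wuauserv             = 'Windows Update'
    WaaSMedicSvc         = 'Windows Update Medic Service'
}

function Get-UpdateServiceHealth {
    param([System.Collections.IDictionary]$Services = $required)
    foreach ($name in $Services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $finding = 'Missing' }
        elseif ($svc.StartType -eq 'Disabled') { $finding = 'Disabled' }
        elseif ($svc.Status -eq 'Running') { $finding = 'OK' }
        elseif ($svc.StartType -eq 'Automatic') { $finding = 'AutoNotRunning' }
        else { $finding = 'StoppedDemandStart' }   # manual or trigger-start services idle in this state
        [pscustomobject]@{
            Name      = $name
            Display   = $Services[$name]
            Status    = if ($svc) { $svc.Status } else { $null }
            StartType = if ($svc) { $svc.StartType } else { $null }
            Finding   = $finding
        }
    }
}

# Show everything that is not running; 'Disabled' and 'Missing' are the rows to investigate first.
Get-UpdateServiceHealth | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```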

Network configuration

Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:

Protocol    Endpoint URL
TLS 1.2     *.prod.do.dsp.mp.microsoft.com
HTTP        emdl.ws.microsoft.com
HTTP        *.dl.delivery.mp.microsoft.com
HTTP        *.windowsupdate.com
HTTPS       *.delivery.mp.microsoft.com
TLS 1.2     *.update.microsoft.com
TLS 1.2     tsfe.trafficshaping.dsp.mp.microsoft.com


Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.

The specific endpoints can vary between Windows 10 versions. See, for example, Windows 10 2004 Enterprise connection endpoints. Similar articles for other Windows 10 versions are available in the table of contents nearby.
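
To confirm from a device that the firewall honours the protocol listed for each endpoint, the following PowerShell (an added example, not part of the original article) walks the table above, opens a TCP connection to each concrete host, and negotiates TLS 1.2 where the table calls for it; the certificate issuer in the output also shows whether a TLS-inspecting device sits in the path. Assumptions: HTTP means TCP port 80, HTTPS and TLS 1.2 mean TCP port 443, the device connects directly rather than through a proxy, and Test-UpdateEndpoint is a hypothetical function name.

```powershell
# Added example (not from the original page). Endpoint table copied from this page.
# Assumption: HTTP = TCP 80; HTTPS and TLS 1.2 = TCP 443; direct connection, no proxy.
$endpoints = @(
    @{ Protocol = 'TLS 1.2'; HostName = '*.prod.do.dsp.mp.microsoft.com' }
    @{ Protocol = 'HTTP';    HostName = 'emdl.ws.microsoft.com' }
    @{ Protocol = 'HTTP';    HostName = '*.dl.delivery.mp.microsoft.com' }
    @{ Protocol = 'HTTP';    HostName = '*.windowsupdate.com' }
    @{ Protocol = 'HTTPS';   HostName = '*.delivery.mp.microsoft.com' }
    @{ Protocol = 'TLS 1.2'; HostName = '*.update.microsoft.com' }
    @{ Protocol = 'TLS 1.2'; HostName = 'tsfe.trafficshaping.dsp.mp.microsoft.com' }
)

function Test-UpdateEndpoint {
    param([string]$Protocol, [string]$HostName, [int]$TimeoutMs = 5000)
    $row = [ordered]@{ Protocol = $Protocol; HostName = $HostName; Port = $null; Result = '' }
    if ($HostName.StartsWith('*')) {
        # A wildcard cannot be resolved; the matching firewall rule has to be reviewed by hand.
        $row.Result = 'Wildcard: review firewall rule'
        return [pscustomobject]$row
    }
    $row.Port = if ($Protocol -eq 'HTTP') { 80 } else { 443 }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $row.Port).Wait($TimeoutMs)) {
            throw 'TCP connect timed out'
        }
        if ($row.Port -eq 443) {
            # Offer TLS 1.2 only, so a downgrade or a blocked handshake shows up as a failure.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
            $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
            $row.Result = "TLS OK ($($ssl.SslProtocol)); issuer: $($ssl.RemoteCertificate.Issuer)"
        } else {
            $row.Result = 'TCP 80 reachable'
        }
    } catch {
        $row.Result = "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$row
}

foreach ($e in $endpoints) { Test-UpdateEndpoint @e }
```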

Optimize download bandwidth

Set up Delivery Optimization for peer network sharing or Microsoft Connected Cache.

Address unhealthy devices

In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.

  • Low disk space: Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:

    • C:\Windows\temp
    • C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
    • C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
    • C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)

You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings.

  • Clean up the Windows Store Cache by running C:\Windows\system32\wsreset.exe.

  • Optimize the WinSxS folder on the client machine by using Dism.exe /online /Cleanup-Image /StartComponentCleanup.

  • Compact the operating system by running Compact.exe /CompactOS:always.

  • Remove Windows Features on Demand that the user doesn't need. See Features on Demand for more guidance.

  • Move Windows Known Folders to OneDrive. See Use Group Policy to control OneDrive sync settings for more information.

  • Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:

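    rem Stop the services that keep the Windows Update download cache open
    net stop wuauserv
    net stop cryptSvc
    net stop bits
    net stop msiserver
    rem Rename the cache folder; the second argument to ren must be a bare name, not a path
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    rem Restart the services; Windows Update re-creates the folder
    net start wuauserv
    net start cryptSvc
    net start bits
    net start msiserver
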
  • Application and driver updates: Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.

  • Corruption: In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the System File Checker.
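
For the low disk space item above, the following PowerShell (an added example, not part of the original article) compares free space on C: with the 2 GB, 8 GB and 15 GB figures and measures how much the listed cleanup candidates would free, without deleting anything, so the logs needed for failure investigation stay in place until someone decides otherwise. The function names are hypothetical; run it elevated so the Windows folders are readable.

```powershell
# Added example (not from the original page). Report only: nothing is deleted.
# Thresholds and candidate paths are the ones given on this page.
$thresholdsGB = [ordered]@{
    'Quality update'            = 2
    'Feature update (low end)'  = 8
    'Feature update (high end)' = 15
}
$candidates = @(
    'C:\Windows\temp'
    'C:\Windows\cbstemp'            # may be needed to investigate update failures
    'C:\Windows\WindowsUpdate.log'  # may be needed to investigate update failures
    'C:\Windows.Old'
)

function Get-PathSizeGB {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    # Works for a single file as well as a folder tree; unreadable items are skipped.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    [math]::Round($sum / 1GB, 2)
}

function Get-UpdateDiskReadiness {
    $freeGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 2)
    $reclaim = foreach ($p in $candidates) {
        [pscustomobject]@{ Path = $p; SizeGB = Get-PathSizeGB -Path $p }
    }
    $reclaimGB = ($reclaim | Measure-Object -Property SizeGB -Sum).Sum
    $checks = foreach ($k in $thresholdsGB.Keys) {
        [pscustomobject]@{
            Requirement      = $k
            NeedGB           = $thresholdsGB[$k]
            EnoughNow        = ($freeGB -ge $thresholdsGB[$k])
            EnoughAfterClean = (($freeGB + $reclaimGB) -ge $thresholdsGB[$k])
        }
    }
    [pscustomobject]@{ FreeGB = $freeGB; Candidates = $reclaim; Checks = $checks }
}

$report = Get-UpdateDiskReadiness
"Free space on C: $($report.FreeGB) GB"
$report.Candidates | Format-Table -AutoSize
$report.Checks | Format-Table -AutoSize
```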

Prepare capability

In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:

  • Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.

  • Validate new changes to understand how they affect the wider environment.

  • Remediate any potential problems that have been identified through validation.

Prepare users

Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.

You can employ a variety of measures to achieve this goal, for example:

  • Send an overview email about the update and how it will be deployed to the entire organization.
  • Send personalized emails to users about the update with specific details.
  • Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
  • Provide the ability to voluntarily update at users’ convenience.
  • Inform users of a mandatory installation date when the update will be installed on all devices.