Operating System Upgrade
Operating system upgrades replace the core software layer on endpoints and servers with a newer version, requiring coordination across applications, drivers, security configurations, and user workflows. This task covers Windows, macOS, and Linux upgrades for both individual devices and fleet-wide deployments.
The upgrade path determines much of the complexity. In-place upgrades preserve user data, applications, and configurations while replacing system files, completing in 1-3 hours per device. Clean installations erase the existing system and require application reinstallation and data restoration, completing in 4-8 hours per device including reconfiguration but providing a known-good baseline. The choice between these paths depends on the current system state, application compatibility requirements, and available deployment capacity.
Prerequisites
Successful operating system upgrades require preparation across hardware inventory, application compatibility, backup verification, and deployment infrastructure. Incomplete prerequisites cause upgrade failures, application breakage, and extended downtime.
Hardware requirements
Each target operating system version specifies minimum and recommended hardware. Windows 11 requires TPM 2.0, Secure Boot capability, 4GB RAM minimum (8GB recommended), 64GB storage, and UEFI firmware. macOS versions specify minimum Mac models by year of manufacture. Ubuntu and similar Linux distributions require UEFI or legacy BIOS support depending on configuration.
Verify hardware compatibility across the device fleet before planning upgrades. For Windows devices, run the PC Health Check tool or query WMI programmatically:
```powershell
# Check Windows 11 hardware compatibility
Get-CimInstance -ClassName Win32_TPM -Namespace root\cimv2\security\microsofttpm | Select-Object SpecVersion, IsEnabled_InitialValue, IsActivated_InitialValue

# Verify Secure Boot status
Confirm-SecureBootUEFI

# Check available disk space
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'" | Select-Object @{N='FreeSpaceGB';E={[math]::Round($_.FreeSpace/1GB,2)}}
```
For macOS devices, verify model compatibility against Apple’s published requirements:
```bash
# Get Mac model identifier
system_profiler SPHardwareDataType | grep "Model Identifier"

# Check current macOS version
sw_vers -productVersion
```
Generate a fleet-wide compatibility report before proceeding. Devices failing hardware requirements need replacement or exclusion from the upgrade.
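One way to turn the individual Windows checks above into a report row per device, shown as an added example that is not part of the original page. The function name `Get-Win11Readiness` and the CSV file name are hypothetical; the thresholds are the Windows 11 minimums listed in this section.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): one readiness record per device.
# Function name and output file name are hypothetical.
function Get-Win11Readiness {
    $blockers = [System.Collections.Generic.List[string]]::new()

    # TPM: SpecVersion is a comma-separated string; the first field is the spec level
    $tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    if ($tpmVersion -notlike '2.*') { $blockers.Add("TPM 2.0 required, found: $tpmVersion") }

    # Secure Boot: the cmdlet throws PlatformNotSupportedException on legacy BIOS,
    # which doubles as the UEFI check. $false means UEFI with Secure Boot switched off,
    # which still satisfies "Secure Boot capability" and is reported, not blocked.
    $uefi = $true
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch [System.PlatformNotSupportedException] { $uefi = $false; $secureBoot = $false }
    if (-not $uefi) { $blockers.Add('Legacy BIOS firmware (UEFI required)') }

    # RAM: rounded, because firmware reservations make a 4GB device report slightly less
    $ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
    if ($ramGB -lt 4) { $blockers.Add("RAM ${ramGB}GB (4GB minimum)") }

    # Storage: size of the system volume, not free space
    $volGB = [math]::Round((Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").Size / 1GB)
    if ($volGB -lt 64) { $blockers.Add("System volume ${volGB}GB (64GB minimum)") }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        TpmVersion        = $tpmVersion
        Uefi              = $uefi
        SecureBootEnabled = $secureBoot
        RamGB             = $ramGB
        SystemVolumeGB    = $volGB
        Ready             = ($blockers.Count -eq 0)
        Blockers          = ($blockers -join '; ')
    }
}

# Append this device's record to a shared report (file name is a placeholder)
Get-Win11Readiness | Export-Csv -Path "win11_readiness.csv" -NoTypeInformation -Append
```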
Application compatibility assessment
Applications interact with operating system APIs, kernel interfaces, driver models, and runtime environments. Major operating system versions change these interfaces, breaking applications that depend on deprecated or modified functionality.
Inventory all installed applications across target devices. For Windows, export from management tools or query directly:
```powershell
# Export installed applications (MSI-based)
# Note: enumerating Win32_Product makes Windows Installer run a consistency check on every package, so expect it to be slow
Get-CimInstance -ClassName Win32_Product | Select-Object Name, Version, Vendor | Export-Csv -Path "installed_apps.csv" -NoTypeInformation

# Include non-MSI installations
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher | Export-Csv -Path "installed_apps_registry.csv" -NoTypeInformation -Append
```
Cross-reference the application inventory against vendor compatibility statements. Enterprise applications typically publish compatibility matrices. For applications without official statements, test in a representative environment before broad deployment.
Line-of-business applications
Custom and legacy applications require explicit testing. Vendor statements cover only standard configurations. Applications with kernel drivers, custom authentication, or hardware integration frequently require updates for new operating system versions.
Backup verification
Confirm that backup and recovery mechanisms function correctly before beginning upgrades. Test restoration of:
- User profile data (documents, desktop, application settings)
- Application data directories
- System configuration (for servers)
- Full system image (for recovery scenarios)
Execute a test restore to a spare device to verify backup integrity. Backup verification procedures appear in Backup Verification.
Deployment infrastructure
Remote upgrades require functioning deployment infrastructure. Verify:
| Component | Verification method | Expected result |
|---|---|---|
| MDM/endpoint management | Console connectivity test | All target devices reporting |
| WSUS/SCCM (Windows) | Synchronisation status | Current update catalogue |
| Network distribution points | Content library verification | OS image accessible |
| PXE boot infrastructure | Test boot from network | Boot menu appears |
| Bandwidth capacity | Network baseline | Sufficient for concurrent downloads |
For organisations without enterprise deployment tools, prepare USB installation media and document manual upgrade procedures.
Rollback preparation
Before beginning upgrades, confirm rollback capabilities:
Windows in-place upgrades retain the previous installation in C:\Windows.old for 10 days by default. This allows the built-in rollback mechanism to restore the previous version.
macOS upgrades on APFS volumes create a snapshot before major upgrades. Time Machine backups provide additional rollback capability.
Linux upgrades depend on distribution and method. Package manager upgrades can often reverse through package downgrades. Filesystem snapshots (btrfs, ZFS) enable complete system rollback.
Document the rollback procedure for your specific upgrade path before executing upgrades.
Procedure
Operating system upgrades follow a phased approach: pilot testing validates the upgrade in a controlled environment, staged rollout expands to broader groups while maintaining support capacity, and full deployment completes the migration.
Phase 1: Pilot testing
Pilot testing validates the upgrade against representative devices, applications, and user workflows before broader deployment.
Select 5-10 pilot devices representing the diversity of your fleet. Include devices with different hardware models, application configurations, and user roles. Document the pilot group composition and selection rationale.
Prepare pilot devices for upgrade. Verify current backup, confirm hardware compatibility, and notify pilot users of the upgrade timeline and expected duration.
Execute the upgrade on pilot devices. For Windows in-place upgrade via command line:
```powershell
# Download Windows 11 Installation Assistant or mount ISO
# Run setup with logging enabled
D:\setup.exe /auto upgrade /quiet /eula accept /copylogs C:\Upgrade_Logs
```
For macOS upgrade via terminal:
```bash
# Download installer from App Store or Apple Business Manager
# Start upgrade with installer application
sudo /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/startosinstall \
  --agreetolicense --nointeraction
```
For Ubuntu upgrade:
```bash
# Update current system first
sudo apt update && sudo apt full-upgrade -y

# Run release upgrade
# (-d selects the development release; omit it to move to the latest supported release)
sudo do-release-upgrade -d
```
Monitor pilot device upgrade progress. Check for installation failures, extended duration, or error messages. Windows upgrade logs appear in `C:\$WINDOWS.~BT\Sources\Panther\` during installation and `C:\Windows\Panther\` after completion.
Validate pilot device functionality after upgrade. Execute the verification checklist covering system boot, user login, application launch, network connectivity, printer access, and peripheral functionality. Document any issues.
Collect pilot user feedback over 5-7 working days. Identify workflow disruptions, performance changes, and usability concerns that require remediation before broader rollout.
Analyse pilot results and make proceed/adjust/stop decision. Proceed if all critical applications function and no blocking issues exist. Adjust if minor issues require remediation. Stop if critical functionality is broken.
Phase 2: Staged rollout
Staged rollout expands the upgrade to progressively larger groups while maintaining manageable support load.
```
+-------------------------------------------------------------------+
|                      STAGED ROLLOUT TIMELINE                      |
+-------------------------------------------------------------------+
|                                                                   |
|  Week 1        Week 2        Week 3        Week 4        Week 5   |
|     |             |             |             |             |     |
|     v             v             v             v             v     |
| +-------+    +--------+    +--------+    +--------+    +--------+ |
| | Pilot |    | Early  |    | Main   |    | Main   |    | Final  | |
| | 5-10  |--->|Adopters|--->| Wave 1 |--->| Wave 2 |--->| Wave   | |
| |devices|    | 10%    |    | 30%    |    | 40%    |    | 20%    | |
| +-------+    +--------+    +--------+    +--------+    +--------+ |
|                                                                   |
| Validation   Expand if     Continue      Continue      Complete   |
| period       stable        or pause      or pause                 |
+-------------------------------------------------------------------+
```
Define rollout waves based on organisational structure, criticality, and support capacity. Early adopters should include technically capable users who can troubleshoot minor issues. Reserve final waves for high-criticality roles and field locations.
Schedule upgrade windows for each wave. Provide minimum 48-hour notice to affected users. For remote upgrades, schedule outside core working hours where feasible. Document the schedule and communicate via email and calendar blocks.
Execute early adopter wave (approximately 10% of devices). Deploy upgrades through your endpoint management platform:
For Microsoft Intune/Endpoint Manager:
```
Navigate to: Devices > Windows > Feature updates for Windows 10 and later
Create profile: Specify target Windows version
Assign: Target early adopter group
Deploy: Set rollout settings (deadline, restart grace period)
```
For JAMF Pro (macOS):
```
Navigate to: Computers > Policies
Create policy: macOS Upgrade
Trigger: Self Service or recurring check-in
Packages: macOS installer
Scope: Target early adopter group
```
Monitor early adopter wave for 3-5 working days. Track upgrade success rate, help desk ticket volume, and user-reported issues. A success rate below 95% or support ticket surge indicates problems requiring investigation before proceeding.
Proceed with main rollout waves if early adopter wave succeeds. Execute each wave following the same process: deploy, monitor, validate, proceed. Maintain 3-5 working days between waves to allow issue identification.
Handle upgrade failures individually. Devices that fail automatic upgrade may require:
- Log analysis to identify failure cause
- Manual remediation (driver update, application removal, disk cleanup)
- Re-attempt upgrade after remediation
- Fallback to clean installation if in-place upgrade repeatedly fails
Complete final wave including high-criticality devices and field locations. These devices may require scheduled downtime windows and on-site support availability.
In-place upgrade execution
In-place upgrades preserve user data and applications while replacing the operating system. This approach minimises user disruption and reduces post-upgrade configuration effort.
Notify the user of the upcoming upgrade, expected duration, and restart requirements. Recommend saving work and closing applications.
Verify sufficient disk space. Windows upgrades require 20GB minimum free space on the system drive. Clear temporary files and move large user data if necessary:
```powershell
# Run Disk Cleanup with system files
cleanmgr /sageset:1
cleanmgr /sagerun:1

# Verify free space
Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'" | Select-Object @{N='FreeGB';E={[math]::Round($_.FreeSpace/1GB)}}
```
Disable BitLocker temporarily if enabled (required for some upgrade scenarios):
```powershell
# Suspend BitLocker for one restart
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
```
Execute the upgrade using your deployment method. For interactive upgrade:
```powershell
# Mount ISO or run from network share
E:\setup.exe /auto upgrade
```
For unattended upgrade with answer file:
```powershell
E:\setup.exe /auto upgrade /quiet /eula accept /dynamicupdate disable
```
Monitor upgrade progress. The device restarts multiple times during installation. Total duration ranges from 30 minutes to 3 hours depending on hardware speed, disk type, and installed application volume.
Verify successful completion by checking the operating system version after final restart:
```powershell
[System.Environment]::OSVersion.Version
winver
```
Clean installation execution
Clean installations provide a fresh system state, eliminating accumulated configuration drift and potential malware persistence. This approach requires more post-installation effort but produces a known-good baseline.
Back up all user data from the target device. Verify backup completion and test restoration of critical files before proceeding.
Document current device configuration including:
- Domain/Azure AD join status
- Installed applications and licence keys
- Printer configurations
- Network drive mappings
- Application-specific settings
Create bootable installation media:
```
# Download Media Creation Tool from Microsoft
# Run and select "Create installation media"
# Choose USB flash drive (8GB minimum)
```
For macOS, download the installer and create bootable USB:
```bash
sudo /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/createinstallmedia \
  --volume /Volumes/MyUSBDrive
```
Boot from installation media. Access boot menu (typically F12, F2, or Option key during startup) and select the USB drive.
Perform clean installation following on-screen prompts. For Windows, delete existing partitions during installation to ensure clean state. Format the primary partition and proceed with installation.
Complete initial setup including:
- Region and language configuration
- Network connection
- Microsoft/Apple account or local account creation
- Privacy settings
Join the device to domain or Azure AD:
```powershell
# Azure AD join
dsregcmd /join

# On-premises domain join
Add-Computer -DomainName "yourdomain.local" -Credential (Get-Credential) -Restart
```
Reinstall applications using your software deployment method. Prioritise productivity applications and line-of-business tools.
Restore user data from backup to appropriate locations.
Verify full functionality using the post-upgrade checklist.
Remote upgrade deployment
Remote upgrades reach devices without physical access, essential for distributed organisations and field offices.
Configure the deployment package in your endpoint management platform. Set installation behaviour to require no user interaction where possible, with fallback to user-initiated for scenarios requiring user presence.
Define installation deadlines and restart policies. Allow 7-14 days between deployment and deadline to accommodate user schedules. Configure automatic restart outside working hours (e.g., between 02:00 and 05:00 local time).
Set bandwidth controls for sites with limited connectivity:
For SCCM/Endpoint Manager:
```
Distribution Point configuration:
- Enable BranchCache
- Configure BITS throttling
- Set download priority to Low for large packages
```
For Intune with Delivery Optimisation:
```
Configure download mode: LAN + Internet
Set bandwidth limits for background downloads
Enable peer-to-peer within LAN
```
Deploy to target group and monitor progress through the management console. Track:
- Download completion percentage
- Installation success/failure counts
- Devices pending restart
- Devices reporting errors
Follow up on failed deployments. Common remote upgrade failures include:
- Insufficient disk space
- Device offline during deployment window
- Conflicting software preventing installation
- Network interruption during download
For devices that cannot upgrade remotely, schedule manual intervention or user self-service with support documentation.
Field device considerations
Field devices operating in low-bandwidth environments, with intermittent connectivity, or in hostile conditions require modified upgrade approaches.
Remote upgrade over satellite or constrained connections often fails due to large download sizes (4-8GB for operating system images). Pre-stage upgrade media during periodic returns to headquarters or regional hubs. Alternatively, ship USB installation media to field locations with documented upgrade instructions.
For devices with intermittent connectivity, configure resumable downloads:
```powershell
# Enable BITS transfer continuation
$bitsJob = Start-BitsTransfer -Source "https://download.url/image.iso" `
    -Destination "C:\Upgrades\image.iso" -Asynchronous -Priority Low

# Check job status
Get-BitsTransfer | Where-Object {$_.JobState -eq "Suspended"} | Resume-BitsTransfer

# Asynchronous jobs must be completed before the file appears at the destination
Get-BitsTransfer | Where-Object {$_.JobState -eq "Transferred"} | Complete-BitsTransfer
```
Coordinate field upgrades with field IT support or technically capable staff on-site. Provide documented rollback procedures and remote support availability during the upgrade window.
Verification
Post-upgrade verification confirms that the device functions correctly and meets organisational security requirements.
System verification
Confirm the operating system installed correctly:
```powershell
# Windows version verification
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

# Expected output example:
# WindowsProductName         : Windows 11 Enterprise
# WindowsVersion             : 22H2
# OsHardwareAbstractionLayer : 10.0.22621.2506
```
```bash
# macOS version verification
sw_vers

# Expected output:
# ProductName: macOS
# ProductVersion: 14.1
# BuildVersion: 23B74
```
```bash
# Ubuntu version verification
lsb_release -a

# Expected output:
# Distributor ID: Ubuntu
# Description: Ubuntu 24.04 LTS
# Release: 24.04
# Codename: noble
```
Security verification
Verify security features activated correctly:
```powershell
# Check BitLocker status
Get-BitLockerVolume -MountPoint "C:" | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage

# Check Windows Security features
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, AntivirusEnabled, RealTimeProtectionEnabled

# Verify Secure Boot
Confirm-SecureBootUEFI
```
```bash
# macOS FileVault verification
fdesetup status
# Expected: FileVault is On.

# macOS Gatekeeper verification
spctl --status
# Expected: assessments enabled
```
Application verification
Test critical applications in order of business priority. Verify:
- Application launches without error
- Authentication functions correctly
- Core functionality operates as expected
- Integration with other systems works
- Printing and peripheral access functions
Document application verification results for the upgrade record.
Network and domain verification
Confirm network and identity integration:
```powershell
# Verify domain membership
(Get-CimInstance Win32_ComputerSystem).Domain

# Test domain controller connectivity
Test-ComputerSecureChannel -Verbose

# Verify Azure AD registration
dsregcmd /status | Select-String "AzureAdJoined|DeviceId|TenantId"
```
Performance baseline
Compare post-upgrade performance against pre-upgrade baseline:
```powershell
# Boot time (event log query)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Diagnostics-Performance/Operational'; Id=100} -MaxEvents 1 | Select-Object @{N='BootTimeSeconds';E={$_.Properties[1].Value/1000}}

# Available memory in GB (FreePhysicalMemory is reported in KB)
(Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory / 1MB

# CPU idle
(Get-Counter '\Processor(_Total)\% Idle Time').CounterSamples.CookedValue
```
Investigate significant performance degradation (boot time increase over 30 seconds, memory reduction over 20%, sustained high CPU) before marking the upgrade complete.
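The Windows security verification commands earlier in this section, combined into a single pass/fail gate to run before marking the upgrade complete. This is an added example, not part of the original page; the function name `Test-PostUpgradeSecurity` is hypothetical, and it assumes BitLocker and Microsoft Defender are the organisation's baseline on the device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page); the function name is hypothetical.
# Assumes BitLocker and Microsoft Defender are the expected baseline on this device.
function Test-PostUpgradeSecurity {
    $findings = [System.Collections.Generic.List[string]]::new()

    # BitLocker: a volume suspended for the upgrade must be protected again.
    # ProtectionStatus 'Off' on an encrypted volume means protection is still suspended.
    $bl = Get-BitLockerVolume -MountPoint "C:"
    if ($bl.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("BitLocker volume status: $($bl.VolumeStatus)")
    }
    if ($bl.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection: $($bl.ProtectionStatus)")
    }

    # Defender components listed in the security verification step
    $mp = Get-MpComputerStatus
    foreach ($name in 'AMServiceEnabled', 'AntispywareEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled') {
        if (-not $mp.$name) { $findings.Add("Defender: $name is False") }
    }

    # Secure Boot: the cmdlet throws on legacy BIOS, so report that as a finding too
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { $findings.Add('Secure Boot is disabled') }
    }
    catch {
        $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Passed       = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

# Emit the record for the upgrade log and signal failure to the calling tool
$result = Test-PostUpgradeSecurity
$result
if (-not $result.Passed) { exit 1 }
```

If the only finding is suspended protection, `Resume-BitLocker -MountPoint "C:"` restores it.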
Rollback procedures
When upgrades cause critical issues, rollback restores the previous operating system version.
Windows rollback within recovery period
Windows retains the previous installation in C:\Windows.old for 10 days after an in-place upgrade. During this period, use the built-in rollback:
```powershell
# Initiate rollback from command line
Start-Process "ms-settings:recovery"

# Or via Windows RE
# Restart to recovery mode: Settings > System > Recovery > Advanced startup
# Navigate: Troubleshoot > Advanced options > Uninstall Updates > Uninstall latest feature update
```
For scripted rollback (useful for remote devices):
```powershell
# This requires reboot into Windows RE
reagentc /boottore
shutdown /r /t 0

# After boot into recovery, automation is limited
# Manual selection: Troubleshoot > Uninstall latest feature update required
```
Windows rollback after recovery period
After 10 days, C:\Windows.old is automatically removed. Rollback requires:
- Clean installation of the previous operating system version
- Restore user data from backup
- Reinstall applications
- Reconfigure device settings
Alternatively, restore from a full system image backup if available.
macOS rollback
macOS rollback options depend on backup availability:
```bash
# Check for APFS snapshots
tmutil listlocalsnapshots /

# If snapshots exist, boot to Recovery Mode (Command-R during startup)
# Use Disk Utility to restore from snapshot
```
For complete rollback, restore from Time Machine or reinstall the previous macOS version using internet recovery (Command-Option-R for the version shipped with the Mac, or Shift-Command-Option-R for the oldest compatible version).
Linux rollback
Linux rollback depends on the upgrade method and filesystem configuration:
```bash
# For btrfs with snapshots
sudo snapper list
sudo snapper rollback <snapshot_number>
sudo reboot

# For package-based upgrade, downgrade packages
sudo apt install <package>=<version>

# For release upgrade, restore from system backup
```
Document the rollback execution including time, reason, and any data loss.
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| Upgrade fails at 0% with error 0x8007001F | Incompatible driver blocking installation | Identify and remove incompatible drivers; check manufacturer for updated versions |
| Setup repeatedly restarts without progress | Corrupted installation media or download | Re-download installation files; verify hash; recreate installation media |
| Error 0x800F0922 during Windows upgrade | System Reserved partition too small or VPN connected | Expand System Reserved partition; disconnect VPN during upgrade |
| "Not enough disk space" despite free space shown | Hidden recovery partition or system files | Run Disk Cleanup with system files; check for recovery partition space requirements |
| Applications fail after upgrade | Application incompatibility with new OS | Check vendor compatibility statement; apply application update; reinstall if necessary |
| Device boot loops after upgrade | Driver conflict or corrupted installation | Boot to Safe Mode; uninstall recent driver updates; attempt repair installation |
| Network adapters missing after upgrade | Drivers not included in new OS | Download drivers from manufacturer; use USB network adapter for connectivity to download |
| BitLocker recovery key requested repeatedly | TPM PCR values changed by upgrade | Enter recovery key; suspend BitLocker; allow OS to reconfigure TPM; resume protection |
| User profile corrupt after upgrade | Profile migration failure | Create new user profile; migrate data from old profile folder |
| macOS upgrade stalls at Apple logo | Insufficient space or power interruption | Boot to Recovery; verify disk; ensure power connected; retry upgrade |
| Upgrade succeeds but device extremely slow | Indexing and post-upgrade background tasks | Wait 24-48 hours for background tasks to complete; verify SSD health |
| Azure AD join broken after upgrade | Device registration corrupted | Disconnect from Azure AD (dsregcmd /leave); rejoin |
| Domain trust relationship broken | Secure channel corrupted during upgrade | Rejoin domain with domain admin credentials |
| Printers not working after upgrade | Drivers removed during upgrade | Reinstall printer drivers from manufacturer |
| VPN client fails to connect | Client incompatible with new OS | Install updated VPN client version |
Diagnostic log locations
Windows upgrade logs:
- During installation: `C:\$WINDOWS.~BT\Sources\Panther\setupact.log`
- After installation: `C:\Windows\Panther\setupact.log`
- Error details: `C:\Windows\Panther\setuperr.log`
macOS upgrade logs:
- Install log: `/var/log/install.log`
- System log during upgrade: accessible via Console.app in Recovery Mode
Ubuntu upgrade logs:
- Upgrade log: `/var/log/dist-upgrade/main.log`
- Package manager: `/var/log/apt/term.log`
Escalation criteria
Escalate to vendor support when:
- Upgrade fails consistently across multiple device types with same error
- Error codes not documented in public knowledge bases
- Hardware-specific failures suggesting firmware or driver issues
- Data loss occurs during upgrade
- Security features fail to activate after upgrade
Collect diagnostic logs, hardware specifications, and reproduction steps before escalating.
Automation options
Scripted upgrade deployment reduces manual effort for large fleets. The following PowerShell framework illustrates automated Windows upgrade with pre-flight checks:
```powershell
# Windows upgrade automation framework
param(
    [string]$ISOPath = "\\server\share\Win11_23H2.iso",
    [string]$LogPath = "C:\Logs\Upgrade"
)

# Create log directory
New-Item -ItemType Directory -Force -Path $LogPath | Out-Null
$LogFile = Join-Path $LogPath "upgrade_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Message" | Tee-Object -FilePath $LogFile -Append
}

# Pre-flight checks
Write-Log "Starting pre-flight checks"

# Check disk space
$FreeSpace = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace / 1GB
if ($FreeSpace -lt 25) {
    Write-Log "ERROR: Insufficient disk space: $([math]::Round($FreeSpace,2))GB free"
    exit 1
}
Write-Log "Disk space check passed: $([math]::Round($FreeSpace,2))GB free"

# Check pending reboot
$PendingReboot = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
if ($PendingReboot) {
    Write-Log "WARNING: Pending reboot detected - restarting before upgrade"
    shutdown /r /t 60 /c "Restarting for pending updates before OS upgrade"
    exit 0
}

# Mount ISO and run upgrade
Write-Log "Mounting ISO: $ISOPath"
$Mount = Mount-DiskImage -ImagePath $ISOPath -PassThru
$DriveLetter = ($Mount | Get-Volume).DriveLetter

Write-Log "Starting upgrade from $DriveLetter`:\"
$SetupArgs = "/auto upgrade /quiet /eula accept /copylogs $LogPath /dynamicupdate enable"
Start-Process -FilePath "$DriveLetter`:\setup.exe" -ArgumentList $SetupArgs -Wait

Write-Log "Upgrade initiated - device will restart"
Dismount-DiskImage -ImagePath $ISOPath
```
For SCCM task sequence automation, use the built-in “Upgrade Operating System” task with pre-requisite checks for disk space, driver compatibility, and application readiness.
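The PowerShell framework above mounts an ISO from a network share and runs its `setup.exe` with elevated rights, so the image is worth verifying first. The following is an added example, not part of the original framework; the function name `Mount-VerifiedUpgradeImage`, the `-ExpectedSha256` parameter and the staging directory are hypothetical, and the expected hash is assumed to come from the image publisher through a separate channel.

```powershell
# Added example (not from the original page). Function name, parameters and
# staging path are hypothetical.
function Mount-VerifiedUpgradeImage {
    param(
        [Parameter(Mandatory)][string]$ISOPath,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Assumption: this directory is writable by administrators only
        [string]$StagingDir = "C:\Upgrades"
    )

    # Copy first, then hash the local copy. Hashing the share and mounting it
    # afterwards would leave a window in which the file could be replaced.
    New-Item -ItemType Directory -Force -Path $StagingDir | Out-Null
    $localIso = Join-Path $StagingDir (Split-Path $ISOPath -Leaf)
    Copy-Item -Path $ISOPath -Destination $localIso -Force

    # String comparison with -ne is case-insensitive, so hex case does not matter
    $actual = (Get-FileHash -Path $localIso -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        Remove-Item -Path $localIso -Force
        throw "ISO hash mismatch: expected $ExpectedSha256, got $actual"
    }

    $mount = Mount-DiskImage -ImagePath $localIso -PassThru
    $setup = "$(($mount | Get-Volume).DriveLetter):\setup.exe"

    # Second check: setup.exe must carry a valid Authenticode signature.
    # Matching on the Microsoft organisation name is an assumption about the signer.
    $sig = Get-AuthenticodeSignature -FilePath $setup
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Dismount-DiskImage -ImagePath $localIso | Out-Null
        throw "setup.exe signature check failed: $($sig.Status)"
    }

    $setup   # full path to the verified setup.exe on the mounted image
}

# Usage with a placeholder hash value:
# $setup = Mount-VerifiedUpgradeImage -ISOPath "\\server\share\Win11_23H2.iso" -ExpectedSha256 "<SHA-256 from publisher>"
# Start-Process -FilePath $setup -ArgumentList "/auto upgrade /quiet /eula accept" -Wait
```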
See also
- Patch Management - for ongoing update procedures
- Hardware Lifecycle - for hardware readiness assessment
- Configuration Management - for configuration baseline management
- Change Management - for change approval process
- Backup Verification - for backup readiness
- Go-Live Readiness - for pre-upgrade verification checklist