End-of-Life Operating System explained

Microsoft typically releases feature updates once or twice per year. Each feature update has its own predefined lifecycle, and once it has reached end-of-life it no longer receives monthly security updates.

That’s why it’s crucial to make sure that none of the devices fall outside of the supported versions at any given time, as Microsoft patches serious zero-day vulnerabilities almost every month.

You can find the lifecycles of all Windows versions at the links below.

Pro and Home

Windows 10: https://learn.microsoft.com/en-us/lifecycle/products/windows-10-home-and-pro

Windows 11: https://learn.microsoft.com/en-us/lifecycle/products/windows-11-home-and-pro

Enterprise and Education

Windows 10: https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-and-education

Windows 11: https://learn.microsoft.com/en-us/lifecycle/products/windows-11-enterprise-and-education

Even with automatic updates enabled and configured correctly, there are various reasons why individual devices fall behind on feature updates.
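As an added example (not part of the original article), the following PowerShell script reports the installed Windows version and how many days remain before its end-of-life date, so that devices approaching the six-month intervention window can be found before they fall out of support. The $EndOfLife table is an assumption: it must be maintained by the administrator from the lifecycle pages linked above, and the dates in it are example values to be verified there.

```powershell
# Added example: report the installed Windows version against an end-of-life table.
# Assumption: $EndOfLife is maintained from the Microsoft lifecycle pages linked above;
# the dates below are EXAMPLE values and must be verified there before use.

$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# ProductName still reads "Windows 10" on Windows 11, so use the build number instead:
# builds from 22000 upwards are Windows 11.
$build   = [int]$cv.CurrentBuild
$product = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

# Enterprise and Education editions have a longer lifecycle than Home and Pro.
$channel = if ($cv.EditionID -match 'Enterprise|Education') { 'Enterprise and Education' } else { 'Home and Pro' }

# DisplayVersion (e.g. 22H2) exists from Windows 10 20H2 onwards; older builds only have ReleaseId.
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

# EXAMPLE VALUES - replace with the dates from the lifecycle pages linked above.
$EndOfLife = @{
    'Windows 10|22H2|Home and Pro'             = [datetime]'2025-10-14'
    'Windows 10|22H2|Enterprise and Education' = [datetime]'2025-10-14'
    'Windows 11|23H2|Home and Pro'             = [datetime]'2025-11-11'
    'Windows 11|24H2|Home and Pro'             = [datetime]'2026-10-13'
}

$eol = $EndOfLife["$product|$version|$channel"]

if (-not $eol) {
    $daysLeft = $null
    $status   = 'Unknown - version not in table, check the lifecycle page'
} else {
    $daysLeft = ($eol.Date - (Get-Date).Date).Days
    $status   = if ($daysLeft -lt 0)      { 'END OF LIFE - no security updates' }
                elseif ($daysLeft -le 180) { 'Upgrade window open - under six months left' }
                else                       { 'Supported' }
}

# One object per device; collect these centrally to get the organization-wide picture.
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Product   = $product
    Version   = $version
    Edition   = $cv.EditionID
    Build     = "$($cv.CurrentBuild).$($cv.UBR)"
    EndOfLife = $eol
    DaysLeft  = $daysLeft
    Status    = $status
}
```

The 180-day threshold matches the recommendation later in this article to intervene on devices at least six months before their feature version reaches end-of-life.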

Clear corrupted update cache

The most common reason for feature updates failing is corruption in the cached update files. In order to fix this, you need to rename and delete the appropriate files and folders. Follow the instructions below to clear the cache.

Open the Command Prompt as an Administrator.

Stop the required services by entering the following commands. Press Enter after each command.

  • net stop wuauserv
  • net stop cryptSvc
  • net stop bits
  • net stop msiserver

Next rename the C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2 folders by entering the following commands. Press Enter after each command.

  • ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
  • ren C:\Windows\System32\catroot2 Catroot2.old

Note: If the catroot2 folder cannot be renamed, return to the previous step, stop the services again, and retry.

Next delete the C:\$WINDOWS.~BT folder by entering the following command.

  • rd /S /Q C:\$WINDOWS.~BT

Finally restart the services again by entering the following commands. Press Enter after each command.

  • net start wuauserv
  • net start cryptSvc
  • net start bits
  • net start msiserver

Restart the computer and check for Windows Updates and attempt to install the Feature Update again.

Note: You may also create a batch file or a PowerShell script with all the above commands if you wish to deploy the fix centrally to multiple devices.

Remove stale registry keys

Another common reason for updates failing is registry keys and values that are causing a conflict. This is most common when migrating existing devices from legacy endpoint management to a modern, cloud-based one.

In order to fix this issue, simply delete the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry key together with its subkeys and values.

This can be done in the Registry Editor, opened as an Administrator.

Alternatively, open the Command Prompt as an Administrator and enter the following command:

  • reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f

If you are using Group Policy Objects to configure Windows Update policies, run the following command in the command prompt after clearing the registry keys:

  • gpupdate /force

Fix corrupted Windows files

If the above methods fail, check and repair the Windows system files. To do this, navigate to Microsoft Support - Use the System File Checker tool to repair missing or corrupted system files and follow the step-by-step instructions.

Utilize the Installation Assistant

If the above methods fail, attempt to use the Update Assistant to perform the update to the latest version.

Windows 10:

Windows 11:

  • Go to Microsoft Windows 11 download page.
  • Download the Windows 11 Installation Assistant.
  • Note: Do not download the Windows 11 Installation Media at this point.

  • Open the downloaded file (Windows11InstallationAssistant.exe) as an Administrator and follow the instructions of the installation wizard.

Reinstall Windows

If all other methods fail, perform a clean installation of Windows. 

Note: If your company is using task sequences or imaging to install Windows, the method described is not viable.

IMPORTANT: Do not use the Reset this PC feature of Windows. The system files it reinstalls from may themselves be corrupted, and you will still have to update to a new version afterwards, even if no corruption is present.

It’s worth noting that if your company is still running Windows 10, now is a good opportunity to update the device to Windows 11 if it meets the system requirements.

If you do not have Windows installation media at hand, follow the below steps:

If your company is using Windows Enterprise or Education, navigate to Microsoft Learn - Download and burn an ISO file on the volume licensing site (VLSC) and follow the instructions to download the media.

To download the media for other versions of Windows, follow the instructions below.

Windows 10

  • Plug a suitable USB drive into the PC; the drive needs at least 8 gigabytes of disk space. USB 3.0 or faster is recommended, otherwise the process can take significantly longer.
  • Navigate to Microsoft Media Creation Tool download page.
  • Download the Media Creation Tool by pressing Download Now.

  • Open the downloaded file (MediaCreationTool22H2.exe).
  • Accept the terms and conditions.
  • Select the Create installation media option and press Next.

  • Select the right language and version of Windows and press Next.

  • Choose the USB flash drive option and press Next.
    Note: You may also download the ISO image file for later use, but you will then need software such as Rufus to write the image to a USB drive.

  • Select the drive you inserted earlier and press Next.


Windows 11

  • Plug a suitable USB drive into the PC; the drive needs at least 8 gigabytes of disk space. USB 3.0 or faster is recommended, otherwise the process will take significantly longer.
  • Navigate to Microsoft Media Creation Tool download page.
  • Download the Media Creation Tool by clicking Download now under Create Windows 11 Installation Media.

  • Open the downloaded file (MediaCreationTool_Win11_2XHX.exe).
  • Accept the terms and conditions.
  • Select the right Language for your organization and press Next.

  • Choose the USB flash drive option and press Next.
  • You may also download the ISO image file for later use, but you will then need software such as Rufus to write the image to a USB drive.
  • Select the drive you inserted earlier and press Next.

  • Now use the USB drive to install Windows on the target device. You will need to boot from external media. Each manufacturer has a specific hotkey for the procedure. Below are a few examples:
    • Lenovo: F12
    • HP: F9
    • Dell: F9
  • Note that you may need to disable Secure Boot or reset BIOS settings to default values if booting from USB is not working.
    IMPORTANT NOTE: If you disabled Secure Boot, be sure to re-enable it after the installation.

Review configurations and processes

If the issue is systemic, it most likely means that the necessary configurations and processes are not in place. Consider this your top priority, as each device with an end-of-life operating system is a security risk.

Configuration

Start by configuring Windows Update for Business to automatically upgrade to the latest stable feature version. 

If you are using Microsoft Intune, read about configuring the feature updates in the following links:

If you are using Group Policies, read about configuring Windows Update for Business at 

For other endpoint management methods, refer to the vendor's documentation.

Alternatively, take this chance to start upgrading your devices to Windows 11 where possible. For more information about Windows 11 migration, read the blog article at Applixure Blog - How to Migrate to Windows 11 | Recommended steps & timeline.

As with everything else, be sure to test and pilot the upgrade before organization wide deployment.

Processes

For small and homogeneous organizations, it's practical to set feature updates to install automatically, employing staggered delays to facilitate testing and piloting. However, even with automated updates, it's essential to monitor their progress and address any arising issues proactively. Organizations should establish processes to track the end-of-life dates for feature versions and intervene on devices that haven't been updated, preferably six months prior to their end-of-life.

In contrast, larger or more complex organizations should exercise stricter oversight over feature updates. It's recommended to manage these updates as a controlled project, initiating the process at least six months before the feature version's end-of-life date. This approach ensures dedicated monitoring and an action plan for potential issues, enabling a more structured and secure update process across the organization's devices.

In addition to keeping your Windows versions and feature updates up to date, it’s just as crucial to make sure the monthly security updates for Windows systems are deployed, as they often patch critical zero-day vulnerabilities that malicious actors can exploit. 

As with feature updates, even with automatic updates enabled and configured correctly, there are always devices that fall behind when it comes to monthly security patches. 

The most common mistake companies make is to blindly trust the automations that are in place. While properly configured Windows Update for Business policies take care of 95 to 99 % of the devices, there is always a small number of devices that fall outside of the patching process.

Below are the most common causes for the updates failing on individual devices as well as the remediations for them.

Once the problems have been remediated, it’s advisable to create a process to monitor the updates on a regular basis in order to react to future issues in a timely manner.

Clear corrupted update cache

The most common reason for updates failing is corruption in the cached update files. In order to fix this, you need to delete the appropriate files and folders. Follow the instructions below to clear the cache.

Open the Command Prompt as an Administrator.

Stop the required services by entering the following commands. Press Enter after each command.

  • net stop wuauserv
  • net stop cryptSvc
  • net stop bits
  • net stop msiserver

Next rename the C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2 folders by entering the following commands. Press Enter after each command.

  • ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
  • ren C:\Windows\System32\catroot2 Catroot2.old

Note: If the catroot2 folder cannot be renamed, return to the previous step, stop the services again, and retry.

Finally restart the services again by entering the following commands. Press Enter after each command.

  • net start wuauserv
  • net start cryptSvc
  • net start bits
  • net start msiserver

Then restart the computer and check that updates are installing properly.

Note: You may also create a batch file or a PowerShell script with all the above commands if you wish to deploy the fix centrally to multiple devices.
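As an added example (not the article's own script), this PowerShell script performs the cache-clearing steps described in this section and in the earlier feature-update section, so it can be deployed centrally instead of typing the commands by hand. It must run elevated. The -FeatureUpdate switch is an assumption of this example: when set, it also removes the C:\$WINDOWS.~BT staging folder, which only the feature-update variant of the procedure requires. It also implements the note above about catroot2 by stopping the services again and retrying when a rename fails, and clears any .old folder left by an earlier run so the rename cannot collide.

```powershell
# Added example: clear the Windows Update cache (both variants of the procedure above).
# Run elevated. -FeatureUpdate additionally removes C:\$WINDOWS.~BT (assumed switch name).
param([switch]$FeatureUpdate)

$services = 'wuauserv', 'cryptSvc', 'bits', 'msiserver'

# Folders to move aside, keyed by full path, with the new name used in the article.
$folders = @{
    "$env:WinDir\SoftwareDistribution" = 'SoftwareDistribution.old'
    "$env:WinDir\System32\catroot2"    = 'Catroot2.old'
}

function Stop-UpdateServices {
    foreach ($svc in $services) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 5   # let the services release their file handles
}

function Start-UpdateServices {
    foreach ($svc in $services) {
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }
}

Stop-UpdateServices

foreach ($path in $folders.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $newName = $folders[$path]
    $oldCopy = Join-Path (Split-Path -Path $path -Parent) $newName

    # A leftover .old folder from an earlier run would make the rename fail, so remove it first.
    if (Test-Path -LiteralPath $oldCopy) { Remove-Item -LiteralPath $oldCopy -Recurse -Force }

    try {
        Rename-Item -LiteralPath $path -NewName $newName -ErrorAction Stop
    } catch {
        # The article's note: catroot2 will not rename while cryptSvc still holds it,
        # so stop the services once more and retry.
        Write-Warning "Could not rename $path ($($_.Exception.Message)); stopping services again and retrying."
        Stop-UpdateServices
        Rename-Item -LiteralPath $path -NewName $newName -ErrorAction Stop
    }
}

# Feature-update variant: also remove the setup staging folder.
# Single quotes keep PowerShell from treating $WINDOWS as a variable.
$staging = Join-Path $env:SystemDrive '$WINDOWS.~BT'
if ($FeatureUpdate -and (Test-Path -LiteralPath $staging)) {
    Remove-Item -LiteralPath $staging -Recurse -Force
}

Start-UpdateServices
Write-Output "Update cache cleared on $env:COMPUTERNAME. Restart the computer, then check for updates."
```

Run it as Clear-UpdateCache.ps1 for the monthly-update case, or with -FeatureUpdate when a feature update is failing. The script deliberately leaves the restart to the administrator, as the article does, so that it can be scheduled outside business hours.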

Remove stale registry keys

Another common reason for updates failing is registry keys and values that are causing a conflict. This is most common when migrating existing devices from legacy endpoint management to a modern, cloud-based one.

In order to fix this issue, simply delete the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry key together with its subkeys and values.

This can be done in the Registry Editor, opened as an Administrator.

Alternatively, open the Command Prompt as an Administrator and enter the following command:

  • reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f

If you are using Group Policy Objects to configure Windows Update policies, run the following command in the command prompt after clearing the registry keys:

  • gpupdate /force
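As an added example (not the article's own script), the following PowerShell script wraps the registry cleanup from this section and the identical section earlier in the article: it first lists every value under the policy key so the conflicting settings are on record, exports the key to a .reg backup file, removes the key, and then re-applies Group Policy only when the device is domain-joined. The backup file name and location ($env:TEMP) are choices of this example. It must run elevated.

```powershell
# Added example: inventory, back up and remove the Windows Update policy key. Run elevated.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$regExePath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # same key in reg.exe notation
$backupFile = Join-Path $env:TEMP ('WindowsUpdatePolicy-{0}-{1:yyyyMMdd-HHmm}.reg' -f $env:COMPUTERNAME, (Get-Date))

if (-not (Test-Path -LiteralPath $policyKey)) {
    Write-Output 'No Windows Update policy key present; nothing to remove.'
    return
}

# 1. List every value under the key and its subkeys, so the settings that caused
#    the conflict are visible before they disappear.
$keys = @(Get-Item -LiteralPath $policyKey) + @(Get-ChildItem -LiteralPath $policyKey -Recurse)
$inventory = foreach ($k in $keys) {
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
    }
}
$inventory | Format-Table -AutoSize | Out-Host

# 2. Export the key before deleting it, so it can be reviewed or restored later.
reg.exe export $regExePath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe export failed with exit code $LASTEXITCODE; the key was not removed."
}
Write-Output "Policy key exported to $backupFile"

# 3. Remove the key with its subkeys and values (same effect as the reg delete command above).
Remove-Item -LiteralPath $policyKey -Recurse -Force

# 4. On a domain-joined device, re-apply Group Policy so the intended settings return.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    gpupdate.exe /force
}
```

Keeping the exported .reg file is what makes this safe to deploy broadly: if a device was relying on one of the removed values, the export shows exactly what it was, and the file can be imported again with reg.exe.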

Delete local Files and Configurations

If using on-premises Active Directory, it’s also possible that the Group Policy files have been corrupted. In addition, local group policies may have been configured manually on the client. To remediate both issues, open Command Prompt as an Administrator and delete the local files by entering the following command:

  • RD /S /Q "%WinDir%\System32\GroupPolicyUsers" && RD /S /Q "%WinDir%\System32\GroupPolicy"

One more thing to try if all the above methods fail is to check and repair the Windows system files. To do this, follow the instructions in Microsoft Support - Use the System File Checker tool to repair missing or corrupted system files.

If all else fails, a clean reinstallation of Windows is a viable solution. Refer to Reinstall Windows for instructions.

Enforce the updates centrally

If the problem is systemic, it is likely due to missing configurations for Windows Update for Business. By default, the end-user can decide when to update their device within a 30-day window.

This flexibility, while beneficial for avoiding disruptions during business hours, can lead to significant security vulnerabilities if updates are consistently postponed or ignored.

If this is the case, it is highly recommended to create automatic update processes as soon as possible. This can be done with any modern endpoint management solution, as well as with legacy Group Policy Objects if the devices are domain-joined.

Phased deployments

Be sure to phase your updates, so that you at least have a pilot group before deploying updates to the entire organization. This strategy minimizes the risk of operational downtime if faulty updates are published and deployed by Microsoft. Implementing updates in stages allows your organization to catch potential issues early in a controlled environment, preventing widespread impact.

For typical small and medium-sized companies, it’s advisable to have a pilot group consisting of 10 – 15% of the organization’s workforce. This group should be diverse, including members from different business units to comprehensively cover all line-of-business applications in use. This diversity ensures that the updates are tested across a wide range of scenarios and software configurations, highlighting any compatibility issues or bugs before a wider rollout.

In addition to the pilot group, companies with their own IT organization are advised to establish a test group consisting of IT team members. This group plays a critical role in the initial testing phase, as they have the expertise to evaluate the updates' impact on the organization’s infrastructure and troubleshoot any issues that arise. 

For larger and specialized companies, the number of pilot and test groups can be higher, depending on the organization's needs and the criticality of various departments. In environments where uptime is paramount, or where specialized software requires rigorous testing, segmenting the workforce into multiple pilot groups ensures that updates do not disrupt critical operations. 

Each pilot group can focus on testing the updates against specific business functions or technologies, minimizing the risk of unexpected downtime.

Configuration

Be sure to include deadline settings for the updates in your configurations. This measure acts as a safety net, ensuring that updates are installed after a certain amount of time even if the user ignores the update prompts. For pilot and test groups the deadline should not be longer than two (2) days. For the organization-wide deadline, the recommended setting is between five (5) and seven (7) days.
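As an added example (not the article's own script), the following PowerShell script audits whether the deadline settings on a device match the recommendation above. It assumes the device is configured by Group Policy, whose "Specify deadlines for automatic updates and restarts" setting stores the values ConfigureDeadlineForQualityUpdates, ConfigureDeadlineForFeatureUpdates and ConfigureDeadlineGracePeriod under the WindowsUpdate policy key; if another management tool is used, verify where it stores these values before relying on the result. The -Pilot switch is a convention of this example: set it for pilot and test group devices (2-day limit) and omit it for organization-wide devices (5 to 7 days).

```powershell
# Added example: audit update deadline policies against the recommended ranges above.
# Assumption: settings come from Group Policy and live under the key below.
param([switch]$Pilot)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Recommended range in days: pilot/test groups at most 2, organization-wide 5 to 7.
$expected  = if ($Pilot) { @{ Min = 0; Max = 2 } } else { @{ Min = 5; Max = 7 } }

$p = if (Test-Path -LiteralPath $policyKey) { Get-ItemProperty -LiteralPath $policyKey } else { $null }

function Test-Deadline {
    param([string]$Name, [object]$Value)
    if ($null -eq $Value) {
        # No deadline configured: the default behaviour applies and the user may
        # defer the update within the 30-day window described above.
        return [pscustomobject]@{ Setting = $Name; Days = $null; Result = 'MISSING - no deadline enforced' }
    }
    $days = [int]$Value
    $ok   = ($days -ge $expected.Min) -and ($days -le $expected.Max)
    [pscustomobject]@{
        Setting = $Name
        Days    = $days
        Result  = if ($ok) { 'OK' } else { "Outside recommended $($expected.Min)-$($expected.Max) days" }
    }
}

$results = @(
    Test-Deadline 'ConfigureDeadlineForQualityUpdates' $p.ConfigureDeadlineForQualityUpdates
    Test-Deadline 'ConfigureDeadlineForFeatureUpdates' $p.ConfigureDeadlineForFeatureUpdates
)

# The grace period is the extra time after the deadline before a forced restart;
# it is reported for completeness rather than checked against a range.
$results += [pscustomobject]@{
    Setting = 'ConfigureDeadlineGracePeriod'
    Days    = $p.ConfigureDeadlineGracePeriod
    Result  = 'Informational'
}

$results | Format-Table -AutoSize
```

A device that reports MISSING for either deadline is one where the safety net described above is absent, which is exactly the population that tends to stay unpatched for the full 30 days.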

Applixure Analytics warnings and alerts

This issue is associated with the following Analytics alerts and warnings:
