Within the security world, the use and adoption of Windows 10 is always a topic for discussion. Windows 10 provides a secure and stable operating system for our user base, and Microsoft provides regular updates to mitigate vulnerabilities. Windows 7, by contrast, has received only security fixes since mainstream support ended in January 2015, and even those stop when extended support ends in January 2020. In short, Microsoft is focusing its attention on Windows 10 as its main operating system, and the sooner we adopt it, the sooner we reduce our attack surface.
When we think of migrating operating systems, we think of the time we had to move from XP to Windows 7, or from Windows 7 to Windows 8. All of this was accomplished by wiping a machine and reloading the operating system, the so-called ‘wipe and load’ or ‘reimaging’ of a machine. This process deploys a full image of Windows to a machine; in most instances the image was customised to include core applications, custom configurations and hardening rules.
This is of course still possible when moving to Windows 10: capture a custom ‘corporate’ image with your deployment tools. For some this is a viable option, especially when heavy customisations to the base image are essential.
When looking to migrate to Windows 10, there are various aspects to consider. The first is assessing and understanding your environment; using this information you can then plan the migration and understand any dependencies (such as application and hardware compatibility). After a pilot of the migration, review and test the build and feed the results back into the migration plan. Finally, something a number of people forget, include both user and technical training in the migration: adoption of the technology is key, and this is made easier if users are familiar with the platform.
When moving existing machines to Windows 10, the area that will cause the most issues is compatibility. There are two main areas to consider: hardware compatibility and application compatibility.
Microsoft has a tool called Windows 10 Upgrade Readiness, formerly known as Upgrade Analytics. It is a cloud-based tool that pulls metadata from your client machines and assesses whether they are ready to move to Windows 10. The tool looks at applications, settings, drivers and hardware to show whether a machine can be upgraded, or what needs to be done to get it ready. It can also integrate with SCCM and leverage the existing agent on the clients. Bear in mind that it works off the Windows diagnostic data pipeline, so enabling it means sending a device and application inventory to Microsoft; agree that with whoever owns the data before you switch it on.
Unless you plan to migrate to Windows 10 in line with your hardware refresh, you will need to assess the hardware of existing machines: is it supported, and is there enough resource to run Windows 10 plus the applications? Alongside RAM, disk and CPU, check whether the firmware is UEFI with Secure Boot and whether a TPM is present, since the Windows 10 security features that justify the move (BitLocker with TPM key protection, Credential Guard, Device Guard) depend on UEFI Secure Boot and virtualisation support and are much weaker without a TPM. For machines that are not that ‘old’, a RAM upgrade and maybe a move to an SSD will sometimes suffice (moving to an SSD will require a wipe and reload rather than an in-place upgrade, however). This can work out cheaper in the short term than buying new machines. However, and it is a big however, how long will each of these upgrades take? It’s fine if you are doing it to 100 machines and have staff to support it, but what happens when you have 1,000 machines and a minimal IT team? What happens when some of these devices are in remote offices? Hardware changes take time and effort. You must also consider that an upgrade might make the system supported and perform better, but for how long? Are you just throwing money and resource at something that is going to be binned in a year?
It’s important to strike a balance here between cost and effort, as well as long-term versus short-term gain. As with all migrations, planning and testing will be key.
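As an added example (not from the original article), here is a PowerShell readiness check of the kind you would run across candidate machines before deciding between upgrade, refresh and replace. It reports the facts that drive that decision: RAM, system disk, OS architecture, firmware mode, Secure Boot and TPM version. The RAM and disk thresholds and the output shape are assumptions; it assumes Windows PowerShell 3.0 or later in an elevated session, since the TPM class, bcdedit and Confirm-SecureBootUEFI need administrator rights.

```powershell
# Added example (not from the original article): single-machine Windows 10 readiness check.
# Assumptions: Windows PowerShell 3.0+, elevated session, thresholds set for a corporate build.
$MinRamGB  = 8      # assumed corporate minimum; Microsoft's published floor for 64-bit is 2 GB
$MinDiskGB = 64     # assumed minimum for the system drive (OS, updates, applications)

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$sys  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

$ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$diskGB = [math]::Round($sys.Size / 1GB, 1)

# Firmware mode from the boot loader path: winload.efi means UEFI, winload.exe means legacy BIOS.
# This works on Windows 7 too, unlike $env:firmware_type (Windows 8 and later only).
$bcd = bcdedit /enum '{current}' 2>$null
$firmware = if ($bcd -match 'winload\.efi') { 'UEFI' } else { 'BIOS' }

# Secure Boot state. The cmdlet throws on legacy BIOS and does not exist on Windows 7,
# so either case is reported as not enabled.
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

# TPM presence and spec version via WMI (available on Windows 7 as well). SpecVersion
# looks like "2.0, 0, 1.16"; Credential Guard and BitLocker key protection want 2.0.
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# x86 cannot be in-place upgraded to x64, and a BIOS machine cannot get Secure Boot without
# a BIOS-to-UEFI conversion: both push the machine towards a wipe and reload.
$inPlaceOk  = ($ramGB -ge $MinRamGB) -and ($diskGB -ge $MinDiskGB) -and ($os.OSArchitecture -eq '64-bit')
$hardenedOk = $inPlaceOk -and ($firmware -eq 'UEFI') -and $secureBoot -and ($tpmVersion -eq '2.0')

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Model            = "$($cs.Manufacturer) $($cs.Model)".Trim()
    Serial           = $bios.SerialNumber
    CurrentOS        = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
    RamGB            = $ramGB
    SystemDiskGB     = $diskGB
    Firmware         = $firmware
    SecureBoot       = $secureBoot
    TpmVersion       = $tpmVersion
    InPlaceUpgradeOk = $inPlaceOk     # meets the basic in-place upgrade bar
    HardenedBuildOk  = $hardenedOk    # can run the UEFI/TPM-dependent security features as-is
}
```

Run it across a pilot OU with Invoke-Command and pipe the objects to Export-Csv; the two boolean columns split the estate into "upgrade in place", "wipe and reload" and "replace" candidates without anyone touching a keyboard in a remote office.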
Application compatibility is the part that will sting several organisations, especially those who have developed their own bespoke applications, or have paid for bespoke and custom applications, that do not support Windows 10 and cannot be made to support it.
Fortunately, there are some tools that can mitigate this. These are generally application streaming and delivery solutions, such as App-V and Citrix. With these, the application does not sit on the device but is streamed or published remotely. Bear in mind that the legacy application is still running somewhere, with whatever weaknesses it had, so this is not a long-term solution but a tactical one: it lets you move the user’s primary device to Windows 10 while they continue to work with the legacy applications.
For this element of compatibility, testing will need to be done aggressively: get users onto pilot Windows 10 machines, get them to try to break the legacy applications, then look at remediations or solutions that will allow you to containerise those applications.
There are a few other migration paths that are new to Windows 10. These are detailed below, along with the traditional approach of wiping and reloading.
In-place Upgrade
In-place upgrade provides a simple approach to moving machines to Windows 10, assuming the current operating system is at least Windows 7 SP1 and the hardware can handle Windows 10. This method automatically migrates the existing user data, applications, configuration and drivers to the new OS build, which can cause driver and application compatibility issues if it is not planned, assessed and tested correctly. It is most useful when you want to keep all existing applications on the machine, assuming they are compatible. The same mechanism is used to move from an early Windows 10 release to a later one, which is exactly what a Windows 10 feature update is.
Dynamic Provisioning (Windows Autopilot)
This approach configures new Windows 10 devices for an organisation without deploying a full Windows 10 image. It uses the image already on the machine (typically the OEM image) and configures it to corporate specification (domain join, applications, patches, settings and configuration). The idea is that a user can obtain a device, log in and have it configured. This makes the migration more user-driven and makes it easier to deploy in remote locations. As a full image is not being pushed down, less bandwidth is used and there is no requirement for PXE (which generally requires hands on keyboard to activate, making it difficult for offices without an IT presence). The trade-off is that you are trusting the vendor’s preinstalled image rather than a known-good corporate one, so make sure the OEM image is clean of unwanted bundled software or reset it before enrolment.
Wipe and Reload / Wipe and Load / Reimage
With the above in mind, a traditional wipe and reload should be used when there are operating system configuration changes that an in-place upgrade or Autopilot cannot make. Some advanced configuration cannot be achieved using in-place upgrade or dynamic provisioning, such as converting BIOS to UEFI or changing the OS architecture from x86 to x64. This method also works well for converting unmanaged devices into managed devices, as unwanted configuration and applications are removed and a fresh image is deployed to the system. A wipe and reload will not retain data like an in-place upgrade, so you will need a suitable way to back up and restore user data and settings. USMT (User State Migration Tool) can help with this.
Given the above methods, there are various approaches to deploying Windows 10. We are all used to Windows deployment being IT-driven: IT obtains the device, images it (one way or another) and hands it to the user. With Windows 10, the approach can change in terms of who deploys it.
Windows 10 deployment can be user-driven using the dynamic provisioning capabilities. As mentioned above, users can purchase a device, log in with their Azure AD credentials and kick off a process that pushes settings, applications, updates, policies and licence keys to the device. This turns the device into a configured and managed corporate device, ready for the user to work with, with no physical interaction from IT. IT still has to register each device with the tenant beforehand (by its hardware hash, usually supplied by the reseller); a device that is not registered simply gets the standard out-of-box setup.
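The one piece of IT work that user-driven provisioning still needs is registering the device’s hardware hash with the tenant. As an added example, not from the original article, the script below reads the same WMI data that Microsoft’s Get-WindowsAutoPilotInfo script uses and writes the CSV layout the Intune Autopilot device import expects. The output path is an assumption; it must run elevated on the device being registered.

```powershell
# Added example (not from the original article): collect Autopilot registration data from the
# local device and write it as the CSV that the Intune "Windows Autopilot devices" import accepts.
# Assumptions: elevated session on a Windows 10 device; the output path is arbitrary.
param(
    [string]$OutputFile = "$env:COMPUTERNAME-AutopilotHWID.csv"
)

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# The hardware hash is exposed by the MDM bridge WMI provider. It is only readable as
# administrator, and it is the identity the Autopilot service matches at first boot (OOBE).
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction SilentlyContinue
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw 'Could not read the hardware hash; run this elevated on the device itself.'
}
$hash = $devDetail.DeviceHardwareData

# Import format: three columns, the Windows Product ID column may be left empty.
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    "$serial,,$hash"
) | Out-File -FilePath $OutputFile -Encoding ascii

Write-Output "Autopilot registration data for serial $serial written to $OutputFile"
```

Upload the CSV under the Autopilot devices section of the Intune portal and assign a deployment profile; from then on the user-driven flow described above works on that device. Treat the file as sensitive: a hash can only be registered in one tenant at a time, so whoever imports it first decides where the device enrols.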
Testing will be critical when rolling out Windows 10, and the results will need to be fed back into the assessment stage. While assessing compatibility using tools is effective, testing is the real deal.
When migrating to Windows 10, use a pilot group of users and devices to test the build and find any areas that need to be improved. Testing should not be limited to one team or one subset of devices, but should incorporate a variety of devices, users, groups and situations. If you only pilot Windows 10 in the IT team, it will not be as effective as testing with general users.
Once testing is complete and key success markers have been achieved, then a wider roll-out can occur.
Microsoft has described Windows 10 as the last version of Windows, to which it will keep adding feature updates and packages. Microsoft has dubbed this Windows as a Service, or WaaS, meaning that Windows 10 will be constantly serviced and updated. This is good because we don’t have to migrate to a Windows 11 or 12, but we still need to manage the ongoing build on Windows 10 and its patches and updates. Each feature update has its own support lifetime, so a machine left on an old Windows 10 build stops receiving security fixes just as surely as one left on Windows 7. Tools such as SCCM and WSUS can support with Microsoft patches and updates, and will help businesses control the distribution and compliance of these updates.
It’s worth noting that a number of businesses now provide managed services around Windows 10 management and can take on the responsibility of keeping your Windows estate up to date and protected.
This is the one element that is either underestimated or missed. User training is essential for the adoption of Windows 10 in many organisations; while we expect most users to be familiar with Windows 10 from home, it is still worth running some training to ensure that they know how to access and use their services. Training is also good for highlighting the benefits of Windows 10 and how it can increase productivity, making users more inclined to adopt the operating system.
In short, good training equals a positive user experience, which in turn reduces friction between IT and users, as well as the number of service desk tickets about trivial things post-migration.
Tools to Consider
Here is a ‘short’ list of some of the tools that can be used to assist and support a migration to Windows 10. Please note that this is not an exhaustive list. If you have any further suggestions, please leave a comment below and I will look to add them to this list.
Windows 10 Upgrade Readiness Tool – As mentioned above, this is a Microsoft-provided cloud-based tool that polls client metadata and assesses application and hardware compatibility. It is free and can be run standalone or integrated with SCCM. Microsoft’s documentation has further details on the tool and how to get started.
SCCM – System Center Configuration Manager is a powerful tool for managing client and server devices. It can deploy operating systems (via PXE) and applications, and provides Windows patch management, with reporting for compliance and inventory that gives the IT team adequate visibility. SCCM is a large product, capable of managing enterprise-scale client estates and giving IT teams a good amount of functionality for administering and supporting clients. As a Microsoft product it has first-class support for both managing and deploying Windows 10, and it supports all three migration options listed above, making it a powerful tool for the migration. SCCM is a huge topic and warrants its own article!
WDS – Windows Deployment Services is a role included in Windows Server. WDS allows the capture and deployment of a Windows image over the network (via PXE). Because it is an included role rather than a standalone product like SCCM, it lacks some capabilities in terms of image management: from WDS you cannot modify or customise the captured image (that requires another tool, such as DISM or MDT). The capture process is also time-consuming, as you need to provision a reference machine with all the correct tools and configuration, run Sysprep and then capture the image. In short, it is good for simple wipe and reload deployments of operating system images, but lacks image customisation and the capability for mass in-place upgrades. Note that PXE boot is unauthenticated by design: anything on the network segment can pull your boot image, so keep secrets such as local administrator passwords and domain join credentials out of the image and its unattend files.
WSUS – Windows Server Update Services is a Windows Server role that allows the management and deployment of Microsoft updates. It provides a layer of patch management within an estate, but note that it is limited to Microsoft updates only; third-party application patching needs another tool. WSUS underpins the software update function of SCCM, with SCCM adding functionality such as Automatic Deployment Rules (ADRs).
MDT – Microsoft Deployment Toolkit is a free set of tools from Microsoft for customising Windows images (captured or vanilla). MDT acts as the workbench for creating custom task sequences for Windows operating systems, which allows steps such as BIOS to UEFI and MBR to GPT conversion when deploying a full image in a wipe and reload scenario.
Microsoft Intune – Microsoft’s cloud-based device management solution, providing MDM and MAM functionality for mobile devices and Windows 10 PCs. Deployment options such as Autopilot (dynamic provisioning) use Intune in the back end to manage the device and ensure that policies, applications and patches are pushed to it. While Intune’s capabilities overlap heavily with SCCM, one shortfall is that it cannot push a full image or PXE-boot machines, making wipe and reload with Intune much more manual. For new devices that need to be managed, Intune is a strong option when gradually migrating to Windows 10.
App-V – Microsoft Application Virtualization allows applications to be packaged into an isolated virtual environment and streamed to clients, which can give legacy applications a way to run on newer systems. There are back-end infrastructure requirements for this, but it does offer a tactical option for application compatibility. Note that App-V isolation is for compatibility, not security: the virtualised application still runs under the user’s account with the user’s privileges.
USMT – The User State Migration Tool backs up user data and settings, the ‘user state’, to a network share prior to upgrading to Windows 10. Once the migration of a client is complete, you restore the user state to the new Windows 10 device. Very handy for wipe and reload, and especially valuable when integrated into SCCM to automate as much of the migration as possible. The store is a full copy of users’ documents and profile settings, so encrypt it and lock down the share.
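As an added example that is not part of the original article, here is the capture-and-restore pair for the wipe and reload scenario described under the migration methods above and in the USMT entry here, with the migration store encrypted, local accounts excluded and stale profiles skipped. The USMT install path assumes the Windows ADK default, and the share path and key file are placeholders; USMT must run elevated, and the capture must use the architecture (x86 or amd64) that matches the old OS.

```powershell
# Added example (not from the original article): USMT capture on the old machine and restore
# on the reimaged Windows 10 machine. Assumptions: Windows ADK default USMT path, a share ACLed
# to the deployment account only, and a key file kept off that share; run elevated.
$UsmtRoot = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool'
$Store    = "\\fileserver\usmt$\$env:COMPUTERNAME"   # assumed share, one folder per machine
$KeyFile  = 'C:\Deploy\usmt.key'                      # assumed key file; never place it on the store share

function Invoke-UsmtCapture {
    # Runs on the OLD machine before it is wiped. $Arch must match that OS (x86 for 32-bit Windows 7).
    param([ValidateSet('x86', 'amd64')][string]$Arch = 'amd64')
    $bin = Join-Path $UsmtRoot $Arch
    $scanArgs = @(
        $Store
        "/i:$bin\MigUser.xml", "/i:$bin\MigApp.xml"   # default rules: user profiles plus app settings
        '/o'                                          # overwrite an existing store for this machine
        '/c'                                          # continue past non-fatal errors (they are logged)
        "/ue:$env:COMPUTERNAME\*"                     # exclude local accounts; only domain users move
        '/uel:90'                                     # skip profiles not logged into in the last 90 days
        '/encrypt:AES_256', "/keyfile:$KeyFile"       # store is unreadable to anyone browsing the share
        '/v:13', "/l:$env:TEMP\scanstate.log"
    )
    & (Join-Path $bin 'scanstate.exe') @scanArgs
    if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE (see scanstate.log)" }
}

function Invoke-UsmtRestore {
    # Runs on the NEW Windows 10 machine after imaging and domain join; it needs $Store and $KeyFile.
    $bin = Join-Path $UsmtRoot 'amd64'
    $loadArgs = @(
        $Store
        "/i:$bin\MigUser.xml", "/i:$bin\MigApp.xml"
        '/c'
        '/decrypt:AES_256', "/keyfile:$KeyFile"
        '/v:13', "/l:$env:TEMP\loadstate.log"
    )
    & (Join-Path $bin 'loadstate.exe') @loadArgs
    if ($LASTEXITCODE -ne 0) { throw "loadstate failed with exit code $LASTEXITCODE (see loadstate.log)" }
    # Once the user has confirmed their data is back, remove the store: it is a complete copy of
    # their documents and profile and should not sit on a share indefinitely.
    Remove-Item -Path $Store -Recurse -Force
}
```

Call Invoke-UsmtCapture on the Windows 7 machine (with -Arch x86 if it is 32-bit), reimage, then call Invoke-UsmtRestore on the new build. The same two command lines are what an SCCM task sequence runs in its Capture User State and Restore User State steps, so this is also a useful way to test the XML rules and the key handling before automating them.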
While not the shortest article I have written (and I can certainly add more), this should hopefully give some insight into the options and tools available to migrate to Windows 10. Migration is becoming more and more of a requirement, both for operational support and for security: Windows 10 comes with several security features as well as the latest patches and hotfixes to mitigate threats and vulnerabilities. Not moving to Windows 10 will leave massive gaps in security and will let attackers walk right in!
I hope you enjoyed this article, I may look to add more content or break this into multiple shorter articles and there is so much to talk about.
Thanks for reading!!!