Windows 10 Migration for Enterprises

Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.

In January 2020, Windows 7 end of life support comes in place. This means that users won’t receive any updates from Microsoft, and companies have to pay extra for the next three years if they want them.

If you haven’t upgraded yet, start now. With its improved speed, greatest security ever in a Windows product, universal apps, and many more, Windows 10 can be considered the best OS ever released by Microsoft.

However, as you will see in the lines below, the upgrade process it’s not such an easy task. The key to a successful migration is good planning and patience, so let’s see what challenges are ahead.

MSIX Tutorial - by Advanced Installer

1. Why should you upgrade

If we compare Windows 7 to Windows 10, there is no doubt that in overall terms, Windows 10 is the future and it’s much more secure and better than its predecessor, but in an enterprise, those are not the only factors to take into consideration.

On 14th of January 2020, the extended life support for Windows 7 is coming to an end. That means that from that point on, you will no longer receive any updates of any sort, not even security ones. This is a big issue for companies, since the main concern, along with stability, compatibility and new features, will always be SECURITY.

Another point to take into consideration is the fact that end of life support for System Center Configuration Manager 2007 is scheduled for July 7th, 2019. If you manage your infrastructure using SCCM and already upgraded to the next 2012 version, this will not be an issue for you, but many large companies that use Windows 7 are likely to still have SCCM 2007 in place due to costs and the fact that upgrading your infrastructure is not so easy. Even if you wish to stay with the old SCCM 2007, this does not support the managing of Windows 10 devices.

One fundamental change in Windows 10 compared to the other Windows distributions is the introduction of continuous updates. This is a big step that Microsoft took for its users to receive major updates without waiting for a major release in forms of former Service Packs. The components with major changes will now be delivered as independent apps and will be made available when they are ready, and will not be held back by the release of a Service pack.

So, in an enterprise, the main reasons to upgrade are:

  • End Of Life support for Windows 7 starting in 2020
  • Different and better update cycles for Windows 10
  • Latest features and improved security
  • Better administration of infrastructure with the new SCCM or other alternatives
  • Cost reduction for future paid updates if you thought to stay on Windows 7

2. Factors to consider before upgrading

Choosing the right edition

One of the biggest decisions that have to be made is Windows 10 Pro or Windows 10 Enterprise. Windows 10 Pro is designed for professionals who don’t need or have limited tech support. Windows 10 Enterprise is designed for small or large companies and packs a lot more security and advanced features under the hood.

Some of the features that Windows 10 Enterprise offers additional to the Pro are:

  1. AppLocker
  2. MBAM
  3. Microsoft APP-V
  4. Microsoft UE-V
  5. Microsoft Desktop Optimization Pack (MDOP)
  6. LTSC servicing options

If you are a small company and don’t need any of the features above or wish to adopt Long Term Service Branch (LTSB) in your infrastructure, there’s no real reason to go for the Enterprise edition.

Understand Update and Servicing Branches

Because Microsoft adopted the continuous updates program, it’s always looking for the next major release of Windows 10 and now offers the possibility of beta testing the new features with its Insider Preview Rings.

Let’s talk a bit about the Insider rings. The most important public rings are:

  1. Fast - These are the first users who receive the latest approved build by Microsoft
  2. Slow - After the fast ring users have tested the build and left feedback for Microsoft, it’s time for the slow ring users to receive it with some minor patches here and there
  3. Release Preview - These are small patches that fix bugs, improve security and make small improvements. The difference is that release preview ring users get those patches a bit sooner than the general public
  4. Skip Ahead - As the name suggests, Insiders who opt-in for this ring will receive updates for the next build that is in development by Microsoft, skipping the current fast ring build

The Insider Preview branch is only meant for general public and enthusiasts who always want the fastest updates on their machines. However, inside an enterprise environment there are other branches that you can choose from:

  1. Current branch - The latest normal and stable version released by Microsoft. These updates are received immediately after Microsoft tested and released them to the general public.
  2. Current branch for business - Available for Windows 10 Pro, you can choose the option to defer the upgrades. The security patches are still received, but the major released will be received a few months after the Current branch gets them. A conservative option for an enterprise environment.
  3. Long Term Servicing Branch (LTSB) - The slowest branch between all of the above (including Insider Previews of course). This is meant for machines or enterprises who have the “Stability over new features” mentality.

Application compatibility

Migration from Windows XP to Windows 7 was a bit problematic because there were many incompatibilities between apps, devices and peripherals drivers. Microsoft has made an effort to ensure that almost all applications built for Windows 7 will work on Windows 10 as “out of the box”, and by this time most commonly used software has been updated so it supports Windows 10.

However, organizations who rely on in-house created apps are forced to test the applications manually and see if something needs to be changed. You can try to manually install each app on a Windows 10 machine and see if it works, or you can choose the Microsoft Upgrade Readiness. It’s not a perfect solution but it can reduce the time for testing.

If you also have browser-based applications built in-house, you should also consider if you make them compatible with the new Edge browser or continue with IE11. As Microsoft stated, Edge will not be available for the clients who chose the Long Term Service Branch. This will be another defining point when choosing what branch you will adopt in your infrastructure.

Hardware inventory

This might be a good time to redo a hardware inventory and see if you have any outdated machines, printers, scanners or any other peripheral that doesn’t support Windows 10.

There are some solutions on the market that offer a semi-automation finding of compatible Windows 10 drivers, so you know if you need to update some hardware, but always do a manual checkup as well, better safe than sorry.

Golden image and OSD’s

In the past with Windows 7, companies usually had the W7 SP1 base image, lots of updates and a big task sequence OSD. That meant huge installation times in terms of ZTI(Zero Touch Installation).

Since we are migrating, and Windows 10 update cycle is different from W7, the golden image for now should be the latest build of Windows 10. That way, you will have a small list of updates to apply to it.

Also try to have as few default apps in the OSD’s as possible, you don’t want a bloated machine after ZTI.

Application delivery technologies

In the past, the main types of package formats were MSI, EXE and APP-V. In Windows 8 Microsoft introduced APPX, a new type of installer that can be published on Microsoft Store. Starting with Windows 10, Microsoft added a new type of package format called MSIX, which might be the future of packaging.

MSIX is an improved version of the APPX package (initially used only for UWP apps) to better support traditional desktop applications on Windows 10, by bringing along the knowledge they have from MSI and App-V packages and the Desktop Bridge program.

Now it’s a good time to consider if you keep the old applications as they are, or upgrade to modern deployment solutions.

Infrastructure management

As previously stated, the end of life support for SCCM 2007 ends on 7 July 2019, so this will be a good time to analyze what infrastructure management tool you are going to use in your enterprise.

The next version of SCCM that can manage Windows 10 is SCCM 2012, but there are other alternatives on the market that you can choose from, like SaltStack, Vagrant, Ivanti and many more. However, with more and more features are integrated constantly into SCCM and Microsoft Deployment Toolkit (MDT), it is hard to justify the use of other solutions.

There are few factors to take into consideration regarding the migration from SCCM 2007 to SCCM 2012:

  1. Upgrading is not supported, if you want to keep your SCCM 2007 data and objects you have to do a side-by-side migration
  2. Distribution points now have throttling and scheduling features and now can be installed on workstations which are members of the AD domain
  3. SCCM 2007 Branch Distribution point is now a BranchCache setting for applications and packages deployments
  4. The PXE server role is now part of the Distribution Point
  5. Collections containing both users and devices cannot be migrated. In order to migrate them you will have to separate the users from the devices in a different collection.
  6. Packages can be migrated easily, however SCCM introduced Applications, a modern way to integrate your packages with far more options
  7. Server locator point is no longer a system role, this has been included in the Management Point (MP)

With the right knowledge and documentation, migration is possible, however a bit difficult and should be handled with care and not rushed.

Upgrade MBAM

MBAM (Microsoft BitLocker Administration and Monitoring) is a tool from Microsoft that you can use to manage your BitLocker Drive Encryption. This acts as an extra layer to the new Windows 10 security. In case somebody ever loses a device, nobody can access it since the drives are BitLocker encrypted. You can also choose to disable a device remotely. If you are using MBAM in your infrastructure, you must upgrade to the new version. Starting with MBAM 2.5, Microsoft introduced Windows 10 support. Keep in mind that officially, only Windows 10 Enterprise is supported.

Microsoft UE-V (User Experience Virtualization)

In our modern times, chances are that a user has more than one device. However, each time you move to another device, all OS and application settings are gone, meaning that if you have certain settings on one device, you have to manually adjust the same settings to the other.

Here is where Microsoft UE-V, or User Experience Virtualization, comes into play. It allows the user to have a consistent experience on all his Windows devices. All the user settings are stored inside a UE-V template, in the form of an XML. This XML specifies where each setting is stored inside the file system and registry.

Microsoft UE-V is available only for Windows 10 Enterprise.

Microsoft UE-V is designed to be a replacement for Windows roaming profiles which have existed since Windows NT, the main reason being that roaming profiles can be large and copying user data from a computer from another at log off/log on might take some time. However, UE-V only supports Windows greater than 7 SP1 and only Windows OSes.

UE-V was initially released in 2012 as part of Microsoft Desktop Optimization pack, but later updated to version 2.0 in 2016 when new features were introduced as custom sync profiles for 3rd party apps, choose what apps and desktops to sync, and many more.


3. Pros

As with all things in this world, there are pros and cons to upgrading to Windows 10, it is up to you to decide if the pros outweigh the cons.

Let’s start to list the pros that we see.

  1. Latest features - With each new update, a whole lot of features are added that boost user productivity and make the lives of IT administrators easier. A few notable added features are “Pick up where I left from”, Timeline feature, Files on Demand feature for OneDrive users, MSIX support, and many more. It’s hard to ignore such additions in Windows since they can be profitable if used in your enterprise.
  2. Release and update cycle - Besides functionality, the biggest change Microsoft implemented is the update cycle. Indeed, the update model with different branches and rings is a bit challenging for the IT departments, but on the other hand, it does offer a large number of options which enterprises can adopt.
  3. Windows-as-a-service - This might be the final full OS release and Microsoft will move to an incremental rollout framework, which is referred to as ‘Windows-as-a-service’. Users are starting to become accustomed to see an OS as part of the device, and if you think about it, Microsoft is the only vendor who still charges for the OS separately.
  4. Improved security and management - Since the launch of Windows 10, it is definitely seen that Microsoft has put a key on making Windows as secure as possible. The biggest update in terms of security came with the Fall Update, which introduced the new Windows Defender Application Guard for Windows 10 Pro and Enterprise. The Advanced Threat Protection (ATP) uses Microsoft Intelligent Security Graph to detect and remove malware before it gets a chance to get on your network or system and it’s backed up by Microsoft huge data pool and applied AI techniques. Microsoft also added identity management features, biometric authentication, two-step authentication with Passport and Device guard, improved BitLocker, and many more.
  5. Updated drivers by OS - Remember the days when you installed and old Microsoft OS and had to get that CD or USB stick or search through the web for the latest driver for your device? With Windows 10, most of the drivers will be automatically updated by the OS itself. Or they can be easily managed by the IT department

4. Cons

The pros list can go on with smaller things like customizable start experience, refreshed graphics and improved Aero, integration with Microsoft digital assistant Cortana, Task View to manage applications across multiple desktops, Continuum mode, and many more.

But of course, nothing can be perfect, so let’s enumerate some of the possible cons that come with Windows 10.

  1. Migrating - Although it’s not as complicated as migrating from Windows XP to Windows 7, this is a tedious process that should not be rushed in any way, and it should take between 12 and 18 months to complete. Most apps, by this point, are compatible with Windows 10, and you shouldn't have many issues with drivers, but still, there are many tasks and processes you should consider before you start the upgrade.
  2. Constant IE/Edge battle - Until this point, we still don’t know what is Microsoft’s position regarding Edge and Internet Explorer. As mentioned above, if you have any applications or in-house developed solutions that use Internet Explorer and plan to migrate to Windows 10 Pro, you have to analyze if it’s worth putting resources into changing your solution to be compatible with Edge. Even if you do this, it’s unsure if Microsoft plans to continue in the future with Edge, seeing that it doesn’t receive extended life support if you chose Windows 10 Enterprise. On the other hand, you have IE11, which is an old solution that might be gone in the coming years so a change might be welcomed.
  3. New improved UI? -Unlike MacOS, IOS or other operating systems, Microsoft is just starting to implement a Fluent Design across its UI. Unfortunately, there are some inconsistent implementations amongst Microsoft’s core apps to this day. Let’s not forget that we still use the same explorer from 95 with minimal changes to it, and if you look in control panel, you still see settings and tabs that haven’t been changed in a long time. So, the UI is a little bit of a mess right now, a struggle between the new and the old, continuous changes with every build, and some questionable implementations across the board.

5. Project planning

As you can see, migrating to Windows 10 is not an easy task, so you need to have a well-defined process on how to get there. Keep in mind, this process must not be rushed, this is a 12-18 months project.

Project initiation

You can consider this as the starting point for the project. This is where the big steps are discussed: calculate what resources are needed, find the qualified guys for this operation, assign managers for each department that is required, calculate KPI’s, costs and what extra steps you feel are necessary to be covered.

Content build

Once you consider all the factors and have the teams assigned, each team from each department should start documenting the needed steps, rules, blocking points, and any other technical points that need to be covered. This documentation will be passed to the teams as a set of rules after the project ended.

Base Build

Get the latest windows build and create a golden image. This is the moment when you can customize the OS image according to customer’s needs. Remember, this will be the image that all applications must be tested and repackaged.

Applications

Once you have a golden image, compose a list of all needed applications. This would be a good time to switch to 64 bit applications since this is the future, it might sound like a lot of work for the packaging team, but this might be the last migration project, so do it right the first time. Keep in mind that Window 10 x64 does not offer 16-bit support anymore, so any old applications in the infrastructure must be updated or replaced.

Infrastructure

Define and design the infrastructure (devices) and how the new Windows 10 image is delivered to the targeted machines. In this point you must configure any other remaining topics, from users, rights, GPO’s, device collections, and many more. Anything you define at this point will remain the same for a long time in the infrastructure.

Pilot phase

Once you have the infrastructure, image and some base applications you should start a pilot phase with a handful of users. At this point there might be some setbacks since users have to test a lot of topics, and usually not everything is right from the first try. Centralize users inputs, repair the issues and try to make a golden rules standard regarding everything.

This phase is critical and should not be skipped. You don’t want to go directly into production with a new OS and risk taking/slowing down important business activities due to large scale technical problems.

Handover to operations

If all is ok with the pilot phase, the next step is to hand all the documentation and work to the rest of the operations team and migrate to a “Business as usual” standard. Continue to package all the applications, manage all the required GPO’s, migrate all users, etc.

Ready for service

This is the last “phase”, if you can call it like that. This means that everything is done from all perspectives and the users can safely install Windows 10, have all the settings, security scopes and access to their usual applications that they were used to in Windows 7. Congratulations, you have successfully migrated your infrastructure to Windows 10.

6. Costs of a delayed migration

If you started a late migration and don’t think you have time until January 2020 to finish everything that was discussed earlier, fear not, you can still receive updates for Windows 7, however, with a bit of a cost to them. Microsoft has released how much will cost to get ESUs after January 2020, and it’s not cheap at all. We have an in-depth article about this here.

You can still hold on to Windows 7 for three more years, if you are willing to pay the price, however, it’s wiser to start the migration as soon as possible to avoid this kind of costs and potential security threats.

About
Advanced Installer helps you create powerful and reliable MSI, App-V & MSIX packages.
Upgraded every month by our team, since 2003.

Share

Comments: