Windows 7 is now End of Life.
We strongly encourage you to pay for extended support while completing your migration.
Windows 10 could be the last dedicated new Windows desktop Operating System released, so in this two part article, I describe my approach to upgrading Windows 7 to Windows 10 and things to bear in mind for your Windows 10 migration plan. I’ll cover considerations for infrastructure, build, application compatibility, packaging and deployment, and share the tools I use at each stage in my migration projects. Be sure to sign up for part 2!
Microsoft has moved to a new release cadence, bringing major changes to the Operating System much more frequently than in the past. Rather than a future Windows 11, 12, 13 etc., these changes continue to fall under Windows 10 but with versioning such as Windows 10 1803, indicating the year and month of release.
This new release approach means significant changes are happening more frequently, but with Windows as a Service, this has been made relatively seamless. The fact that the underlying OS mostly remains the same, with changes added to it iteratively, means there’s no need to lift and shift. You don’t need to export user data, format drives and import it back in afterwards. This makes it likely that this could be the last major desktop migration undertaking for enterprise customers for the foreseeable future.
Migration should be seen as an opportunity to transform the desktop. You can harden OS security, re-architect your Active Directory and add new products to improve end-user experience. Conceivably, this could be the last time to build things net new and deliver them as part of a migration. You should grab this opportunity with both hands!
So, where do you start?
Get your Active Directory in order.
A healthy Active Directory is key to so much in an enterprise environment. Without a well-organised AD, it’s impossible to automate employee onboarding, to set up automated, accurate auditing and, of course, to integrate products that have Group Policy requirements or are AD-integrated.
Unfortunately, if your AD is way out of control, the best solution tends to be to build a new AD from scratch.
The good news is, a Windows 10 migration is the perfect time to rebuild your AD! If you don’t have the time or experience dealing with AD in-house, I would recommend bringing in a top AD expert to assist with this new build, somebody who can give guidance to keep the environment healthy going forward. It’ll set you in good stead long into the future.
Windows 10 also has the Azure Active Directory Join feature. If you’re not already consuming Azure-based services, you’re almost certainly going to in the future as a Microsoft customer.
Mobile Device Management.
Windows Autopilot and MDM are perfect examples of why you may want to leverage Azure Active Directory for machine targeting purposes. Today you may ship remote employees a pre-imaged laptop, desktop or thin client and expect them to use a VPN, or possibly consume hosted applications or VDI-based solutions like those from Citrix, VMware, Software2, Workspot and Parallels. For some time, these were really the only solutions to support remote workers. With the cloud, that’s no longer the case.
With Windows Autopilot, you can ship your users a corporate laptop or desktop. They go through a simple out of box setup wizard (OOBE but much more streamlined) which joins the machine via Azure AD.
With Intune you can set machine-based policies to ensure the remote device is kept secure, and you can also push software and updates with relative ease. Coupling these together, you now have a way to quickly onboard remote workers, manage these users’ devices off your network in a secure manner and keep them up to date just as if they were in the office.
Intune can also apply to users with their own devices. You can set a company policy that employees must enrol their device in the company portal to access applications. Honestly, this does not prove very popular! People are not very willing to permit their employer that level of access on personal devices. I am one such user who doesn’t go for MDM on my own devices. You can read why I don’t below:
I recommend you check out JAMF Pro and VMware WorkspaceOne for MDM products. You could of course mix and match products such as Intune and XenMobile if you happen to already own those products. VMware WorkspaceOne keeps getting better and offers a lot of granularity with device policies.
My preference is to consume applications via Citrix Virtual Apps, VMware Horizon Apps, Workspot or Parallels or better yet consume them through Software2 AppsAnywhere which can aggregate all of my application delivery solutions into a single portal. Personally, I don’t use a XenDesktop or Horizon Desktop. I access a physical PC on my desk using Citrix RemotePC when I need something powerful. Otherwise, I use a shared desktop.
Windows Virtual Desktop and Multi-User.
While it’s not something I can include in my Windows 10 migration plan today, ideally, in future, I would like to use Windows Virtual Desktop, but I’m not sure what this service will look like quite yet. Trentent Tye and I covered this in great detail in the article below:
If Microsoft someday makes multi-user Windows 10 available on-premises, it would simply slot in and become the base for my shared desktop and make my life a lot easier. If you don’t use shared desktops, RemotePC, Citrix Virtual apps or any virtualisation products for your end users, this migration could be an excellent opportunity to consider implementing these.
Of course, mobile workers and remote workers today don’t make up the majority of users in most organisations. For doing the actual imaging of on-premises PCs, you’ll likely use SCCM, LanDesk, Marimba or whatever your preference is! You’ll also use these ESD products for patching, deploying applications and general maintenance. Some have speculated that Intune will someday replace SCCM, but today is not that day!
I am currently involved in the implementation of a flexible desktop as part of a Windows 10 migration plan. The majority of applications had been deployed through SCCM as setup.exes or MSI packages in the past. SCCM is fine and is an excellent solution for managing physical endpoints sprawled across many different geographical regions, BUT it can be quite slow for deploying patches and applications, and it is often unreliable due to client-side failures.
In a flexible desktop scenario, we can leverage Citrix Workspace App to deliver a seamless, unified experience for users both in the office and those working remotely. They get the same experience whether they use a Mac, PC or Thin Client, and an almost identical experience when using a tablet or phone (the only reason it’s not identical is screen size and the fact that most Windows apps you publish aren’t necessarily touchscreen friendly).
Getting ready to build.
Things to think about in your Windows 10 migration plan BEFORE you start.
Before proceeding with the build, you have some important strategic questions to answer that are really a pre-requisite to your migration.
- What hardware will you deploy to? This is important for ensuring you stage the correct drivers for all devices that are compatible with Windows 10.
- Will you deploy Windows 10 32-bit AND Windows 10 64-bit or just 64-bit? If you have 32-bit Windows 7 and need to move to a 64-bit standard, this could be the biggest challenge regarding app compatibility.
- UEFI or not? If you are standardising on 64-bit, this is pretty much already decided for you, but even so, it’s a good idea to move toward UEFI. The good news is a move to UEFI isn’t as painful as it was a few years ago.
- Will you use a third party anti-virus or Windows Defender? If you don’t use Windows Defender, you need to ensure you disable it correctly.
- Windows 10 LTSB? Current Branch? Windows as a Service?
- Deployment strategy, will you determine which departments get Windows 10 first based on apps or by business needs? (We will get into this more in part 2)
- How will you handle training and marketing of the new platform? This usually differs from place to place based on workplace culture.
Creating a Windows 10 Image.
For my build, I start creating the Windows image in two places: one for my virtual desktops for task workers, and one to deploy with SCCM to workstations in the offices. Creating an image for virtual desktops is easy. If you use something like VMware Horizon, you can build out a new parent VM with a Windows 10 install. If you intend to use something like Citrix Workspace, you’ll want to ensure you include the Workspace App and, by policy, have a browser open the portal automatically at launch. If you would like to make a full desktop experience available on the desktop, this could mean installing Microsoft Office, .NET Framework, Visual C++ Redistributables, Flash, Java Runtime and all of the old not-so-favourites.
If you’re a Citrix or VMware customer and haven’t leveraged layering yet, this could be an opportunity to introduce those.
In fact, if you use Citrix Virtual Apps and Desktops, you could use Citrix App Layering for image management of your session hosts, shared desktops and virtual desktops. If you’re not familiar with layering and what kind of apps will and won’t work, check out the article below:
If you’re creating your Windows 10 base image in SCCM, it’s a good idea to keep the image itself as thin as possible. I tend to put in some Microsoft products like the Visual C++ Redists and .NET Framework just for expediting patching. I then install other apps as part of the build rather than in the image, e.g. Flash, Adobe Reader, JRE. The rest of the applications will be consumed via Citrix Workspace. SCCM will continue to be used for patching. You may not lean so heavily on virtualisation for application delivery, in which case you may want to target and deploy more apps with SCCM.
For delivering device drivers, check out the Driver Automation Tool.
An important step to consider when deploying your image is ensuring your users’ data is carried over. If you already used a profile management solution on Windows 7, it should be easy. Just ensure the same profile management will work on Windows 10, and their files should follow. If you used folder redirection, that should also follow. If you didn’t use anything and everything was tied to a user’s machine and didn’t roam, you should consider implementing a profile management solution going forward. FSLogix Profile Containers, AppSense and Citrix Profile Management/WEM can all be good products for this. Of course, that won’t help you move the data to their new Win10 experience; for that, you will likely want to leverage USMT, which can be executed as part of the Task Sequence.
I created a pretty detailed article about Imaging Windows 10 and getting to one Golden Image which you should check out.
OS security hardening.
I mentioned using the migration as an opportunity for OS Security Hardening. If you don’t encrypt your drives today, it’s time to consider it. There are also some great products such as Application Guard, Credential Guard and Device Guard now available from Microsoft. AppLocker still features in Windows 10 for blacklisting/whitelisting. If you’re an Ivanti customer, AppSense has a great blacklisting/whitelisting feature.
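A quick way to verify that the controls mentioned in this section, and the UEFI and anti-virus decisions from the checklist above, actually took effect on a build or pilot machine is to query them from PowerShell. This is an added example, not code from the original article; it uses only built-in Windows 10 cmdlets and WMI classes, assumes it is run elevated, and the reading of each result as "in place" is my own.

```powershell
# Windows 10 hardening readiness check (added example, not from the original article).
# Reports whether Secure Boot (UEFI), BitLocker on the system drive, Credential Guard / HVCI
# (Device Guard), Windows Defender and an enforced AppLocker policy are in place.
# Assumes it is run elevated on the Windows 10 machine being checked.

$report = [ordered]@{}

# UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware.
try   { $report['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
catch { $report['SecureBoot'] = 'Not supported (legacy BIOS, not UEFI)' }

# BitLocker on the OS volume: ProtectionStatus is 'On' only when encryption is
# complete and key protectors are active, so report VolumeStatus alongside it.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLockerOS'] = if ($bl) { "$($bl.ProtectionStatus) ($($bl.VolumeStatus))" } else { 'Not available' }

# Virtualization-based security: VirtualizationBasedSecurityStatus 2 = running;
# SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$report['VBSRunning']      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$report['CredentialGuard'] = ($dg.SecurityServicesRunning -contains 1)
$report['HVCI']            = ($dg.SecurityServicesRunning -contains 2)

# Windows Defender: if a third-party AV is your standard, both of these should be
# False once Defender has been disabled correctly; if Defender is the standard, both True.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['DefenderAMService'] = [bool]$mp.AMServiceEnabled
$report['DefenderRealTime']  = [bool]$mp.RealTimeProtectionEnabled

# AppLocker: count rule collections that are enforced (not AuditOnly / NotConfigured)
# in the effective policy, i.e. local policy merged with what Group Policy delivered.
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$enforced = @($al.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
$report['AppLockerEnforcedCollections'] = $enforced.Count

[PSCustomObject]$report | Format-List
```

Run it on a freshly imaged machine before and after your Windows 10 GPOs apply; anything still showing False or Off tells you which part of the hardening plan has not reached the endpoint yet.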
You’ll also most likely want to build out new group policies for Windows 10 as each release comes with its own updated templates. If you have hundreds of GPOs, you should start again.
When designing your GPO structure, consider these important performance points: https://theorypc.ca/2018/04/09/group-policy-monolithic-vs-functional-design-and-performance-evaluation/
Once you have a golden image, your group policy in place and working and have decided on a strategy for application delivery, it’s time to tackle the biggest challenge in your move to Windows 10. The APPS!
PART 2 – Application Readiness