Michael Bird: Hello and welcome to Explain IT, brought to you by Softcat. This is a show for IT professionals that aims to simplify the complex and often over complicated bits of Enterprise IT, of course, without compromising on detail. I'm host Michael Bird and over the next 20 or so minutes I'll be challenging our panel of experts to take a different area of the IT ecosystem and, of course, 'Explain IT' this week we're going to be looking at Windows 10, specifically the eternal quest of how an organisation can easily get a Windows 10 desktop with all the applications they need to their users as easily and as cheaply as possible. So with me to help discuss, demystify and explain are Adam Harding, Softcat's chief technologist for end user computing and Jack Lewis, Softcat's Microsoft 365 technical architect.
So Jack, why Windows 10? Why are organisations moving to Windows 10? What's so good about it?
Jack Lewis: Ok, so there's two key reasons why organisations are choosing to move to Windows 10. Number one, to take advantage of the new productivity and security features which are a core part of the new operating system and also because the latest silicon chipsets do not support Windows 7, so if organisations are currently deploying Windows 7 as their default operating system and they want to move to the latest versions of the hardware or they can't get hold of any of the legacy style laptops, they are somewhat being forced to move to Windows 10. Additionally, Windows 7 goes 'end of support' in January 2020. I think the other key thing to keep in mind here around the security piece is Microsoft have listened to end users or organisations and have actively worked hard to align with objectives such as, remove passwords with Windows Hello and Windows Hello for Business.
Michael Bird: So Windows Hello, that's where you have the camera, top of your screen, and you smile at it and then it lets you in without having to type a password in.
Jack Lewis: Absolutely, so that is Windows Hello facial recognition, which is known as a 'gesture'. But there is another technology that's called Windows Hello for Business, which essentially allows you to authenticate using gestures, but then still get that single sign on token. So if an end user decides to authenticate using biometrics into Windows 10, they then don't need to enter a password to access Office 365, or that on premises application that they access every day to do their job. This is definitely the most secure operating system that Microsoft have ever released.
Michael Bird: What would an organisation need to consider before moving?
Jack Lewis: Undoubtedly most organisations will need to do some sort of infrastructure readiness task, so that could be upgrading Active Directory, building new organisational units; just general tasks to get your infrastructure into a Windows 10 ready state, so that's the first thing. Secondly, Windows 10 has two new servicing channels. So there's the long-term servicing channel, which is a similar servicing channel to the way Windows 7 is delivered, so it's five years mainstream, five years extended support, but it's not designed for general purpose devices, it's designed for single function devices, so think cash machines, laser cutters - those type of devices. There is then the Semi-Annual Channel which is designed for general purpose devices. Now the guidance from Microsoft here is that a device that runs Office is a general-purpose device and therefore is well suited to the Semi-Annual Channel. The Semi-Annual Channel is a rapid departure from the way Windows 7 was serviced, in so far as that new feature updates are released on a semi-annual basis, so they are released around March and September, so twice-yearly. Those feature updates will only be supported with security and bug fixes for a maximum of 18 months.
Adam Harding: There's a proper drop-dead date isn't there, at the end of that?
Jack Lewis: Yeah, so at that point I always say, you might as well be running Windows XP at that point, because you're not going to receive any, what Microsoft call, 'quality updates', which is the new terminology for the monthly updates for the operating system. So you've got this 18 month support cycle that's associated with each feature update, which means that you have to rapidly deploy the feature updates and you need to keep up-to-date. The feature updates that are released on a six-monthly basis contain new operating system features and reset that support cycle. The quality updates are the new name for the monthly updates.
Adam Harding: Yeah, so it's that move towards the evergreen cycle that we've seen across peers in the industry. Our biggest concern, Jack and I, who do this stuff all the time, is organisations are already struggling to get their house in order, with regards to application compatibility testings and general preparations of Active Directory, SCCM, or whatever it might be, already struggling to keep up with the demands of doing this once every three years or six years, so real focus from these organisations needs to be put on "how do we organise ourselves operationally to live with this once we've managed to deploy it?"
Michael Bird: So I guess that probably leads us quite nicely onto the next question, which is, how will an organisation get Windows 10 to their users? And I presume what would follow from that is, how can they make sure if they get it to users they can keep it up to date and maintain it?
Jack Lewis: We always say there are four key technical areas that you need to consider when you undertake an operating system migration project. Number one, which is deployment and provisioning, which is "how am I going to get Windows 10 out to my end users?" So there are some methodologies and some tools that we can use for that. Number two, "how am I going to manage and secure Windows 10?", which also includes the "how am I going to keep it up to date and make sure that it stays within that supported life cycle?" The third key area, which is the applications, so we are going to need to make sure the applications are Windows 10 ready, and then there's the fourth area which is data and settings, so how are we going to lift and shift that data that resides at the endpoints to the Windows 10 end point, and also how are we going to lift and shift the settings as well, so any personalisation that is on the existing operating system?
Michael Bird: Ok so let's touch on that first one then, so deploying and provisioning - how can an organisation get Windows 10 to their users?
Jack Lewis: Ok so there are three methods you can use to deploy and provision Windows 10. You've got the traditional reimaging type scenarios, so we take a device out the box, or we bring a Windows 7 device in and we use some sort of tool like Microsoft Deployment Toolkit, System Centre Configuration Manager, to essentially perform a wipe and load of the operating system. There is also a new scenario that was introduced in Windows 10 which sits alongside this, called the in-place upgrade which doesn't perform a wipe and load, it essentially upgrades Windows 7 to Windows 10 and keeps the data and the settings intact. In-place upgrades were used to migrate Windows 7 to Windows 10 for consumers. We wouldn't recommend that approach typically for any kind of enterprise.
Adam Harding: It brings way too many historical problems along with it. Nine times out of ten, actually 10 times out of 10, go with wipe and load as your metrics for getting you from Windows 7 to Windows 10 and then in-place upgrade takes over from there on in, when you get into the Windows as-a-service.
Jack Lewis: Yes so the in-place upgrade when you are in the world of Windows 10, we're going to call it, you will use in-place upgrades to move between the feature updates, typically, whereas the wipe and load scenario should be used as your way of getting from Windows 7 to Windows 10. Although it is more costly and a bit more laborious, we would recommend that approach because it is that fresh start and you're not going to drag across any of the issues and also those drivers, as well, that were built for Windows 7 on the device, you're essentially performing an in-place upgrade and hoping that those drivers work. We definitely would not recommend that approach. So the second one is to use provisioning methods. There are two ways of doing this; there are the provisioning methods that are utilised by IT, so this would be; we ship a device to our IT department, they take it out the box and rather than reimaging the device, they simply plug a USB key in and connect it to the corporate network and it joins the domain and gets enrolled in config manager or enrols into the MDM solution.
Adam Harding: So it goes just far enough for these management tools to take over.
Jack Lewis: Absolutely, and it's about reducing the need to reimage devices, so there is a general move in Windows 10 away from imaging devices because when you re-image devices, it takes time, it's very costly, it reduces agility. The other type of scenario within the provisioning world is Windows AutoPilot, which is an over-the-air provisioning method, where essentially you ship your corporate owned Windows 10 devices directly to end users and they take them out the box - the first thing they will be asked to do is to join it to the Wi-Fi network. If it's in the Windows AutoPilot database and it's assigned to your organisation, the end user will be somewhat forced to enter their email address and their password and the device will be Azure AD joined and enrolled in your MDM solution. It's really desirable because it completely removes the need for IT to ever touch that device - so it's quicker and it's cheaper.
Michael Bird: So if you're an organisation that has users that are rarely in the office and maybe in different countries and you're just shipping hardware straight to them, then I guess that's so much easier as they don't have to come to the central base to get their new laptop working, and that kind of thing.
Jack Lewis: Yeah, absolutely, and there are scenarios that some of the OEMs are working on where for organisations that have employees that are in and out of airports all the time, they will allow you to store corporate owned devices that are enrolled in Windows AutoPilot in airports. So if you're a consultant and you work in Belgium but your head office is in the UK and you're going to be flying to Norway tomorrow, you just simply collect a device from the airport, if your device dies, stick your dead device in the airport kiosk, take your device out the box, join it to the airport Wi-Fi and within 30 minutes to an hour, you're up and running again, rather than having to come back to the UK head office and losing two or three days' worth of productivity.
Michael Bird: So what's the last method of deployment provisioning?
Jack Lewis: We've got the VDI type approach; the virtual desktop infrastructure type approach so I'm going to hand over to Adam now to cover this.
Adam Harding: VDI approach is quite simply running a virtual machine, a VDI session, from within your own datacentre or from within a hyperscale cloud, which contains the Windows desktop operating system as the operating system, and then on top of that you stick your applications. You can share that and make it accessible via any device, anywhere, from any connected location, that's the general gist. The actual tools required to manage a Windows 10 virtual desktop, rather than a Windows 7 virtual desktop, are exactly the same. You don't need to go out and buy anything new. What you do you need to make sure you do is update those tools so that they support the Windows 10 deployment.
Michael Bird: So is there a specific use case for a VDI environment with Windows 10 or earlier operating systems?
Jack Lewis: VDI is excellent for containerisation-type requirements and also for those applications that do not support Windows 10.
Adam Harding: Yeah absolutely, and realistically, if it comes down to the absolute use cases for virtual desktop, it is when the data is not allowed to leave the building. Case in point - across a lot of the racing teams, they have huge amounts of intellectual property that may well be back at base around the Silverstone area, but their teams are out and about around the world, trackside, so if somebody accidentally leaves a laptop, or it gets stolen from some exotic location, whoever has ended up with that device is not going to walk off with the plans to your fancy race car.
Michael Bird: So how do you manage these new environments?
Jack Lewis: You are going to need to implement some tools to deploy and provision Windows 10. Larger enterprises typically would look to use something like a System Centre Configuration Manager, and it may already have that in place to manage Windows 7 as well. If you are using Configuration Manager, that would be considered a classic IT way of delivering services, which is a Microsoft terminology for the way we have delivered compute, apps, services and management of those services over the last 15 years. So in the classic IT world, we would join a device to the on-premises Active Directory, we would manage it using Configuration Manager, we would deliver services and apps from our on-premises datacentre and all those experiences would be great when you are inside the network and maybe not so great when you're outside of the network.
Adam Harding: But it's worlds apart from the way people work now, it's worlds apart from the modernisation, the mobilisation, the phones, the tablets, it comes from a world way before that time.
Jack Lewis: We speak to organisations on a daily basis that need to do more with the same, or more with less and this is where the modern IT approach tends to align quite nicely. The modern IT approach is a way of delivering your compute, apps and services using mobile device management toolsets, using the cloud, using services that are available, regardless of whether you are inside of the network or outside of the network and using self-service tools as well. In the modern IT world we would deliver settings to end users, so you target policies at users because they may have multiple devices and you may not own that device as well, keep in mind. In the modern IT world you would look to Azure AD join a device, so join it to the cloud version of Active Directory which is available from anywhere and you would use a mobile device management toolset to manage that device which as we've touched on before, doesn't provide same levels of micromanagement, and there are some limitations associated with the type of apps you can install, but it is cost-effective and it's agile and it's available from anywhere.
Adam Harding: I think that this also reflects Microsoft's reorientation towards trying to make sure they're seen as a company that don't just sell you some tools, but actually try and help you actually become more productive. What about mixing the two?
Jack Lewis: The typical use case that we see here is modern IT, to organisations, is very desirable because of the cost effective and agile nature of it, but unfortunately a large subset of their organisation needs some sort of micromanagement, or needs some sort of complex legacy-style app installing onto their endpoints. And as we've with touched on, it can be difficult to do that in the modern IT world via MDM management solutions. Microsoft have recently released something called Windows 10 core management which was released in the 1709 feature update for Windows 10. This allows you to manage devices using both Configuration Manager and in-tune at the same time, so you've got enrolment into both their classic IT and their modern IT management toolset, at that point you can then decide, as an organisation, where the functionality should be delivered from. You can decide on a function-by-function basis where that is delivered from, so you could say that you want to deliver compliance, configuration and update settings from in-tune for the rest of your organisation, but because you need to do complex app installs, you would deliver the applications from Configuration Manager, and Microsoft have been very clear about this, this is seen as the bridge to get organisations to modern IT.
Michael Bird: So what about the apps data and settings then?
Adam Harding: I think the first thing that they've got to do is identify what applications they've got out there. One of the biggest barriers to people moving forward with a Windows 10 update at the moment is that people have very little true data-driven visibility of what applications are in their estate, which ones are being used, which ones should be rationalised down and retired.
Jack Lewis: Around the applications piece, organisations need to really focus their efforts here, from the beginning of the migration, or even pre-migration, because we have seen a lot of migrations get stuck in limbo because the applications aren't ready and they do take time, it takes time to identify applications and then to go through the rationalisation process, and then also the prioritisation process as well, so we do have tool-sets that can be used, some of them are available from Microsoft, some of them available from some of our Partners, that will automate this process and get you away from the Excel spreadsheets as well. We've seen a lot of organisations that try to identify applications and use Excel spreadsheets to manage that process. It doesn't really work when you go into larger scenarios
Michael Bird: What about legacy apps? What about apps that maybe aren't yet supported, or are critical to an organisation, but will never be supported in Windows 10?
Adam Harding: When it comes to legacy applications, first thing we need to identify, is anybody actually using it? Is it of any value to the organisation, or is it just something that they've had knocking around for years and therefore they're just a little bit worried to get rid of?
Michael Bird: So you're saying that there could be an app that someone's saying "I really need to use this, I use it all the time, we can't get rid of it," and then you look at the data and you go, "Well this was opened once."
Adam Harding: How many people ask for Project and open it once, decide they have no idea what a Gantt chart is and never uninstall it?
Jack Lewis: But also if you don't go through a rationalisation process, you will look in Configuration Manager and you'll see thousands and thousands of applications. You don't know whether those applications are being used, so that's where the tool-sets assist as well, they will tell you whether that application has been opened.
Adam Harding: If it is genuinely being used, then we take it on to the next step, if it's not, we retire it and we focus our efforts on something that will make a difference. If it's being used, the first option is, well, is there an upgrade available? We will always prefer to do the right thing, not have to introduce workarounds if we don't have to, and look for the upgrade. We find that, quite often, these niche little applications in the corner, and that you find across the public sector all the time, have been produced perfectly well by a vendor for the last decade or so, and when they come to upgrade it they find that the vendor is no longer around and it happens all the time. So they're stuck on this existing version of the application, what do we do? Well, we start to look at the workarounds and I would say that a work around for the Windows 7 environment, the easiest, not the most inexpensive, is to look at a virtual desktop environment. It will allow you to essentially have a landing page for the application on a supported platform until January 2020 and we can then publish it back into your Windows 10 desktop and you can continue relatively merrily.
Jack Lewis: So finally, the fourth key technical area is data and settings. This is focused around the data that resides on your endpoint devices. For some organisations this isn't too big of an issue; if they use redirected folders or OneDrive or some other backup-type tool where the data is offloaded to another location, you can quite happily wipe and load that device and not lose any data, then you've got nothing to worry about in this area. The other area of focus here is around the settings piece, so any kind of personalisation that has been done to the operating system or the applications that reside on that operating system, and this will vary on an organisation-by-organisation and an application-by-application basis. Organisations will need to make a decision as to whether, do they lift and shift those settings across? If so, what tool-set do they use? There are built-in tools within Configuration Manager and Microsoft Deployment Toolkit that will do the job quite happily.
Adam Harding: There are some more sophisticated tools out there to make it a more seamless transition. It is really important to take as much of the personalisation across as you can from your users because it's the bit that makes it familiar to them. They're going to have a set standard Windows 10 desktop, which is perfect for IT on day one, but it's layering over and draping over those personal settings from their applications that allow them to get back to productivity quickly and some of the most upset users I've seen out there, following migrations, have been because people took a shortcut on the profiles and they lost all their settings and they didn't have their signatures and they didn't have their favourite palette in AutoCAD. When you're dealing with a decent amount of people on a Monday morning after you've done a Windows 10 deployment, you need the change to be as light and as little as possible, we need to keep it familiar. So this is about your approach to user adoption. There are a couple of areas we really need to focus in on if we're going to make sure this is an actual success. Technology is one. Absolutely, we've covered that to a very high level degree during this session, but making sure your people are ready for the change, making sure they know where their Start menus have gone, making sure they understand how to load a browser and what Windows Edge is, and what this Windows Store thing is that's just popped up, is massively important. It's making sure, again, that it's familiar to them and that they are prepared and ready and it's not a shock and they don't feel that evergreen flow of the underlying Windows 10.
Michael Bird: So what about the future? What is the future for Windows deployment? Is there going to be a Windows 11? Windows 12?
Jack Lewis: We're led to believe that there won't be a Windows 11 or Windows 12, we're led to believe that this is the last version of Windows and the evergreen nature and the Windows as-a-service that is associated with Windows 10 tends to lead us to believe that, somewhat.
Adam Harding: It doesn't mean that it'll look the same forever, it's night and day from where it was back in mid 2015 when it was launched.
Jack Lewis: And you look at the original release of Windows 10, it is very different to the current state of Windows 10 now.
Adam Harding: So I don't think you can expect it to get tired, I think the focus from Microsoft is only going to be heavier and heavier on security it's only going to be heavier and heavier on user experience and striking that balance between the two. And I think it's only going to go in one direction with regards to the operational management; it will become lighter, it has to, because the pace of the releases puts a huge burden on organisations as they stand today and as they are organised today.
Jack Lewis: If you look at Windows as-a-service, Microsoft have essentially taken an agile software development approach to the operating system because it is a piece of software after all, so they are delivering smaller iterative changes on a more rapid basis to Windows 10 to allow it to be more secure and more productive.
Michael Bird: So does that mean the end of VDI then?
Adam Harding: No, I don't think so. VDI is a powerful tool and it's going to remain relevant, if not mission critical for a lot of organisations for a very long time to come. As an industry, we are under massive pressure to appease the risk averse and the paranoid whilst empowering mobility, collaboration, productivity and the work life balance, and also supporting this obsessive drive for consumer grade user experience. To strike the right balance, some organisations are going to need tools that allow people to access the applications and data they need without that data ever leaving the boundaries of the DC or the hyperscale instance. Most are going to need a fistful of 'get out of jail free' cards to enable users to consume legacy apps in ways that they were never intended to be consumed. And many will still need their people to have the freedom to securely access all of these services from whichever type of device the user picks up next.
Michael Bird: So, to summarise?
Adam Harding: So to summarise, Windows 10 is a more secure, more reliable, more robust and more user focused operating system from Microsoft.
Jack Lewis: Before moving to Windows 10, ensure that your applications and your infrastructure is in a Windows 10 ready state and ensure that you understand the complexities of Windows as-a-service and what the impact of Windows as-a-service has on your organisation and applications. From a starting point, make sure you have assessed your end user estate and understand how they interact with IT services and applications throughout the enterprise. Once you understand your current state and know where you're trying to get to, there are four key technical areas that need to be considered to allow you to migrate to Windows 10. Number one - deployment and provisioning. Make sure you have tools that can deploy or provision Windows 10, whether it's using traditional tools or the new over-the-air provisioning methods like Windows AutoPilot. Two - management and security. Make sure your tool-sets are able to effectively manage and secure Windows 10 and are able to keep up with the rapid update cycle that is associated with Windows 10. Number three - applications. Make sure you understand which applications exist in your environment, which applications are used in your environment, which ones require the most focus and which need to be completed first. Finally - data and settings. Make sure that you understand what data and settings need to be migrated for the migration to be considered a success.
Michael Bird: Well thank you. Jack and Adam, it's been really interesting talking to you both, thank you so much for your time. Listeners, if there's anything in the show that has piqued your interest, or if you'd like to speak to someone at Softcat about deploying Windows 10, or really anything that we've talked about across the podcast so far, do check out the show notes. We're going to put some links on there related to some of the stuff we've talked about in the show.