Windows as a service - nuisance or necessity?

High-profile security breaches have become a recurring theme in 2017. The breach of Equifax was a sign of things to come, with a relatively obscure piece of code bringing down a giant corporation and placing millions of citizens’ sensitive data at risk. Earlier in the year, Windows 7 users narrowly avoided a greater possible threat. The WannaCry ransomware would no doubt have continued encrypting hard drives around the globe were it not for a security researcher inadvertently finding the “Achilles heel” and saving more than a few computers.

Whilst there are people out there with the expertise to halt these cyberattacks, many businesses would prefer not to rely on the kindness of strangers, and they should instead ensure that a stronger defence is in place for future security threats. What has been discovered is that the longer a platform or operating system is in place, the costlier it becomes to defend. Additionally, over that period of time the vulnerabilities that are revealed tend to multiply, and the potential for damage soon reaches catastrophic proportions.

Therefore, if your company has not already started its migration to Windows 10, the chances of it falling foul of hacks, attacks and cybercrime will only increase. Windows 7 is already beyond mainstream support and comes to the end of its life in January 2020, yet many businesses haven’t even started their migration to Windows 10. Which begs the question: why the reluctance?

What’s holding businesses back?

Enterprises that have not yet migrated to Windows 10 often have many explanations and excuses as to why they haven’t begun the process. Here are three of the most common:

1. Upgrade fatigue

Previously, OS migrations have been seen as very tedious activities for IT departments. Moving from Windows XP to Windows 7 seemed to be extremely punitive for most IT organisations. Business end-users can be vocal, and in many cases the complaint most heard from them was, “Why does the migration project take so long?”

In many of these migrations the time-consuming elements were application testing, compatibility and remediation, which were also the reasons why these projects rarely finished within budget. Microsoft understands this and has gone to great lengths to partner with software publishers to determine a high level of compatibility and also to provide outstanding application remediation technology.

If your organisation hasn’t begun a software asset management (SAM) program, your Windows 10 project should include funding for starting one. A working SAM process will be a requirement to ensure Windows as a Service (WaaS) can progress at the speed it needs to secure your organisation.

To streamline the difficult process of migration, major software publishers have adopted an ISO standard for tagging software. The benefit of a standard ID tag is that it allows software inventory tools to work more efficiently, easily reporting on the lifecycles of software versions and improving the overall accuracy of reports on licence counts. Over time this can save businesses money in purchasing, vendor audits and support contracts. A further benefit of software ID tags is that they give security vendors free rein to scan and determine vulnerabilities with the highest degree of accuracy possible.

2. The difficulties of UEFI migration

Another reason for enterprise hesitation towards WaaS has been the inability to non-destructively convert a computer’s disk layout during legacy BIOS to UEFI migration. Several key components that make up security features and manageability items in Windows 10 require a computer’s firmware to be in UEFI mode. UEFI mode has been around for several years, but was not widely adopted until the release of Windows 10 gave compelling reasons to make the change.

Previously, changing to UEFI was not possible without destructively formatting the hard drive, because switching the disk’s partition scheme from Master Boot Record (MBR) to GUID Partition Table (GPT) was an additional prerequisite.

UEFI and GPT conversion could be accomplished in the field, but would require either a technician or an expert in using PXE servers and chained operating system task sequences, and such experts were surprisingly few and far between in most organisations. This was an issue for two main reasons. First, it was expensive. Second, the PXE server option carried great risk, as a failure could result in loss of user data or at worst a non-functional computer. Enterprises could therefore be forgiven for not making the change to UEFI mode.

Microsoft realised shortly after Windows 10 was released that UEFI and GPT were a barrier, and started work on a tool that allows for non-destructive conversion. This tool was made available with the 1703 release of Windows 10 and was named MBR2GPT.
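
A read-only readiness check for that conversion, as an added example that is not from the original article or from Microsoft: it reports the firmware mode and the system disk’s partition style, then runs MBR2GPT in validate-only mode. The function name `Test-Mbr2GptReadiness` and the choice of the system disk as the conversion target are assumptions of this example.

```powershell
# Added example: read-only readiness check ahead of an MBR-to-GPT conversion.
# Run from an elevated PowerShell prompt.
function Test-Mbr2GptReadiness {
    [CmdletBinding()]
    param()

    # MBR2GPT arrived with Windows 10 1703, which is build 15063.
    $build = [Environment]::OSVersion.Version.Build
    if ($build -lt 15063) {
        throw "Build $build predates Windows 10 1703; MBR2GPT is not available."
    }

    # Firmware mode the OS booted in: 'Bios' (legacy) or 'Uefi'.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Assumption: the disk holding the system partition is the one to convert.
    $disk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    if (-not $disk) { throw 'No system disk found.' }

    $validated = $null   # stays $null when the disk is already GPT
    if ($disk.PartitionStyle -eq 'MBR') {
        # /validate only inspects the layout and writes nothing to the disk.
        $tool = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'
        & $tool /validate "/disk:$($disk.Number)" /allowFullOS | Out-Null
        $validated = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = $build
        FirmwareMode   = $firmware
        DiskNumber     = $disk.Number
        PartitionStyle = $disk.PartitionStyle
        Mbr2GptValid   = $validated
    }
}

Test-Mbr2GptReadiness
```

A machine that reports legacy firmware mode, an MBR system disk and a successful validation is a candidate for in-place conversion; one that fails validation needs its partition layout reviewed first.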

3. Mastering content distribution through peering

The third and final factor in enterprise reluctance to deploy WaaS is content distribution. The hub and spoke model associated with content distribution has probably caused more Severity 1 outages and project stoppages than any other factor within the IT landscape.

With WaaS, enterprises are now expected to push complete operating systems (4 GB or greater) twice a year to every computer in the environment. This is quite a change from the normal 3-to-5-year operating system upgrade project. To add to the pressure, admins are also now required to push monolithic patches (1 GB+) each month.

To help with the more mundane tasks of migration, Microsoft provides a setting within the SCCM Content Transfer Manager (CTM) that allows content to be pulled from peers by invoking what’s known as the Alternate Content Provider (ACP). This seems like a small change, but it has a big impact by shifting 90 per cent of network traffic to the edges of the network where capacity abounds, and in turn makes IT security tighter.

So while in the past Microsoft upgrades have been a slow and tedious process, with the software tools available to enterprises today the reluctance to migrate to a newer system has been drastically reduced. Enterprises can now move to a technology that gives them the capability to rebuild faster, stronger and better… Windows 10.

Steve Dunkley, SCCM Engineer at Kollective