10 Tips for Feds to Ace Their Windows 10 Migration Part 1 of 2

The U.S. federal government’s migration to Windows 10 is currently being driven by government-wide mandates that favor industry standard technologies, along with increasingly stringent security requirements.

Agency IT executives fully understand that a lack of OS standards across the government has only generated confusion and complexity, especially when upgrading thousands of user devices at once. With so many devices running multiple, differing OS versions, agencies face difficult, time-consuming and budgetary challenges when deploying, maintaining and upgrading endpoint devices.

Security Concerns Rise, Windows 10 Migrations Do Too

Driven by security concerns and issues with OS standardization complexities, the Pentagon set a January 2017 deadline for Department of Defense agencies to migrate to Windows 10. While the entire DoD didn’t achieve this goal, the aggressive timeline mandated by the Pentagon kickstarted Windows 10 migration efforts across both DoD and civilian agencies. Meanwhile, Microsoft announced it will end all support for Windows 7 in January 2020. 

According to a recent global study by Dimensional Research:

  • 37% of IT organizations across the public and private sectors plan to fully migrate to Windows 10 within the next year
  • 35% plan to migrate within the next two years
  • 14% have not yet established a migration timeline

What We Have to Say About It

Ivanti’s created its Top Ten Tips for Windows 10 Migration, which is designed to help agency IT departments gather insights from our extensive, collective experience in helping all types of organizations across the public and private sector to complete Windows 10 OS migration processes.

Tip #1: PREPARE FOR A NEW RELEASE CADENCE

With Windows 10, Microsoft has introduced a far more frequent update cadence to ensure Windows 10 endpoints remain up to date. This twice-yearly cadence, called the Semi-Annual Channel, replaces the Current Branch for Business (CBB) and the Long-Term Servicing Branch (LTSB) options for servicing Windows, which was introduced with the advent of Windows 10.

Endpoints that employ the Semi-Annual Channel will receive two major updates per year, while endpoints that use the Long-Term Servicing Channel will receive major feature updates infrequently, perhaps every two to three years. In addition, Microsoft has removed many of the non-essential, built-in Semi-Annual Channel features from the Long-Term Servicing Channel — such as Windows Store Apps, Cortana, and Microsoft Edge — to reiterate its advice that the Long-Tern Servicing Channel is only for point-of-sale and industrial devices.

Most organizations will receive twice-yearly updates from the Semi-Annual Channel. Primary benefits include increased security and feature updates. The downside is that most IT teams will find themselves in a constant state of migration due to more frequent updates.

Tip #2: DON’T LET APPLICATIONS BE A BARRIER TO MIGRATION

One of the largest obstacles organizations face when migrating to Windows 10 involves application compatibility. Luckily, there are several alternative application-delivery platforms that help apps to be integrated seamlessly into desktop environments using techniques such as virtualization, layering, or streaming technologies.

When selecting an application delivery method, consider the questions below to help determine the best approach to fit your agency’s needs/requirements:

— Will my users need access to applications offline?

— What security privileges will users need to run these apps?

— How do I license these apps?

— How will my IT department handle upgrades/patches?

— Based on answers to the questions above, which approach is most cost-effective for this agency/department?

In addition, federal agencies must also consider Web applications.

If in-house agency web apps currently run without issue on IE9 in compatibility mode, or only with a specific version of Java, what will happen when migrating to IE11 or Microsoft Edge? Do you redevelop internal web applications, or do you virtualize them to continue support, which could be costly and time consuming?

Ivanti recommends re-testing mission-critical agency applications on Windows 10 before migrating them, with a specific emphasis on testing the most secure applications that require administrative rights in order to run.

Tip #3: PICK AN OS DEPLOYMENT STRATEGY

There are several device-related caveats to consider when embarking on a desktop migration initiative. Most importantly, some devices may not support Windows 10. Since late 2016, PCs no longer ship with Windows 7 pre-installed, and most modern processors will only be supported on Windows 10.

Federal agencies must decide whether to replace, re-image, or upgrade existing endpoints. The Dimensional Research survey found there is no single best approach to Windows 10 migration. Of respondents surveyed, 52% planned on re-imaging existing endpoints using systems management tools, while 49% were looking at hardware migration, or upgrading to Windows 10 as new devices are deployed. However, by timing computer replacement strategically to coincide with an OS migration, agencies may save time and expenses associated with in-place upgrades.

Tip #4: ENSURE WINDOWS AND APPLICATIONS ARE PROPERLY PATCHED

With ransomware and other malicious attacks on the rise, it’s increasingly difficult for federal agencies to satisfy security compliance requirements while protecting against new and more intelligent threats.

Social engineering tactics use deceptive techniques to manipulate users into performing non-secure actions or divulging private information. Many targeted attacks look for vulnerabilities and weaknesses in agency operating systems and application content, typically due to unpatched operating systems and applications.

A comprehensive patch management solution can help protect your agency’s Windows 10 environment, without disrupting the continuity of operations, by detecting vulnerabilities in both your Windows 10 endpoints and installed applications.

Tip #5: STOP MALICIOUS OR UNLICENSED APPLICATIONS

Will agency users employ Windows 10 Store apps? If so, how will agency IT administrators control which apps they may access, install, or run? Agencies are likely to encounter productivity, compliance, and security risks when they fail to use application controls.

In addition, it’s not solely Windows Store apps that must be controlled, but traditional Windows apps as well. Without proper app controls in place, users may introduce unlicensed software, ransomware, or other malicious executables, compromising agency security and increasing serious cybersecurity risks.

Traditional whitelisting and blacklisting technologies typically require ongoing maintenance when new service packs or upgrades are released, or when new, unknown malware is propagated. This can increase the burden on IT staff, along with the cost of IT support. In addition, these solutions are often easily bypassed by renaming unknown or blacklisted applications as an application on the whitelist.

Ivanti® Application Control uses a Trusted Ownership™ model in which any application installed by a non-trusted owner (any standard, typical agency user) is blocked automatically.

Application Control is recognized by Microsoft for enforcing device-based software license control. By controlling which users or devices have permission to run named applications, agency IT administrators can place limits on the number of application instances, which devices or specific users may run an application, as well as when users may run a program, and for how long.

The Next Five?

Be sure to check out 10 Tips for Feds to Ace Their Windows 10 Migration Part 2 of 2

Also, read the full report here.” Start your transition to Windows 10 with Ivanti now!