By Steve Dunkley, SCCM Engineer at Kollective
September 21, 2017
In comics, myths and movies, no matter who the main character is, he or she always has a crippling vulnerability. Whether it’s a Jedi, the Son of Krypton or the Amazon Princess, the villain always finds the weakness. And while it shocks us when such a mighty archetype’s weakness is found and exposed, we only have to look to the real world to see the same pattern play out time and again.
With the breach of Equifax, we’ve seen a relatively obscure piece of code bring down a giant and place great numbers of people in peril. Equifax wasn’t the beginning nor will it be the end. Earlier in the year, Windows 7 users narrowly avoided a greater possible threat. The WannaCry ransomware would have no doubt continued encrypting hard drives around the globe were it not for a security researcher inadvertently finding the “Achilles heel” and saving more than a few computers.
Sometimes it works both ways; both the good and the bad can be defeated. But I’m certain most companies would prefer not to depend on the kindness of strangers and to have a smarter defense in place for the next threat. Experience shows that the longer a platform or operating system stays in place, the costlier it becomes to defend, and over that period the vulnerabilities uncovered in it multiply until they reach catastrophic proportions.
If your company has not started its migration to Windows 10, the target on its back will only grow larger. So, we come to the subject within our title: Windows 7 comes to its end of life on January 14th, 2020. It is already two years past mainstream support, but many, many businesses have yet to begin migration to Windows 10. Why the reluctance? Here I will share some of the objections I’ve heard from enterprises and attempt to offer solutions to ease the process.
- Conquering upgrade fatigue
The objection I hear most often is simply upgrade fatigue. Moving from Windows XP to Windows 7 was extremely painful for most IT organizations. Business end users can be vocal, and the complaint heard most often from them was, “why does the migration project take so long?”
Usually application testing, compatibility and remediation are the laggards in a migration project and the reason enterprise migration projects fail to complete on budget. Microsoft understands this and has gone to great lengths to work with software publishers to ensure a high degree of compatibility and to provide outstanding application remediation technology.
If your organization hasn’t begun a software asset management (SAM) program, your Windows 10 project should include funding for starting one. A working SAM process will be a requirement to ensure Windows as a Service (WaaS) can progress at the speed it needs to secure your organization.
I usually get a lot of groans and moans on the topic of SAM, because it is a process and it must be perpetuated as a standard part of systems management. Fortunately, an ongoing SAM process inside the organization saves more money than it costs to maintain.
Also, in the last few years, major software publishers have adopted an ISO standard for tagging their software. The benefit of a standard ID tag allows software inventory tools to work more efficiently, easily report on the lifecycle of software versions and give accurate reporting of license count. Over time this will save your company money in purchasing, vendor audits and support contracts. Another benefit to a standard software ID tag is that it allows security vendors to scan and determine vulnerabilities with the highest degree of accuracy possible.
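As an added example that is not part of the original post, the script below reads ISO/IEC 19770-2 software identification (SWID) tags, the standard ID tag referred to above, and turns them into the version and license-count view a SAM process needs. The two tags, the publisher "Example Corp" and the approved version 11.0.2 are constructed samples; in practice you would load the *.swidtag files a publisher installs with its product.

```powershell
# Added example, not from the original post: build an inventory from ISO/IEC 19770-2 SWID tags.
# Both tags below are constructed samples (Example Corp / example.com are placeholders).
$tagA = @'
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Viewer" version="11.0.2" tagId="example.com-viewer-11.0.2" tagVersion="0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>
'@
$tagB = @'
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Viewer" version="10.1.0" tagId="example.com-viewer-10.1.0" tagVersion="0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>
'@
$swidTags = @($tagA, $tagB)

function Get-SwidInventory {
    # Returns one object per tag with the fields an inventory or license report needs.
    param([string[]]$TagXml)
    foreach ($text in $TagXml) {
        $doc = [xml]$text
        $tag = $doc.DocumentElement
        # The Entity whose role includes softwareCreator identifies the publisher by its regid,
        # which is what makes tags from different vendors comparable in one report.
        $creator = @($tag.GetElementsByTagName('Entity')) |
            Where-Object { $_.GetAttribute('role') -match 'softwareCreator' } |
            Select-Object -First 1
        [pscustomobject]@{
            Publisher = $creator.GetAttribute('name')
            Regid     = $creator.GetAttribute('regid')
            Name      = $tag.GetAttribute('name')
            Version   = [version]$tag.GetAttribute('version')   # typed, so versions sort correctly
            TagId     = $tag.GetAttribute('tagId')
        }
    }
}

$inventory = Get-SwidInventory -TagXml $swidTags

# License view: installs per product and version, the number a vendor audit asks for.
$inventory | Group-Object Name, Version | Select-Object Name, Count

# Lifecycle view: anything below the version you have approved (assumed here to be 11.0.2)
# is a remediation candidate, and the tagId tells a vulnerability scanner exactly which build it is.
$approved = [version]'11.0.2'
$inventory | Where-Object { $_.Name -eq 'Example Viewer' -and $_.Version -lt $approved } |
    Select-Object Publisher, Name, Version, TagId
```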
- Easing the transition to UEFI migration
The second reason for enterprise hesitancy toward WaaS has been the inability to transition a computer’s disk layout nondestructively during the migration from legacy BIOS to UEFI. Several core security features and manageability items in Windows 10 require the computer’s firmware to be in UEFI mode. UEFI mode has been around for several years but was not widely adopted until the release of Windows 10 gave compelling reasons to make the change.
To change the firmware from legacy BIOS mode to UEFI mode, there is an additional prerequisite: the disk’s partition scheme must be switched from Master Boot Record (MBR) to GUID Partition Table (GPT). Unfortunately, there was no way to convert computers to UEFI and GPT without destructively formatting the hard drive.
UEFI and GPT conversion could be accomplished in the field, but would require either a deskside visit from a technician or some sophisticated wizardry using a PXE server and chained operating system task sequences. Deskside visits add considerable cost to the whole project and the PXE server option carries great risk as a failure could result in loss of user data or at worst a non-functional computer. Naturally enterprises were paralyzed given both options were poor.
Microsoft recognized UEFI and GPT as a barrier shortly after the release of Windows 10 and started work on a tool that allows for non-destructive conversion. This new tool, named MBR2GPT, was made available with the 1703 release of Windows 10.
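The conversion described in this section, as an added example that is not from the original post: a guarded MBR2GPT run that validates before it converts and confirms the result before anyone touches the firmware. It assumes Windows 10 1703 or later, an elevated PowerShell session, that disk 0 holds the operating system, and a log directory of my own choosing; the BitLocker check is a precaution taken here rather than something the post specifies.

```powershell
# Added example, not part of the original post: a guarded MBR2GPT conversion.
# Assumptions: Windows 10 1703 or later, elevated session, disk 0 is the OS disk.
# The firmware is NOT changed here; it still has to be switched to UEFI mode afterwards.
$disk   = 0
$logDir = Join-Path $env:SystemDrive 'MBR2GPT-Logs'          # assumed log location
$tool   = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

if (-not (Test-Path $tool)) {
    throw "mbr2gpt.exe not found; the tool ships with Windows 10 1703 and later."
}

# Precaution: do not convert while BitLocker is actively protecting the OS volume.
# Suspend it first so the rewritten boot path cannot leave the machine unbootable.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($blv.ProtectionStatus -eq 'On') {
        throw "BitLocker protection is On for $env:SystemDrive; run Suspend-BitLocker first."
    }
}

# Step 1: dry run. /validate checks the layout (at most three primary partitions, no extended
# partition, room for a new EFI System Partition) and exits non-zero if conversion is unsafe.
# /allowFullOS permits running from the full OS instead of Windows PE. Nothing is written here.
& $tool /validate /disk:$disk /allowFullOS /logs:$logDir
if ($LASTEXITCODE -ne 0) {
    throw "Validation failed (exit $LASTEXITCODE); review setupact.log and setuperr.log in $logDir."
}

# Step 2: the real conversion. The partition table is rewritten in place and an ESP is added
# without formatting the data partitions, which is the non-destructive path the post describes.
& $tool /convert /disk:$disk /allowFullOS /logs:$logDir
if ($LASTEXITCODE -ne 0) {
    throw "Conversion failed (exit $LASTEXITCODE); check the logs in $logDir before rebooting."
}

# Step 3: confirm the result before the firmware change, since a disk that still reports MBR
# will not boot once the firmware is set to UEFI mode.
$style = (Get-Disk -Number $disk).PartitionStyle
if ($style -ne 'GPT') { throw "Disk $disk still reports partition style $style." }
Write-Output "Disk $disk is now GPT. Next: switch the firmware to UEFI mode before the next reboot."
```

Run the validate step on its own first across a pilot group; its exit code and log are enough to find machines that need a technician without risking any of them.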
- Mastering content distribution through peering
Lastly, we come to a thorn in the paw for enterprise deployments going back some time, which is content distribution. The hub and spoke model associated with content distribution has probably caused more Severity 1 outages and project stoppages than any other reason I’ve experienced.
With WaaS, enterprises are now expected to push complete operating systems (4 GB or greater) twice a year to every computer in the environment. This is quite a change in cadence from the normal 3 to 5 years, “gird your loins” operating system upgrade project. And just for good measure, rather than a trickle of security patches pushed each month, admins are now required to push monolithic patches (1 GB) each month of the year.
As in every story, our heroes have a faithful companion to help carry out a seemingly mundane task that allows good to triumph. In recent years, Microsoft has allowed access to a setting within SCCM Content Transfer Manager (CTM) allowing content to be pulled from peers invoking what’s known as the Alternate Content Provider (ACP).
This seemingly small change allows 90% or more of network traffic to shift from servers out to the edges of the network, where capacity abounds. This bit of magic, in addition to file-size optimization technologies from Microsoft, supercharges SCCM and WaaS and helps keep villains away. No longer being constricted by available bandwidth to the data center is like giving Popeye a 55-gallon drum of spinach. There is no bad time of day for pushing critical security patches or even full operating systems.
To hearken back to the title of our story... while we mourn the demise of our hero, Windows 7, we now have the technology and capability to rebuild into something faster, stronger, better... Windows 10.
Cue the theme music.