Advice for Windows Migrations: Automate as Much as Possible

The recent news that the WannaCry virus had impaired the UK's National Health Service's ability to provide care for its tens of millions of patients was scary for all of us working in IT. As a systems administrator for more than 20 years at nonprofit US healthcare provider Riverside Health System, I felt sympathetic.

When reports emerged suggesting that the vulnerability exploited by the hackers was caused by the NHS running Windows XP, I identified in a whole new way. Although Riverside migrated from Windows XP some time ago, it was a challenging process and had a steep learning curve. Riverside isn't on the scale of the NHS (we have about 9,500 machines now, mostly Windows), but all healthcare providers will face similar challenges.

Fortunately for us, and unlike many other healthcare providers, we could take solace in knowing that 90% of our environment was already protected through our normal monthly patch cycle, because we've automated that process. The remaining 10% for which we had to take special measures are those "problem children" unable to receive a patch because of their own technical faults. This is something we're hoping we can remedy as we move to Windows 10.

Riverside completed its Windows 7 migration a couple of years ago. However, if there's a lesson in last month's unfortunate events, it's that none of us should rest on our laurels. The more up-to-date your software, patches, and operating system are, the better. WannaCry is a loud wake-up call reminding us that we all need to stay current. As a result, we're planning to accelerate our move to Windows 10.

Key Lesson
When we started our Windows 7 migration, we did it the old-fashioned, manual way, running a master image (also known as a golden image) for Windows 7 that we provided to our techs. It was a very hands-on approach — each tech had time to build one, maybe two per day, if he or she was lucky — and we had about 4,800 devices to update. We had tons of different makes and models of hardware that hadn't been standardized. It quickly became clear to managers that they were going to have to hire more than $600,000 worth of labor to come in and do the process if we wanted it done within two to three years.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

The other option was automation. We thought we could leverage Microsoft's Configuration Manager, but it would not allow us to propagate such a large image across the T1 network. Then we decided to research third-party vendors that offer automation. In the end, we went with 1E, whose peer-to-peer technology suited our needs. Automation proved key for ensuring that machines could be migrated quickly but consistently to Windows 7: each individual machine has a lot of unique data on it, so it was great to use the migration tools, back up the data on a local machine on the subnet, capture everything, and then restore it cleanly. In the end, 1E's tools helped us compress our Windows 7 upgrade from the two to three years we expected down to one year.

The Road to Windows 10
As we ready ourselves for Windows 10, we face a similarly challenging environment: lots of unique data on the machine, the question of where and how you store it, and how you get these packages across the network quickly. We still have our automation infrastructure in place to deal with these problems. But there are other lessons we're looking to carry over, too, as well as some new challenges we will face.

One difference with Windows 10 concerns its high-speed release cadence. As the WannaCry attack reminds us, from a security point of view, you want to not only be using the latest OS but the latest version of it, and patched as much as possible. In addition, we're planning to migrate swiftly, to avoid having several different flavors of Windows 10 at the same time. Automation will help.

Another challenge for us is that we're looking to go to a 64-bit operating system across the board. With the last migration, to simplify the migration process we stayed with the same OS processor architecture type on each device for compatibility reasons. If the PC was a 64-bit XP machine, then it got 64-bit Windows 7, and if it had a 32-bit system, it got 32-bit Windows 7. We've had vendor applications that absolutely will not run in one version or another. Without an operating systems deployment migration process that allows us to quickly rebuild those machines, that, too, would be a very big undertaking.

We begin our Windows 10 migration very soon. Despite all the challenges and changes,  although consultants told us Windows migrations typically take several years, we believe we can do it in one (or even faster) with automation. Accelerating the move not only improves our security posture but also helps us continue to give our end users and medical professionals a consistent experience — something they've come to value from our IT team.

Related Content: