As I covered in a previous article, the main issue that enterprises face when deploying Windows 10 is choosing between upgrading in-place or performing a "wipe and reload" every time a new operating system version becomes available. The answer to this question depends on many factors, such as applications, estate, environment and several more. However, the very nature of Windows 10 means that for many of us, the possibility exists that we may well be doing more reimaging of devices than ever before.
Even if you go the "upgrade" route, mop-up of failed upgrades will naturally require operating system reinstalls. And as enterprise IT admins know, reimaging means interruptions to the user base. It is therefore essential that the reimaging process is as clean as possible and preserves as many of the user's pertinent settings as is feasible.
The user "personality" consists of three main areas: the applications, the data, and the user profile.
Maintaining access to these areas is crucial. If you can abstract away these key areas, any reimaging situation can be much less intrusive for the user. Once the endpoint has Windows reinstalled, you can then apply the fundamental aspects of the user personality on-demand, reducing the downtime and impact on the overall user experience.
Of course, it is also very desirable that the methods used for abstracting and reapplying the applications, data and profile are as simple and sustainable as possible. Adopting a complex and expensive stack of products or technologies to deal with this is not something enterprises will readily embrace. Windows 10 brings enough challenges of remediation, testing and verification without adding to this, so a solution that is easy to learn and deploy is imperative.
Application virtualization is now a fairly mature technology. Thus, a number of vendors provide a service for abstracting applications into virtual packages that admins can invoke without complex install processes. However, you can group the various technologies in this area into three main groups:
- Isolation solutions: early application virtualization tech, such as App-V, arose in the days of "DLL Hell" when compatibility was vital. The tech isolated applications from each other to prevent them from crashing or conflicting and delivered them through a client.
- Deployment solutions: more modern techs, such as VMware AppVolumes, Unidesk (now part of Citrix) and Liquidware Labs FlexApp, use "layering" to slot the applications into the operating system at logon time. This allows for rapid deployment and updating of applications without the need for installation routines. In addition, it allows all delivered applications to integrate tightly with each other and the underlying operating system.
- Hybrid solutions: intermediate solutions exist that combine the capability to isolate or integrate application packages, such as Numecent Cloudpaging, Cloudhouse, Turbo.net and to an extent, App-V 5.x. In some cases, the mix of isolation and integration can take place within individual packages.
Which "class" of solution you could use depends mainly on the applications you have in your estate. In our experience, a lot of environments still have some legacy applications. This makes solutions such as Cloudpaging, Cloudhouse and Turbo.net very compelling, as they allow the use of isolation technology while still providing the benefits of rapid deployment. Additionally, each solution also allows you to host applications directly (and quite easily) into cloud services like Azure, thus preparing your enterprise for cloud adoption, should it be on the radar.
Maintaining data access is tricky. In environments where users have redirected data folders or those that have a reliable EFSS (enterprise file synchronization and sharing) solution, this shouldn't normally be an issue. However, both redirected storage and EFSS always raise the specter of trading off between utilization and data relevance. In some cases, users end up storing documents and data in other places outside of the "standard" areas, and there is always the chance that some of this data is vital to their everyday productivity.
There aren't many players in this area currently, but AppSense's DataNow product has an interesting feature called In-Location Sync (ILS). Basically, this allows you to capture user "non-standard" data areas and silently synchronize them to the network in the background. Reimaging the user's workstation restores the data with placeholders. This then allows data synchronization back down to the endpoint in the background or upon access. The DataNow configuration occurs completely through Group Policy, making it very easy to deploy.
The user profile doesn't just contain shortcuts and preferences, but it also hosts supplementary data files that users find vital such as Outlook data files, custom dictionaries, signatures, and AutoTexts. If you can also capture and restore these, then you have covered just about all of the necessary bases.
Abstracting the profile is another fairly mature area, with players such as RES, AppSense (now Ivanti), FSLogix, Liquidware, Citrix, VMware, Microsoft and a few others all having products available. Making the decision depends on whether you need your users to roam between different operating systems or profile versions (Windows 10 Anniversary Update shifted from a .v5 to a .v6 profile version, for example).
If you want smooth profile roaming between operating systems or profile versions, then it is essential to adopt one of the higher-end solutions, such as RES or AppSense. On the other hand, if you're anticipating simply running Windows 10 (and trusting that Microsoft doesn't choose to upgrade the profile version on a regular basis), then one of the less complex solutions would fit in perfectly.
We've had great success in this area with FSLogix Profile Containers. This method simply mounts the user's profile as a VHD (virtual hard disk) file across the network, and is very simple to deploy and maintain. You can also do the same using the Microsoft User Profile Disks feature if you're running VDI (virtual desktop infrastructure), and Liquidware Labs also has a similar product called ProfileDisk.
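As an added example (not code from the article, FSLogix or any of the vendors named), the following PowerShell shows the two halves of a profile container deployment of the kind described above: an NTFS and SMB setup on the file server so that each user can reach only their own VHD, and the FSLogix registry settings on the Windows 10 endpoint. The server name, share path, local path and container size are constructed placeholders.

```powershell
# Added example, not from the original article. Run both functions elevated:
# Set-ProfileShareAcl on the file server, Enable-FSLogixProfileContainer on the endpoint.
# '\\FILESRV01\Profiles$' and 'D:\Profiles' are constructed placeholder values.

function Set-ProfileShareAcl {
    # Mirrors the classic roaming-profile share model: users can only create and
    # traverse their own top-level folder; only that folder's creator (plus
    # Administrators) can read the profile VHD stored inside it.
    param([string]$LocalPath = 'D:\Profiles', [string]$ShareName = 'Profiles$')

    New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null
    icacls $LocalPath /inheritance:r | Out-Null                         # drop inherited ACEs
    icacls $LocalPath /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    icacls $LocalPath /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null   # owner of each subfolder only
    # This folder only: list, create folder, traverse, read attributes.
    # No right to read other users' subfolders or the VHDs in them.
    icacls $LocalPath /grant 'Authenticated Users:(RD,AD,X,RA)' | Out-Null

    # NTFS does the real access control; SMB encryption keeps the VHD (which holds
    # saved credentials, cookies and other user secrets) unreadable on the wire.
    New-SmbShare -Name $ShareName -Path $LocalPath -FullAccess 'Authenticated Users' -EncryptData $true | Out-Null
}

function Enable-FSLogixProfileContainer {
    # Run on the endpoint after the FSLogix agent is installed.
    param([string]$VhdLocation = '\\FILESRV01\Profiles$', [int]$SizeInMBs = 30000)

    $Key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name Enabled      -Value 1               -Type DWord
    Set-ItemProperty -Path $Key -Name VHDLocations -Value @($VhdLocation) -Type MultiString
    Set-ItemProperty -Path $Key -Name VolumeType   -Value 'VHDX'          -Type String
    Set-ItemProperty -Path $Key -Name SizeInMBs    -Value $SizeInMBs      -Type DWord

    # Keep local admins on a local profile so a share outage cannot lock support staff out.
    Add-LocalGroupMember -Group 'FSLogix Profile Exclude List' -Member 'BUILTIN\Administrators' -ErrorAction SilentlyContinue

    # Sanity check before the next logon: an unreachable share means a local fallback profile.
    if (-not (Test-Path -Path $VhdLocation)) {
        Write-Warning "Profile share $VhdLocation is unreachable from this endpoint."
    }
    Get-ItemProperty -Path $Key | Select-Object Enabled, VHDLocations, VolumeType, SizeInMBs
}
```

The same share ACL pattern applies to a user-data sync target of the kind described for DataNow, since the security goal is identical: each user reaches only their own folder.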
If you can abstract these settings away from the operating system, not only do you give your users a ready-made roaming solution, but you are also well prepared for the challenges of Windows 10 updates and migration.
Even if you go the "upgrade in place" route, there are always failures and errors. We recently performed a 1511 to 1607 upgrade for a client and found a number of flat-out failures, as well as the loss of some applications and user settings.
But because we had virtualized the applications and captured the user data and profiles, reimaging the failed endpoints wasn't a disaster that required lots of time and resources. SCCM reinstalled the base image and applied the applications, data and user profiles at first logon. This massively reduced the impact on the users and saved the IT department hours in mop-up time.
There is a whole host of technologies you can use to facilitate this "upgrade safety net." Whether you need one depends on the potential for interruption and impact that a widespread upgrade failure can bring. Small enterprises may be content to restore service manually, but in businesses where user downtime is critical to revenue streams, adopting a stack of technologies such as those mentioned above can make a huge difference in terms of support. Moreover, it allows an enterprise to embrace the Windows 10 CBB (Current Branch for Business) model readily with much less fear and trepidation.