In the first of our three-part series on Windows 10 migration, Egon Rinderer, Senior Director of Technical Account Management at Tanium, explores why moving to the latest Microsoft operating system is so different from any that have come before. He breaks down the people, process, and technology requirements, and offers guidance on how you can accelerate key aspects of your pre- and post-migration journey.
Among the large organizations we work with, we see two primary factors motivating the migration to Windows 10. First is the desire to operate on a long-term, supported operating system which represents the vendor’s best-of-breed offering. In this case, Windows 10 is indeed where Microsoft is spending the lion’s share of its resources. Second, and perhaps more importantly, is the desire to make use of the improved security features available in the new operating system.
Windows 10 represents a bold new world of security features. The new OS offers a next-generation endpoint security stack of antivirus (AV), host-intrusion prevention system (HIPS), data-loss prevention (DLP), code signing, and the crown jewel of them all – OS/hardware security stack integration. While these new features are no panacea for the security problems plaguing enterprises today, the overall security of Windows 10 is significantly improved over its predecessors.
Along with the benefits of these new security features comes a challenge. Unlike earlier Microsoft OS migrations, such as moving from Windows XP to Windows 7, migration to Windows 10, with its full accoutrement of next-generation security capabilities, requires you to gather volumes of data from each endpoint in order to determine your system inventory, configuration, and capabilities. For example, you need to determine the presence of capabilities such as Unified Extensible Firmware Interface (UEFI), Trusted Platform Module (TPM), Secure Boot compatibility, and others. If these features are not enabled on a device, a typical endpoint management platform cannot report on them, let alone determine whether they are present at all.
Most of our customers believe the only way to complete this process is by conducting a hands-on, system-by-system assessment. On average, we have found among our larger customers – those with more than 100,000 endpoints to migrate – this initial endpoint inventory, rationalization, and compatibility assessment process balloons to an 18-month, resource-consuming ordeal. And, even then, the results prove inaccurate to the point of being of questionable value. For many organizations, these initial steps of a typical migration – System Inventory, Rationalization, and Compatibility – are nearly impossible to complete for Windows 10.
Some time ago, our more ambitious customers began developing their plans of action for Windows 10 migration. They started approaching us here at Tanium to see how our platform could aid in their efforts. Since we’re fond of helping our customers solve difficult problems, Tanium’s Technical Account Managers (TAMs) immediately set about breaking down the problem into its component parts and applying Tanium to the solution.
Here’s what we found out: for those companies already using Tanium content, the solution was not only simple, it drove return on investment (ROI) orders of magnitude greater than what we could have imagined. So great was the ROI, in fact, that we began working with our internal ROI modeler in order to look at Windows 10 migration differently. Rather than viewing it strictly as a major cost center, we took the approach that migration to Windows 10 could actually be a driver for our customers to uncover additional ROI.
The payoff was clear. If Tanium was used to surface the information required for a successful migration, it could provide the full host of hardware inventory, including advanced security capabilities and compatibility, in real time, not in 18 months. While it took some time, Tanium’s dedicated team of TAMs developed a nearly instantaneous means of accomplishing this task. We didn’t stop there. Our team invested additional effort building in automation for the following:
We also took the liberty of including features to drive additional ROI from software license reclamation as part of the migration process. This way, our customers are able to not only determine which applications are deployed to the enterprise endpoints being migrated, they’re able to identify which high-cost software licenses are being wasted through non-use.
As we break down the steps involved, keep in mind that the Tanium content we’re discussing here is freely available to any customer using Tanium’s Core product (ver. 6.5 or newer) under our Tanium Labs content program.
Before we delve into the details, let’s explore how we break down the three phases of Windows 10 migration.
Each of the three logical phases of Windows 10 migration offers opportunities to achieve return on investment, often in unexpected ways. Here’s what you need to know about each of the phases:
While Tanium improves all phases of Windows 10 migration, the first phase is where our software can make the most significant contribution. With Tanium Labs Windows 10 Migration content, the process of discovery, inventory, rationalization, and compatibility assessment across the enterprise is condensed from an 18-month, labor-intensive undertaking to something you can accomplish in mere minutes.
While this may sound too good to be true, let’s consider how and why this is possible.
With some effort, our TAMs were able to create new content allowing Tanium to surface the otherwise “impossible” information buried in endpoint hardware around UEFI, TPM, and other hardware capabilities, even when these features are disabled altogether. These data elements can now be included in our inventory report which, like any other data we’re collecting from endpoints, is returned in seconds.
If you’ve tried to find a way to gather this data using other tools, you’ll think this is a pipe dream. This is not smoke-and-mirrors. We have worked with customers in the real world who had allotted 18 months to the completion of this task. After the content was loaded, these customers saw Tanium complete the task in a couple of minutes.
It’s important to note here that, when we talk about an 18-month process, we’re also talking about an army of staff working tirelessly to gather, collate, and normalize the inventory in a very manual process. So, when we speak about a reduction of 18 months, we’re talking about potentially eliminating hundreds or even thousands of man-months for very large organizations.
The Tanium content allows you to set custom thresholds for things like minimum CPU/RAM/Disk space, required TPM versions, etc. This makes an otherwise Herculean task seem trivial, allowing you to automatically bucket systems into readiness categories and provide a high-level enterprise-wide readiness overview – updated with up-to-the-minute fidelity (see image below).
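As an added example that is not Tanium content, the PowerShell below gathers the same readiness attributes (firmware type, Secure Boot state, TPM spec version, RAM, free disk) on the single Windows endpoint it runs on and buckets it into a readiness category; the cmdlets and CIM classes are standard Windows ones, while the thresholds and category names are assumptions chosen for illustration. It also shows the failure mode the article describes: when Secure Boot or the TPM is disabled in firmware, the OS cannot answer the question, so the script records "unsupported" or "not visible" rather than silently treating that as "absent".

```powershell
# Added example, not Tanium content: readiness snapshot for the endpoint it runs on.
# Run in an elevated PowerShell on Windows 8.1/10; the thresholds are assumed values.
$MinRamGB        = 4
$MinFreeDiskGB   = 20
$RequiredTpmSpec = '2.0'

function Get-Win10ReadinessReport {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Windows 8+ sets firmware_type to 'UEFI' or 'Legacy' for the boot firmware in use.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines: keep "cannot ask" as its own
    # state instead of conflating it with "disabled".
    $secureBoot = 'Unsupported'
    try { $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } } catch { }

    # Win32_Tpm is only instantiated when a TPM is present and enabled in firmware, so an
    # empty result means "not visible to the OS", not necessarily "no chip on the board".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'NotVisible' }

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # Separate blockers that need new hardware from those a firmware/config change can fix.
    $hardware = @(); $config = @()
    if ($firmware -ne 'UEFI')          { $hardware += "firmware is $firmware, UEFI required" }
    if ($ramGB -lt $MinRamGB)          { $hardware += "RAM ${ramGB}GB below ${MinRamGB}GB" }
    if ($tpmSpec -eq 'NotVisible')     { $config   += 'TPM not visible to OS: enable in firmware or confirm none fitted' }
    elseif ($tpmSpec -ne $RequiredTpmSpec) { $hardware += "TPM $tpmSpec, need $RequiredTpmSpec" }
    if ($secureBoot -eq 'Disabled')    { $config   += 'Secure Boot disabled in UEFI settings' }
    if ($freeGB -lt $MinFreeDiskGB)    { $config   += "free disk ${freeGB}GB below ${MinFreeDiskGB}GB" }

    # Assumed bucket names: hardware blockers win over config blockers.
    $category = 'Ready'
    if ($config.Count)   { $category = 'Remediate' }
    if ($hardware.Count) { $category = 'HardwareRefresh' }

    [pscustomobject]@{
        Computer = $cs.Name; Firmware = $firmware; SecureBoot = $secureBoot
        TpmSpec = $tpmSpec; RamGB = $ramGB; FreeDiskGB = $freeGB
        Category = $category; Blockers = ($hardware + $config) -join '; '
    }
}

Get-Win10ReadinessReport | Format-List
```

Run the function across a fleet (for example via a remoting or management tool) and group the returned objects by Category to get the same high-level readiness overview the article describes, with the "NotVisible" TPM and "Unsupported" Secure Boot rows flagged for a hands-on check.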
In order to determine application compatibility, you first have to know two things: what software is installed, and what software is in use. These are two very different questions.
Determining installed applications in Tanium is trivial. It’s done with a 20-second query (“list every single piece of software with version/patch information”), which can be writ large across your enterprise, or by conducting a machine-by-machine inventory. In either case, it’s information Tanium can retrieve from every endpoint online in under a minute (including the time it takes to redirect the output to the external inventory system of authority of your choosing, if you like). Tanium also can be used to collect this information from additional systems coming online in the future. Having this information greatly eases the burden of determining application compatibility. (Editor’s note: Tanium has the ability to integrate with Microsoft tools for the automation of application compatibility checking, which are not discussed in this article.)
Now, you can set about application mapping (e.g. all users with any version of Adobe Reader will be standardized on Adobe Reader _current_ at migration time), and developing those targeted application packages, which Tanium can surgically deliver to the endpoints that need them.
With sufficient information about which applications you have in the enterprise, the real value is in knowing which subset of “what you have” is actually in regular use. For example, perhaps you have 15,000 copies of some legacy piece of software across your enterprise that doesn’t map to a newer Windows 10-compatible version. Do you invest the time researching to determine whether a package and configuration for this piece of software can be developed that will allow it to run on a migrated workstation? What criteria come into play to make this determination?
You could send out an email to those with the application, asking if they “need” it post migration. My guess is you’ll get a resounding “Yes! Absolutely!” from about 99.9% of those who respond.
You could, instead, let Tanium monitor the utilization of all of your applications (which it does by default immediately upon install). This allows you to decide who really needs the legacy software based on its actual production use in your enterprise. You may well have 15,000 copies installed, only to discover there are two people actually using it, and they can be accommodated by moving to a more modern, Windows 10-compatible alternative.
Armed with this content from Tanium, you’ll literally knock months off your Phase 1 process. You’ll have absolutely accurate inventory because you’re directly interrogating the endpoint at the time of inventory, instead of relying on information collected over time. You’ll have accurate configuration and compatibility data at your fingertips. That alone is incredible. But it goes further.
Because this query runs so quickly, it can be run as often as needed to accommodate change. Imagine, for a moment, if this task had been completed manually, over the course of weeks or months. There is a very high likelihood the systems inventoried and assessed early on will have changed by the time migration is executed on them. This can prove problematic, at best, and catastrophic at worst. Perhaps a new piece of software was installed that is not Windows 10 compatible. Perhaps a problem has surfaced on a subset of systems you didn’t account for (and look for by attribute) in your first round of inventory, which ends up breaking the migration in practice (a migration “Zero Day,” if you will).
With Tanium providing current data, you’re never relying on dated information collected months earlier. Tanium can provide ongoing information, giving you the ability to track deltas over time. Additionally, a “moment of migration” re-inventory can be run at the time of migration as a final safety check, thereby providing the highest level of assurance possible of a successful migration. There is no other tool on the planet able to do this en masse across your enterprise in real time.
Thanks for reading. We hope you found Part 1 of our Windows 10 migration series useful. In Part 2, we explore how Tanium can be used in Phases 2 and 3 to ease the burden on your resources. In Part 3, we share how you can uncover considerable ROI by using Tanium in your Windows 10 migration process.
About the author: Egon Rinderer has more than 25 years of experience in Federal- and private-sector cyber-warfare, cybersecurity operations, and IT operations. In his role as VP of Technical Account Management for Tanium, he manages an organization of 35 engineers who specialize in the deployment and use of Tanium throughout the Federal government. He was previously head of the Tanium Federal engineering team. Prior to joining Tanium, Egon was Senior Liaison to the Intelligence Community for Intel Corporation and served in the US Navy as a Cryptologic Technician, cross-assigned as Tactical Cryptologic Support to the Joint Special Operations Command.