Employees working from home have come into focus due to COVID-19. The “bring your own device” (BYOD) practice has taken on a deeper meaning as people must now be productive with devices that, until recently, may not have been a primary workload tool. Alongside this comes another issue enterprises are now facing — the number of home computers still using Windows 7. While once thought of as a ‘backup’ system by employees, these legacy OS systems are getting more use due to COVID-19. This is escalating security risks for the corporate network with Microsoft ending Windows 7 support to focus on ramping up the pace of Windows 10 adoption and support.
However, the problem with moving to Windows 10 on a remote worker’s endpoint device(s) — or endpoint devices used at home — is that it still generates the same fundamental management and security challenges as other Windows versions.
Microsoft’s Windows update schedule further illustrates the management burden placed on IT to provide a secure compute environment. The current Windows 10 schedule calls for two ‘feature updates’ per year in addition to the traditional monthly “patch Tuesday” security and stability updates. The increased cadence and density of these updates are putting additional pressure on an already imperfect, time-consuming, and labor-intensive update process. Upgrading an operating system as large and complex as Windows at scale is an endeavor prone to errors and quality issues. In some cases, these errors may originate with Microsoft. In other cases, IT teams may encounter localized patch failures due to situational issues.
Patching itself is a significant burden at the endpoint, and unless executed in a timely, thorough fashion, creates more ongoing security exposure. The industry’s Common Vulnerabilities and Exposures (CVE) database reports 357 distinct Windows 10 vulnerabilities discovered in 2019 alone. Even organizations that are highly adept at applying Windows patches to their endpoints quickly find themselves in a near-constant state of vulnerability. Endpoint security products do bring added protection, but generally create even greater complexity on the endpoint devices and more management burden for desktop IT teams. For enterprises composed of thousands or tens of thousands of Windows endpoint devices to manage and control, it’s easy to understand how the constant endpoint patching process in itself has become untenable.
Another issue is that Windows 10 is a storage hog. In an April 2019 advisory, Microsoft warned users that they would need up to twice as much free storage to install its major update than previous upgrades required. These unplanned hardware requirements put desktop teams in the unenviable position of choosing between new hardware purchases or new security risks and feature trade-offs. The traditional “winning” choice has been to bite the bullet and buy more devices in what is known as the infamous “hardware refresh” cycle that occurs like clockwork every three or four years. For larger enterprises that can equate to millions of dollars spent (and IT budgets further depleted) during each refresh.
Windows off the Endpoint and in the Cloud
Clunky, labor-intensive updates. A minimum 32GB of disk space required for a clean install of Windows 10 (compared to 16-20 GB for Windows 7). A tedious process of trying to free up disk space to accommodate an update from a previous Windows 10 version, and the automatic loss of some applications if you’re updating from certain versions of Windows 7 or 8, or even earlier versions of Windows 10. All these point to Windows 10 at the endpoint being a productivity headache for years to come, even as Microsoft claims Windows 10 is “the last version of Windows.”
The solution to this problem is to free the endpoint from Windows and make Windows a cloud-based system. Organizations are already successfully delivering Windows desktops and applications from the data center using virtual desktop infrastructure (VDI) and remote desktop session hosts technologies from vendors like Citrix, VMware, and also Microsoft. More recently, it has become even easier to deploy and manage Windows desktops centrally using desktop-as-a-service (DaaS) offerings from Amazon Web Services and Windows Virtual Desktop (WVD) from the Microsoft Azure cloud.
Getting Windows off the endpoint is doable. Here are some considerations:
- Centralized management with a VDI or remote desktop session hosts dramatically improves both manageability and security. Virtualization platforms include superior capabilities for separating user settings and data from the underlying operating system. They also have advanced features like non-persistent desktops, linked clones, snapshots, and rollback that aren’t easily replicated on an endpoint that is running Windows natively on the device.
- Windows execution on server hardware eliminates many of the hardware- and environment-specific factors that complicate endpoint patching. In the data center, backup and redundancy of compute resources and data are inherent design requirements, supporting business continuity.
- DaaS as a Windows delivery option eliminates data center and virtualization platform management requirements. It also supports the widespread enterprise use of cloud-based Office 365 and other popular apps normally consumed from the cloud.
Windows and Work-from-Home
The phenomenon of so many people working from home as a result of COVID-19 has caused much stress for employees accustomed to social interaction. From a longer-term perspective, it has put new focus on what devices any of us are using at home and whether they are up to speed on security protocols, not to mention whether they’re using legacy OS systems like Windows 7. Transitioning to Windows 10 in the cloud benefits home and remote workers and enterprises with:
- More efficient updates. Since the endpoint device is now separated from the OS, updates and patching occur on virtual desktops in one or two data center locations instead of potentially many thousands, and thus can be accomplished quickly without slowing down productivity.
- More secure workloads. Employees want to support an enterprise’s security standards, but they also can’t be slowed down by cumbersome protocols. Centralized OS management can provide the right level of access for each employee based on company policies, without any frustrating additional steps by the end user.
- More valuable IT time available. Pushing updates out throughout the endpoint estate — via the cloud — can free up IT time for other projects and innovations that help the enterprise at large and provide the economic stability employees need.
- Greater user productivity. Enabling people to work from home eliminates time wasted commuting and enables them to achieve greater work/life balance. Since Windows updates occur in the data center or cloud, home and remote users have more time to work, as they no longer must sit through endless updates and patches.
Time to Release Windows from the Endpoint
Windows remains the workhorse OS for business, but for endpoint devices it isn’t the only game in town. From x86 operating systems like MacOS, Chrome OS, and Linux to full-featured mobile operating systems like iOS and Android, there are more ways than ever for people to access corporate applications and workspaces. Linux OS is making great strides due to its much smaller footprint, its superior security benefits, and the fact that a Windows endpoint can be converted into a Linux-powered endpoint by simply booting Linux from a USB device.
But Windows desktops are also here to stay, so moving Windows off the endpoint is the prudent long-term strategy. In fact, Microsoft itself is embracing the evolution of Windows into a centrally managed OS. The most notable example of this is the introduction of the WVD DaaS offering from the Azure cloud.
Adopting VDI, remote desktop session hosts, or DaaS with a highly efficient, secure, and fully managed Linux-based endpoint OS has emerged as the approach of the future. It gives users their familiar Windows desktop experience and the proven application capability that comes along with it, and greatly improves IT efficiency by:
- Vastly simplifying the update and patching process
- Improving security by eliminating many of Windows’ common attack vectors at the network edge
- Eliminating the need to patch up to potentially many thousands of Windows endpoints
- Relieving the constant burden of implementing complex and costly third-party security products on each physical endpoint device
Now more than ever, out of either desire or necessity, organizations are rapidly realizing the many benefits of moving Windows to the data center or cloud, and using a simple, smart, and secure Linux-based OS at the network edge. It is turning out to be the right move, at the right time, for both IT teams and end-users.