In Q4 2015, Terry Halvorsen, the Chief Information Officer for the US Department of Defense, decreed that all branches of the military needed to migrate to Windows 10 by Q1 2017. As it often does, the US Marine Corps (USMC) volunteered to go first in this effort. In all, the DoD has around three million desktops (including both physical and virtual machines) to update, so it made sense for the smallest of the four major military branches (Army, Navy, Air Force, and Marines) to go forth as a kind of initial pilot group anyway. Alas, along the way the USMC encountered an unexpected Win10 update snag: the target hardware platforms lag far enough behind current technology that remote, unattended upgrades have proved more problematic than initially projected.
Older hardware makes no-touch Windows 10 upgrades less likely to succeed.
As reported in a May 12 story from FederalNewsRadio.com entitled “Outdated hardware snags Marines’ migration to Windows 10,” the service found that only about 10 percent of its computers were amenable to remote, no-touch upgrades to Windows 10. It had been expecting that this approach would work with somewhere between 60 and 70 percent of the computers on the Marine Corps Enterprise Network (MCEN). Thus, this result comes as something of an unpleasant and potentially expensive surprise. In proffering an explanation for the Win10 update snag at a meeting of the Washington, DC chapter of the AFCEA, USMC CIO Brigadier Dennis Crall said:
Our challenges are with hardware, and hardware that is older than a couple years is having more difficulty accepting Windows 10 than hardware that is new. And when you look at what ‘new’ means within DoD, we purchase yesterday’s technology tomorrow. A lot of our brand-new systems are having difficulty with the upgrade as soon as they come out of the box, and we didn’t anticipate that.
What’s Causing the Win10 Update Snag?
I’ve got to give General Crall credit for the wonderful tagline bolded in the preceding quote (emphasis mine), but this upgrade effort faces serious problems for several reasons:
- Increasing the level of human interaction means more time, effort, and expense in achieving the overall upgrade. Add more expense for refreshing those machines that remain unable to be upgraded despite the added effort.
- The services now have to juggle the cost of the added expense for human effort against the costs of purchasing newer Win10-ready hardware. In cases where the cost of effort surpasses that for new gear, it makes more sense to “buy up,” but that was clearly not part of the original budgetary equation.
- Some upgrades will not be able to exploit all of Windows 10’s advanced security features (for example, only UEFI machines can use Secure Boot and only machines that support the latest virtualization features can use Credential Guard). This means some upgraded machines, especially older ones, may not be able to comply fully with the DoD’s “secure host baseline,” a common set of security configurations across the many millions of PCs under its aegis. Making exceptions for security poses well-known problems, too.
Virtualization appears to offer a partial remedy to the Win10 update snag. Bill Marion, deputy CIO for the Air Force, questions the need for thick clients in all circumstances, and observes that “the cost of a traditional desktop and office software and the security that goes around that is pretty expensive.” The USAF is pondering more use of “mobile device[s] with a containerized cloud application [that is] lightweight, better encrypted, [and] easier to defend” as a possible alternative, he says. Admittedly, virtualization is better suited for what he describes as a “garrison environment,” while native hardware appears better suited for the “tactical environment” of field operations. This approach could provide some much-needed relief for the services’ upgrade effort, though, and let the military concentrate on hardware upgrades where they could do the most good and create the greatest impact for the expense involved.
In general, the military seems convinced that Windows 10 is a much more secure OS than earlier Windows versions, and fairly eager to get to that platform so as to benefit from what Halvorsen calls “security baked in from the beginning.” He remains positive that 80-plus percent of the DoD’s laptops and desktops will meet the January 2017 upgrade deadline, because most of them reside in offices on military bases and are managed through the Navy-USMC Intranet or the Air Force AFNET. The remaining 20-odd percent are another story, and may have to stay where they are on waiver status for years because they are integrated into weapons systems that might be at sea, are outside the USA, or are engaged on active military service missions. Thus, for example, the Navy has shipboard platforms still based on Windows XP that probably won’t be upgraded for years to come. Let’s hope that such systems never get exposed to external penetration attempts! But that means the Win10 update snag appears poised to persist for some time for specific hard-to-upgrade systems.
[Note: thanks to Cluster Head at TenForums.com who brought this story to my attention: Danke Schoen, mein Freund!]