Using Horizon Mirage for Windows 7 Migration of Windows XP Endpoints with Disk Encryption
By Judy Wu, Solution Engineer, End-User Computing, VMware
Microsoft ends support for Windows XP on April 8, 2014, so it is an urgent requirement for businesses of all sizes to migrate from Windows XP to Windows 7. VMware Horizon Mirage provides centralized image management for Windows desktops with enhanced OS migration capabilities. It is quite straightforward to migrate your Windows XP endpoints to Windows 7 with Horizon Mirage. However, you need a different methodology if your endpoint devices are encrypted with a third-party full-disk-encryption tool.
This blog tells you how to migrate to Windows 7 using Horizon Mirage without decrypting the endpoint devices that are encrypted by a third-party full-disk-encryption tool. This blog uses Sophos SafeGuard Enterprise 5.5 as an example.
Important: You might use another third-party full-disk-encryption tool. Windows 7 migration for endpoints encrypted with another full-disk-encryption tool might work with the methodology described here, but VMware has not explicitly tested other tools. Therefore, endpoints using a third-party full-disk-encryption tool other than Sophos SafeGuard Enterprise 5.5 should be decrypted before proceeding with Windows 7 migration, because the encryption software might interfere and cause the migration to fail. If your endpoint devices are decrypted before migration, the device for the base layer capture does not need to be encrypted before capturing the base layer, as in the following method.
Usually, the Horizon Mirage environment has the following topology:
- Mirage Components in the Datacenter – Mirage Server, Mirage Management Server, Database, and Storage
- A reference CVD machine (a physical or virtual machine)
- A virtual machine for app layer capturing (or a physical machine)
- Endpoints – Windows XP endpoints centralized and managed by Mirage, and encrypted by a third-party full-disk-encryption tool
- A server for the third-party full-disk-encryption tool
- Other servers that are not in this diagram, such as the Active Directory Server, do not impact the Windows 7 migration process
The third-party full-disk-encryption tool in this example is Sophos SafeGuard Enterprise 5.5.
Installation and Preparation
There are three installation and preparation steps to migrate your encrypted endpoints from Windows XP to Windows 7:
1. Install Horizon Mirage.
2. Capture a base layer on the reference CVD machine.
3. Capture an app layer on the virtual machine for app layer capturing.
For step 1, refer to the VMware Horizon Mirage Installation Guide. The methodology in this blog focuses on the steps after Horizon Mirage is installed. To capture the base layer and app layer, use the following instructions.
Capture a Base Layer
Before capturing a base layer
1. Important: Encrypt the base layer device with the same third-party full-disk-encryption tool used on the Windows XP endpoints. Not only the version of the Sophos SafeGuard Enterprise tool, but also the configuration package or policy, must be the same as those used on the Windows XP endpoints.
2. Install the Mirage Client on the base layer device and leave it in Pending status. Refer to the VMware Horizon Mirage Administrator’s Guide.
3. Go to the Mirage Management Console and create a new reference CVD from the device. Refer to the VMware Horizon Mirage Administrator’s Guide for detailed steps.
4. Go to the Mirage Management Console and import USMT Settings. Refer to the VMware Horizon Mirage Administrator’s Guide.
5. Go back to the base layer device, right-click the Horizon Mirage icon in the notification area, and select Tools > Windows 7 Image Setup. When the process ends, click the OK button to finish.
To capture a base layer:
1. In the Mirage Management Console, select Common Wizards > Capture Base Layer.
2. In the Capture Base Layer window, choose to capture a base layer from the reference CVD created before.
3. Follow the prompts to select the pending device you prepared, and finish the task.
Upon successful completion of the task, the captured base layer is listed under Image Composer > Base Layers in the Mirage Management Console.
Capture an App Layer
After installing the Mirage Client on a device, you can capture an app layer without encrypting the device.
In the Mirage Management Console, select Common Wizards > Capture App Layer. Follow the wizard to capture an app layer, and refer to the VMware Horizon Mirage Administrator’s Guide.
Windows 7 Migration
Now that you have completed the necessary installation and preparation steps, you can begin to migrate to Windows 7.
1. In the Mirage Management Console, select Common Wizards > Windows 7 Migration.
2. In the Windows 7 Migration window, select your CVDs or collections.
3. Select the base layer you captured.
4. Select the app layer you captured.
5. Follow the wizard to finish the task.
When you finish the wizard, migration starts. The Mirage Client on each endpoint shows that a migration is in progress. Users can keep using the endpoints as usual. Once this process finishes, the Mirage Client prompts for a restart. You can choose to restart the endpoint immediately or later. During the restart, Horizon Mirage makes several configurations, so it will take several minutes. This is the only period during migration that the endpoint is unavailable.
As soon as the endpoint restarts, the Windows 7 migration finishes successfully. The endpoint restarts as Windows 7 and is encrypted as before. From now on, it is a Windows 7 device that is managed by Horizon Mirage.
I will write again when we have further improvements and enhancements to report. You can provide feedback or send questions about migrating to Windows 7 with Horizon Mirage using the Leave a Reply feature at the bottom of this blog.