Using Horizon Mirage for Windows 7 Migration of Windows XP Endpoints with Disk Encryption

Mar 20, 2014
Jessica Flohr


Jessica Chapin (Flohr) is a contract technical writer and editor in End-User Computing at VMware in Palo Alto, California. She graduated from the University of Colorado Denver with a bachelor of arts degree in English Writing and has a certificate in editing from Poynter News University. Currently, she is working on the Professional Sequence in Editing through the UC Berkeley Extension program. In addition to editing technical papers and formatting blog posts for the End-User Computing blog, Jessica writes for her local community newspaper.

Share This Post On

By Judy Wu, Solution Engineer, End-User Computing, VMware

Microsoft ends support for Windows XP on April 8, 2014, so it is an urgent requirement for businesses of all sizes to migrate from Windows XP to Windows 7. VMware Horizon Mirage provides centralized image management for Windows desktops with enhanced OS migration capabilities. It is quite straightforward to migrate your Windows XP endpoints to Windows 7 with Horizon Mirage. However, you need a different methodology if your endpoint devices are encrypted with a third-party full-disk-encryption tool.

This blog tells you how to migrate to Windows 7 using Horizon Mirage without decrypting the endpoint devices that are encrypted by a third-party full-disk-encryption tool. This blog uses Sophos SafeGuard Enterprise 5.5 as an example.

Important: You might use another third-party full-disk-encryption tool. Windows 7 migration for endpoints encrypted with another full-disk-encryption tool might work with the methodology described here, but VMware has not explicitly tested other tools. Therefore, endpoints using a third-party full-disk-encryption tool other than Sophos SafeGuard Enterprise 5.5 should be decrypted before proceeding with Windows 7 migration, because the encryption software might interfere and cause the migration to fail. If your endpoint devices are decrypted before migration, the device for the base layer capture does not need to be encrypted before capturing the base layer, as in the following method.


Usually, the Horizon Mirage environment has the following topology:

MirageComponentsHere are the components in the environment:

  • Mirage Components in the Datacenter – Mirage Server, Mirage Management Server, Database, and Storage
  • A reference CVD machine (a physical or virtual machine)
  • A virtual machine for app layer capturing (or a physical machine)
  • Endpoints – Windows XP endpoints centralized and managed by Mirage, and encrypted by a third-party full-disk-encryption tool
  • A server for the third-party full-disk-encryption tool
  • Other servers that are not in this diagram, such as the Active Directory Server, do not impact the Windows 7 migration process

The third-party full-disk-encryption tool in this example is Sophos SafeGuard Enterprise 5.5.

Installation and Preparation

There are three installation and preparation steps to migrate your encrypted endpoints from Windows XP to Windows 7:

1. Install Horizon Mirage.

2. Capture a base layer on the reference CVD machine.

3. Capture an app layer on the virtual machine for app layer capturing.

For step 1, refer to the VMware Horizon Mirage Installation Guide. The methodology in this blog focuses on the steps after Horizon Mirage is installed. To capture the base layer and app layer, use the following instructions.

Capture a Base Layer

Before capturing a base layer

1. Important: Encrypt the base layer device with the same third-party full-disk-encryption tool used on the Windows XP endpoints. Not only the version of the Sophos SafeGuard Enterprise tool, but also the configuration package or policy, must be the same as those used on the Windows XP endpoints.

2. Install the Mirage Client on the base layer device and leave it in Pending status. Refer to the VMware Horizon Mirage Administrator’s Guide.

3. Go to the Mirage Management Console and create a new reference CVD from the device. Refer to the VMware Horizon Mirage Administrator’s Guide for detailed steps.

4. Go to the Mirage Management Console and import USMT Settings. Refer to the VMware Horizon Mirage Administrator’s Guide.

5. Go back to the base layer device, right-click the Horizon Mirage icon in the notification area, and select Tools > Windows 7 Image Setup. When the process ends, click the OK button to finish.

To capture a base layer:

1. In the Mirage Management Console, select Common Wizards > Capture Base Layer.

2. In the Capture Base Layer window, choose to capture a base layer from the reference CVD created before.

3. Follow the prompts to select the pending device you prepared, and finish the task.

Upon successful completion of the task, the captured base layer is listed under Image Composer > Base Layers in the Mirage Management Console.

Capture an App Layer

After installing the Mirage Client on a device, you can capture an app layer without encrypting the device.

In the Mirage Management Console, select Common Wizards > Capture App Layer. Follow the wizard to capture an app layer, and refer to the VMware Horizon Mirage Administrator’s Guide.

Windows 7 Migration

Now that you have completed the necessary installation and preparation steps, you can begin to migrate to Windows 7.

1. In the Mirage Management Console, select Common Wizards > Windows 7 Migration.

2. In the Windows 7 Migration window, select your CVDs or collections.

3. Select the base layer you captured.

4. Select the app layer you captured.

5. Follow the wizard to finish the task.

When you finish the wizard, migration starts. The Mirage Client on each endpoint shows that a migration is in progress. Users can keep using the endpoints as usual. Once this process finishes, the Mirage Client prompts for a restart. You can choose to restart the endpoint immediately or later. During the restart, Horizon Mirage makes several configurations, so it will take several minutes. This is the only period during migration that the endpoint is unavailable.

As soon as the endpoint restarts, the Windows 7 migration finishes successfully. The endpoint restarts as Windows 7 and is encrypted as before. From now on, it is a Windows 7 device that is managed by Horizon Mirage.

I will write again when we have further improvements and enhancements to report. You can provide feedback or send questions about migrating to Windows 7 with Horizon Mirage using the Leave a Reply feature at the bottom of this blog.


VMware Horizon Mirage Documentation


VMware Horizon Mirage

468 ad