The workplace journey to the cloud


My goal for this year is to share my experiences in moving the workplaces of our enterprise to the cloud with a broader audience. I will create a series of blogs on different topics this year. But let’s start with an introduction as this is my first blog ever.

I am currently employed by ING, the largest Dutch bank, with around 60.000 employees and offices in over 40 countries worldwide. I have been working for ING for 8 years (4 of them as an external). Before I joined ING I was employed, this century, by Wortell, Siemens (Atos) and the Caesar Group, as either Technical Specialist or (Technical) Project Manager, mainly working on infrastructure and workplace projects. My career in IT started over 3 decades ago as an IT engineer at a small company building and selling personal computers, where I did everything from purchasing to support. Back then I did beta testing of Microsoft DOS 4.01, but also installed Novell and Banyan Vines networks. In the years that followed I got certified as an IT engineer for Novell, Banyan, Compaq, Cisco and Microsoft. In 2004 I made the step to Project Management while working for Siemens. And now, after 15 years, I am back as an IT engineer again!

Although this series will be about getting workplaces to the cloud, let’s have a quick look at the actual start of this journey. It started with workplaces and workplace services being renewed when ING switched suppliers back in 2014/2015. All those services were set up on-prem in a new global Active Directory. In 2015 we also started to migrate users from 17 separate Active Directory domains to a new global domain. We migrated over 120.000 user objects, hundreds of application environments and 10.000+ servers to the new domain, which took us about 5 years to complete, all with limited impact for users: the migration was done during the night, and users could log on with their new account and continue to work the next day. In 2018/2019 we started the migration of workplace services (Exchange, OneDrive, Teams, and SharePoint) to the cloud whenever an entity was completely onboarded to the new domain. The COVID-19 pandemic boosted those migrations to the max while at the same time making them more complex.

In the second half of 2019 the initial brainstorming on a new workplace started with a small team of engineers, architects, and our management. This was driven by the fact that ING would insource the workplace services again when the contract with our sourcing partner at that time ended. By the time we started testing, prototyping, and building the environment, COVID-19 hit us. For the first weeks our team was split in 2 parts, working from different locations (Rotterdam and Amsterdam). After a month of working in different locations, we were only allowed to work from home for the next 18 months! Next to this challenge, we would also face an additional challenge in migrating workplaces; more on this later.

For the new workplace we decided to start from scratch, not taking over any existing setup or policies and keeping Windows as native as possible. The only changes applied were those required by security. Of course, not only the pandemic, but also setting up a new workplace including its management infrastructure gave a few challenges:

  • For the clients to work correctly, they needed lots of endpoints to be reachable. Our firewall and VPN setup was blocking a lot of the traffic needed.
  • We have local support teams in almost every entity. We needed a model to delegate some control to those teams.
  • Both on-prem and cloud services are managed by different teams spread over different areas and countries.
  • Employees were working from home and the forecast was that they would be for the next year or two. This begs the question: how do we get them migrated?

On the network side, we prepared a proposal to change the corporate standards for our networks. Of course, this is not done overnight. But after some debates and convincing of stakeholders, a new network standard was created and published. The important part for us: all client networks will be internet only and the VPN configuration will be split tunneled, leaving everything on the internet except for the traffic that needs to go into the tunnel. The next challenge was implementing these new setups in the middle of a pandemic; hardware delivery really became the problem. But after 2 years we are nearly there.

Our second challenge was how to delegate control to the decentralized support teams, giving them access only to their own assets. In the on-prem world this was accomplished by creating OUs in Active Directory and delegating permissions. Moving everything to Azure AD and Intune means you get a structure as flat as a pancake. For this we designed a role-based access system in Intune by grouping devices and assigning them scope tags. Next to that, we built a set of custom roles in Intune to provide the required permissions. In this way we could give every support entity within the company the flexibility to delegate permissions to the correct resolver groups to support their devices. I will come back to this topic in a later blog post.

Cloud services are managed by different teams, which can be in different business units and spread over multiple countries. So, a simple setting in Azure that we need for our workplace may just take 3 weeks. To get things done, we needed to write up what we needed, why and when, get it approved and then get it on the backlog of the correct team. This becomes even more complex when it involves multiple steps in multiple services managed by different teams. You get the picture. Luckily, our management supported us in getting things moving in a timely manner.

Then let’s look at the migration from our “legacy” AD-joined, SCCM-managed workplace to our new Cloud Managed Workplace. Before the pandemic hit us, my manager asked me whether we could get everyone on the new workplace in 10 months. My answer: “Yes, we can. If you order 60.000 new devices and have them shipped to the employees’ home addresses.” As this was not an option, we needed another approach. We needed to limit the impact for employees and the business while doing it within 18 months. How could we manage that in a world where everyone was working from home? Where office networks were not up to par with the new standards yet? Where we wanted the devices to have a fresh install of Windows instead of dragging the old build along?

If we look at the steps needed to migrate a device if we had it on our desk, it roughly consists of the following:

  1. Get the device hardware hash and get it imported into Autopilot
  2. Re-image the device with a fresh Windows image
  3. Enroll the device into Intune 

Step one is easy: this information is centrally available within SCCM. So, collect it and import it. No need to have the device for it.

Step three is also straightforward; the Out of the Box Experience (OOBE) and Autopilot will do the job for you. All that is needed is to set up the configuration in Intune.

Step two was the complex part. In short, we created a task sequence that installed the fresh new Windows image and removed the old one. After the reboot, the device started in the OOBE. In one of my next blogs, I will go deeper into how we set this up.
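As an added illustration of step one (this is example code, not from the original post or from ING): one way to pull the hardware hashes that SCCM already inventoried out of the site database and write them in the three-column CSV layout that the Intune Autopilot import expects. The SQL view names, the use of the SqlServer module's Invoke-Sqlcmd, and the server/database names are assumptions; the latter two are placeholders.

```powershell
# Added example: build an Autopilot import CSV from ConfigMgr hardware inventory.
# Assumption: hardware inventory collects the MDM_DevDetail_Ext01 class, which
# ConfigMgr exposes as the view v_GS_MDM_DEVDETAIL_EXT01 (DeviceHardwareData0).
# $SiteServer and $SiteDb are placeholders for your own site SQL server/database.
param(
    [string]$SiteServer = 'cm-sql.example.internal',   # placeholder
    [string]$SiteDb     = 'CM_P01',                    # placeholder
    [string]$OutFile    = '.\autopilot-import.csv'
)

$query = @"
SELECT s.Name0                AS ComputerName,
       b.SerialNumber0        AS SerialNumber,
       d.DeviceHardwareData0  AS HardwareHash
FROM   v_R_System s
JOIN   v_GS_PC_BIOS b               ON b.ResourceID = s.ResourceID
JOIN   v_GS_MDM_DEVDETAIL_EXT01 d   ON d.ResourceID = s.ResourceID
WHERE  d.DeviceHardwareData0 IS NOT NULL
"@

$rows = Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDb -Query $query

# The import accepts exactly these columns; Windows Product ID may be left empty.
# Keep one row per serial number so a device that was re-inventoried is not imported twice.
$export = $rows |
    Where-Object { $_.HardwareHash -and $_.SerialNumber } |
    Sort-Object SerialNumber -Unique |
    Select-Object @{ n = 'Device Serial Number'; e = { $_.SerialNumber.Trim() } },
                  @{ n = 'Windows Product ID';   e = { '' } },
                  @{ n = 'Hardware Hash';        e = { $_.HardwareHash } }

$export | Export-Csv -Path $OutFile -NoTypeInformation -Encoding ASCII

# The hash is what lets a device register into the tenant: treat the file as
# sensitive, limit who can read it, and remove it once the import has completed.
"Exported $($export.Count) devices to $OutFile"
```

The resulting file is uploaded in the Intune admin center under Windows enrollment > Devices > Import, or fed to Autopilot tooling that takes the same CSV; devices that already exist in Autopilot are reported as errors rather than duplicated.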

In 2022 we successfully migrated 64.000 devices from “legacy” managed to cloud managed. Of course, this was a bumpy road with ups and downs. However, with the help of Microsoft, our project team, business migration managers, customer journey experts and local support teams we did it!

Next to these physical workplaces, we also had 13.000 virtual workplaces in our legacy estate which needed to be replaced by the end of the year. Lots of those virtual workplaces were replaced by physical devices, but we also needed a solution for the remaining 4.000. As we wanted the same experience for users and for the support teams managing the workplaces, we looked at both AVD and Windows 365. When Windows 365 Azure AD joined became available, we hopped on the private preview. When it became generally available, we had already decided on implementing it. By the end of October 2022, we had provisioned 4.000 Virtual Cloud Managed Workplaces and could decommission the complete on-prem infrastructure.

For this year, next to my personal challenge, our goal is to get advanced reporting in place for entities, implement new features and get started with improved security by setting up new workplace profiles, where we limit access to corporate resources but give the engineer more freedom, and a high-privileged profile based on Microsoft’s PAW concept.
