Managing Windows 7 and
Windows 8 Side-by-Side
Recommendations and Best Practices for the
Enterprise from Microsoft IT
Technical White Paper
Published: March 2013
The following content may no longer reflect Microsoft’s current position or infrastructure. This
content should be viewed as reference documentation only, to inform IT business decisions
within your own company or organization.
CONTENTS
Executive Summary ............................................................................................................ 1
Introduction ......................................................................................................................... 2
Planning and Preparation Considerations for a Mixed Windows 7 - Windows 8
Environment ........................................................................................................................ 3
How to Test Application Compatibility with Windows 8
3
How to Deploy Windows 8
4
How to Educate Users on Installing and Working with Windows 8
6
Planning Best Practices
7
Internet Explorer Considerations....................................................................................... 9
Internet Explorer Best Practices
10
Imaging Considerations ..................................................................................................... 11
Microsoft IT's Approach to Imaging
11
Imaging Best Practices
12
Security Considerations ..................................................................................................... 13
Microsoft IT's Approach to Security
15
Security Best Practices
15
Backend Systems Considerations..................................................................................... 17
Microsoft IT's Approach to Backend Systems
17
Backend Systems Best Practices
18
Conclusions ......................................................................................................................... 19
For More Information .......................................................................................................... 21
Imaging Resources
21
Security Resources
21
Backend Systems Resources
21
Situation
With the recent availability of
Windows® 8, Microsoft® IT needed to
prepare for the large-scale
introduction of the new operating
system into the same corporate
network where client systems running
Windows 7 are still being managed.
Solution
Microsoft IT planned for side-by-side
management of both client operating
systems by thoroughly testing for LOB
application compatibility, reviewing
and updating their system imaging,
security, and backend system
management processes to
accommodate the new OS.
Benefits
 Drove down costs for onboarding
and deploying Windows 8 into the
same managed environment where
Windows 7 is used
 Improved side-by-side OS
management for a variety of
factors, including planning and
preparation, browser and LOB
application compatibility, imaging,
security, and backend systems
 Deployed Windows 8 and
leveraged the existing
infrastructure while improving some
portions of the corporate
infrastructure. There was no need
to redesign group policies, or make
adjustments to VPN, SharePoint
sites, Smart Cards, plug-and-play
devices, or the WDS infrastructure
 Best practices can be repurposed
by other organizations to help with
their own side-by-side system
management efforts
EXECUTIVE SUMMARY
With more than 150,000 users in 89 countries connecting 300,000 client systems to
Microsoft's corporate network, Microsoft Information Technology (Microsoft IT) is responsible
for managing one of the largest enterprise infrastructures in the world. The rollout of
Windows 8―the company's flagship client operating system―requires Microsoft IT to
manage systems running the new operating system within the same environment where
other client machines are using Windows 7.
The intent of this white paper is to discuss the planning, line-of-business application
compatibility, imaging, security, and backend system considerations and experiences of the
Microsoft IT team when managing desktop and laptop machines running Windows 8 and
Windows 7 within the same corporate network. Many of the techniques and best practices
described in this paper can be employed by other companies to help them streamline their
side-by-side client system management processes―and ultimately to ease their transition to
Windows 8.
This paper assumes that readers are technical decision makers who are already familiar with
managing clients running Microsoft Windows 7 and Microsoft Internet Explorer® 9.
Note: This paper is based on Microsoft IT’s experience and recommendations and is not
intended to serve as a procedural guide. Each enterprise environment has unique
circumstances; therefore, each organization should adapt the plans and best practices
described in this paper to meet its specific operating system management needs.
Products & Technologies
 Windows 8
 Windows 7
 Internet Explorer 10
 Internet Explorer 9
 Microsoft System Center 2012
Configuration Manager
 Windows Intune
Managing Windows 7 and Windows 8 Side-by-Side
Page 1
INTRODUCTION
Adopting new client operating systems is a process that organizations typically undertake
every few years to keep their machines up to date and to support the latest applications. In
some cases, a company might develop a formal plan to migrate existing hardware to a new
operating system (OS) to gain the benefits offered by the new OS. The number of new
operating systems in a company can also grow over time as users purchase devices that run
on the latest OS and connect devices to the corporate network.
For enterprises whose daily operations depend on the proper functioning of an array of line—
of-business (LOB) applications, any transition to a new generation of operating system most
likely will require time and effort to test and validate compatibility of their business-critical
applications with the new OS. In a perfect world, organizations would be able to update all
their machines to the latest operating system instantly with the push of a single button. But
the reality is that the speed of shifting client systems from an older OS to a newer one varies
from company to company. Businesses with a culture of rapid adoption might promote a
short transition time, yet more conservative entities might plan for a prolonged period where
different versions of operating systems are found throughout the corporate network.
Regardless of the pace of the adoption of a new operating system, the factor for any
company to consider is to plan for a time period when the IT team must manage the old OS
and the new system together in the same corporate network. So if this adoption of new
operating systems is a necessary and recurring aspect of an enterprise's operations, what
impact does the process have on corporate IT teams? How should they plan to manage an
environment where the new version of the operating system is running side-by-side with
other systems that still use an older OS? What compatibility issues might there be? What
security considerations are there? How should IT best manage system images in such an
environment?
In the following sections of this paper, we will discuss these considerations in more detail,
focusing on Microsoft IT's enterprise strategy for deploying, testing, and managing Windows
8 desktop and laptop systems with other Windows 7-based machines in a managed
environment. Each section also provides best practices to help enterprises streamline how
they manage multiple client operating systems within their own corporate network.
Managing Windows 7 and Windows 8 Side-by-Side
Page 2
PLANNING AND PREPARATION CONSIDERATIONS FOR A MIXED
WINDOWS 7 - WINDOWS 8 ENVIRONMENT
How well an IT team plans for supporting multiple client operating systems side-by-side
within their corporate network will determine whether deployment and management of the
mixed-OS environment is relatively streamlined or burdensome.
There are three major areas that must be considered when planning for any new operating
system deployment:

Compatibility with existing line-of-business (LOB) applications and other business-critical
applications

Deployment of the new operating system

User education about the new operating system
The following sections discuss each of these areas in more detail.
How to Test Application Compatibility with Windows 8
The starting point for any accurate assessment of application compatibility is an
understanding of the underlying environment. This is a fundamental requirement: the IT
department must have a good understanding of their own infrastructure, including details
concerning the current types and versions of client operating systems, service packs, version
of Internet Explorer used for web-based LOB applications and their dependencies on plugins, and so forth. Without this knowledge, there is no means to create an effective plan to
manage change.
However, surveying the existing OS ecosystem is just the beginning in the quest to determine
LOB application compatibility with a new OS -- especially when the new OS comes in various
versions to support desktops, laptops, tablets, and smart phones. Effort must be made to
survey all applications in use and identify the subsets that are business-critical. For Windows
8, this research might include determining which types of tablets and smart phones are used
to access the key LOB applications.
The resulting information can be used to build a test matrix of the type and level of testing
that should be performed on each key application running on Windows 8. In addition, the test
matrix should identify whether the application is an executable that runs directly within the
OS, or whether instead it is a web-based application, which might require web browser
testing in addition to the OS testing to confirm compatibility.
Tip: Knowing which applications are the most critical in your environment and what
technologies are used by these applications will help you determine which applications must
be tested with the new OS.
Microsoft IT's Approach to Compatibility Checking
Microsoft IT is similar to other enterprises in that it manages large numbers of domain-joined
clients and servers within their corporate infrastructure. A top priority is to ensure Microsoft IT
has a good understanding of its managed client systems, applications, and dependencies.
Managing Windows 7 and Windows 8 Side-by-Side
Page 3
Consequently, Microsoft IT performs monthly reviews of System Center 2012 Configuration
Manager data to understand the business. From an application portfolio perspective,
Microsoft IT also performs annual (and sometimes more frequent) reviews to align with
product releases.
Out of approximately 1,300 applications, Microsoft IT focuses iterative (repeated) testing on
about 85 key business continuance applications during each compatibility test cycle. In
addition, Microsoft IT performs voluntary testing of additional non-critical applications on an
ad hoc basis, which expands the total number of applications tested to approximately 400. In
total, this set of applications represents the most critical, most used, and typically most
complex applications in the portfolio.
Web Applications Versus Desktop Applications
With approximately 94 percent of Microsoft IT's application portfolio being web-based,
Microsoft IT focuses most of its compatibility testing on any browser updates that come with a
new version of Windows. These tests are designed to learn how incorporating a new OS
might affect any key web-based LOB application.
At the end of an application compatibility test, Microsoft IT has identified the set of
applications that are confirmed to work within the new Windows 8 environment, as well as the
subset of applications that have some aspect that is incompatible with Windows 8. This latter
set is flagged to remain running on Windows 7 for the time being. When appropriate, details
concerning application incompatibilities are noted so that once the particular technology
dependency is resolved in the future, the application can be considered to be compatible with
Windows 8.
How to Deploy Windows 8
After the infrastructure is well understood, dependencies are mapped and application-OS
incompatibilities are identified, the next major area IT must tackle is defining how the new
operating system will be deployed―and to whom. The following areas must all be considered
by the IT team that is planning to deploy the new OS.

How will the new OS be deployed? Is the new OS being deployed to existing
hardware, or is new hardware with Windows 8 already in place being distributed to
employees? When upgrading existing systems, will it be a user-driven event or backenddriven via policy? For managed deployments, what will the mechanism
be―management tools like Microsoft System Center 2012 Configuration Manager
Operating System Deployment? If no existing solution is in place, a company might want
to plan to build out a new management solution before tackling the OS deployment.

Who gets Windows 8? Not all enterprises will want to have users decide what OS to
run and when they should make the change. In fact, some organizations might need to
mandate who gets what and when. Should the deployment process be prioritized by role
or by department? What criteria should be used? Is there a compelling business function
for a certain group that can be enabled with the new OS? Furthermore, what devices
does this group use? Should all their systems receive the new OS or just their primary
machines? Will new devices with the new OS be deployed, or will existing devices be
upgraded? Which existing devices are able to be upgraded? What is the common screen
size in use by the most productive workers? What network access edges are most
Managing Windows 7 and Windows 8 Side-by-Side
Page 4
prevalent for over 50 percent of the client census? For wireless? For mobile broadband?
If the organization is always connected at scale and mobile, what is the calculated
benefit of Windows 8 rapid boot time and expanded battery run time? Is there another
customer problem solved or a sale that could be landed in that extra two hours' capacity
of the mobile workday?

What impact will the side-by-side deployment have on support? IT must work
closely with the company's support team to ensure they will be ready to offer support to
employees when they have questions concerning Windows 8. Consider the expected
timeline for the transition period when both Windows 7 and Windows 8 are actively
supported. What does this mean in terms of call volume? How similar or different are the
two supported operating systems, and how might that map to planning for changes to
support call volume?

What impact will the side-by-side deployment have on administration? Building and
maintaining multiple images is an obvious factor. Regardless of the selected deployment
mechanism, IT must be able to distribute images for both operating systems to the end
users. That process could be fairly simple if the deployment will be user-driven, but
placing restrictions on which department or user role can access a particular image can
add complexity. How will IT admins control who has access to which images?

What deployment considerations should be addressed for LOB application
standards for modern applications? Organizations must manage a separate process
to develop and deploy Modern applications that run in Windows 8. Are the LOB
developers familiar with the Modern application development process and tools? Do they
know how to deploy the applications through the corporate application store? Has
support for the corporate application store feature been enabled for Windows 8 users to
access? Are users aware of the corporate application store, and do they understand that
the applications are only supported on Windows 8 systems? Do users know how to
register their Windows 8 devices so they can access the store? In addition, consider the
following points:

A policy has to be applied to allow for sideloading of LOB applications so that the
Windows 8 clients will install and run applications from outside of the public
application store.

If applications are installed through a corporate application center, that will relate to
a product or service that is generally used for the purpose of security controls and
reporting, such as Windows Intune.

Application developers need to learn not only about how to make good Modern
applications but especially to understand the differences in security when
developing them.
Note: Security considerations are covered in more detail in a later section of this
paper.
Microsoft IT’s Approach to Windows 8 Deployment
At Microsoft, the corporate culture is one of rapid adoption of the latest technologies with
relatively few administrative mandates for client systems. Instead of making prescriptive
Managing Windows 7 and Windows 8 Side-by-Side
Page 5
changes to domain-joined systems, Microsoft IT encourages users to adopt the latest and
greatest OS while allowing them to choose when to make the change.
The technical background of Microsoft employees enables Microsoft IT to promote selfinstallation of client operating systems. The expectation is that users should be able to
perform most client OS installations on their own with minimal assistance from the company's
support team.
Knowledge is what enables this type of deployment. For Windows 8, Microsoft IT wanted to
provide users with clear guidance to help them make appropriate choices of which OS to use
for each device. To do so, Microsoft IT:
1.
Reviewed the actual user installation experience and compared it with the expected
installation experience.
2.
Developed scenarios based on these experiences to help guide users with the end-toend user self-installation process.
3.
Established a pilot program to test the installation scenarios and to validate that the
process was effective.
4.
Determined that the call volume for Windows 8 was comparable for Windows 7, and then
rolled out a production-scale program based upon the positive results of the pilot.
5.
Created a special internal website and produced additional user-oriented
communications to educate users about the availability of upgrading their systems to
Windows 8 and where they could obtain more guidance about the process. The site
offered FAQs, lists of top and known issues, and other related information to help users
self-serve their move to Windows 8.
Note: More information concerning Microsoft IT's user education for Windows 8 selfinstallation is provided in the following section.
How to Educate Users on Installing and Working with Windows 8
The third aspect of planning for a new operating system deployment is educating users on
any application compatibility issues and describing what the deployment process will be. To
ease user adoption of a new OS, the IT team should consider the following:

What recommendations to make? When a new OS becomes available to employees,
which OS should they use? What choices do they have, and how will people know what
they are? Were any incompatibilities with existing LOB applications identified that should
be communicated?

Who to contact? As discussed in the deployment considerations previous section, who
receives communications and guidance concerning the new OS―everyone? Only select
groups? Will IT initially target a small group to help test the communications and overall
process before sending out communications corporate-wide?

What training materials to develop? How will employees learn about the availability of
the new OS and what options they have? What types of materials should be created to
help users gain familiarity with the new OS? What types of scenarios will be covered?
Will information be posted in a new portal or Microsoft SharePoint® site? Will quick
Managing Windows 7 and Windows 8 Side-by-Side
Page 6
reference guides or short, how-to videos be created to help end users with initial
installation, configuration, and basic usage?
Microsoft IT's Approach to User Education
Developing an effective set of materials to educate employees about self-installing and using
Windows 8 was critical to Microsoft IT's success in driving this process as a self-installation
process. In order to help users help themselves, Microsoft IT:
1.
Created a custom internal application that provides a "one-stop shop" for all sorts of
information about Windows 8 and how to install it.
2.
Built a number of task-oriented training materials such as Work Smart guides and/or
how-to videos to help users onboard to Windows 8 quickly. Topics included:
3.

Navigating the new Start screen

Working with the new Internet Explorer 10 browser that comes with Windows 8

Connecting to devices, such as printers

IT services, including using virtual private networks or Direct Access to connect to
the corporate network remotely
Launched a moderated forum called Pointers where:

Users can help other users with Windows 8 questions

Moderators track and help resolve issues

Microsoft IT could identify and update their materials to better serve the selfinstallation effort
Planning Best Practices

Understand your environment. First and foremost, you must perform a thorough
survey of your systems and identify what OS and browser dependencies your LOB
applications and other business-critical applications have. Not knowing one's
environment can be an automatic blocker to adopting any new technology―OS,
application, or otherwise. Only by understanding your environment can you accurately
identify which subset of applications should be tested and where incompatibilities are
most likely to occur. Although such a survey can require time and budget, knowledge of
your infrastructure is the foundation that enables good decision-making for any future
change. Microsoft IT regularly surveys the company's infrastructure and performs
compatibility testing for each new OS and browser release for desktop, tablet, and
smartphone platforms.

Find the right balance between too much and too little testing. Unless you are
dropping support of an older OS after a new OS becomes available, adding support for a
new OS can effectively double your compatibility test matrix. Estimate the additional time
and cost required to perform each type of test and balance its impact against the
criticality of the particular application's compatibility. Over time, Microsoft IT has built a
list of a subset of applications that are tested on each new Windows OS. These
represent applications that are critical to business continuance as well as those most
likely to have issues with OS changes.
Managing Windows 7 and Windows 8 Side-by-Side
Page 7

Keep as much of the client environments between Windows 8 and Windows 7 the
same. Promote use of the same browser and the same version of Microsoft Office to
minimize the amount of variables that you must test. This allows you to focus your
testing on what is specific to the new OS.

Plan for a pilot. Start small. Test and validate that things work as expected. Expand the
scope of your pilot until you are into production deployment. Microsoft IT used this
approach, deciding to work with a small number of systems that initially tested only with
Internet Explorer 10’s desktop style browser (which resembles Internet Explorer 9). Over
time, the tests have expanded to include many more users and testing on Internet
Explorer 10’s modern style browser (which is a leaner version of the browser that mirrors
the Windows 8 look-and-feel).

Create targeted user training to streamline adoption and potentially reduce
support calls. Being proactive with your communications and providing clear
educational material is essential for any self-installation effort. Furthermore, the more
information is readily available to end users, the less likely they are to contact your
support team for help.
Managing Windows 7 and Windows 8 Side-by-Side
Page 8
INTERNET EXPLORER CONSIDERATIONS
Enterprises that run browser-based LOB applications need to consider the impact that a new
web browser that comes with a new OS might have on their operations. When considering
browser-based LOB application compatibility and Windows 8, compatibility has more to do
with the differences between Internet Explorer 10 Classic Browser and Modern Browser than
the OS-level differences between Windows 7 and Windows 8.
When considering web browsers and browser-based LOB applications in Windows 8, the IT
team should consider the following:

Which technologies are supported by which browser. A new feature of Microsoft
Internet Explorer version 10 is that it is now available either in Classic Browser (the
traditional look-and-feel similar to Internet Explorer 9), or in the new Modern Browser
(whose style reflects the new Windows 8 look-and-feel). In many ways, the Classic
Browser is functionally equivalent to Internet Explorer 9, supporting many plug-ins and
extensions. The Modern Browser, however, is a simplified subset of Classic Browser
functionality that does not support Microsoft Silverlight® or any Microsoft ActiveX® plugin except for Flash. Therefore, browser-based LOB applications that depend on plug-ins
are more likely to be incompatible with Modern Browser.

How to ensure LOB applications correctly identify the new browser. Based on the
survey of an enterprise's infrastructure that was described in this paper's Planning
section, are there any ASP applications running Microsoft ASP.NET 2.0? If so, has the
patch that enables ASP.NET 2.0 to recognize the Internet Explorer 10 2-digit value
correctly been installed sitewide? How are the browser-based applications coded to
parse the user agent (UA) string―will they at least treat any new browser as equal to or
greater than Internet Explorer 9?
Microsoft IT's Approach to Browser Testing
As discussed previously, approximately 94 percent of the company's LOB applications are
browser-based. Consequently, Microsoft IT focused a significant proportion of its application
compatibility testing on Internet Explorer 10.
Microsoft IT tested browser compatibility by:
1.
Testing for browser-based LOB applications compatibility on Internet Explorer 10 Classic
Browser on Windows 8. This initial test sequence ran through two complete test cycles
that comprised 403 applications on Classic Browser and 346 applications on Modern
Browser. Each application had its own test process that reflected its functionality,
ranging from a half-dozen manual test cases for simpler applications to hundreds of test
cases for some larger, automated applications.
2.
Including as close to 100 percent of the primary applications as possible within each test
cycle, plus whatever voluntary applications were selected for testing in a particular cycle.
Note: The list of voluntary applications is not consistent from test cycle to test cycle.
New applications may be tested on subsequent test cycles that were not previously
tested, and previously tested applications may not be tested again.
Managing Windows 7 and Windows 8 Side-by-Side
Page 9
3.
Providing separate compatibility results for Classic and Modern Browsers in a single
report to help users understand what to expect when using either browser.
Internet Explorer Best Practices

Try to reduce the scope of your test matrix. A complete browser-based application
compatibility test matrix includes two operating systems (Windows 8 and Windows 7),
three platforms (desktop, tablet, and smartphone), two browser versions (Internet
Explorer 10 and Internet Explorer 9), and two forms of browser per platform (Classic
Browser and Modern Browser). How you reduce scope depends on what relevant
compatibility testing you have already performed.

If you have already performed browser-based application compatibility testing for
Internet Explorer 9 on Windows 7, you can reduce your testing on Internet Explorer
10 on Windows 8. Why? Internet Explorer 10 is more standards-based than Internet
Explorer 9. Therefore, if your application is compatible with Internet Explorer 9, it is
likely to be compatible in the Internet Explorer 10 Classic Browser.

If you have not yet performed any Internet Explorer 9 testing or if you want to futureproof your environment as much as possible, then focus your compatibility testing
using Internet Explorer 10 on Windows 8. Assuming you will not have users working
with Internet Explorer 9, limit your compatibility testing to Internet Explorer 10 to gain
the benefits of its improved W3C compliance and enhanced security features.

Focus your compatibility tests using Classic Browser. Classic Browser's support of
browser plug-ins and extensions makes Classic Browser more likely to be compatible
with your LOB applications. This is an easy approach that should provide compatibility
results very similar to Internet Explorer 9.

Perform shallow testing on Modern Browser. Modern Browser's lack of support for
Java, ActiveX, Silverlight, and other plug-ins translates to a greater likelihood that more
applications will be incompatible. Consider limiting your Modern Browser testing to a
small set of applications or to a specific scenario that needs to be supported (such as
Field Sales personnel using Windows Phone 8 devices who need to access a particular
LOB application in Modern Browser).

Profile your applications properly. As mentioned previously, any web application that
performs specific tasks or formatting based on the browser version should have its script
updated to recognize Internet Explorer 10 as a new browser. Furthermore, any site that
uses ASP.NET 2.0 should also be updated so that ASP.NET will properly recognize
Internet Explorer 10. At a minimum, any current updates to your site code should either
identify a new browser as Internet Explorer 9 or greater. Ensure that your web pages use
page-based redirect or site-based redirects as appropriate.
Managing Windows 7 and Windows 8 Side-by-Side
Page 10
IMAGING CONSIDERATIONS
Effective management of client OS images begins with a good understanding of an
enterprise's infrastructure and knowledge of the desktop LOB applications that are in place
and their dependencies. One obvious concern for IT administrators who are managing
machines running Windows 8 and with other systems running Windows 7 is imaging support
for the two operating systems. Which differences in the operating systems require
modifications to how an enterprise manages its client images?
From a compatibility perspective, desktop applications that work in Windows 7 are likely to
run in Windows 8 without requiring any change in their code. However, there are other
differences between Windows 7 and Windows 8 that could effect client OS images:

Customization of the start screen: The start screens are treated differently between
Windows 7 and Windows 8. In Windows 8, the Start screen has effectively supplanted
the Desktop metaphor. The Windows 8 Start screen is the "prime real estate" whose
content and look-and-feel can be controlled by administrators if a team or organization
wants to standardize the user experience. Do existing Windows 7 images have
applications, shortcuts or other items pinned to the desktop? How will these items
translate to the new Windows 8 Start screen? Are there variations of how the Start
screen should appear to different teams or roles?
Tip: Using the AppFolderLayout.bin file to control the default Windows 8 Start screen
layout is documented on TechNet. This technique gives administrators total control over
the appearance of the Windows 8 Start screen, which is the new system's prime real
estate. The "Desktop" is no longer a key interface component in Windows 8.The Start
screen is more than a new look and feel. It is a key resource whose contents and layout
can be customized by enterprise administrators to standardize employee user
experience―and even to offer specific configurations for various departments or roles.

Managing language packs: Language packs are installed and managed differently
between Windows 7 and Windows 8. In Windows 8, the Input Method Editor (IME)
decouples the various language settings, such as the keyboard layout is now
independent of the OS language. For multinational enterprises, which language settings
should be taken into account for client OS imaging? Is there a need for systems in
locations that support multiple languages to have multiple language packs installed?
Microsoft IT's Approach to Imaging
At Microsoft, each user is the administrator of their own machine, so there is no need to
manage multiple personas. Instead, Microsoft IT uses a single persona that highlights key
internal resources and applications for all domain-joined Windows 8 systems.
Microsoft IT also offers guidelines on what applications can be published as a part of
corporate standard image and controls which applications go into the default package.
General guidance includes:

Include applications which are relevant to 95 percent of the user population.

Applications should meet the "productivity enhancer" application rule. Examples of these
are Microsoft DirectAccess, Microsoft IT VPN, Microsoft Office, and other applications
that are used by a large percentage of employees on a daily basis.
Managing Windows 7 and Windows 8 Side-by-Side
Page 11
Imaging Best Practices

Customize and/or standardize the Start screen enhance the user experience. With
Windows 8, administrators have the opportunity to define the look-and-feel and content
that appears on users' start screens. For certain companies that restrict administrative
access of client systems to IT administrators, a set of Windows 8 images could be
created with different pre-defined Start screen experiences that cater to the needs of
various teams, roles, and regions (such as, Sales, HR, Finance, Executive, Americas,
and Europe).

Confirm that your images are bundled with the appropriate language packs and
settings. If your enterprise is global and supports multiple languages within your
systems, ensure that your standard image includes the relevant language packs.
Microsoft IT currently supports five languages in its default client installation images.

Utilize Unified Extensible Firmware Interface (UEFI) mode in your client OS images
to improve system boot time. Windows 8 has been fine-tuned to take advantage of the
64-bit UEFI mode that effectively replaces the older and slower 16-bit BIOS mode.
Windows 7 can also be deployed in UEFI mode so be sure to build images that utilize
UEFI to speed boot times for all UEFI-compatible hardware for both Windows 7 and
Windows 8.
Note: Security aspects related to UEFI are discussed in this paper's Security section.
Managing Windows 7 and Windows 8 Side-by-Side
Page 12
SECURITY CONSIDERATIONS
Management of many security aspects in Windows 8 is similar to Windows 7, so enterprises
who have been working with Windows 7-based clients can leverage most of their security
processes with minimal change. However, there are a few aspects of client OS security that
should be considered when managing a side-by-side Windows 7-Windows 8 infrastructure:

Security differences between Modern applications and traditional applications.
When working with Modern applications, keep the following points in mind:

By design, Modern applications run in a sandboxed environment, and therefore they
do not have the same system access that a traditional application does. Remember
that a traditional application can do anything that the user account has authorization
to do. New for Modern applications is the requirement that they must list which
capabilities they do have.

Whereas users can install traditional applications from any source, Modern
applications can only be installed from approved sources―and they must be signed
using a certificate from a trusted authority.

In addition to installing Modern applications from the public store, there can be other
Modern application sources, such as a Windows Intune Company Portal. With the
Company Portal, IT departments can manage their own application catalog for
deploying their own LOB Modern applications. Additionally, Microsoft IT put some
Modern applications into the install build on the internal deployment servers.

Supporting UEFI on Windows-compatible hardware. In addition to improving system
boot time as discussed in the previous Imaging Considerations section, UEFI offers
security benefits that include supporting boot hard drives larger than 2.2 TB and
mitigating security issues traditionally found in root kits and boot kits. But older hardware
might not be UEFI-compatible. Even if a corporate policy is adopted to ensure that all
new hardware is compatible, how will the IT department manage the existing systems
running on incompatible computers and peripherals? Will IT managers migrate their user
base to the secure boot profile to prevent undetected tampering exposures in legacy
boot OEM hardware?

Touch devices and BitLocker PINs. Organizations who have a corporate policy to use
Microsoft BitLocker® with a personal identification number (PIN) need to be aware of
applying such a policy to touch devices that have no keyboard, as they will not have the
ability to enter PINs. How does IT detect a tablet device and apply an alternate policy
that does not enforce a PIN?

Potential conflicts between EAS policies and group policies. Windows 8 uses
Microsoft Exchange ActiveSync® (EAS) to set certain policies on the system. If the same
machine is also receiving group policies, policy conflicts can occur if multiple
management systems are configuring the same settings―such as what period of
inactivity will prompt the system to lock the device's screen. This can be a special
concern for users who are working with a variety of different domain-joined devices. If
not properly planned and managed, the flexibility of Microsoft Active Directory® in
applying GPs differently to different machines might result in conflicts. For example, are
policies set at the user role and therefore likely to cause conflicts between the user's
different devices? Consider the following possible issues that can arise from Windows 8
machines obtaining policies from various sources (such as Active Directory, EAS,
System Center 2012 Configuration Manager, and Windows Intune):
Managing Windows 7 and Windows 8 Side-by-Side
Page 13

The same machine gets multiple configurations for the same thing (such as screen
lock timer) from multiple sources. Although the more strict policy is enforced, the
result may confuse both users and IT.

Variable user experience. For example, a domain-joined laptop running Windows 7
that is not using the Modern Mail application (which is available only on Windows 8)
might be locked after 15 minutes. However, a domain-joined Windows 8 machine
that is using the Modern Mail application might be locked after 5 minutes. These
different behaviors might also be confusing if someone was expecting a certain
behavior (such as lock mail after 15 minutes), but he or she experienced a different
behavior (such as lock mail after 5 minutes) because a more restrictive policy was
applied to the same machine from a different policy source.
Figure 1: Multiple policy sources might confuse Windows 8 users and IT.
Keeping these potential conflicts in mind, have all client OS policies been reviewed and
aligned across policy sources such as Windows 8 System Center 2012 Configuration
Manager and Windows Intune?

Password syncing between personal and corporate systems. In both Windows 7
and Windows 8, the Credential Vault is used to store cached passwords. The potential
security and privacy issue arises when a user links a personal account in Windows 8,
because these passwords could be synced between devices. Although the sync
password setting is off by default and users need to explicitly opt in to sync passwords,
organizations might want to establish a policy to disable password syncing on domainjoined machines. Has the IT team established group policies to control the syncing of
passwords through the Credential Vault?

Setting policy for AppLocker for Modern applications. Windows 8 maintains a
separate policy for Microsoft AppLocker® for Modern applications as opposed to the
traditional AppLocker settings for applications found in a Windows 7 environment. What
this means for domain-joined machines is that the Windows 8 domain-joined machines
will get the same AppLocker settings for traditional applications that Windows 7
machines do. But if there are AppLocker policies that IT wants to apply to Modern
applications on Windows 8 systems, they will have to manage a separate set of
Managing Windows 7 and Windows 8 Side-by-Side
Page 14
AppLocker policies for Modern applications in addition to managing their existing
traditional AppLocker policies for traditional applications on both Windows 8 and
Windows 7.
Microsoft IT's Approach to Security

In order to gain the security benefits of UEFI, Microsoft IT is implementing UEFI mode on
all machines whose hardware is UEFI-compatible, as default for Windows 8-based
systems, and for Windows 7 machines by running the UEFI-compatible mode with
support for legacy BIOS.

Microsoft IT has enabled a group policy for employee devices that connect to the
corporate network. By default, the policy will not synchronize information such as
browser favorites and browsing history, but users can explicitly change the setting to
synchronize data if they wish.
Note: This policy helps protect privacy when employees connect their devices using the
same Microsoft account that is also used on non-work machines.

Microsoft IT provides a corporate Microsoft SkyDrive® Pro account for every employee
to use for business-related activities, but employees can also maintain a personal
SkyDrive account (which can be created automatically and linked to when first running a
new Windows 8 system). Microsoft IT developed an internal website to help educate
users on overall use of SkyDrive, which includes a discussion of the appropriate terms of
use for the business versus personal accounts.

Microsoft IT configured the synchronization of users' web browser settings, history, and
favorites to be enabled but set to off by default. When a user connects their personal
Microsoft account (formerly known as a Live ID) to their Active Directory logon on a
particular device, this configuration allows them to enable the synchronization if they
want to, but synchronization will not occur with the user specifying it.

Even before deploying Windows 8, Microsoft IT created an AppLocker policy for Modern
applications that was configured to allow all applications to run. The proactive testing
and deployment of the policy allows Microsoft IT to block a Modern application at any
point in the future simply by configuring the application to be blocked.
Security Best Practices

Adopt UEFI wherever possible. The security benefits UEFI brings to client systems are
significant. Consider establishing a purchasing policy to ensure that all new client
hardware is UEFI-compatible. If there are UEFI-compatible systems that are currently
running Windows 7, consider upgrading them to Windows 8―or if there is a need to stay
with Windows 7, consider running UEFI in its compatibility mode.

Review group policies and EAS policies that apply to Windows 8 systems to
ensure there are no overlaps or conflicts. Make sure to review your policies and to
confirm which system is using policies to control the appropriate settings on client
systems. You might also want to consider educating your support team and your user
community about the options they have when working with different devices. This might
help mitigate potential policy conflicts.
Managing Windows 7 and Windows 8 Side-by-Side
Page 15

Be proactive in testing and deploying Windows 8 policies. Given that Modern
applications and AppLocker for Modern applications are new, IT should test and deploy
policies proactively for Windows 8 systems and Modern applications. Early testing
mitigates the risk of encountering a problem with a Modern application in the future and
not already having the appropriately vetted policies in place to block it quickly.
Managing Windows 7 and Windows 8 Side-by-Side
Page 16
BACKEND SYSTEMS CONSIDERATIONS
The final area of consideration for managing a Windows 7-Windows 8 in a side-by-side
environment relates to backend systems and which technologies or settings might need to be
adjusted.
Ccmexec is the System Center service (agent) that runs on both Windows 7 and Windows 8
client systems. However, in Windows 8, the "always on, always connected" state of a client
machine enables ccmexec to operate much more intelligently, optimizing when maintenance
tasks are activated. This is achieved by ccmexec determining whether to run processes
based on the following:

Network state: Is it connected to LAN or WLAN?

Power state: Is the system running under AC power or on battery?

Idle state: How much CPU and drive activity is there?

Existing/pending maintenance processes: Does Windows Automatic Maintenance
already have maintenance processes running or pending?
Microsoft IT's Approach to Backend Systems
Microsoft IT incorporates changes across products to ensure the best user experience and
consistency, based upon the following guidelines:

Avoid periodic CPU activity. Use event-driven designs instead (assuming average
frequency of events is low (under 1Hz)). Remove polling, spinning, and endless
loops. Performance team members can help investigate how to implement eventdriven functionality.

Use a coalescable timer with periodicity of 1 second (or a multiple of 1s) and
set the tolerance parameter to an acceptable value when the previous
guideline is not or is only partially doable. Threadpool timers are another viable
alternative.
o
Tolerance parameter rules of thumb: Maximum of either 25 percent of the
periodicity or 300ms.
o
Use true periodic timers rather than repetitive “one shot” timers.
Important: Do not base dependencies on the expiration of any timer. Scheduling
expectations might be broken for application threads during idle periods, especially
when the screen is off and/or the user is not present.

Avoid periodic disk activity (logging, timestamps, watchdog-style behavior) and
minimize explicit synchronization (meaning, write-throughs, and flushes). This
allows Disk Coalescing to reduce power consumption of the storage subsystem.

Avoid periodic network activity. Radios (especially those utilizing the 3G wireless
band) can be very expensive. A Windows 8 centralized notification infrastructure
that batches network I/O and decouples network requests from server responses
can be leveraged to reduce excessive network activity.

All periodic activity should cease when the display is off or the user is not
present. When a system becomes inactive and the display is turned off, make sure
to halt all activity – including stopping rendering of any UI updates.
Managing Windows 7 and Windows 8 Side-by-Side
Page 17

Do not adjust system timer resolution. Leave it at the default tick rate. All audio
and video playback should use hardware codec offloads if available to avoid timer
resolution changes.

Convert background activity to tasks. The task scheduler provides flexibility in
initiating and executing background code. Custom triggers, schedules, and
conditions can be defined. Background activity that doesn’t need to occur more than
once per day (such as data scanning or archiving) should be deferred to the
maintenance hour, which executes when it is the most energy efficient and least
impactful to the user experience (typically when the machine is connected to a
power source and the user not present).

Optimize hot code paths for performance. In general, accomplishing the same
work with fewer resources saves power.

Ensure that dependencies do not break the above guidelines. If you are
dependent on external platforms, libraries, or APIs, make sure to test your code for
periodic activity and resource usage.
Backend Systems Best Practices

Optimize your client system maintenance by combining Windows 8 with System
Center 2012 Configuration Manager. When reviewing how your backend system
maintenance systems manage domain-joined client machines, combine Windows 8 and
the System Center 2012 Configuration Manager agent (ccmexec) as much as possible.
Doing so enables you to benefit from the intelligence ccmexec obtains about the
operational state of the Windows 8 machine―and from its automatic optimization when
maintenance processes are run.

Build similar operational state intelligence into packages for Windows 7 systems.
If you want to approach a similar level of operational state intelligence (such as to deploy
software only when a PC is connected to a wired LAN) for your Windows 7-based
systems running ccmexec, you will need to build custom "checks" into your
package/application model executables.

Align policies across all backend server systems. Review client-side policies that are
being sent by all backend systems, including Configuration Manager, EAS, and
ActiveSync, so that Windows 8 desktops and laptops have a consistent set of policies.
Microsoft IT is currently reviewing the full set of group policies that include Configuration
Manager, EAS, ActiveSync, and Windows Intune, to ensure that all new Windows 8based machines are aligned with existing policies that are used on Windows 7 systems
across the enterprise.
Managing Windows 7 and Windows 8 Side-by-Side
Page 18
CONCLUSIONS
Over time, IT departments will support newer client operating systems―it is not a question of
if, but when and how. The rate of technological change continues to accelerate. Cloud
technologies, the rapid proliferation of smart mobile devices, and the consumerization of IT
are challenging enterprises to determine how to best manage all these domain-joined
machines and the various operating systems that they run.
The time to start planning is now. IT must take the lead on determining the best client OS
management processes and must communicate their recommendations and policies to
employees. The objective should be to minimize the impact on the business by leveraging a
common image between the two operating systems that uses the same Internet Explorer,
Microsoft Office, and other core applications; only the operating system is different. This will
minimize compatibility test requirements and save on costs.
Of course, each organization is different. Although there is no "one size fits all" approach that
companies should follow when determining how to best manage Windows 7 and Windows 8
machines in the same corporate environment, every IT department should properly plan, test,
and configure their environments to best support managing both Windows 8 and Windows 7
systems.
For enterprises, LOB application compatibility is a top concern. Having a long-term mixed
environment of Windows 8 and Windows 7 systems might influence LOB application updates
or new application development, because Modern applications will not run on the Windows 7
systems. Similarly, browser-based LOB applications might have additional functionality
restrictions based on what browser is in use. By standardizing on Internet Explorer 10 and
providing versions of your LOB applications that can run in Modern Browser or Classic
Browser, you can minimize your development costs and provide the optimal user experience
regardless of which system users are running.
Any time an enterprise is going to allocate resources for LOB application development effort,
the common sense approach and the best means of mitigating risk to business operations is
to take the "low hanging fruit" first. Instead of trying to convert an existing complex LOB
application as a Modern application, focus on developing a smaller, more targeted Modern
application that complements the existing application. The Modern application could perform
a subset of the complex application's functions where the touch elements and other
immersive capabilities available in Modern applications offer the best productivity gains. As
an example, the finance department might have a large monolithic LOB application that
includes a function for people to use when reviewing and processing expense reports.
Building a Modern application that provides a greatly improved user experience for expense
report processing―one that could run on a variety of mobile devices―could significantly
improve Finance's productivity with a relatively small-scale development effort.
Enterprises also need to think through their strategy for connected accounts when
onboarding Windows 8. You should expect to leverage your current investment in group
policies, making incremental changes for some new features. However, Microsoft IT strongly
recommends that you review your entire set of existing group policy objects and remove any
unnecessary ones to maximize system performance.
Now that Windows 8 is here, take the opportunity to review how you manage all domainjoined desktop and laptop clients―Windows 7, Windows Vista, and other systems in addition
to your new Windows 8 machines. You can also review your management processes on a
Managing Windows 7 and Windows 8 Side-by-Side
Page 19
larger scale: Windows 8 automates many important security processes such as BitLocker
encryption, but what are you doing to help secure older systems? IT departments should
make this review period an opportunity to improve their overall security strategies.
By following the best practices discussed in this paper, Microsoft IT was able to drive down
costs for onboarding and deploying Windows 8 into the same managed environment where
Windows 7 is used. And Microsoft IT has adjusted its client system management processes
to accommodate the side-by-side support of both operating systems. As with all enterprisescale IT shops, Microsoft IT is working on improving its client system management
processes. And Microsoft IT hopes that the considerations and best practices offered in this
paper might help you streamline your own processes to simplify administration and drive
down costs when onboarding Windows 8.
Managing Windows 7 and Windows 8 Side-by-Side
Page 20
FOR MORE INFORMATION
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information
Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your
local Microsoft subsidiary.
For more information about the various subjects discussed in this paper, visit the following
locations on the World Wide Web:
General Links

Microsoft main site: http://www.microsoft.com

Microsoft IT Showcase: http://www.microsoft.com/technet/itshowcase
Planning and Preparing Links
Planning Resources

Plan for Windows 8: http://technet.microsoft.com/enUS/windows/hh974335.aspx?ocid=wc-tn-answr
Windows 8 Work Smart Guides

Work Smart productivity guides: http://technet.microsoft.com/enus/library/bb687781.aspx
Internet Explorer Resources

Microsoft IT Tests Line of Business Application Compatibility for Internet Explorer 9:
http://technet.microsoft.com/en-us/library/gg981681.aspx
Imaging Resources

UEFI and Windows: http://msdn.microsoft.com/en-us/windows/hardware/gg463149

Use the ApplicationsFolderLayout.bin file to control the default Windows 8 Start screen
layout: http://technet.microsoft.com/en-us/library/jj134269.aspx
Security Resources

Ten Must-Know Windows 8 Features

What's New in Windows Intune

AppLocker: Frequently Asked Questions

AppLocker Overview

Work Smart: Exploring Windows 8 (Download)
Backend Systems Resources

How Microsoft IT Deployed System Center 2012 Configuration Manager

System Center 2012 Configuration Manager product page

Intelligent Infrastructure white paper
Managing Windows 7 and Windows 8 Side-by-Side
Page 21
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
 2013 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveSync, ActiveX, AppLocker, BitLocker, Internet Explorer, SharePoint,
Silverlight, SkyDrive, and Windows, are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.
Managing Windows 7 and Windows 8 Side-by-Side
Page 22