TWM Solicitors has completed a sweeping migration from Microsoft Remote Desktop Services to Azure Virtual Desktop, equipping 240 staff with Windows IoT Enterprise LTSC-based 10ZiG thin clients that IT staff describe as “invisible.” Spread across three offices in Surrey, the deployment marks a deliberate shift toward cloud-powered desktops that vanish from the IT support radar once deployed. The firm’s infrastructure team no longer spends cycles on endpoint maintenance; instead, they manage the entire fleet from a central console, with zero-touch provisioning and silent, fanless hardware that users forget is even there.
The move isn’t just a hardware refresh. It’s a strategic realignment of how the law firm delivers Windows 11 to its solicitors, secretaries, and support staff. By swapping out legacy RDS session hosts for Azure Virtual Desktop multi-session host pools, TWM has cut ties with a decade-old remote desktop architecture and embraced a modern EUC platform that integrates natively with Microsoft 365, Entra ID, and advanced security controls. The endpoint choice—a locked-down, purpose-built thin client running a Long-Term Servicing Channel release of Windows IoT—underpins the entire transformation.
A Measured Migration
The journey from on-premises RDS to Azure Virtual Desktop was methodical. TWM started with a pilot group, testing 10ZiG 6010W devices against their daily workloads. These are physically compact units, often VESA-mounted behind monitors, with no moving parts and a fraction of the attack surface of a traditional PC. The pilot proved that document-heavy legal applications, dictation tools, and case management systems performed without latency over the firm’s existing network links.
Encouraged by the results, the IT team ordered roughly 240 units, enough for every desk across the firm’s three offices. Windows IoT Enterprise LTSC, specifically the 2021 release, was flashed onto each device before shipment. This operating system is the spiritual successor to Windows Embedded, stripped of consumer features and engineered for fixed-function workloads. It includes no Edge legacy browser, no Cortana, and no in-place upgrade mechanism—only security and quality updates for a full 10 years. For a law firm handling sensitive client data, that longevity and stability are non-negotiable.
Each thin client connects to Azure Virtual Desktop using the Remote Desktop client that ships with the OS. Behind the scenes, FSLogix profile containers roam user data, applications are layered dynamically via MSIX app attach, and multi-session Windows 11 Enterprise hosts scale automatically with demand. TWM’s users log in once and see a full, persistent desktop identical to what they’d expect from a physical PC, with all legal software and file shares pre-mapped.
The Endpoint That Disappears
“Invisible” isn’t marketing fluff. It’s the operational reality TWM lives every day. The 10ZiG endpoints draw less than 10 watts, generate no noise, and never require on-site firmware flashing. Using the 10ZiG Manager cloud platform, IT admins push configuration profiles, schedule reboots, apply certificate updates, and even deploy minor OS patches without interrupting billing work. Failed units—a rarity—are swapped in minutes, not hours, because there is no local data or app state to recover.
From the user’s perspective, the thin client is just a black box stapled to the monitor. Power it on, and the firm’s login screen appears within seconds. Because Windows IoT boots directly into the Remote Desktop client in kiosk mode, there’s no desktop, no start menu, and no way to install unauthorized software. That attack surface reduction is a compliance officer’s dream, particularly for firms regulated by the Solicitors Regulation Authority with its strict technology guidance.
The invisibility extends to helpdesk tickets. TWM reports a 70% drop in endpoint-related calls since the rollout. Printing, historically a nightmare in remote desktop scenarios, was tamed by redirecting locally attached USB printers through the AVD protocol and applying custom group policies. The remaining tickets cluster around user training—teaching staff that their “computer” is actually running in a London Azure datacenter.
Windows IoT LTSC: The Silent Workhorse
Windows IoT Enterprise LTSC is a quiet workhorse that rarely gets headlines, but it’s the engine behind millions of ATMs, digital signage screens, medical devices, and now, a growing number of enterprise thin clients. Unlike Windows 10/11 Enterprise, which receives feature updates twice a year, the LTSC branch receives no feature updates whatsoever. It’s a frozen snapshot of Windows, hardened and validated for a specific hardware set.
For TWM, that means the OS behaves identically on day 1,000 as it did on day one. There’s no regression testing after Patch Tuesday, no unexpected driver incompatibilities, and no bloated servicing stack updates that can choke a 16 GB eMMC drive. Security updates still arrive monthly, but they are scoped to critical and important bulletins only. The result is a predictable, appliance-like endpoint that aligns perfectly with a zero-trust security model: the device stores no data, runs minimal services, and exists only as a conduit to the cloud desktop.
Critics sometimes argue that LTSC limits hardware flexibility—newer peripherals may lack drivers—but 10ZiG validates its entire portfolio against each LTSC build, so the firmware baseline is known and controlled. For law firms that keep endpoint hardware for five to seven years, that approach removes the churn of semi-annual channel migrations and lets IT focus on higher-value projects.
Azure Virtual Desktop vs. RDS: Why the Switch Matters
Migrating from RDS to Azure Virtual Desktop isn’t just a lift-and-shift into the cloud. The two platforms share some DNA—both leverage multi-session Windows and Remote Desktop Protocol—but AVD decouples the control plane from the infrastructure. There’s no Connection Broker, no Gateway, and no Session Host server to license. Instead, Microsoft manages the gateway, licensing is bundled with eligible Microsoft 365 plans, and host pools scale in and out based on demand.
For TWM, that translated into immediate financial relief. The firm eliminated three aging server racks spread across its offices, along with the associated air conditioning, UPS, and backup circuits. Monthly Azure consumption costs are predictable thanks to reserved instances, and burst capacity during month-end closings costs the firm only cents per hour. FSLogix profile technology—licensed separately under RDS—comes included, providing fast logins and a consistent desktop persona that follows solicitors from one building to another.
The operational benefits go deeper. AVD integrates natively with Azure Monitor, so IT can track user density, CPU heat, and memory pressure across host pools with near real-time dashboards. When a solicitor complains of a slow desktop, the team doesn’t guess; they look at the telemetry, add a host, or identify a rogue application. RDS never offered that degree of visibility without third-party tooling.
Security and Compliance Built In
Law firms are high-value targets for cybercriminals, and the SRA continually warns about ransomware, business email compromise, and data leakage. TWM’s thin-client-plus-AVD architecture directly addresses several of those risks. Client data never resides on the endpoint, so a stolen or lost thin client yields zero documents. The device cannot execute arbitrary code; even if a user clicks a malicious link on a web page inside their virtual desktop, the attack surface is contained at the host level, where Defender for Endpoint, network segmentation, and just-in-time access policies actively thwart lateral movement.
Conditional Access policies, enforced through Entra ID, further lock down access. A solicitor working from home must authenticate with multi-factor authentication, have a compliant device, and connect from a recognized IP range. The thin client itself participates in device-based conditional access as an Azure AD registered device, verifying its hardware identity before even presenting the login screen. That double-blind validation—device plus user—is table stakes for modern law firm IT and was impossible to achieve with the firm’s old RDS deployment, which relied on weaker NTLM-based gateway authentication.
Data sovereignty is another win. TWM’s clients frequently demand that their files remain within the jurisdiction of England and Wales. By placing the AVD host pools in Azure’s UK South region, the firm provides contractual assurance that data at rest and in flight never leaves the country. Independent auditors have validated the configuration, and it has become a selling point during client onboarding.
Day-to-Day Impact on Solicitors and IT Staff
Solicitors at TWM aren’t technologists, and the firm goes to lengths to keep the technology invisible to them, too. AVD sessions are pinned to Windows 11 multi-session hosts, so the user interface is familiar—Taskbar, Start menu, File Explorer—just delivered over a network. Applications launch instantly because they are pre-cached on fast SSDs in the host. Printers work. USB drives work, if policy allows them. The experience is so transparent that several partners initially believed the thin clients were tiny PCs until IT explained otherwise.
For the IT team, the rewards are equally tangible. Patching cycles, once coordinated around weekends and billable hours, now happen during off-peak times with zero user impact. Host images are updated through Azure Shared Image Gallery and rolled out with a canary deployment; if an update breaks a legacy case management plugin, the team can revert the entire pool to a known-good snapshot in under ten minutes. The 10ZiG Manager console provides fleet analytics, warranty lookups, and mass configuration changes from a single pane of glass.
Support calls have shrunk from several per day to a handful per week. A typical call now involves walking a user through MFA setup on a new phone, not troubleshooting a crashing hard drive. When a physical thin client does fail, next-business-day replacement from 10ZiG’s UK depot puts a fresh unit on the desk; IT pre-loads it with the correct configuration via the cloud before the user even turns it on.
Managing the Fleet with 10ZiG
Centralized management separates a successful thin-client rollout from a frustrating one. TWM relies on 10ZiG Manager to orchestrate its fleet. The tool handles firmware updates, OS configuration, certificate deployment, and peripheral policies through a secure cloud relay. IT can group devices by office, user persona, or software requirements, then push profiles that auto-install AVD workspaces upon first boot.
The platform also monitors device health: if a thin client exceeds a temperature threshold or reports a SMART disk error, 10ZiG Manager flags it for proactive replacement. The team has used this telemetry to justify an additional air conditioning duct in one server closet—data that would have been invisible on a standard PC.
Integration with Azure Active Directory (now Entra ID) simplifies identity management. Each thin client is registered as an Azure AD device, inheriting compliance policies from Intune. Should a device fall out of compliance—for example, if BitLocker recovery keys aren’t escrowed properly—Conditional Access can block it from authenticating to AVD, effectively rendering the hardware useless until it’s re-compliant. That closed-loop enforcement gives the firm’s compliance officer peace of mind.
The Bigger Picture: Endpoint Modernisation
TWM’s deployment is a microcosm of a broader endpoint modernisation wave sweeping through regulated industries. Law firms, accounting practices, financial advisors, and healthcare providers are gravitating toward thin clients precisely because they shift the security burden away from the desk and into the datacenter. When combined with Azure Virtual Desktop or Windows 365, these devices turn the traditional PC lifecycle on its head: hardware refresh cycles extend, energy costs plummet, and the risk of lost endpoints becomes a non-event.
Microsoft’s own strategy reinforces this trend. The company continues to invest in Windows IoT LTSC, recently confirming a new LTSC release based on Windows 11, while steadily adding features to AVD—such as App Attach, custom image support, and GPU-enabled hosts for CAD workloads. Analysts predict that within three years, over 60% of professional services firms will run virtual desktops for at least a subset of their workforce, up from roughly 30% today.
TWM’s experience offers a blueprint. It shows that the “invisible” endpoint isn’t just about shrinking the hardware footprint; it’s about creating a compute model where the device is too boring to attack, too simple to break, and too standardized to manage individually. For a mid-sized law firm, that translates into a small, overworked IT staff suddenly able to focus on strategic initiatives—like deploying AI-powered document review—rather than reimaging desktops.
What’s Next for TWM and the Industry
The firm isn’t standing still. Plans are already underway to pilot Windows 365 Enterprise for specific use cases, such as temporary staff or high-security matters that require a dedicated, persistent cloud PC. The 10ZiG hardware can connect to either service, so the fleet won’t need replacing. IT leadership is also evaluating single sign-on integration with third-party legal SaaS platforms, aiming to eliminate the last few passwords solicitors must remember.
For other law firms watching, the message is clear: the technology is mature, the management stack is solid, and the financial case closes faster than ever. Microsoft’s per-user pricing for AVD (via eligible licenses) removes the friction of upfront VDI licensing, while thin client OEMs like 10ZiG compete on service and simplicity. The result is a partnership that makes endpoints disappear—and in doing so, lets lawyers focus on the law, not the computer.