About the Author

Stephen Brown | Director Product Management, Security

Apple Mac OS X Security Updates for September 1, 2016

Mac OS X and Safari received a few updates today which appear to be a late response to the iOS zero-day vulnerabilities patched last week in iOS 9.3.5. These updates should be treated as critical and applied quickly.

iOS 9.3.5

First, we must look at iOS 9.3.5, released on August 25, 2016, in order to better understand these updates.

Lookout and Citizen Lab analysts found that Pegasus, a spyware product, uses zero-day vulnerabilities and sophisticated techniques for mobile-targeted attacks.

This “Trident Exploit Chain” is made up of the following three vulnerabilities:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

The exploit actions are summarized by Lookout:

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

The spyware, once installed, can be used to gather data from messages, phone calls, and application data. It has already targeted a human rights activist from the United Arab Emirates, unknown people in Kenya, and a Mexican journalist.

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite

These updates also included fixes for two kernel vulnerabilities.

There are a few insights with iOS 9.3.5 as a background. For starters, OS X and iOS have a lot of code in common. This isn’t news, but the latest update reinforces this fact. The potential for exploits exists on both platforms.

Secondly, why the delay? It could be a case of engineering timelines, but security professionals should again consider that what happens on iOS may affect Mac OS X and the other way around.

Noticeably absent from these updates is an update for the nearly three-year-old OS X Mavericks. There are two conclusions you can draw from this difference: either OS X Mavericks isn’t vulnerable, or Apple chose not to fix these issues.

If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I would say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for older versions of Mac OS X, and staying current on the latest version is as important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.

Safari 9.1.3

Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update, and this should be a warning: they are prime candidates for exploitation through phishing or any other method that cons unsuspecting users into clicking on a link.

Summary

If there are a few takeaways for IT and security teams here, they are:

  • Consider iOS and Mac OS X vulnerabilities to be related to each other
  • Older versions of Mac OS X are not going to have updates to fix every vulnerability including obvious critical ones
  • Don’t ignore your Apple devices – they get exploited too


Pokémon Go Ransomware: Don’t Catch This One

It appears that this summer’s creature-catching craze has caught something of its own: ransomware.

Any digital cultural phenomenon like Pokémon Go is likely to be exploited by malware writers, so it’s no surprise that Pokémon Go is now a vehicle for malicious code.

Fun vs. fear

Just last week we learned of Hitler ransomware, which, as I noted, leverages fear by using an offensive image as a way to drive irrational behavior.

Pokémon Go appears to tap into the opposite emotion—fun—by riding the wave of this cultural juggernaut. Just as someone might panic to pay a ransom due to fear, someone might download a file without thought due to the overwhelming desire for fun.

Supply and demand

There are a few interesting economic considerations with this ransomware.

First off, as noted in the analysis by Bleeping Computer, this ransomware targets Windows computers, and apparently Arabic speakers, too, based on the image in the infected splash screen.

According to a recent CNET article, Pokémon Go isn’t even available in the Middle East yet, so any hype that is building in the media (and there is a lot) only accelerates that interest for countries that do not yet have the game.

Secondly, Pokémon Go is a mobile game, so the developers of this ransomware would need to con someone who doesn’t have a basic understanding of the game to download the application to their Windows computer on the assumption that they could get the game that way.

Considering that Pokémon Go started in the United States and has been rolling out primarily to Western countries first, it is easy to see how the truth could be lost in translation, only for unsuspecting victims to be exploited.

Forbidden fun

Another interesting note is the fatwa against Pokémon games that was issued years ago by Saudi Arabia clerics and recently renewed due to issues around certain images and concepts including that of evolving the creatures.

Nothing drums up more interest than that which has been banned. Again, this is perhaps another emotion-based tactic used to lure unsuspecting victims into being exploited.

Ransomware’s future plans

Another interesting note about this ransomware is the creation of a backdoor account called Hack3r, which is hidden from users. There is no apparent use for the account except perhaps as a seed for future devious use.

Also, there is the creation of a network share with no apparent use except as a potential delivery vehicle.

In addition to the network share, there is also an attempt to write to any removable media with an autorun entry that would attempt to launch the ransomware when the media is loaded by other computers.

Finally, the executable is written to a drive other than C: with an autorun entry that launches it when the user logs into Windows. None of these techniques are new, but it appears that the authors were looking to develop something pervasive and easy to spread.
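The four indicators described above (the Hack3r account, the unexplained network share, autorun.inf on removable media, and a logon autostart entry pointing off the system drive) can be checked for on a Windows host with the following triage script. This is an added example, not code from the original post or from the Bleeping Computer analysis it cites: the account name comes from the post, while the share allow-list, the use of the Winlogon SpecialAccounts\UserList key as the account-hiding mechanism, and the comparison against $env:SystemDrive are my assumptions. It only reports; it changes nothing.

```powershell
# Added defender-side triage script (not from the original post). Run in an elevated
# PowerShell 5.1+ session on the suspect host. Each indicator from the write-up is
# checked independently and findings are collected as objects.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Indicator, $Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Backdoor account (name from the post). Whether it is hidden via the Winlogon
#    SpecialAccounts\UserList key is an assumption; the post only says "hidden from users".
$suspectAccount = 'Hack3r'
if (Get-LocalUser -Name $suspectAccount -ErrorAction SilentlyContinue) {
    Add-Finding 'Backdoor account' "Local user '$suspectAccount' exists"
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $entry = Get-ItemProperty -Path $userList -Name $suspectAccount -ErrorAction SilentlyContinue
    if ($entry -and $entry.$suspectAccount -eq 0) {
        Add-Finding 'Backdoor account' "'$suspectAccount' is hidden from the logon screen via SpecialAccounts\UserList"
    }
}

# 2. Network shares beyond the administrative defaults (C$, ADMIN$, IPC$, print$).
#    The post does not name the share, so every non-default share is reported.
$defaultShares = 'ADMIN$', 'IPC$', 'print$'
Get-SmbShare | Where-Object { $_.Name -notin $defaultShares -and $_.Name -notmatch '^[A-Z]\$$' } | ForEach-Object {
    Add-Finding 'Unexpected share' "$($_.Name) -> $($_.Path)"
}

# 3. autorun.inf on removable media (Win32_LogicalDisk DriveType 2 = removable disk)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $autorun = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $autorun) {
        $body = (Get-Content $autorun -Raw) -replace '\s+', ' '
        Add-Finding 'Removable-media autorun' "$autorun present: $body"
    }
}

# 4. Logon autostart (Run key) entries whose target lives on a drive other than the
#    system drive. The post says "a drive other than C:"; comparing against
#    $env:SystemDrive covers hosts where the system drive is not C:.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip the provider's PSPath/PSDrive metadata
        if ($p.Value -match '^"?([A-Za-z]):' -and "$($Matches[1]):" -ne $env:SystemDrive) {
            Add-Finding 'Off-system-drive autostart' "$key\$($p.Name) = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators found' } else { $findings | Format-Table -AutoSize }
```

A hit on any single check is not proof of this sample (other software legitimately creates shares or autostart entries on data drives), but two or more together match the behaviour described above closely enough to justify isolating the machine, as the recovery article further down this page recommends.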

It appears that the ransomware is in development based on an incomplete encryption approach that uses a fixed key of 123vivalalgerie.

Also, the incomplete propagation techniques mentioned earlier indicate that this ransomware was caught early. Kudos to Michael Gillespie (@demonslay335), who caught this sample in the wild before it evolved into something nastier.

Key takeaways

If there is one thing to learn with this latest ransomware discovery, it’s that malware writers leverage trending events and interests to drive the spread of their scams.

Ransomware hits at our digital hearts (our data), and therefore emotions are key to spreading and monetizing its authors’ work.

As always, beware of things that are too good to be true and take good precautions such as those listed in our article Everything You Need to Know to Prevent Ransomware.

Now back to capturing the local gym!


Hitler Ransomware: How Low (and How Lame) Can They Go?

The short answer to this question is pretty low and very lame.

Hitler ransomware, targeting Windows computers, was recently discovered and presents two newer angles to ransomware: an offensive presentation and the ability to destroy files without using encryption (ransom scams).

Offensive, fear-based presentation

Part of ransomware’s power is the ability it has to instigate fear in the user. Namely, the fear of losing personally valuable files. Anything that can exacerbate that fear–such as an offensive image–will trigger an even stronger primal response to protect at all costs (literally). This is the reaction that malicious developers are seeking.

As noted in an article on Hitler ransomware by Bleeping Computer, one of the elements that gives this variant of ransomware its name is the lock screen with a picture of Adolf Hitler.

He is giving his militaristic salute followed by a message that files have been encrypted and then demanding payment in the form of a Vodafone card.

Using universally-offensive imagery of a historical figure creates an immediate negative reaction in the user. This fear-based reaction, compounded by the ransom demand, is more likely to trigger irrational responses that lead to higher payments.

Crash and delete instead of encryption

The second element of this ransomware is an action other than encryption of files.

Hitler ransomware developers were either too lazy or too inept to develop encryption capabilities, so they simply decided to crash infected computers and, upon reboot, delete files.

The command used with this ransomware (del *.* /s /q) unfortunately doesn’t put files into the Recycle Bin, but a positive note is that there are many utilities available for recovering deleted files.

Key takeaways

Here are a few things to learn from this offensive ransomware:

  1. Implement some best practices, such as those in our article Everything You Need to Know to Prevent Ransomware, to prevent ransomware from affecting you.
  2. Use good Internet hygiene when it comes to opening attachments in email or browsing websites.
  3. If you or your business gets hit by ransomware, take a deep breath and don’t emotionally respond. Remember that fear is a tool that is used by ransomware authors.
  4. Not all files are permanently lost. In the case of Hitler ransomware, a file recovery tool may be able to help. Some ransomware has been cracked and there are utilities for decrypting files. Do some research or get an expert to help see if your data is recoverable.

Be safe out there and be sure to get your free copy of our white paper on how to protect against ransomware below.


August Patch Tuesday 2016


Here is this month’s analysis from Chris Goettl, of our Shavlik Product Management team:

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user-targeted vulnerabilities, and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to Ransomware. Plugging as many user-targeted vulnerabilities as possible on the endpoints is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

Originally published at http://blog.shavlik.com/august-patch-tuesday-2016/

Ransomware Bytes! How to Recover Quickly in 5 Steps

Uh oh… you’ve been infected by ransomware! What do you do?

First, don’t panic. It’s possible that you didn’t protect against ransomware as well as you could have. But don’t dismay; we’re here to help!

Here are five key steps to recover from ransomware.

1. Isolate Infected Computers 

As with other types of malware, ransomware wants to spread to other computers. If one computer is infected, it should be isolated from others by taking it off the network and considering it viral until the system can be reimaged.

2. Recover Your Data from Backup 

Hopefully, you have your data backed up. If there was ever a good reason to back up your data, ransomware is that reason. The risk of ransomware lies in the value of your data and what the loss of that data means. With regular backups, you can ignore ransomware’s threat to destroy your data and move forward with your computer.

3. Reimage Your Computer

Rather than trying to remove the ransomware from your system, consider it lost and reimage the entire operating system and reinstall applications. See the previous step for getting the data back.

If you have the right tools in place, this is a quick procedure. If you don’t, get your software installs out and buckle up for a few hours. Once you’ve done this and the previous step, you’re ready to go.

4. Update Your Software

Consider this a step to prevent future infections. You may be able to identify how the ransomware got onto your computer; if it was through a malicious website or web ad, it is likely that it exploited a vulnerability in your browser or other web software. Keeping these and all software up to date minimizes the risk of vulnerabilities being exploited to deliver ransomware.

This can be a difficult process to do manually, but a good patch management solution will automate this process.

5. Use Endpoint Security Software 

Again, this step is similar to the previous in that it focuses on eliminating future infections. You could break this down into a few different sub-steps which include:

  • Install antivirus software and keep it up to date
  • Use advanced endpoint security capabilities that block ransomware behavior
  • Minimize administrator privileges to limit what a malicious attack can do
  • Consider whitelisting to prevent untrusted software from running
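The "minimize administrator privileges" step above, and the Patch Tuesday note earlier on this page that many user-targeted vulnerabilities are reduced in impact when the user is not a full administrator, both come down to knowing who actually holds local administrator rights. The following audit is an added example, not code from the original post or from LANDESK: the allow-list of approved principals is a constructed placeholder, and the function name is mine.

```powershell
# Added example (not from the original post): list members of the local Administrators
# group that are not on an approved allow-list. Reporting only; nothing is removed.
# Requires the LocalAccounts module (PowerShell 5.1 on Windows 10 / Server 2016 and later).

function Get-UnexpectedLocalAdmins {
    param(
        # Constructed placeholder allow-list: replace with the principals your policy approves.
        [string[]]$Approved = @('Administrator', 'Domain Admins')
    )
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Member names come back as HOSTNAME\user or DOMAIN\group; compare on the short name.
        $shortName = $_.Name.Split('\')[-1]
        if ($shortName -notin $Approved) {
            [pscustomobject]@{
                Member      = $_.Name
                ObjectClass = $_.ObjectClass        # User or Group
                Source      = $_.PrincipalSource    # Local, ActiveDirectory or MicrosoftAccount
            }
        }
    }
}

# Usage on the local machine; for a fleet, run the same function body remotely:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-UnexpectedLocalAdmins}
Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Every row returned is a user who, if they click on specially crafted content, gives an attacker full control of that endpoint rather than a standard-user foothold, which is exactly the difference the bulletin analysis above is drawing.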

Protect your valuable business assets today with LANDESK Security Suite (LDSS) and check out our free white paper below.


Apple July 2016 Mac OS X Updates


Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including versions El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari with a new version 9.1.2. In total, there were 72 vulnerabilities fixed, many creating high risk to enterprises.

For the full analysis, see this post on Shavlik.com.

Windows 10 Branch Upgrade Solution Architecture Part 2


In part 1 of this discussion on Windows 10 branch upgrade solution architecture, I set out the key elements of a Windows 10 branch upgrade solution architecture. The points of upgrade education, end user communication, and solution preparation were discussed in that first article. Let’s complete this discussion by diving into the upgrade rollout model and issue management.

Upgrade Rollout Model

In the article on Windows 10 Branch Upgrade Strategy, I outlined different models and timelines for how to roll out your upgrades. Create a similar rollout model for your organization, making sure you have nailed down these key elements:

  • Rollout Groups: Hopefully you have already structured your organization into groups for patching, software rollouts, and previous operating system migrations. If you haven’t, now is the time to do so. At minimum have a pilot or test group and a production group. It is very likely you will have more than 1 of each. Here is one example to get you thinking:
    • Pilot Group 1 – IT: Start here as you should have the most communication with these individuals and they should be technical enough to provide detailed feedback if issues are encountered.
    • Pilot Group 2 – Power Users and Application Owners: Find the tech heads of different departments who will, again, provide detailed feedback if issues are encountered. Also, find the business application owners who aren’t in IT. If you don’t know who these people are, start networking internally. They will surface if you ask.
    • Production 1 – Non-Critical Systems and Users: This is a loaded term, but figure out what systems and users won’t cripple the business if the upgrade has issues. Different departments may be more critical at different times of the year or quarter (sales, finance, etc.). This difference in time of year and quarter could merit breaking this group into two, or timing very strategically. Every organization is different, so make sure you understand yours before assigning anyone to a group.
    • Production 2 – Critical Users: This is the phase to address those critical users like sales, finance, or service delivery. This phase may need to be paused depending on the time of the year or quarter.
    • Production 3 – Critical Systems: This probably includes any system that has a material impact on the business in terms of generating revenue or delivering a service or product to a customer. It could include systems that control medical devices, for example. Again, timing may affect criticality here, but understanding your business is paramount.
  • Timing: Each rollout group should have a set time in which the upgrade occurs. Remember the 80/20 rule: you will likely get 80% of the group upgraded quickly and will have to work hard for the other 20%. Also, the upgrade is not the end goal; making sure business continuity is maintained with optimal service levels is. If you have 3 months for pilot group 1, try to get the upgrades completed in month 1 so the remaining 2 months can be used to assess impact.
  • Acceptance Criteria: Before moving to the next phase, know what you consider success. Is it 100% desktop usability (or 95%)? Is it based on a review of all critical incidents related to users who were upgraded? Who makes the approval decision? Answer these questions before moving on to the next phase.

Issue Management

One can expect a certain percentage of systems to have issues during the upgrade process. Part of the solution architecture should take into account how to address issues so as to not slow down the overall rollout and to ensure that systems are upgraded before patch support is discontinued.

There are likely many areas to plan for, but I will throw out two that you can prepare for:

  • Hardware: Two examples: Do drivers impact the upgrade? Are storage limitations an issue?
  • Application compatibility: This is likely the number one issue you will run into. What business and 3rd party application teams/vendors do you need to call on when issues are encountered? If a compatibility issue becomes an upgrade blocker, what is the plan?

Key Takeaways

As the challenge is big, so is the solution. Here are the key points to share around an upgrade solution architecture:

  • Upgrade education: prepare your users for the changes
  • End user communication: remember to communicate expectations before, during, and after the upgrade
  • Solution Preparation: the solution architecture needs to be robust and automated
  • Upgrade Rollout Model: break your enterprise into groups and upgrade methodically
  • Issue Management: Windows 10 forces tight timelines so prepare for issues in advance

With the solution architecture set up, I will next explore how LANDESK can help with Windows 10 branch upgrades.

July Patch Tuesday 2016


Here is this month’s analysis from Chris Goettl:

Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat/Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning, if a user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010. The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.” The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative JScript/VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow for Remote Code Execution and Elevation of Privilege attacks, if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or by setting up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper Privilege Management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. On SharePoint, the vulnerabilities appear to only allow for Information Disclosure according to documentation provided by Microsoft, and the rating drops to important for SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins.  For more detail join us tomorrow for our regular Patch Tuesday webinar.

Originally published at http://blog.shavlik.com/july-patch-tuesday-2016/

Windows 10 Branch Upgrade Solution Architecture Part 1


In previous articles, I’ve covered a lot of information on Windows 10 branches. As you have seen there are a lot of new concepts and challenges with Windows 10 branch upgrades that did not exist in previous versions of Windows. With all of that as background, this article is the first of two parts around a Windows 10 branch upgrade solution architecture.

Solution Architecture

In order to build an effective solution, the following elements should be in place:

  • Upgrade Education
  • End User Communication
  • Solution Preparation
  • Upgrade Rollout Model
  • Issue Management

Upgrade Education

Before doing an upgrade, consider the changes to the user experience. Branch upgrades are not as drastic as a new version of Windows, but instead introduce new features and usability changes gradually. Depending on your organization, you may simply inform users that a new version of Windows 10 will roll out and to expect changes. For change-sensitive people, you may need to consider some deliberate training in preparation. Use experience from previous operating system migrations to determine what is best here.

Upgrade Communication

Do not underestimate the importance of communication as you develop your solution. As noted in the Windows 10 Current Branch article, upgrades will be disruptive and take around 30 minutes. With these challenges in mind, communications should be multi-phase:

  • Pre-Upgrade Application Owners: Application owners should be notified of the upgrade plan and schedule so they can test their application to ensure business continuity. Constant communication of the upgrade process should be delivered to the application owners.
  • Pre-Upgrade End Users: Users should be prepared to understand that the upgrade experience is unlike anything they have experienced in the past. It will take time and prevent them from doing work. Show them screenshots of what they can expect, and remember that users will ignore your emails. Per the upgrade education section, make sure to educate them on changes before the upgrade.
  • Upgrade Launch: Per my previous point, users will ignore any emails you send them. Before launching the upgrade, they should see an on-screen notification that summarizes what will happen and points them to a web portal with detailed explanations.
  • Post Upgrade: Branch upgrades introduce new features and we all know that despite all the testing you may do, there is the potential for issues. Make sure that post migration, there is a method to gather feedback and measure upgrade issues.

Solution Preparation

  • Upgrade Readiness: An operating system migration requires many considerations (CPU, RAM, etc.). In the case of the branch upgrade, the one element that should be constantly monitored is free disk space. It isn’t clear how much space is required for a branch upgrade, but remember the upgrade file is 3 GB for x86 and 6 GB for x64 plus space for temporary files. As a safe bet, keep to the Windows 10 specifications for free disk space of 16 GB for x86 and 20 GB for x64.
  • Targeting: As mentioned in the Branch Upgrade Strategy, enterprises need to plan on having systems on multiple branches. This will require that users and computers are assigned to groups identifying them with their branch. Once done, you need to plan on targeting migrations appropriately (for example, Current Branch to Current Branch).
  • Distribution: As upgrade packages are large, enterprises will need a plan for how the package will be distributed and cached. The existing software delivery architecture needs to be ready for 4 GB files, as that is the size of the 1511 x64 package.
  • Off-Network Systems: In many enterprises a significant minority, if not a majority, of clients will be laptops, many of which spend little time on the corporate network. With these systems, there must either be the option to remotely upgrade them or a planned upgrade for when they are on the network.
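The Upgrade Readiness and Targeting items above reduce, per machine, to three facts: which branch it is on, which architecture it runs, and whether its system drive has the free space the article's safe-bet figures call for (16 GB for x86, 20 GB for x64). The following function gathers those facts so a rollout group can be screened before it is targeted. It is an added example, not code from the original article or from LANDESK; the thresholds are the article's numbers, while the function name, the output shape and the use of the ReleaseId registry value (present from build 1511 onward) to identify the branch are mine.

```powershell
# Added example (not from the original article): pre-upgrade readiness report for a
# Windows 10 system. Thresholds default to the article's guidance; the function runs
# locally and is shaped so it can be pushed to a rollout group with Invoke-Command.

function Test-BranchUpgradeReadiness {
    param(
        [int]$RequiredGBx86 = 16,   # article's safe-bet free space for x86
        [int]$RequiredGBx64 = 20    # article's safe-bet free space for x64
    )
    $os  = Get-CimInstance Win32_OperatingSystem
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID = '$($os.SystemDrive)'"

    # ReleaseId (e.g. 1511, 1607) identifies the branch; it is absent on the original
    # 10240 build, in which case the Version field (10.0.10240) still tells you.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $is64       = $os.OSArchitecture -like '64*'
    $requiredGB = if ($is64) { $RequiredGBx64 } else { $RequiredGBx86 }
    $freeGB     = [math]::Round($sys.FreeSpace / 1GB, 1)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Branch       = $cv.ReleaseId            # $null on builds before 1511
        Version      = $os.Version
        Architecture = $os.OSArchitecture
        SystemDrive  = $os.SystemDrive
        FreeGB       = $freeGB
        RequiredGB   = $requiredGB
        Ready        = $freeGB -ge $requiredGB
        ShortfallGB  = [math]::Max(0, $requiredGB - $freeGB)
    }
}

# Local check:
Test-BranchUpgradeReadiness

# Whole rollout group (one hostname per line in a text file), listing only the blockers:
#   Invoke-Command -ComputerName (Get-Content .\pilot-group-1.txt) `
#       -ScriptBlock ${function:Test-BranchUpgradeReadiness} |
#       Where-Object { -not $_.Ready } | Sort-Object ShortfallGB -Descending
```

Filtering the remote results on Branch as well as Ready gives the targeting list the article asks for (for example, only systems currently on 1511 that have room for the 1607 package); the ShortfallGB column turns the disk-space blockers into a cleanup work list for the pilot group.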

Looking Ahead

There is a lot of information to cover for a Windows 10 branch upgrade solution architecture. In part 2, I will dive into the upgrade roll out model and issue management.

Windows 10 Branch Upgrade Strategy


A Windows branch upgrade strategy is a necessity for enterprises. With the short patch support life cycle for branches, not upgrading will result in significant security risk. This is going to require a new level of upgrade planning and execution.

Upgrade or Be Vulnerable

With Windows 10, the imperative to upgrade branches is critical to staying secure. In May 2016 at the WinHec 2016 conference, Microsoft clarified that branch upgrades would come out twice a year instead of the 2-3 that had been communicated earlier (see the slides from the presentation for details). There was also some clarity on the life cycle of a branch.

[Figure: Windows 10 patch support life cycle]

As you can see, the full lifecycle (excluding Insider Preview) is at least 18 months. Using this as a foundation, enterprises should plan out their Windows 10 branch upgrade strategy.

Upgrade Model

With a constant stream of updates, enterprises will need to develop constant rollout processes, which will often overlap. Here is a three-step approach that can be applied to different rollout plans:

  • Pilot on Current Branch: As branches are progressive in nature, rollouts should schedule the pilot phase to commence with the release of Current Branch. Current Branch will stabilize over time so pilot systems can detect issues that may affect production systems.
  • Production on Current Branch for Business: When the branch is declared Current Branch for Business, it should be very stable and the pilot rollouts should have already identified branch compatibility issues that can be addressed before this phase begins.
  • Grace Period for Problem Upgrades: Enterprises should be done with upgrades before hitting the grace period and use this time to address problem upgrades only.

With this as a basic model, let’s explore a few examples on upgrade rollouts through the end of 2018. All examples are speculative on release timing and versioning. That said, we have seen 2 branch releases per year with 1511 and 1607. With the upcoming Anniversary Update, likely in July, there appears to be a pattern to release in July for back to school and consumer sales. Whether the 2nd release continues to be in November is yet to be seen, but this release does align with business computer releases that are common at the beginning of the year.

5-Step Rollout Example

In this example, rollouts occur in five steps, with most systems spending 4-6 months on any given branch. As you will see, there is a constant upgrade occurring.

[Figure: Windows 10 branch upgrade plan, 5-phase]

3-Step Rollout Example

This example has fewer phases, which allows a consistent 6 months on any given branch.

[Figure: Windows 10 branch upgrade plan, 3-phase]

3-Step Branch Skipping Rollout Example

This example requires aggressive rollouts, but the resulting benefit is the ability to keep systems on the same branch for 12 months by skipping every other branch.

[Figure: Windows 10 branch upgrade plan, 3-phase with branch skipping]

Too Fast? Long-Term Servicing Branch

If you find an 18-month lifecycle to be overwhelming for some or all of your systems, then you need Long-Term Servicing Branch (LTSB). Cost and some limitations will apply (see Windows 10 LTSB (Long-Term Servicing Branch) for details), but upgrades are in years versus months. The limitations are not trivial (Enterprise Edition only, high cost, reduced features), so be aware that LTSB may not be an option.

Key Takeaways

Here are the key points to share with colleagues and the boss:

  • From the availability of Current Branch, plan on a minimum life of ~18 months
  • Once a branch reaches the end of the support life, no patches will be provided
  • Plan on perpetually upgrading systems every 4-12 months when using a phased approach
  • If the upgrade lifecycle is too fast, consider Long-Term Servicing Branch

With branch explanations and strategies done, I will next explore a Windows 10 branch upgrade solution architecture.