Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates


The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice: security or availability. Security in the sense of eliminating the risk of known vulnerabilities through patching. Availability where an application or Windows 10 feature only works when an update isn’t applied. Enterprises will need to plan on Windows 10 security mitigations when applying cumulative updates isn’t an option.

Bad Patches

Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied they break functionality in Windows or 3rd party applications. Sometimes Microsoft needs to fix something – sometimes a 3rd party vendor (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straightforward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or 3rd party software to be released, apply the improved patch or software and move forward.

Windows 10 Security Mitigations

With the cumulative updates, selectively applying patches is over. Rather than fretting over the situation, there are a number of mitigations that might be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald wrote a report on Best Practices for Secure Use of Windows XP After Support Ends to address the issues of not being able to patch vulnerabilities that would continue to be found. Many of these practices can be used with Windows 10 for those situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with LANDESK solutions.

Restrict Network Connectivity to the Minimum Possible

This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. LANDESK Security Suite can limit network connectivity through Windows firewall management or the LANDESK firewall.


Whitelisting is a very effective method of securing a system as it stops unauthorized applications from running. LANDESK Security Suite and our recently acquired AppSense Application Manager both provide industry leading whitelisting with plans to blend both capabilities in future product releases.

Remove Administrative Rights

Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations from such an action often stop organizations from taking this step. Privilege management software, including AppSense Application Manager, can be used to grant privileges to applications that need them so users can use non-administrative accounts. On the reverse, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.

Address the Most Common Attack Vectors — Web Browsing and Email

There are a number of things that go into securing web browsing and email. Neil mentions the following controls:

  • Patch Management: As discussed in my previous article, 3rd party patch management is a strength of LANDESK Patch Manager
  • Containerization: there are a number of solutions that use technology to isolate applications, including our partner Bufferzone. With these solutions, attacks are contained to that application and are unable to spread to the operating system or other applications.

Keep the Rest of the Software Stack Updated Where Possible, Including Office

Can I get one more amen for patch management? Enough said.

Use an IPS to Shield Systems from Attack

LANDESK Security Suite includes a Host Intrusion Prevention component to address behavior-based attacks and apply file protection rules. Add to that, LANDESK Antivirus brings an industry leading antimalware engine.

Disable USB Ports and CD/DVD Drives

Often malware is introduced through removable media. LANDESK Security Suite provides device control to disable external media devices, make them read-only, and/or shadow copy files that move across those devices.

Key Takeaways

Here are some points to remember and share:

  • Expect Windows 10 cumulative updates to occasionally break features or 3rd party applications
  • Selective application of patches is no longer an option with Windows 10
  • Build out a strategy of security mitigations when applying the cumulative update isn’t feasible

This article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful and I wish you great success with managing Windows 10 updates.

Managing Windows 10 Cumulative Updates with LANDESK


Managing Windows 10 cumulative updates with LANDESK leverages years of features and expertise in patch management. LANDESK Patch Manager provides automated assessment and targeting, robust network-sensitive update distribution, third-party patching, and custom patch definitions all of which make a comprehensive solution for Windows 10 patch management. This article will explore the capabilities in LANDESK Patch Manager that address Windows 10 cumulative updates.

Automated Assessment and Targeting

LANDESK Patch Manager provides content to identify computers missing cumulative updates and then target those computers for automated or approved remediation. Content is specific to Windows 10 branches which enables proper targeting of cumulative updates to the appropriate computers.

(Figure: Windows 10 Update Definitions)

Update Distribution

As detailed in my Windows 10 Cumulative Updates Overview, the large size of the updates is one of the biggest challenges that enterprises will need to address. The challenge of distributing these large packages, at least monthly, requires strong software distribution capabilities. LANDESK Patch Manager leverages best in industry distribution capabilities to quickly push packages while minimizing the impact on the network. Such capabilities include:

  • Targeted multicasting: efficiently distributes packages to multiple computers through network efficient communications.
  • Peer-to-peer downloading: peer-to-peer technology enables computers on the same subnet to share packages eliminating the need to communicate across slow links or overwhelming a single server.
  • Bandwidth throttling: throttling limits the amount of traffic a computer uses to preserve network capacity for other communications.
  • Distribution servers: Distribution servers can be designated to host packages in different locations so updates only need to be downloaded once across slow WAN links that connect remote sites to a central datacenter.
  • Checkpoint restart: nothing is more annoying than having to restart a download. With automated checkpoint restart, package downloads can continue where they left off if a system gets disconnected.

Third-Party Application Patching

I continue to be shocked when I speak with enterprises who are not patching their third-party applications. Some are painfully packaging applications for distribution one update at a time, while many others are doing nothing. If there is one thing to be learned from Windows 10 cumulative updates, it is that 3rd party application compatibility is at continuous risk and the need to update such applications rapidly is more important than ever. With LANDESK Patch Manager, thousands of common third-party applications are analyzed to create content that enables silent detection and update of such applications.

Custom Application Patching

For those applications not in our extensive catalog, there is also the option to create a custom definition to detect and update the application. This capability can be particularly beneficial for internally developed applications which will also be under compatibility pressure with Windows 10 updates.

Systematic Rollout of Cumulative Updates

In my previous article on using LANDESK for Branch Upgrades, I discussed the use of the feature, Rollout Projects, to systematically deploy branches. The same feature can be used to deploy Windows 10 Cumulative Updates (as well as any other update, branch, or software package). Rollout projects automates the assessment, distribution, and installation of updates to groups of computers in a predefined order.

(Figure: Patch Rollout Projects)

Steps can be defined to sequence different rollout groups to have a measured approach to updates. Each step can have exit criteria before moving on to the next step. Exit criteria includes:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to stop rollout issues from spreading.

(Figure: Patch Exit Criteria)

Key Takeaways

LANDESK Patch Manager solves the challenge of managing Windows 10 cumulative updates through:

  • Automated identification of vulnerable Windows 10 computers
  • Network-sensitive update distribution
  • Extensive catalog of third-party application patching
  • Custom patch definition
  • Systematic project-style roll out of patches

In the next and final article in this series, I will explore security mitigations for when you can’t apply Windows 10 cumulative updates.

Windows 10 Cumulative Updates and Branches


Windows 10 cumulative updates and branches have a critical relationship. Failing to understand the branch lifecycle can create risk for any patch management program. Much of this article will be a rehash of previous articles I’ve written on Windows 10 branch upgrade management, but it is so important to understand this relationship that I’m going to cover this topic again with an angle on the impact to cumulative updates.

Windows 10 Branch Lifecycle

From the time that a new branch is released, there is a minimum lifecycle of 18 months broken down in the following phases:

  • General Availability (GA) with Current Branch
  • Current Branch for Business declared at least 4 months after GA
  • Grace period begins at least 16 months after GA and lasts for 60 days
  • Once grace period is complete, new cumulative updates are not released for that branch

Let me repeat that last point: once a branch has finished the grace period, there will be no more patches. Here’s a visualization of this lifecycle:


An Update for Every Branch

As mentioned in my Windows 10 Cumulative Updates Overview, there are distinct update packages for each branch. To date, there is one for 1507, 1511, and 1607. Each package only installs on that specific branch – this is how support will likely be curtailed for older branches.

(Figure: Cumulative Update Does Not Apply)

As to the size, cumulative updates are generally smaller for newer branches as fixes are rolled into the branch upgrade.

Triggering Events

Current Branch for Business

This milestone signifies that a branch is at a higher level of quality and begins with Microsoft declaring a cumulative update that distinguishes a branch as Current Branch for Business. Only branch 1511 has gone through the Current Branch for Business declaration event. In that case, Current Branch for Business was simply a combination of the GA 1511 release and the March 2016 cumulative update, meaning that ongoing updates give Current Branch systems the same level of stability as those that waited and applied the Current Branch for Business upgrade.

Grace Period

Based on various articles and conversations with Microsoft, we believe the Grace Period for the oldest branch (latest branch – 2) will begin when the latest branch reaches Current Branch for Business. There is a lot of potential variability here as the declaration of Current Branch for Business for 1511 occurred in early April 2016, but didn’t reach Windows Update until late May.

End of Support

Once the Grace Period is complete, there are no more patches for that branch. With the exception of the Long-Term Servicing Branch version of Windows 10, this means systems will need to be upgraded as frequently as every 18 months.

Deconstructing a Branch Lifecycle

To date, no branch (including the original 1507) has gone through the entire lifecycle that Microsoft has outlined. Here is a table outlining the three Windows 10 branches to date and their lifecycle milestones with some estimated dates for future milestones.

Milestone                     1507              1511               1607
Current Branch Availability   July 29, 2015     November 12, 2015  August 2, 2016
Current Branch for Business   July 29, 2015     April 8, 2016      December 2016*
Grace Period Begins           December 2016*    Unknown            Unknown
Grace Period Ends             February 2017*    Unknown            Unknown

* Estimated dates
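The lifecycle phases above are all stated as minimums ("at least 4 months", "at least 16 months", 60 days), so the dates they imply are the earliest each milestone can occur, which is the conservative number to plan upgrades around. The script below is an added example, not code from the article or from LANDESK: it applies those minimum intervals to the GA dates in the table and ranks a constructed fleet inventory by worst-case days of patch coverage left. The function names, the reference date and the hostnames are this example's own assumptions; the article's estimated dates may be later than the minimums computed here.

```python
"""Earliest branch lifecycle milestones from a GA date.

Added example; not code from the original article or from LANDESK. It
applies the minimum intervals the article lists (CBB at least 4 months
after GA, grace period at least 16 months after GA, grace period of
60 days) to the article's GA dates. Because every interval is a
minimum, the results are the earliest dates each milestone can occur.
"""
from datetime import date, timedelta

# GA (Current Branch availability) dates from the article's table
GA_DATES = {
    "1507": date(2015, 7, 29),
    "1511": date(2015, 11, 12),
    "1607": date(2016, 8, 2),
}
MIN_MONTHS_TO_CBB = 4      # "declared at least 4 months after GA"
MIN_MONTHS_TO_GRACE = 16   # "begins at least 16 months after GA"
GRACE_DAYS = 60            # "lasts for 60 days"


def add_months(d, months):
    """Add calendar months, clamping the day to the target month's length
    (for example Jan 31 + 1 month -> Feb 28 or 29)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    if month == 2:
        leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
        last_day = 29 if leap else 28
    elif month in (4, 6, 9, 11):
        last_day = 30
    else:
        last_day = 31
    return date(year, month, min(d.day, last_day))


def earliest_milestones(ga):
    """Earliest possible milestone dates for a branch released on `ga`."""
    grace_begins = add_months(ga, MIN_MONTHS_TO_GRACE)
    return {
        "general_availability": ga,
        "current_branch_for_business": add_months(ga, MIN_MONTHS_TO_CBB),
        "grace_period_begins": grace_begins,
        "grace_period_ends": grace_begins + timedelta(days=GRACE_DAYS),
    }


def days_of_patches_left(ga, today):
    """Worst-case number of days until the branch stops receiving cumulative
    updates; 0 once the earliest possible grace period end has passed."""
    end = earliest_milestones(ga)["grace_period_ends"]
    return max((end - today).days, 0)


def upgrade_plan(today, fleet):
    """fleet maps hostname -> branch. Returns (days_left, host, branch)
    tuples sorted so the most urgent upgrades come first."""
    plan = [(days_of_patches_left(GA_DATES[branch], today), host, branch)
            for host, branch in fleet.items()]
    return sorted(plan)


if __name__ == "__main__":
    today = date(2016, 9, 20)  # constructed reference date (assumption)
    for branch, ga in GA_DATES.items():
        print(branch, {k: v.isoformat() for k, v in earliest_milestones(ga).items()})
    # constructed fleet inventory (hostnames are assumptions)
    fleet = {"kiosk-01": "1507", "hr-pc-07": "1511", "dev-22": "1607"}
    for days, host, branch in upgrade_plan(today, fleet):
        print(f"{host} ({branch}): {days} days of worst-case patch coverage left")
```

For 1507 the minimums give Current Branch for Business no earlier than November 29, 2015, the grace period no earlier than November 29, 2016 and its end no earlier than January 28, 2017; for 1607 they give Current Branch for Business no earlier than December 2, 2016. The article's own estimates in the table are consistent with these as lower bounds, since each phase can start later than its minimum.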

Upgrade Your Branches or…

With this new continuous update model, businesses must have a plan to continuously update to newer versions of branches to be able to apply the latest security fixes. As I discussed in earlier articles, there is a whole strategy to this (see Windows 10 Branch Upgrade Strategy). If upgrading systems is an issue one option is to consider using Windows 10 Long-Term Servicing Branch (LTSB) which will have a patch support lifecycle of 10 years.

Key Takeaways

Here are the points to remember from this article:

  • Cumulative updates are specific to branch versions
  • Branches have a lifecycle as short as 18 months
  • If you can’t keep up with branch upgrades, consider Windows 10 LTSB version

With this discussion on the relationship between cumulative updates and branches finished, I will next discuss managing Windows 10 cumulative updates with LANDESK Patch Manager.

Windows Update for Business


When Windows 10 launched, there was talk of a new update mechanism known as Windows Update for Business (WUB). What sounded like a new platform ended up being a set of policy settings to configure Windows 10. Let’s explore some of these settings and how you can use them in your enterprise.

Windows Update for Business Is… Just a Bunch of New Policy Settings

Some of the initial press around Windows Update for Business could lead you to think that a new update platform or product was in the works. The reality is that Windows Update for Business is simply additional policy settings that you can configure with Group Policy Objects or any other comparable tool.

The other point, when you look closely, is that these settings are just an extension of those in previous versions of Windows found under the Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Before diving into the new settings, look at one of the most important settings that has existed for previous versions of Windows.

Configure Automatic Updates via Policy Only

With Windows 10, you can no longer configure update settings in the Control Panel. These settings are available in the policy only – unless you are on Windows 10 Professional with the Anniversary Update branch (1607).

The new settings specific to Windows 10 include:

  • Turn off auto-restart for updates during active hours
  • Do not include drivers with Windows Updates
  • Defer Upgrades and Updates (only with 1507 and 1511 branches)
  • Select when Feature Updates are received (new with the Anniversary Update)
  • Select when Quality Updates are received (new with the Anniversary Update)

Turn off auto-restart for updates during active hours

This setting prevents Windows from restarting for up to 12 hours. Good for the grumpy business user who hates restarting during work.

Do not include drivers with Windows Updates

Fairly self-explanatory, this setting prevents Windows Update from applying driver updates with monthly patches, also known as cumulative updates, also known as quality updates.

Defer Upgrades and Updates (Windows 10 1507 and 1511)

In the first two branches of Windows 10, this setting lets you defer branch upgrades for up to 8 months. With the Anniversary Update, this setting disappeared and was replaced by the two settings below.

(Figure: Windows Update for Business - Windows 10 Anniversary Update)

Select when Feature Updates are received

Feature Updates are Microsoft speak for branch upgrades (one wonders why they didn’t just call this setting Branch Upgrades). With this setting, the computer can be configured to use Current Branch or Current Branch for Business with a deferral up to 180 days.

Select when Quality Updates are received

Quality Updates refer to the monthly (sometimes more) cumulative updates, also known as patches, that are typically released on Patch Tuesday, the second Tuesday of the month. Again, it’s surprising why they used a name that isn’t well understood. With this configuration, updates can be deferred for up to 35 days.

Sorry Windows 10 Professional

One of the changes in the Anniversary Update is the loss of policy settings for Windows 10 Professional. Settings that can no longer be managed on Windows 10 Professional include:

  • Turning off Microsoft consumer experiences
  • Do not show Windows Tips
  • Not showing the Lock Screen
  • Disabling apps from Windows Store

See the article and the Microsoft TechNet article for details.


Far from a replacement for patch management, Windows Update for Business offers new settings that complement a comprehensive patch management strategy. You should leverage these settings to keep enterprise deployments of Windows 10 consistent as the default is always “update”. As a best practice, use these settings to configure systems on Current Branch or Current Branch for Business to prevent the end user from doing whatever they want.

Key Takeaways

Here are the key points to share with your boss and peers:

  • Windows Update for Business (WUB) is simply a few additional update settings
  • Settings are very basic and do not replace a robust patch management solution
  • Some settings have gone away for Windows 10 Professional with the Anniversary Update

With this discussion on Windows Update for Business complete, I will next explore the relationship between cumulative updates (patches) and branches.

Windows 10 Cumulative Updates Overview


With my previous article finishing the discussion on Windows 10 branch upgrades, I will now tackle Windows 10 cumulative updates or patching. Windows 10 patching is one of the biggest changes and challenges for enterprises as they roll out this operating system. Unlike older versions, Windows 10 has a new approach to patching with cumulative updates where granularity and size will have impacts on 3rd party application compatibility and general operating stability. This article will explore the changes and what to expect.

Cumulative Updates Versus Single Patches

The first thing to notice is the cumulative nature of the updates. Unlike previous versions of Windows, there are no individual patches. This is changing somewhat in October 2016 with Windows 7, 8.1, and Server 2012, but it is still not the same thing. Windows 10 cumulative updates contain all fix types and are additive from release to release, meaning each update includes all previous updates.

Security and Non-Security

Somewhat obscured is the fact that Windows 10 cumulative updates include both security and non-security patches. This may account for the size (see below). Documentation for the security fixes can still be found on the TechNet Security Bulletin webpage, while non-security fix documentation is less detailed in nature and is found on the Windows 10 Update History webpage.

3rd Party Application Impact

With the cumulative nature of Windows 10 updates, there will be 3rd party application compatibility issues. Most customers we speak with encounter issues with a patch a few times a year. Now with the cumulative updates, customers who encounter issues will need to make the difficult decision between application availability and security. This is because unlike the granular patches of the past, one must choose to apply or not apply an entire update. Should one choose to not apply one month’s update, the problem compounds as the next month’s update also cannot be applied. So instead of being exposed to one or two vulnerabilities fixed by a single patch, not applying a cumulative update would expose that system to a dozen or more vulnerabilities.

A recent example was the incompatibility of the Windows 10 January update with Citrix XenDesktop. In that case, the update would not even install if an incompatible version of XenDesktop was detected (for details see my article from our Shavlik blog). In this case, Citrix was able to create a fix in a few days and the update could then be applied.

Big and Growing

With Windows 10 cumulative updates comes size. As you can see from the tables below, updates are specific to a branch, grow massively over time, but do reset in size with the release of a new branch.

Windows 1507 Cumulative Update Sizes

Update      x86 Size (MB)   x64 Size (MB)
13-Sep-16   459.9           1020.7
9-Aug-16    367.0           776.0
12-Jul-16   330.2           699.6
14-Jun-16   320.7           680.1
10-May-16   315.8           664.4
12-Apr-16   314.0           661.1
8-Mar-16    292.1           624.3
9-Feb-16    286.6           612.4
12-Jan-16   278.5           596.5
8-Dec-15    270.1           580.0
10-Nov-15   234.8           515.2
13-Oct-15   223.2           496.6
18-Aug-15   184.4           367.7

Windows 1511 Cumulative Update Sizes

Update      x86 Size (MB)   x64 Size (MB)
13-Sep-16   550.5           1054.2
9-Aug-16    502.3           916.9
12-Jul-16   501.0           914.9
14-Jun-16   402.4           713.3
10-May-16   390.8           677.3
12-Apr-16   383.6           645.1
8-Mar-16    327.9           573.2
9-Feb-16    270.3           489.3
12-Jan-16   184.0           325.6
11-Dec-15   137.5           240.2
10-Nov-15   24.6            48.6

Windows 1607 Cumulative Update Sizes

Update      x86 Size (MB)   x64 Size (MB)

To help comprehend the size of the updates, here are a couple of stats for consideration:

  • The 1507 x64 cumulative update on September 13, 2016 is 177% larger than the first update released on August 18, 2015
  • The 1511 x64 cumulative update on September 13, 2016 is 2069% larger than the first update released on November 15, 2015
  • The total size of individual patches for Windows 8.1 x64 on September 13, 2016 was 84.3 MB. The corresponding sizes of Windows 10 x64 cumulative updates for 1507, 1511, and 1607 were 12.1, 12.5, and 5.1 times larger respectively
  • At the current growth rate, the 1511 x64 cumulative update could top 2 GB in size in early 2017
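The statistics above can be recomputed from the size tables, and doing so also shows how sensitive the "could top 2 GB" projection is to the growth model chosen. The script below is an added example, not code from the article or from LANDESK: the x64 series are constructed from the article's 1507 and 1511 tables, the 84.3 MB Windows 8.1 figure is the article's, and treating 2 GB as 2048 MB, assuming one release every 30.44 days, and the window and model choices are this example's own assumptions.

```python
"""Growth analysis of Windows 10 cumulative update sizes.

Added example; not code from the original article or from LANDESK.
The x64 sizes are constructed from the article's 1507 and 1511 tables
and the 84.3 MB Windows 8.1 figure is the article's. "2 GB" = 2048 MB,
the 30.44-day release cadence and the projection models are assumptions.
"""
import math
from datetime import date, timedelta

# (release date, x64 size in MB), oldest release first
SIZES_1507_X64 = [
    (date(2015, 8, 18), 367.7), (date(2015, 10, 13), 496.6),
    (date(2015, 11, 10), 515.2), (date(2015, 12, 8), 580.0),
    (date(2016, 1, 12), 596.5), (date(2016, 2, 9), 612.4),
    (date(2016, 3, 8), 624.3), (date(2016, 4, 12), 661.1),
    (date(2016, 5, 10), 664.4), (date(2016, 6, 14), 680.1),
    (date(2016, 7, 12), 699.6), (date(2016, 8, 9), 776.0),
    (date(2016, 9, 13), 1020.7),
]
SIZES_1511_X64 = [
    (date(2015, 11, 10), 48.6), (date(2015, 12, 11), 240.2),
    (date(2016, 1, 12), 325.6), (date(2016, 2, 9), 489.3),
    (date(2016, 3, 8), 573.2), (date(2016, 4, 12), 645.1),
    (date(2016, 5, 10), 677.3), (date(2016, 6, 14), 713.3),
    (date(2016, 7, 12), 914.9), (date(2016, 8, 9), 916.9),
    (date(2016, 9, 13), 1054.2),
]
WIN81_X64_PATCHES_MB = 84.3  # total of individual Windows 8.1 x64 patches, 13-Sep-16
DAYS_PER_RELEASE = 30.44     # assumption: one cumulative update per Patch Tuesday


def percent_larger(latest_mb, first_mb):
    """Percentage by which the latest update exceeds the first one."""
    return (latest_mb / first_mb - 1.0) * 100.0


def growth_per_release(series, window=1, compound=False):
    """Growth over the last `window` release intervals: MB added per
    release (linear) or size multiplier per release (compound)."""
    start_mb = series[-(window + 1)][1]
    end_mb = series[-1][1]
    if compound:
        return (end_mb / start_mb) ** (1.0 / window)
    return (end_mb - start_mb) / window


def releases_until(series, target_mb, window=1, compound=False):
    """Project how many further releases it takes to reach target_mb and
    the calendar date that implies. Returns (releases, date); the date is
    None when the observed trend never reaches the target."""
    latest_date, latest_mb = series[-1]
    if latest_mb >= target_mb:
        return 0.0, latest_date
    g = growth_per_release(series, window, compound)
    if compound:
        if g <= 1.0:
            return math.inf, None
        n = math.log(target_mb / latest_mb) / math.log(g)
    else:
        if g <= 0.0:
            return math.inf, None
        n = (target_mb - latest_mb) / g
    return n, latest_date + timedelta(days=round(n * DAYS_PER_RELEASE))


def summary():
    """The article's headline statistics, recomputed from the tables."""
    return {
        "1507_pct_larger_than_first": percent_larger(SIZES_1507_X64[-1][1], SIZES_1507_X64[0][1]),
        "1511_pct_larger_than_first": percent_larger(SIZES_1511_X64[-1][1], SIZES_1511_X64[0][1]),
        "1507_vs_win81": SIZES_1507_X64[-1][1] / WIN81_X64_PATCHES_MB,
        "1511_vs_win81": SIZES_1511_X64[-1][1] / WIN81_X64_PATCHES_MB,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:.1f}")
    for compound in (False, True):
        n, when = releases_until(SIZES_1511_X64, 2048, window=1, compound=compound)
        model = "compound" if compound else "linear"
        print(f"1511 x64 reaches 2 GB after ~{n:.1f} more releases ({model}), around {when}")
```

Recomputing gives 177.6% and 2069.1% for the two growth figures and 12.1 and 12.5 for the Windows 8.1 ratios, matching the article. The 2 GB projection depends on the model: extrapolating the last interval's growth linearly (about 137 MB per release) reaches 2048 MB in roughly seven more releases, around April 2017, whereas compounding the last interval's 15% per-release growth gets there in under five releases, around February 2017. When budgeting distribution capacity, state which model a projection uses and refresh it as each month's sizes arrive.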

Key Takeaways

As with previous articles, here are some key takeaways on Windows 10 Cumulative Updates:

  • Updates are cumulative making it near impossible to not apply a patch without creating significant risk
  • Updates include security and non-security fixes
  • 3rd party application compatibility will be a bigger issue in Windows 10 than previous versions of Windows
  • Cumulative updates start out big and become enormous over time

Now before you panic, be aware that I will cover how to address these challenges with process and LANDESK solutions. Before going down that path, let’s take a quick detour to discuss Windows Update for Business.

macOS Sierra and Safari 10 Security Updates


Today brings a new version of macOS (formerly known as Mac OS X formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 65 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because they are often used as the starting point to exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded in macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple speak for visiting bad websites or web ads may result in running malware. Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.


With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading Safari on all systems should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.

I.T.’s a Real Ditch Sometimes: Time to Make a Switch

I.T. can be a real ditch
if there’s a patching glitch.
Down in the trenches
amid all the stenches?
Time to make a switch.

Okay, I admit it. I love limericks. So much so that I’ve penned a few on the job about the world of I.T.

Take patch management for example. Even though patching and updating computers have been around for years, organizations of all sizes still struggle to patch systems effectively. Which provides some good grist to wax poetic.

Patching Is “Not a Solved Problem”

Whether computers are behind the firewall or remote, the challenge of patching the OS and applications in a timely fashion persists.

The US National Vulnerability Database, operated by the National Institute of Standards and Technology (NIST), says that as many as 86 percent of reported software vulnerabilities affect third-party applications, not operating systems. As IT environments become more heterogeneous, the vulnerabilities of third-party applications become larger threats to enterprise security and user productivity.

Whatever the mix of operating systems and applications in an environment, that environment needs protection from malefactors as well as from mistakes by legitimate users and system malfunctions.

At the October 2015 Gartner Symposium/ITxpo in Orlando, Florida, Marc van Zadelhoff, VP, IBM Security, presented on “Rethinking the Challenge of Security.” According to a Ponemon/IBM survey of some 200 customers who have been breached, “only 45 percent of the breaches are caused by malicious activities, and 55 percent are caused by mistakes, inadvertent errors [by legitimate users], or problems with systems—system glitches,” Zadelhoff said.

The challenges to delivering the protection IT environments and users need grow along with the heterogeneity of those environments. Perhaps the most pervasive example of the growth and evolution of that challenge is Microsoft’s Windows 10. With the release of that software, Microsoft replaced its traditional method of releasing patches and updates with a collective, “cumulative” approach. However, such an approach creates additional risk in some environments.

Controls Three and Four of the SANS “First Five”

Those who don’t possess effective methods for software updates open up serious vulnerabilities within their infrastructure.

In the John Pescatore-authored SANS white paper that you can download below, he writes that SANS has created a subset of the Center for Internet Security’s (CIS) Critical Security Controls, Version 6.0. This subset, known as the SANS “First Five”, delivers the highest payback in reducing risk from advanced targeted attacks:

  1. Software whitelisting
  2. Secure standard configurations
  3. Application security patching
  4. System security patching
  5. Minimization of administrative privileges

Let’s consider the third and fourth of the five controls, “Application security patching” and “System security patching,” and how the LANDESK and Shavlik family of solutions can help with continuous vulnerability assessment and remediation.

Application security patching

Patching operating systems is a common practice, but 86 percent of vulnerabilities attack third-party software not part of the OS. Shavlik® Patch™ for Microsoft System Center maximizes your organization’s investment in Microsoft System Center Configuration Manager (SCCM) to reduce security risks from unpatched non-Microsoft third-party applications. Shavlik delivers the latest software updates for hundreds of third-party apps, including Windows, Mac, and VMware.

Shavlik also offers several options to deliver software updates and ensure patch compliance, whether a system is on the network or air-gapped: agentless, agent-based, or cloud-based. It also performs hypervisor, offline virtual machine, and virtual template patching.

System security patching

LANDESK Security Suite scans for vulnerabilities that it can remediate with a patch and correlates its actions with vulnerability scanner output. Scan events are logged and can be audited. Vulnerability data is stored based on a first detection.

The LANDESK solution can also scan for vulnerabilities that it can remediate with a patch in authenticated mode with agents running locally. You can use a dedicated account. Role-based access controls ensure that only authorized employees have access.

Shavlik Empower is a cloud-based solution that delivers patch management for, and asset intelligence about, Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are. Shavlik Empower also produces reports that quickly highlight the status of your Windows and Mac devices, their third-party applications, and their patching profiles.

LANDESK assesses state and applies patches across the enterprise, allowing you to establish policies for when devices are patched, leveraging distribution technologies to reduce the impact on the network and disruption to the user. Rollout automation allows for an automated process from definition download through pilot and production rollout phases.

LANDESK uses multiple technologies to distribute patches quickly across the network. Integrated project rollout features can deploy patches at scale and at speed while optimizing bandwidth utilization and hardware resources. Risk rating is based on the vendor patch. Devices can be patched in and out of network.


Managing Windows 10 Branch Upgrades with LANDESK Part 1


In the last article, I finished the discussion on a Branch Upgrade Solution Architecture. Time to dive in and learn about managing Windows 10 branch upgrades with LANDESK solutions. As outlined, there are many elements of a solution architecture and I will proceed to map LANDESK products to that architecture.

Upgrade Education

As mentioned in previous articles, Windows 10 branch upgrades are disruptive. If someone has not experienced this before, they may do something stupid like powering off their computer in the middle of the upgrade process (never a good thing). A solid knowledge base article will go a long way to educate them. This is easily achieved in LANDESK Service Desk.

Here is a sample article you could use to communicate the upgrade process to users:

As you may be aware, Microsoft recently released an update for Windows 10 known as the Anniversary Update or version 1607. IT is currently testing this update and will begin rolling it out widely in December.

As with other Windows 10 updates, there will be disruption to your ability to work. IT is planning to launch the upgrade at noon when we expect you can step away from your computer. You will have the option to defer the upgrade if you fear it will be too disruptive to your work. We advise saving all documents and shutting down applications to minimize any potential loss of work.

When the upgrade begins, you will see the following screens. Do not power off your computer during any of the upgrade process.

Windows 10 Branch Upgrade Configuration Screen

Windows 10 Branch Upgrade Updating Screen

Once the upgrade is complete, you will need to login and wait for some additional configuration to occur. You will see the following:

Windows 10 Branch Upgrade Post Logon Screen 1

Windows 10 Branch Upgrade Post Logon Screen 2

Windows 10 Branch Upgrade Post Logon Screen 3

Windows 10 Branch Upgrade Post Logon Screen 1

Should you have any issues with the upgrade, please contact IT and we will promptly assist you.

Upgrade Communication

  • Pre-Upgrade Application Owners: Email is often the default method of communication, but there are other options. Using LANDESK Workspaces, application owners can be alerted to pending upgrades with a Notice Board message.

Windows 10 Upgrade Notice

  • Pre-Upgrade End Users: The obvious solution is to send an email (or series of emails) with the information listed in the example knowledge base article. With the LANDESK End User Workspace, that information can be accessible anywhere: web, desktop, or mobile device. Putting the information everywhere will increase the likelihood of users knowing about the upgrade beforehand.
  • Upgrade Launch: LANDESK Patch Manager allows user notification before the download and/or before the execution of a branch upgrade. This can be a last-minute opportunity to inform users of the process that will follow.
  • Post Upgrade: After an upgrade, users can submit issues or be notified of information via LANDESK End User Workspace.

LANDESK Workspace Incident

In the next article I will cover the second half of this discussion on how LANDESK can help in managing Windows 10 branch upgrades.

September 2016 Patch Tuesday

Here is the analysis for this month’s Patch Tuesday from Chris Goettl of our Shavlik team:

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October, Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post. This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year, we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post, I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen under the new model, and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is that exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for the Edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves five vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for Exchange Server that resolves three vulnerabilities. In reality, this update addresses more, as it includes the Oracle Outside In libraries, which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user-targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated Exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system: Flash Player itself plus the plug-ins for IE, Chrome, and Firefox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.

Originally published at
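The "proper privilege management" mitigation that the analysis above cites for MS16-104, MS16-105, MS16-107 and MS16-116 only helps if you know which users actually run as full administrators. The following PowerShell script is an added example for this page; it is not part of Chris Goettl's post or of any Shavlik or LANDESK product. It reports whether the current session holds an administrator token and which members of the local Administrators group fall outside an allow-list. The allow-list variable `$ExpectedAdmins` is a constructed placeholder baseline that you would replace with your own, and the script assumes the LocalAccounts module that ships with Windows PowerShell 5.1 on Windows 10.

```powershell
# Added example (not from the Shavlik post): audit local administrator rights
# so that the "privilege management" mitigation for user-targeted bulletins
# can be verified per machine rather than assumed.
#
# Assumptions: Windows PowerShell 5.1+ (Get-LocalGroupMember is in the
# LocalAccounts module) and an allow-list, $ExpectedAdmins, which is a
# constructed example value here and must be replaced with your baseline.

function Test-CurrentSessionElevated {
    # Returns $true when the running session carries the Administrators role,
    # i.e. an exploited process in this session would already have full rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnexpectedLocalAdmins {
    param(
        # Accounts or groups permitted in the local Administrators group,
        # in DOMAIN\name or COMPUTER\name form as Get-LocalGroupMember reports them.
        [string[]]$ExpectedAdmins
    )
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    # Anything not on the allow-list is a candidate for review: an ordinary
    # user sitting in Administrators removes the mitigation entirely.
    return $members | Where-Object { $ExpectedAdmins -notcontains $_.Name }
}

# Constructed baseline for the example; replace with your approved list.
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:USERDOMAIN\Domain Admins"
)

$unexpected = Get-UnexpectedLocalAdmins -ExpectedAdmins $ExpectedAdmins

# Emit a single object per machine so results can be collected centrally
# (for example piped to Export-Csv) and used when weighing patch exceptions.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SessionElevated  = Test-CurrentSessionElevated
    UnexpectedAdmins = ($unexpected | ForEach-Object { $_.Name }) -join ';'
}
```

Run the script under the account being assessed; `SessionElevated` tells you whether that session already has full rights, and a non-empty `UnexpectedAdmins` field flags machines where an exception for one of this month's user-targeted bulletins carries more risk than the mitigation suggests.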

Shavlik Protect Wins Gold Award for Security at VMworld 2016

This just in! Our amazing team at Shavlik Protect just won the Gold Award of VMworld 2016 for the Security category from TechTarget!

While the win is not a complete surprise—it was wholeheartedly deserved, after all—here we’ll break down our perspective on why Shavlik took home the award.

Emphasis on virtualization

Chris Goettl, Sr. Product Manager for Shavlik Protect

Virtualization was one of the hottest topics at VMworld 2016, and it also happens to be one of the greatest strengths of Shavlik Protect. Data centers are constantly choosing Shavlik for its ability to seamlessly patch virtual environments.

Some of the features offered in regards to patching virtual environments include:

  • Virtual machine template patching
  • Online and offline virtual machine patching
  • VMware vCenter integration
  • VMware ESXi Hypervisor patching
  • Snapshot critical assets for superior rollback

Third-party patching

Many organizations make the mistake of only focusing on their OS, forgetting that third-party applications can also create system vulnerabilities.

Shavlik provides an immense catalog of third-party applications which is always expanding to include new products and updated versions.

Security foundation with patch management

Today’s security landscape is filled with all kinds of new and flashy products that promise protection from today’s latest threats.

But many organizations are overlooking the basic simplicity and efficiency of patch management. A robust patch tool doesn’t just eliminate vulnerabilities, it also eliminates the threats that target those vulnerabilities.

Go agentless

Shavlik’s agentless capabilities are great for many reasons:

  • Minimize impact to server workloads
  • Assess and deploy patches
  • New virtual systems are never missed

Add water and stir

Software for the enterprise has had a bad rap for being difficult to configure and install. Shavlik’s engineers have put a lot of effort into making sure their product is not only installed properly, but is also scanning for patches and deploying patches in half an hour or less. This might sound too simplistic, but trust us, Shavlik Protect has the capability to work in large and complex environments.

Try it for yourself and you’ll quickly see why Shavlik Protect won the Gold Award of VMworld 2016 for the Security category!