Managing Windows 10 Branch Upgrades with LANDESK Part 2

Managing-Windows-10-Updates

In the previous article, I explore the first part of how LANDESK can help with Windows 10 branch upgrades through pre-upgrade education and communications. In this the second part, I will discuss how LANDESK solutions manage Windows 10 branch upgrades with the solution preparation, rollout, and issue management.

Solution Preparation

  • Upgrade Readiness: The large size of branch upgrades elevates the need to monitor free disk space. Using LANDESK Management Suite’s inventory capabilities, one can periodically review a report to see who is running out of space.

 12 - Free Disk Space

If a manual report is a hassle, alerts can also be generated to automatically prompt for action.

Free Disk Space Alerts

  • Targeting: LANDESK Patch Manager will inventory hardware, software, branch types (Current Branch or Current Branch for Business), and Active Directory users and groups to use in targeting of branch upgrades. This targeting becomes particularly valuable when used for staged rollouts (see more in next section).
  • Distribution: With the need to push large upgrade files, a robust software distribution capability is a must. LANDESK Patch Manager has numerous capabilities for distributing branch upgrades efficiently across your network including:
    • Targeted multicasting
    • Peer-to-peer downloading
    • Bandwidth throttling
    • Distribution servers
    • Checkpoint restart
  • Off-Network Systems: How many of your enterprise clients are off the corporate network at any given time? With so many employees who work remotely or travel, the LANDESK Cloud Services Appliance enables management of systems without a VPN. Using a virtual or physical appliance, the Cloud Services Appliance can enable branch upgrades to occur anywhere.

Upgrade Rollout with LANDESK Patch Manager

Having a methodical rollout process is critical in large enterprises. The version 2016 release of LANDESK Patch Manager includes a new capability, Rollout Projects, for systematically rolling out patches or branch upgrades. Rollout projects is ideal for automating the deployment and execution of branch upgrades to specific groups of computers in a specific order.

LANDESK Patch Manager Rollout Projects

As part of the automation, each step can have exit criteria before moving on. Such exit criteria include:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to prevent issues from spreading to the next phase.

Issue Management

Addressing service issues related to branch upgrades can be achieved with LANDESK Service Desk where incidents can be tracked, problems managed, and service levels measured. Unlike most service management tools, Service Desk’s integration with LANDESK Management Suite enables service management to include taking actions such as remote assistance when users need help with upgrade issues, system reimaging when upgrades go bad, or software upgrades to maintain compatibility with branch upgrades. This combination of capabilities comes together in LANDESK Workspaces for the IT Analyst where a user and their devices can be found and actions applied such as remote control or installation of software.

LANDESK Workspace - End User Assistance

Key Takeaways

As usual here are some key points to remember:

  • Windows 10 branch upgrades are complex and LANDESK helps automate this process
  • LANDESK Service Desk gives end to end service management before, during, and after the upgrades
  • LANDESK Patch Manager automates phased upgrades with network-sensitive distribution and intelligent targeting
  • LANDESK Management Suite helps prepare for upgrades and address issues should they arise

This concludes the discussion on branch upgrades. I will next proceed with a series of articles on patching in Windows 10.

September 2016 Patch Tuesday

September 2016 Patch Tuesday

Here is the analysis for this month’s Patch Tuesday from Chris Goettl of our Shavlik team:

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things to don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves fives vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for exchange server that resolves three vulnerabilities. In reality, this update addresses more, as it includes Oracle Outside in Libraries which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system. Flash Player and plug-ins for IE, Chrome, and FireFox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.

Originally published at http://blog.shavlik.com/september-patch-tuesday-2016/

Windows 10 and Enterprises: Top Reasons They Won’t Make the Switch

Businessman working at desk in officeThere is no denying the success of Windows 10; it has had a great adoption rate, surpassing the adoptions of both Windows 8 and Windows 8.1.

But as with everything in life, the data gets more interesting as you delve into some of the finer points.

The two factors that have really helped accelerate the adoption of Windows 10 are the return of the start menu and the free upgrade.

So the question is, who is adopting Windows 10 and who isn’t?

Softchoice has published statistics on their customer base, some of which are:

  • Less than one percent of devices in 169 North American companies are using Windows 10.
  • 91 percent of systems are running Windows 7—an 18 percent increase over last year.

Additional data from both StatCounter and Netmarketshare show that the percentage of Windows 10 devices on the internet tends to spike over the weekend, indicating that consumers have been the largest users of Windows 10 and that many enterprises have not started the migration yet.

What are the main IT concerns and how are the migrations going? 

Spiceworks conducted a survey with results from over 900 IT professionals. The data revealed something very interesting:

  • 85 percent of companies that have deployed Windows 10 are generally satisfied, but Windows 7 is still getting higher end-user satisfaction.

Companies that had started adopting Windows 10 were asked to list their top challenges. Compatibility of software and hardware, as well as migration time, were listed as the biggest challenges.

What is stopping enterprises from migrating?

Over the past year, we have had many discussions with enterprise companies about their plans, concerns, and expectations. It seems that the IT professionals have been correct in identifying the biggest challenges, wins, and roadblocks companies are facing.

The recurring themes that we have heard from IT regarding the adoption of Windows 10 involve application compatibility, migration issues, and Windows updates. The larger enterprises always face the most compatibility issues; they know this and are always having to work to limit the risks in this area.

According to the Spiceworks survey, 62 percent of companies had not started any Windows 10 implementations. Top reasons companies are delaying include the fact that many of them are satisfied with current OS, they are concerned about compatibility issues, and they want control over Windows updates.

There is also a common theme of how to make sure the end-user is satisfied with their computing experience and that they can be productive.

Windows cumulative update model

The cumulative update model of Windows has been discussed, namely, how it increases the application compatibility risks.

Enterprises will be forced to choose between not patching or having an application broken due to the patch for at least 30 days if Microsoft has to make the change or until a third-party vendor can make a change.

This discussion has caused many IT professionals great concern and has impeded many people’s decision to move to Windows 10. An interesting twist was announced last week, that Windows 7 and 8.1 will be moved to this patch model in October.

Does this refuel the Windows 10 migrations or does it just add an additional application testing tax on IT departments that will slow the adoption of patches?

Clearly, the above data shows that IT professionals in the enterprise are approaching Windows 10 with caution and concerns.

Blog-CTA-Whitepaper-527x150