Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates

Managing-Windows-10-Updates

The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice between security and availability: security in the sense of eliminating the risk of known vulnerabilities through patching, and availability in the sense that an application or Windows 10 feature only works when an update isn’t applied. Enterprises will need to plan Windows 10 security mitigations for the cases where applying cumulative updates isn’t an option.

Bad Patches

Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied they break functionality in Windows or 3rd party applications. Sometimes Microsoft needs to fix something, and sometimes a 3rd party vendor does (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straightforward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or 3rd party software to be released, apply the improved patch or software and move forward.

Windows 10 Security Mitigations

With cumulative updates, selectively applying patches is over. Rather than fretting over the situation, there are a number of mitigations that can be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald wrote a report on Best Practices for Secure Use of Windows XP After Support Ends to address the problem of not being able to patch vulnerabilities that would continue to be found. Many of these practices can be used with Windows 10 for the situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with LANDESK solutions.

Restrict Network Connectivity to the Minimum Possible

This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. LANDESK Security Suite can limit network connectivity through Windows firewall management or the LANDESK firewall.

Whitelisting

Whitelisting is a very effective method of securing a system as it stops unauthorized applications from running. LANDESK Security Suite and our recently acquired AppSense Application Manager both provide industry leading whitelisting with plans to blend both capabilities in future product releases.

Remove Administrative Rights

Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations from such an action often stop organizations from taking this step. Privilege management software, including AppSense Application Manager, can be used to grant privileges to applications that need them so users can use non-administrative accounts. On the reverse, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.

Address the Most Common Attack Vectors — Web Browsing and Email

There are a number of things that go into securing web browsing and email. Neil mentions the following controls:

  • Patch Management: As discussed in my previous article, 3rd party patch management is a strength of LANDESK Patch Manager
  • Containerization: there are a number of solutions that use technology to isolate applications, including our partner Bufferzone. With these solutions, attacks are contained to that application and are unable to spread to the operating system or other applications.

Keep the Rest of the Software Stack Updated Where Possible, Including Office

Can I get one more amen for patch management? Enough said.

Use an IPS to Shield Systems from Attack

LANDESK Security Suite includes a Host Intrusion Prevention component to address behavior-based attacks and apply file protection rules. Add to that, LANDESK Antivirus brings an industry leading antimalware engine.

Disable USB Ports and CD/DVD Drives

Often malware is introduced through removable media. LANDESK Security Suite provides device control to disable external media devices, make them read-only, and/or shadow copy files that move across those devices.
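The controls in the sections above (restricted network connectivity, whitelisting, no administrative rights, an active antimalware engine, and blocked removable media) are only a mitigation if they are actually in effect on the unpatched system. The following read-only audit script is an added example, not LANDESK code, that checks each of them on a single Windows 10 host with built-in PowerShell cmdlets. It assumes PowerShell 5.1 on Windows 10 (Get-NetFirewallProfile, Get-LocalGroupMember, Get-MpComputerStatus and the AppLocker module are available) and the documented policy registry path for removable storage; the antimalware check reads the built-in Defender status, so substitute your own engine’s status query if you run a different product.

```powershell
# Added example (not LANDESK's code): read-only audit of the compensating controls discussed above.
# Assumes Windows 10 with PowerShell 5.1; run elevated for complete results.

function Test-MitigationPosture {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Restrict network connectivity: every firewall profile enabled with a default inbound Block
    foreach ($fw in Get-NetFirewallProfile) {
        $ok = ("$($fw.Enabled)" -eq 'True') -and ("$($fw.DefaultInboundAction)" -eq 'Block')
        $findings.Add([pscustomobject]@{
            Control = "Firewall profile $($fw.Name)"
            Pass    = $ok
            Detail  = "Enabled=$($fw.Enabled) DefaultInbound=$($fw.DefaultInboundAction)"
        })
    }

    # 2. Whitelisting: AppLocker executable rules present and enforced (AuditOnly does not block anything)
    $policy  = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $exeColl = if ($policy) { $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' } }
    $mode    = if ($exeColl) { "$($exeColl.EnforcementMode)" } else { 'NotConfigured' }
    $findings.Add([pscustomobject]@{
        Control = 'AppLocker Exe rules'
        Pass    = ($mode -eq 'Enabled')
        Detail  = "EnforcementMode=$mode"
    })

    # 3. Remove administrative rights: flag members of the local Administrators group other than the
    #    built-in Administrator (RID 500). S-1-5-32-544 is the group's well-known SID.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
    $extra  = @($admins | Where-Object { $_.SID.Value -notlike '*-500' })
    $findings.Add([pscustomobject]@{
        Control = 'Local Administrators membership'
        Pass    = ($extra.Count -eq 0)
        Detail  = if ($extra.Count -gt 0) { ($extra.Name -join ', ') } else { 'only the built-in Administrator' }
    })

    # 4. Host protection: antimalware engine with real-time protection running (built-in Defender status)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Control = 'Antimalware real-time protection'
        Pass    = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
        Detail  = if ($mp) { "AntivirusEnabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled)" } else { 'status unavailable' }
    })

    # 5. Removable media: the "All Removable Storage classes: Deny all access" policy is in effect
    $rsd     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $rsd -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $findings.Add([pscustomobject]@{
        Control = 'Removable storage denied'
        Pass    = ($denyAll -eq 1)
        Detail  = "Deny_All=$denyAll"
    })

    return $findings
}

Test-MitigationPosture | Format-Table Control, Pass, Detail -AutoSize
```

Any row with Pass = False is a control that is not compensating for the missing update on that host. A device-control product that blocks media at the driver level (as the LANDESK device control described above does) will not set the Deny_All policy value, so treat check 5 as a check of the Windows policy only.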

Key Takeaways

Here are some points to remember and share:

  • Expect Windows 10 cumulative updates to occasionally break features or 3rd party applications
  • Selective application of patches is no longer an option with Windows 10
  • Build out a strategy of security mitigations when applying the cumulative update isn’t feasible

The article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful and I wish you great success with Managing Windows 10 updates.

Managing Windows 10 Cumulative Updates with LANDESK

Managing Windows 10 cumulative updates with LANDESK leverages years of features and expertise in patch management. LANDESK Patch Manager provides automated assessment and targeting, robust network-sensitive update distribution, third-party patching, and custom patch definitions, all of which make up a comprehensive solution for Windows 10 patch management. This article will explore the capabilities in LANDESK Patch Manager that address Windows 10 cumulative updates.

Automated Assessment and Targeting

LANDESK Patch Manager provides content to identify computers missing cumulative updates and then target those computers for automated or approved remediation. Content is specific to Windows 10 branches which enables proper targeting of cumulative updates to the appropriate computers.

16 - Windows 10 Update Definitions

Update Distribution

As detailed in my Windows 10 Cumulative Updates Overview, the large size of the updates is one of the biggest challenges that enterprises will need to address. The challenge of distributing these large packages, at least monthly, requires strong software distribution capabilities. LANDESK Patch Manager leverages best in industry distribution capabilities to quickly push packages while minimizing the impact on the network. Such capabilities include:

  • Targeted multicasting: efficiently distributes packages to multiple computers through network-efficient communications.
  • Peer-to-peer downloading: peer-to-peer technology enables computers on the same subnet to share packages, eliminating the need to communicate across slow links or overwhelm a single server.
  • Bandwidth throttling: throttling limits the amount of traffic a computer uses to preserve network capacity for other communications.
  • Distribution servers: Distribution servers can be designated to host packages in different locations so updates only need to be downloaded once across slow WAN links that connect remote sites to a central datacenter.
  • Checkpoint restart: nothing is more annoying than having to restart a download. With automated checkpoint restart, package downloads can continue where they left off if a system gets disconnected.

Third-Party Application Patching

I continue to be shocked when I speak with enterprises who are not patching their third-party applications. Some are painfully packaging applications for distribution one update at a time, while many others are doing nothing. If there is one thing to be learned from Windows 10 cumulative updates, it is that 3rd party application compatibility is at continuous risk and the need to update such applications rapidly is more important than ever. With LANDESK Patch Manager, thousands of common third-party applications are analyzed to create content that enables silent detection and update of such applications.

Custom Application Patching

For those applications not in our extensive catalog, there is also the option to create a custom definition to detect and update the application. This capability can be particularly beneficial for internally developed applications which will also be under compatibility pressure with Windows 10 updates.

Systematic Rollout of Cumulative Updates

In my previous article on using LANDESK for Branch Upgrades, I discussed the use of the Rollout Projects feature to systematically deploy branches. The same feature can be used to deploy Windows 10 Cumulative Updates (as well as any other update, branch, or software package). Rollout Projects automate the assessment, distribution, and installation of updates to groups of computers in a predefined order.

16 - Patch Rollout Projects

Steps can be defined to sequence different rollout groups for a measured approach to updates. Each step can have exit criteria that must be met before moving on to the next step. Exit criteria include:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to stop rollout issues from spreading.

16 - Patch Exit Criteria

Key Takeaways

LANDESK Patch Manager solves the challenge of managing Windows 10 cumulative updates through:

  • Automated identification of vulnerable Windows 10 computers
  • Network-sensitive update distribution
  • Extensive catalog of third-party application patching
  • Custom patch definition
  • Systematic project-style roll out of patches

In the next and final article in this series, I will explore security mitigations for when you can’t apply Windows 10 cumulative updates.

Windows 10 Cumulative Updates and Branches

Windows 10 cumulative updates and branches have a critical relationship. Failing to understand the branch lifecycle can create risk for any patch management program. Much of this article will be a rehash of previous articles I’ve written on Windows 10 branch upgrade management, but it is so important to understand this relationship that I’m going to cover this topic again with an angle on the impact to cumulative updates.

Windows 10 Branch Lifecycle

From the time that a new branch is released, there is a minimum lifecycle of 18 months broken down in the following phases:

  • General Availability (GA) with Current Branch
  • Current Branch for Business declared at least 4 months after GA
  • Grace period begins at least 16 months after GA and lasts for 60 days
  • Once grace period is complete, new cumulative updates are not released for that branch

Let me repeat that last point: once a branch has finished the grace period, there will be no more patches. Here’s a visualization of this lifecycle:

Windows-10-Patch-Support-Life

An Update for Every Branch

As mentioned in my Windows 10 Cumulative Updates Overview, there are distinct update packages for each branch. To date, there is one for 1507, 1511, and 1607. Each package only installs on that specific branch – this is how support will likely be curtailed for older branches.

15 - Cumulative Update Does Not Apply

As to the size, cumulative updates are generally smaller for newer branches as fixes are rolled into the branch upgrade.

Triggering Events

Current Branch for Business

This milestone signifies that a branch is at a higher level of quality, and it begins with Microsoft declaring a cumulative update that distinguishes the branch as Current Branch for Business. Only branch 1511 has gone through the Current Branch for Business declaration event. In that case, Current Branch for Business was simply the combination of the GA 1511 release and the March 2016 cumulative update, meaning that ongoing updates give Current Branch systems the same level of stability as those that waited and applied the Current Branch for Business upgrade.

Grace Period

Based on various articles and conversations with Microsoft, we believe the Grace Period for the oldest branch (latest branch – 2) will begin when the latest branch reaches Current Branch for Business. There is a lot of potential variability here as the declaration of Current Branch for Business for 1511 occurred in early April 2016, but didn’t reach Windows Update until late May.

End of Support

Once the Grace Period is complete, there are no more patches for that branch. With the exception of the Long-Term Servicing Branch version of Windows 10, this means systems will need to be upgraded as frequently as every 18 months.

Deconstructing a Branch Lifecycle

To date, no branch (including the original 1507) has gone through the entire lifecycle that Microsoft has outlined. Here is a table outlining the three Windows 10 branches to date and their lifecycle milestones with some estimated dates for future milestones.

Milestone                     1507             1511               1607
Current Branch Availability   July 29, 2015    November 12, 2015  August 2, 2016
Current Branch for Business   July 29, 2015    April 8, 2016      December 2016*
Grace Period Begins           December 2016*   Unknown            Unknown
Grace Period Ends             February 2017*   Unknown            Unknown

* Estimated dates
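The lifecycle phases listed above (Current Branch for Business at least 4 months after GA, the grace period beginning at least 16 months after GA and lasting 60 days) give a floor for each milestone that a patch program can plan against before Microsoft publishes the actual dates. The script below is an added example, not code from the article, that computes those earliest-possible dates from a branch’s GA date and flags branches that fall within a planning lead time of their earliest end of updates. The GA dates are taken from the table above and embedded as a constructed input list; `Get-BranchLifecycle`, `Test-BranchNearEndOfUpdates` and the `$LeadDays` parameter are names chosen for this example.

```powershell
# Added example (not from the original article): earliest-possible lifecycle milestones for a
# Windows 10 branch, derived from the minimum intervals stated in the article.

function Get-BranchLifecycle {
    param(
        [Parameter(Mandatory)][string]$Branch,
        [Parameter(Mandatory)][datetime]$GeneralAvailability
    )
    # Minimum intervals: CBB >= GA + 4 months; grace period >= GA + 16 months, 60 days long
    $cbb        = $GeneralAvailability.AddMonths(4)
    $graceStart = $GeneralAvailability.AddMonths(16)
    $graceEnd   = $graceStart.AddDays(60)
    [pscustomobject]@{
        Branch               = $Branch
        GeneralAvailability  = $GeneralAvailability
        EarliestCBB          = $cbb
        EarliestGraceStart   = $graceStart
        EarliestEndOfUpdates = $graceEnd          # no new cumulative updates after this date at the earliest
        MinimumLifetimeDays  = ($graceEnd - $GeneralAvailability).Days
    }
}

function Test-BranchNearEndOfUpdates {
    param(
        [Parameter(Mandatory)][string]$Branch,
        [Parameter(Mandatory)][datetime]$GeneralAvailability,
        [datetime]$AsOf = (Get-Date),
        [int]$LeadDays = 90                       # how much runway you want before updates stop
    )
    $lc       = Get-BranchLifecycle -Branch $Branch -GeneralAvailability $GeneralAvailability
    $daysLeft = ($lc.EarliestEndOfUpdates - $AsOf).Days
    [pscustomobject]@{
        Branch               = $Branch
        EarliestEndOfUpdates = $lc.EarliestEndOfUpdates.ToString('yyyy-MM-dd')
        DaysUntilEarliestEnd = $daysLeft
        UpgradeNow           = ($daysLeft -le $LeadDays)
    }
}

# Constructed input: GA dates from the table above (ISO format parses regardless of culture)
$branches = @(
    @{ Branch = '1507'; GA = [datetime]'2015-07-29' }
    @{ Branch = '1511'; GA = [datetime]'2015-11-12' }
    @{ Branch = '1607'; GA = [datetime]'2016-08-02' }
)

$branches |
    ForEach-Object { Get-BranchLifecycle -Branch $_.Branch -GeneralAvailability $_.GA } |
    Format-Table Branch, GeneralAvailability, EarliestCBB, EarliestGraceStart, EarliestEndOfUpdates, MinimumLifetimeDays -AutoSize

# Planning view as of a chosen date (constructed): which branches need an upgrade scheduled now?
$branches |
    ForEach-Object { Test-BranchNearEndOfUpdates -Branch $_.Branch -GeneralAvailability $_.GA -AsOf ([datetime]'2016-10-01') -LeadDays 120 } |
    Format-Table -AutoSize
```

The computed dates are floors, not declarations: the table above shows 1507 being Current Branch for Business on its GA date, and the 1511 declaration landing later than the 4-month minimum, so use the actual milestones once Microsoft announces them and the computed values only to size the upgrade window in advance.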

Upgrade Your Branches or…

With this new continuous update model, businesses must have a plan to continuously update to newer branches to be able to apply the latest security fixes. As I discussed in earlier articles, there is a whole strategy to this (see Windows 10 Branch Upgrade Strategy). If upgrading systems is an issue, one option is to consider using Windows 10 Long-Term Servicing Branch (LTSB), which will have a patch support lifecycle of 10 years.

Key Takeaways

Here are the points to remember from this article:

  • Cumulative updates are specific to branch versions
  • Branches have a lifecycle as short as 18 months
  • If you can’t keep up with branch upgrades, consider Windows 10 LTSB version

With this discussion on the relationship between cumulative updates and branches finished, I will next discuss managing Windows 10 cumulative updates with LANDESK Patch Manager.

Windows Update for Business

When Windows 10 launched, there was talk of a new update mechanism known as Windows Update for Business (WUB). What sounded like a new platform ended up being a set of policy settings to configure Windows 10. Let’s explore some of these settings and how you can use them in your enterprise.

Windows Update for Business Is… Just a Bunch of New Policy Settings

Some of the initial press around Windows Update for Business could lead you to think that a new update platform or product was in the works. The reality is that Windows Update for Business is simply additional policy settings that you can configure with Group Policy Objects or any other comparable tool.

The other point, when you look closely, is that these settings are just an extension of those in previous versions of Windows found under the Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Before diving into the new settings, look at one of the most important settings that has existed for previous versions of Windows.

Configure Automatic Updates via Policy Only

With Windows 10, you can no longer configure update settings in the Control Panel. These settings are available in the policy only – unless you are on Windows 10 Professional with the Anniversary Update branch (1607).

The new settings specific to Windows 10 include:

  • Turn off auto-restart for updates during active hours
  • Do not include drivers with Windows Updates
  • Defer Upgrades and Updates (only with 1507 and 1511 branches)
  • Select when Feature Updates are received (new with the Anniversary Update)
  • Select when Quality Updates are received (new with the Anniversary Update)

Turn off auto-restart for updates during active hours

This setting prevents Windows from restarting for up to 12 hours. Good for the grumpy business user who hates restarting during work.

Do not include drivers with Windows Updates

Fairly self-explanatory, this setting prevents Windows Update from applying driver updates with the monthly patches, also known as cumulative updates, also known as quality updates.

Defer Upgrades and Updates (Windows 10 1507 and 1511)

In the first two branches of Windows 10, this setting lets you defer branch upgrades for up to 8 months. With the Anniversary Update, this setting disappeared and was replaced by the two settings below.

14 - Windows Update for Business - Windows 10 Anniversary Update

Select when Feature Updates are received

Feature Updates are Microsoft speak for branch upgrades (one wonders why they didn’t just call this setting Branch Upgrades). With this setting, the computer can be configured to use Current Branch or Current Branch for Business with a deferral up to 180 days.

Select when Quality Updates are received

Quality Updates refer to the monthly (sometimes more frequent) cumulative updates, also known as patches, that are typically released on Patch Tuesday, the second Tuesday of the month. Again, it’s surprising that they used a name that isn’t well understood. With this setting, updates can be deferred for up to 35 days.
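Because Windows Update for Business is only policy, every setting above ends up as a value under the Windows Update policy registry key that Group Policy, MDM or any comparable tool writes. The script below is an added example, not from the article or from LANDESK, that reads those values back and applies a Current Branch for Business configuration with the deferral limits the article states (180 days for feature updates, 35 for quality updates, a 12-hour active-hours window). The value names (BranchReadinessLevel, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays, ExcludeWUDriversInQualityUpdate, SetActiveHours, ActiveHoursStart, ActiveHoursEnd, and AUOptions under the AU subkey) are the ones Microsoft documents for the 1607 policies; verify them against the ADMX for your build. `Get-WufbPolicy` and `Set-WufbPolicy` are names chosen for this example.

```powershell
# Added example (not the article's or LANDESK's code): inspect and set the policy values behind
# Windows Update for Business. Run elevated; on a domain-joined machine a GPO will overwrite these
# values at the next policy refresh, so use this for lab validation or for unmanaged devices.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WufbPolicy {
    # Returns the configured values ($null where a setting is not configured)
    $p  = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuPolicy\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BranchReadinessLevel    = $p.BranchReadinessLevel             # 16 = Current Branch, 32 = Current Branch for Business
        DeferFeatureUpdatesDays = $p.DeferFeatureUpdatesPeriodInDays  # 0..180 (branch upgrades)
        DeferQualityUpdatesDays = $p.DeferQualityUpdatesPeriodInDays  # 0..35 (cumulative updates)
        ExcludeDrivers          = $p.ExcludeWUDriversInQualityUpdate  # 1 = do not include drivers
        ActiveHoursStart        = $p.ActiveHoursStart                 # hour 0..23
        ActiveHoursEnd          = $p.ActiveHoursEnd                   # hour 0..23
        AUOptions               = $au.AUOptions                       # classic "Configure Automatic Updates" value
    }
}

function Set-WufbPolicy {
    param(
        [ValidateSet('CurrentBranch', 'CurrentBranchForBusiness')][string]$Branch = 'CurrentBranchForBusiness',
        [ValidateRange(0, 180)][int]$DeferFeatureDays = 30,
        [ValidateRange(0, 35)][int]$DeferQualityDays = 7,
        [switch]$ExcludeDrivers,
        [ValidateRange(0, 23)][int]$ActiveHoursStart = 8,
        [ValidateRange(0, 23)][int]$ActiveHoursEnd = 18
    )
    # The no-restart window is limited to 12 hours on 1607 (per the article); reject longer spans
    $span = ($ActiveHoursEnd - $ActiveHoursStart + 24) % 24
    if ($span -gt 12) { throw "Active hours span of $span h exceeds the 12 h maximum" }

    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }
    $level  = if ($Branch -eq 'CurrentBranch') { 16 } else { 32 }
    $values = @{
        BranchReadinessLevel            = $level
        DeferFeatureUpdates             = 1                 # enable the feature-update deferral
        DeferFeatureUpdatesPeriodInDays = $DeferFeatureDays
        DeferQualityUpdates             = 1                 # enable the quality-update deferral
        DeferQualityUpdatesPeriodInDays = $DeferQualityDays
        ExcludeWUDriversInQualityUpdate = [int]$ExcludeDrivers.IsPresent
        SetActiveHours                  = 1
        ActiveHoursStart                = $ActiveHoursStart
        ActiveHoursEnd                  = $ActiveHoursEnd
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $WuPolicy -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
    Get-WufbPolicy
}

# Before: whatever is configured (all $null on a fresh machine means "always update" defaults)
Get-WufbPolicy | Format-List

# After: CBB, 30-day feature deferral, 7-day quality deferral, no drivers, active hours 08:00-18:00
Set-WufbPolicy -Branch CurrentBranchForBusiness -DeferFeatureDays 30 -DeferQualityDays 7 -ExcludeDrivers | Format-List
```

A useful habit is to run `Get-WufbPolicy` on a sample of machines after a policy change and compare the result with what the GPO is supposed to set; a $null where a value is expected usually means the policy never applied to that device.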

Sorry Windows 10 Professional

One of the changes in the Anniversary Update is the loss of policy settings for Windows 10 Professional. Settings that can no longer be managed on Windows 10 Professional include:

  • Turning off Microsoft consumer experiences
  • Do not show Windows Tips
  • Not showing the Lock Screen
  • Disabling apps from Windows Store

See the ghacks.net article and the Microsoft TechNet article for details.

Summary

Far from a replacement for patch management, Windows Update for Business offers new settings that complement a comprehensive patch management strategy. You should leverage these settings to keep enterprise deployments of Windows 10 consistent as the default is always “update”. As a best practice, use these settings to configure systems on Current Branch or Current Branch for Business to prevent the end user from doing whatever they want.

Key Takeaways

Here are the key points to share with your boss and peers:

  • Windows Update for Business (WUB) is simply a few additional update settings
  • Settings are very basic and do not replace a robust patch management solution
  • Some settings have gone away for Windows 10 Professional with the Anniversary Update

With this discussion on Windows Update for Business complete, I will next explore the relationship between cumulative updates (patches) and branches.

Windows 10 Cumulative Updates Overview

With my previous article finishing the discussion on Windows 10 branch upgrades, I will now tackle Windows 10 cumulative updates or patching. Windows 10 patching is one of the biggest changes and challenges for enterprises as they roll out this operating system. Unlike older versions, Windows 10 has a new approach to patching with cumulative updates where granularity and size will have impacts on 3rd party application compatibility and general operating stability. This article will explore the changes and what to expect.

Cumulative Updates Versus Single Patches

The first thing to notice is the cumulative nature of the updates. Unlike previous versions of Windows, there are no individual patches. This is changing somewhat in October 2016 for Windows 7, 8.1, and Server 2012, but it is still not the same thing. Windows 10 cumulative updates contain all fix types and are additive from release to release, meaning each update includes all previous updates.

Security and Non-Security

Somewhat obscured is the fact that Windows 10 cumulative updates include both security and non-security patches. This may account for the size (see below). Documentation for the security fixes can still be found on the TechNet Security Bulletin webpage, while the non-security fix documentation is less detailed and is found on the Windows 10 Update History webpage.

3rd Party Application Impact

With the cumulative nature of Windows 10 updates, there will be 3rd party application compatibility issues. Most customers we speak with encounter issues with a patch a few times a year. Now with the cumulative updates, customers who encounter issues will need to make the difficult decision between application availability and security. This is because unlike the granular patches of the past, one must choose to apply or not apply an entire update. Should one choose to not apply one month’s update, the problem compounds as the next month’s update also cannot be applied. So instead of being exposed to one or two vulnerabilities fixed by a single patch, not applying a cumulative update would expose that system to a dozen or more vulnerabilities.

A recent example was the incompatibility of the Windows 10 January update with Citrix XenDesktop. In that case, the update would not even install if an incompatible version of XenDesktop was detected (for details see my article on our Shavlik blog). Citrix was able to create a fix in a few days, and the update could then be applied.

Big and Growing

With Windows 10 cumulative updates comes size. As you can see from the tables below, updates are specific to a branch, grow massively over time, but do reset in size with the release of a new branch.

Windows 1507 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 459.9 1020.7
9-Aug-16 367.0 776.0
12-Jul-16 330.2 699.6
14-Jun-16 320.7 680.1
10-May-16 315.8 664.4
12-Apr-16 314.0 661.1
8-Mar-16 292.1 624.3
9-Feb-16 286.6 612.4
12-Jan-16 278.5 596.5
8-Dec-15 270.1 580.0
10-Nov-15 234.8 515.2
13-Oct-15 223.2 496.6
18-Aug-15 184.4 367.7

Windows 1511 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 550.5 1054.2
9-Aug-16 502.3 916.9
12-Jul-16 501.0 914.9
14-Jun-16 402.4 713.3
10-May-16 390.8 677.3
12-Apr-16 383.6 645.1
8-Mar-16 327.9 573.2
9-Feb-16 270.3 489.3
12-Jan-16 184.0 325.6
11-Dec-15 137.5 240.2
10-Nov-15 24.6 48.6

Windows 1607 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 255.4 431.1
9-Aug-16 63.7 113.0

To help comprehend the size of the updates, here are a couple of stats for consideration:

  • The 1507 x64 cumulative update on September 13, 2016 is 177% larger than the first update released on August 18, 2015
  • The 1511 x64 cumulative update on September 13, 2016 is 2069% larger than the first update released on November 15, 2015
  • The total size of individual patches for Windows 8.1 x64 on September 13, 2016 was 84.3 MB. The corresponding sizes of Windows 10 x64 cumulative updates for 1507, 1511, and 1607 were 12.1, 12.5, and 5.1 times larger respectively
  • At the current growth rate, the 1511 x64 cumulative update could top 2 GB in size in early 2017

Key Takeaways

As with previous articles, here are some key takeaways on Windows 10 Cumulative Updates:

  • Updates are cumulative, making it nearly impossible to skip a patch without creating significant risk
  • Updates include security and non-security fixes
  • 3rd party application compatibility will be a bigger issue in Windows 10 than previous versions of Windows
  • Cumulative updates start out big and become enormous over time

Now, before you panic, be aware that I will cover how to address these challenges with process and LANDESK solutions. Before going down that path, let’s take a quick detour to discuss Windows Update for Business.

Managing Windows 10 Branch Upgrades with LANDESK Part 2

In the previous article, I explored the first part of how LANDESK can help with Windows 10 branch upgrades through pre-upgrade education and communications. In this second part, I will discuss how LANDESK solutions manage Windows 10 branch upgrades through solution preparation, rollout, and issue management.

Solution Preparation

  • Upgrade Readiness: The large size of branch upgrades elevates the need to monitor free disk space. Using LANDESK Management Suite’s inventory capabilities, one can periodically review a report to see who is running out of space.

 12 - Free Disk Space

If a manual report is a hassle, alerts can also be generated to automatically prompt for action.

Free Disk Space Alerts

  • Targeting: LANDESK Patch Manager will inventory hardware, software, branch types (Current Branch or Current Branch for Business), and Active Directory users and groups to use in targeting of branch upgrades. This targeting becomes particularly valuable when used for staged rollouts (see more in next section).
  • Distribution: With the need to push large upgrade files, a robust software distribution capability is a must. LANDESK Patch Manager has numerous capabilities for distributing branch upgrades efficiently across your network including:
    • Targeted multicasting
    • Peer-to-peer downloading
    • Bandwidth throttling
    • Distribution servers
    • Checkpoint restart
  • Off-Network Systems: How many of your enterprise clients are off the corporate network at any given time? With so many employees who work remotely or travel, the LANDESK Cloud Services Appliance enables management of systems without a VPN. Using a virtual or physical appliance, the Cloud Services Appliance can enable branch upgrades to occur anywhere.

Upgrade Rollout with LANDESK Patch Manager

Having a methodical rollout process is critical in large enterprises. The version 2016 release of LANDESK Patch Manager includes a new capability, Rollout Projects, for systematically rolling out patches or branch upgrades. Rollout Projects are ideal for automating the deployment and execution of branch upgrades to specific groups of computers in a specific order.

LANDESK Patch Manager Rollout Projects

As part of the automation, each step can have exit criteria before moving on. Such exit criteria include:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to prevent issues from spreading to the next phase.

Issue Management

Addressing service issues related to branch upgrades can be achieved with LANDESK Service Desk where incidents can be tracked, problems managed, and service levels measured. Unlike most service management tools, Service Desk’s integration with LANDESK Management Suite enables service management to include taking actions such as remote assistance when users need help with upgrade issues, system reimaging when upgrades go bad, or software upgrades to maintain compatibility with branch upgrades. This combination of capabilities comes together in LANDESK Workspaces for the IT Analyst where a user and their devices can be found and actions applied such as remote control or installation of software.

LANDESK Workspace - End User Assistance

Key Takeaways

As usual here are some key points to remember:

  • Windows 10 branch upgrades are complex and LANDESK helps automate this process
  • LANDESK Service Desk gives end to end service management before, during, and after the upgrades
  • LANDESK Patch Manager automates phased upgrades with network-sensitive distribution and intelligent targeting
  • LANDESK Management Suite helps prepare for upgrades and address issues should they arise

This concludes the discussion on branch upgrades. I will next proceed with a series of articles on patching in Windows 10.

Managing Windows 10 Branch Upgrades with LANDESK Part 1

In the last article, I finished the discussion on a Branch Upgrade Solution Architecture. Time to dive in and learn about managing Windows 10 branch upgrades with LANDESK solutions. As outlined, there are many elements of a solution architecture and I will proceed to map LANDESK products to that architecture.

Upgrade Education

As mentioned in previous articles, Windows 10 branch upgrades are disruptive. If someone has not experienced this before, they may do something stupid like powering off their computer in the middle of the upgrade process (never a good thing). A solid knowledge base article will go a long way to educate them. This is easily achieved in LANDESK Service Desk.

Here is a sample article you could use to communicate the upgrade process to users:

As you may be aware, Microsoft recently released an update for Windows 10 known as the Anniversary Update or version 1607. IT is currently testing this update and will begin rolling it out widely in December.

As with other Windows 10 updates, there will be disruption to your ability to work. IT is planning to launch the upgrade at noon when we expect you can step away from your computer. You will have the option to defer the upgrade if you fear it will be too disruptive to your work. We advise saving all documents and shutting down applications to minimize any potential loss of work.

When the upgrade begins, you will see the following screens. Do not power off your computer during any of the upgrade process.

Windows 10 Branch Upgrade Configuration Screen

Windows 10 Branch Upgrade Updating Screen

Once the upgrade is complete, you will need to login and wait for some additional configuration to occur. You will see the following:

Windows 10 Branch Upgrade Post Logon Screen 1

Windows 10 Branch Upgrade Post Logon Screen 2

Windows 10 Branch Upgrade Post Logon Screen 3

Should you have any issues with the upgrade, please contact IT and we will promptly assist you.

Upgrade Communication

  • Pre-Upgrade Application Owners: Email is often the default method of communication, but there are other options. Using LANDESK Workspaces, application owners can be alerted to pending upgrades with a Notice Board message.

11 - Windows 10 Upgrade Notice

  • Pre-Upgrade End Users: The obvious solution is to send an email (or series of emails) with the information listed in the example knowledge base article. With the LANDESK End User Workspace, that information can be accessible anywhere: web, desktop, or mobile device. Putting the information everywhere will increase the likelihood of users knowing about the upgrade beforehand.
  • Upgrade Launch: LANDESK Patch Manager allows user notification before the download and/or before the execution of a branch upgrade. This can be a last minute opportunity to inform the users of the process that will ensue.
  • Post Upgrade: After an upgrade, users can submit issues or be notified of information via LANDESK End User Workspace.

11 - LANDESK Workspace Incident

In the next article I will cover the second half of this discussion on how LANDESK can help in managing Windows 10 branch upgrades.

Windows 10 and Enterprises: Top Reasons They Won’t Make the Switch

There is no denying the success of Windows 10; it has had a great adoption rate, surpassing the adoption of both Windows 8 and Windows 8.1.

But as with everything in life, the data gets more interesting as you delve into some of the finer points.

The two factors that have really helped accelerate the adoption of Windows 10 are the return of the start menu and the free upgrade.

So the question is, who is adopting Windows 10 and who isn’t?

Softchoice has published statistics on their customer base, some of which are:

  • Less than one percent of devices in 169 North American companies are using Windows 10.
  • 91 percent of systems are running Windows 7—an 18 percent increase over last year.

Additional data from both StatCounter and Netmarketshare show that the percentage of Windows 10 devices on the internet tends to spike over the weekend, indicating that consumers have been the largest users of Windows 10 and that many enterprises have not started the migration yet.

What are the main IT concerns and how are the migrations going? 

Spiceworks conducted a survey with results from over 900 IT professionals. The data revealed something very interesting:

  • 85 percent of companies that have deployed Windows 10 are generally satisfied, but Windows 7 is still getting higher end-user satisfaction.

Companies that had started adopting Windows 10 were asked to list their top challenges. Compatibility of software and hardware, as well as migration time, were listed as the biggest challenges.

What is stopping enterprises from migrating?

Over the past year, we have had many discussions with enterprise companies about their plans, concerns, and expectations. It seems that the IT professionals have been correct in identifying the biggest challenges, wins, and roadblocks companies are facing.

The recurring themes that we have heard from IT regarding the adoption of Windows 10 involve application compatibility, migration issues, and Windows updates. The larger enterprises always face the most compatibility issues; they know this and are always having to work to limit the risks in this area.

According to the Spiceworks survey, 62 percent of companies had not started any Windows 10 implementations. Top reasons companies are delaying include the fact that many of them are satisfied with their current OS, they are concerned about compatibility issues, and they want control over Windows updates.

There is also a common theme of how to make sure the end-user is satisfied with their computing experience and that they can be productive.

Windows cumulative update model

The cumulative update model of Windows has been discussed, namely, how it increases the application compatibility risks.

Enterprises will be forced to choose between not patching or having an application broken due to the patch for at least 30 days if Microsoft has to make the change or until a third-party vendor can make a change.

This discussion has caused many IT professionals great concern and has impeded many people’s decision to move to Windows 10. An interesting twist was announced last week, that Windows 7 and 8.1 will be moved to this patch model in October.

Does this refuel the Windows 10 migrations or does it just add an additional application testing tax on IT departments that will slow the adoption of patches?

Clearly, the above data shows that IT professionals in the enterprise are approaching Windows 10 with caution and concerns.


Windows 10 Branch Upgrade Solution Architecture Part 2


In part 1 of this discussion on Windows 10 branch upgrade solution architecture, I set out the key elements of a Windows 10 branch upgrade solution architecture. The points of upgrade education, end user communication, and solution preparation were discussed in that first article. Let’s complete this discussion by diving into the upgrade rollout model and issue management.

Upgrade Rollout Model

In the article on Windows 10 Branch Upgrade Strategy, I outlined different models and timelines for how to roll out your upgrades. Create a similar rollout model for your organization, making sure you have nailed down these key elements:

  • Rollout Groups: Hopefully you have already structured your organization into groups for patching, software rollouts, and previous operating system migrations. If you haven’t, now is the time to do so. At minimum have a pilot or test group and a production group. It is very likely you will have more than 1 of each. Here is one example to get you thinking:
    • Pilot Group 1 – IT: Start here as you should have the most communication with these individuals and they should be technical enough to provide detailed feedback if issues are encountered.
    • Pilot Group 2 – Power Users and Application Owners: Find the tech heads of different departments who will, again, provide detailed feedback if issues are encountered. Also, find the business application owners who aren’t in IT. If you don’t know who these people are, start networking internally. They will surface if you ask.
    • Production 1 – Non-Critical Systems and Users: This is a loaded term, but figure out which systems and users won’t cripple the business if the upgrade has issues. Different departments may be more critical at different times of the year or quarter (sales, finance, etc.). This difference in timing could merit breaking this group into 2 or scheduling it very strategically. Every organization is different, so make sure you understand yours before assigning anyone to a group.
    • Production 2 – Critical Users: This is the phase to address those critical users like sales, finance, or service delivery. This phase may need to be paused depending on the time of the year or quarter.
    • Production 3 – Critical Systems: This probably includes any system that has a material impact on the business in terms of generating revenue or delivering a service or product to a customer. It could include systems that control medical devices, for example. Again, timing may affect criticality here, but understanding your business is paramount.
  • Timing: Each rollout group should have a set time in which the upgrade occurs. Remember the 80/20 rule: you will likely get 80% of the group upgraded quickly and will have to work hard for the other 20%. Also, the upgrade is not the end goal; the goal is making sure business continuity is maintained with optimal service levels. If you have 3 months for pilot group 1, try to get the upgrades completed in month 1 so the remaining 2 months can be used to assess impact.
  • Acceptance Criteria: Before moving to the next phase, know what you consider success. Is it 100% desktop usability (or 95%)? Is it based on a review of all critical incidents related to users who were upgraded? Who makes the approval decision? Answer these questions before moving on to the next phase.

Issue Management

One can expect a certain percentage of systems to have issues during the upgrade process. Part of the solution architecture should take into account how to address issues so as to not slow down the overall rollout and to ensure that systems are upgraded before patch support is discontinued.

There are likely many areas to plan for, but I will throw out two that you can prepare for:

  • Hardware: Two examples: Do drivers impact the upgrade? Are storage limitations an issue?
  • Application compatibility: This is likely the number one issue you will run into. Which business and 3rd party application teams/vendors do you need to call on when issues are encountered? If a compatibility issue becomes an upgrade blocker, what is the plan?

Key Takeaways

As the challenge is big, so is the solution. Here are the key points to share around an upgrade solution architecture:

  • Upgrade education: prepare your users for the changes
  • End user communication: remember to communicate expectations before, during, and after the upgrade
  • Solution Preparation: the solution architecture needs to be robust and automated
  • Upgrade Rollout Model: break your enterprise into groups and upgrade methodically
  • Issue Management: Windows 10 forces tight timelines so prepare for issues in advance

With the solution architecture setup, I will next explore how LANDESK can help with Windows 10 branch upgrades.

Windows 10 Branch Upgrade Solution Architecture Part 1


In previous articles, I’ve covered a lot of information on Windows 10 branches. As you have seen, there are a lot of new concepts and challenges with Windows 10 branch upgrades that did not exist in previous versions of Windows. With all of that as background, this article is the first of two parts on a Windows 10 branch upgrade solution architecture.

Solution Architecture

In order to build an effective solution, the following elements should be in place:

  • Upgrade Education
  • End User Communication
  • Solution Preparation
  • Upgrade Rollout Model
  • Issue Management

Upgrade Education

Before doing an upgrade, consider the changes to the user experience. Branch upgrades are not as drastic as a new version of Windows, but instead introduce new features and usability changes gradually. Depending on your organization, you may simply inform users that a new version of Windows 10 will roll out and to expect changes. For change-sensitive people, you may need to consider some deliberate training in preparation. Use experience from previous operating system migrations to determine what is best here.

Upgrade Communication

Do not underestimate the importance of communication as you develop your solution. As noted in the Windows 10 Current Branch article, upgrades will be disruptive and take around 30 minutes. With these challenges in mind, communications should be multi-phase:

  • Pre-Upgrade Application Owners: Application owners should be notified of the upgrade plan and schedule so they can test their application to ensure business continuity. Constant communication of the upgrade process should be delivered to the application owners.
  • Pre-Upgrade End Users: Users should be prepared to understand that the upgrade experience is unlike anything they have experienced in the past. It will take time and prevent them from doing work. Show them screenshots of what they can expect, and remember that users will ignore your emails. Per the upgrade education section, make sure to educate them on changes before the upgrade.
  • Upgrade Launch: Per my previous point, users will ignore any emails you send them. Before launching the upgrade, they should get an on-screen notification that summarizes what will happen and points them to a web portal with detailed explanations.
  • Post Upgrade: Branch upgrades introduce new features and we all know that despite all the testing you may do, there is the potential for issues. Make sure that post migration, there is a method to gather feedback and measure upgrade issues.

Solution Preparation

  • Upgrade Readiness: An operating system migration requires many considerations (CPU, RAM, etc.). In the case of the branch upgrade, the one element that should be constantly monitored is free disk space. It isn’t clear how much space is required for a branch upgrade, but remember the upgrade file is 3 GB for x86 and 6 GB for x64 plus space for temporary files. As a safe bet, keep to the Windows 10 specifications for free disk space of 16 GB for x86 and 20 GB for x64.
  • Targeting: As mentioned in the Branch Upgrade Strategy, enterprises need to plan on having systems on multiple branches. This will require that users and computers are assigned to groups identifying them with their branch. Once done, you need to plan on targeting migrations appropriately (for example, Current Branch to Current Branch).
  • Distribution: As upgrade packages are large, enterprises will need a plan for how the package will be distributed and cached. The existing software delivery architecture needs to be ready for 4 GB files, as that is the size of the 1511 x64 package.
  • Off-Network Systems: In many enterprises a significant minority, if not majority, of clients will be laptops, many of which spend little time on the corporate network. With these systems, there must either be the option to remotely upgrade them or a planned upgrade when they are on the network.
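As an added example of the upgrade readiness check described above (my own script, not LANDESK code), the following PowerShell function reports whether a machine's system drive meets the free-space thresholds quoted in this article (16 GB for x86, 20 GB for x64). It assumes the upgrade files land on the system drive, and the function name is my own.

```powershell
# Added example: pre-flight free disk space check for a Windows 10 branch
# upgrade, using the free-space thresholds cited in the article above.
# Assumption: the upgrade files are staged on the system drive.
function Test-BranchUpgradeDiskSpace {
    [CmdletBinding()]
    param(
        # Windows 10 free-space specifications quoted in the article
        [long]$MinFreeX86 = 16GB,
        [long]$MinFreeX64 = 20GB
    )

    # Architecture and system drive letter (e.g. "C:") from WMI/CIM
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk `
                -Filter "DeviceID='$($os.SystemDrive)'"

    $is64     = $os.OSArchitecture -like '64*'
    $required = if ($is64) { $MinFreeX64 } else { $MinFreeX86 }
    $free     = [long]$disk.FreeSpace

    # One object per machine so results can be collected into inventory
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Architecture = $(if ($is64) { 'x64' } else { 'x86' })
        SystemDrive  = $os.SystemDrive
        FreeGB       = [math]::Round($free / 1GB, 1)
        RequiredGB   = [math]::Round($required / 1GB, 1)
        ShortfallGB  = [math]::Round([math]::Max(0, $required - $free) / 1GB, 1)
        Ready        = ($free -ge $required)
    }
}

# Run locally on a pilot machine; for a rollout group, wrap the call in
# Invoke-Command and export the objects before targeting the upgrade.
Test-BranchUpgradeDiskSpace | Format-List
```

Machines reporting Ready = False can be held back from the rollout group until the shortfall is cleared, rather than failing mid-upgrade.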

Looking Ahead

There is a lot of information to cover for a Windows 10 branch upgrade solution architecture. In part 2, I will dive into the upgrade rollout model and issue management.