The 12 Tips of ConfigMas

It’s that magical time of year again! A time for friendship, feasts and festivities. I’m talking, of course, about ConfigMas! That special occasion when Adaptiva delivers a holiday ConfigMgr roundup for all to enjoy. As we prepare to greet the new year, we’ve compiled some of the best advice from MVPs and leading industry experts into the 12 Tips of ConfigMas.

If you prefer to hear the 12 tips in a song, please enjoy this rousing rendition from the ConfigMas Carolers.

1. Use the SCCM Office 365 Wizard to Create Your Office 2019 Install

Prajwal Desai @PrajwalDesai

With Office 2019 utilizing click-to-run technology, MSI technology is no longer used. Instead, Microsoft lets you create your Office 2019 install via the Office 365 installer wizard in the ConfigMgr console. To get the best from this installer use ConfigMgr 1806 onward.

Prajwal takes you through an informative step-by-step on how to do this in his blog post.

2. Upgrade to Current Branch with the Latest Baseline

Niall Brady @ncbrady

If you are still on ConfigMgr 2012, then it’s time you looked at upgrading to ConfigMgr Current Branch. You’ll get the latest and greatest features, continued support for Windows 10, and the chance to take advantage of all the latest cool cloud management roles.

Eight-time Enterprise Mobility MVP Niall Brady explains what baseline releases are and where you can get them.

3. Move Your ContentLib to a Remote Location

Peter van der Woude @pvanderwoude

Start to plan ConfigMgr high availability, or just free up some space on a cramped CM site server, by moving your ContentLib folder to a remote share location. Using this for HA purposes will ensure that the ContentLib is still available should your active site server go offline.

Peter van der Woude takes you through the flow of the process to shift that data to another location.

4. Sort Your WSUS Out

Johan Arwidmark @jarwidmark

WSUS, please go away! One day ConfigMgr will not rely on this much-maligned solution, but until then we live with it and embrace it as much as we can. Earlier this year, WSUS was a big problem for businesses, with severe traffic being generated across the estate on port 8530 and huge amounts of data being downloaded by devices. ConfigMgr admins took to the Internet to share stories and collaborate on how they had tackled the issue or put up with it.

Johan’s blog takes the approach of collating some of that information from various sources, so this meta-blog has become the go-to post for WSUS maintenance and troubleshooting.

5. Embrace ADRs for Patching

Bryan Dam @bdam555

Automatic Deployment Rules (ADR) can be used in ConfigMgr to automate your patching process and take away some of that monthly admin overhead. Use them wisely and configure them in a way that works for your environment.

ConfigMgr expert Bryan Dam’s notes from the field are the perfect starting point for ADRs. Bryan doesn’t tell you how to set them up. Instead, he gives you food for thought on the options you should consider when implementing.

6. Reduce Your Attack Surface with Defender Application Control

Paul Winstanley @sccmentor

Restrict application execution within your environment to only trusted apps with Windows Defender Application Control. The complexity behind its implementation is reduced significantly with ConfigMgr and Intune’s managed installers, which automatically authorize the apps deployed by these management tools.

In this blog post, Paul explains what WDAC is, then runs through the methods to implement it via both ConfigMgr and Intune.

7. Think about High Availability

Robert Marshall @robmvp

High availability of the ConfigMgr site server has been a much-requested, long-awaited feature. The feature is slowly being drip-fed into ConfigMgr, and its power and flexibility are developed and improved upon with each release. In addition to doing the job of keeping the site up and running, this feature could be used to move site servers from one server OS to another. With the passive system containing the updated OS, you remove the restriction of not being able to change the hostname of the site server.

Ten-time Enterprise Mobility MVP Robert Marshall’s extremely detailed blog highlights the technical requirements to spin up a passive site server when the active goes offline.

8. Build Your CM Lab in Azure

Dan Padgett @danjpadgett

New to ConfigMgr and need some assistance in getting your site built or just want to crank up an Azure lab nice and fast? The blog post includes links to the free Azure sign-up, where you can get $200 of Azure credit for 30 days and a handy calculator that will give you an idea of any ongoing costs.

ConfigMgr consultant Dan Padgett runs through the step-by-step process to get the site up and running so you can play and learn.

9. Learn the True Facts about SUP in CM

Jason Sandys @JasonSandys

Demystify the myths and misconceptions around the ConfigMgr Software Update Point role.

  • Where are the EULAs stored?
  • Does the SUP distribute content?
  • Is WSUS needed on the SUP server?
  • Does anyone out there like WSUS?

Super MVP Jason Sandys’ myth buster blog is the place to find the answer to the above questions and more.

10. Understand Application Install Workflow

Dawn Wertz @wertzdm3

As they say, a picture is worth 1,000 words, and the workflow diagram presented at the configgirl blog does just that. It breaks down troubleshooting ConfigMgr application installation into a series of steps relating to which log to refer to at which time in the process. The analysis goes deeper with references to the log file events, using an example installation of 7-Zip. Fail to bookmark this page at your peril.

Dawn Wertz’s expert analysis can be found here.

11. Patch Third-Party Updates

Nick Hogarth @nick_hogarth

The Adaptiva report Managing Windows 10 Security Features with ConfigMgr (https://t.co/y82fa8jjK8) gave an overview of the new third-party update feature introduced with ConfigMgr 1806. This feature imports software catalogs and publishes update information to a configured WSUS server. ConfigMgr then synchronizes the updates into the site server database and makes them available to endpoints via the SUP role.

Enterprise and Mobility MVP Nick Hogarth’s guide shows you how to enable the feature on your SUP and how to get things flowing in your environment.

12. Remove Built-In Apps for Windows 10 1809

Nickolaj Anderson @NickolajA

With another major release of Windows 10 comes another reason to update your remove-built-in-apps script. Some new apps have been added to the mix, so you may wish to consider removing some or all of these during your OSD deployment.

The new apps are:

  • Microsoft.ScreenSketch
  • Microsoft.HEIFImageExtension
  • Microsoft.VP9VideoExtensions
  • Microsoft.WebMediaExtensions
  • Microsoft.WebpImageExtension

SCConfigMgr MVP Nickolaj Anderson’s handy script assists you with that very task. Grab a copy of the script and learn how to use it here.
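As an added example that is not Nickolaj’s script, the PowerShell below removes the five 1809 apps listed above from the online image: both the provisioned package (so it is not installed for new user profiles) and any copies already installed for existing users. It honours -WhatIf so you can preview what an OSD step would remove.

```powershell
# Added example (not Nickolaj's script): remove the 1809 built-in apps named in the post.
# Run elevated, e.g. as a "Run PowerShell Script" task sequence step after the OS is applied.
[CmdletBinding(SupportsShouldProcess)]
param(
    # The five apps new to Windows 10 1809 from the post; pass your own list to override.
    [string[]]$AppNames = @(
        'Microsoft.ScreenSketch',
        'Microsoft.HEIFImageExtension',
        'Microsoft.VP9VideoExtensions',
        'Microsoft.WebMediaExtensions',
        'Microsoft.WebpImageExtension'
    )
)

foreach ($name in $AppNames) {
    # Provisioned packages are staged in the image and installed into every new user profile,
    # so removing them here is what stops the app from coming back for future users.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq $name } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove provisioned package')) {
                Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            }
        }

    # Copies already installed for existing users (including the account running OSD).
    Get-AppxPackage -AllUsers -Name $name | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove installed package')) {
            Remove-AppxPackage -Package $_.PackageFullName -AllUsers
        }
    }
}
```

Note that the HEIF, VP9, WebMedia and Webp packages are media codec extensions rather than user-facing apps, so test media playback in your environment before removing them from a production image.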

Custom Configuration Items: Maybe the Most Underrated Tool in Your ConfigMgr Kit

ConfigMgr has many little gems tucked away, underutilized, forgotten at times. Configuration Items (CI) is one of these gems.

CIs have been around since Microsoft System Center Configuration Manager (ConfigMgr) 2007 days, when they were known as Desired State Configuration. Configuration Items are created and added to a Configuration Baseline (CB), which is then deployed to a collection. Compliance is evaluated against the baseline and reported back to ConfigMgr. Non-compliance can be remediated to bring devices back into a compliant state: super-cool, super-powerful and really easy to set up.

A CI can be created using different item types. These range from registry, file system, Active Directory query, WQL query, and WMI query to a script; a CB can contain one or more CIs to add power and flexibility to the evaluation.

CIs can be created for Windows servers and clients, and for Mac OS X systems with a ConfigMgr client installed. CIs can also be deployed to MDM devices that aren’t running a ConfigMgr client. (Note that as of Aug. 14, 2018, hybrid mobile device management is a deprecated feature of ConfigMgr.)

The Configuration Item itself stores information based on the following:

  • Detection method information. This is required if the configuration item contains application settings. A checkbox for this is enabled during the CI wizard.
  • Settings. The settings contain the conditions that need to be assessed for compliance on the device.
  • Compliance rules. These contain the conditions that exist to check compliance against a device.
  • Supported platforms. These are the platforms against which the compliance is assessed. If the platform matches the one selected, then evaluation can take place.

Creating your first Configuration Item

Let’s create a CI to get a feel for the information that can be assigned during the configuration item wizard.

CIs can be created in the ConfigMgr console from the location \Assets and Compliance\Overview\Compliance Settings by right-clicking Configurations Items and selecting Create Configuration Item.

In the General section of the wizard, a name for the CI must be entered. A choice of supported platforms is available, as previously mentioned. CIs can be categorized, like drivers, so they can be easily searched for and filtered.

On the Supported Platform screen, granular selection of the platform type can be performed. Since I had chosen to create the CI for Windows Desktop and Servers (Custom), I have a choice of various operating systems to target the CI at. For this example, I have narrowed down my choice to just Windows 10 x64 device types.

Now we can start to build up the required compliance rules. Clicking New will launch the Setting window.

The full set of setting types is available to choose from. For this example I’m going to choose the Registry value type. I want to check the registry value for the Office 365 update channel on my client devices and remediate any that are not using the Semi Annual Channel CDNBaseURL http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114. This is stored in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\CDNBaseUrl.

By browsing a local or remote device, the exact details required can be collated simply and effectively.

The CI and the compliance rules are created with minimum fuss.

In the Compliance Rules tab, conditions can be set to be remediated. Double-clicking one of the defined conditions brings up the dialog window which enables you to do this. In my example, I have checked the box to Remediate noncompliant rules when supported for the CDNBaseURL.

With the CI configured, it’s time to create the baseline for deployment to targeted devices.

Configuring the Configuration Baseline for deployment to devices

In the console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines, right-click and select Create Configuration Baseline.

Give the CB a name and choose Configuration Items from the Add drop down.

Now it’s a simple case of selecting the CI created previously and adding it to the baseline.

Next up, we can set a schedule for the compliance evaluation of the baseline. Use this sensibly; you don’t want to impact SCCM performance with overzealous schedules. Also, set the deployment to remediate. If the collection being targeted has a maintenance window, allow remediation outside the window. With the baseline set, the CB is deployed to a collection.

A little-known feature is the ability to right-click a baseline deployment and create collections of devices that are either Compliant, Error, Non-compliant or Unknown. This is a super handy feature.

Let’s see what happens on a targeted device that isn’t running in the Semi Annual Channel. By using the CI baseline, I can flip it to the Semi Annual Channel so it becomes compliant, which is how I want to deploy Office 365 in my environment.

As you can see, the device is currently set with CDNBaseURL http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf, which is the Semi Annual Channel (targeted) URL.

In the SCCM console, take a note of the CI Unique ID for the baseline you created. You may need to add this column to be able to see it.

When policy is run, you will see the processing of the baseline take place by checking the CIAgent.log.

If your CI and baseline are not set to remediate, the device will simply report back as non-compliant when the registry value doesn’t match the compliant state you defined. In the ConfigMgr applet in the Control Panel, you will see a Non-Compliant state reported in the Configurations tab.

You can click the report to see the full details of the compliance check.

With remediation set on the CI and baseline, the device will be updated to enforce compliance.

As you can see, the registry value is updated to reflect the desired state.

Having run through the overview of setting up a CI and CB, why not dig deeper by creating a script CI and an associated remediation script? Or you could create a child configuration item which inherits the original configuration from the parent configuration item. How about creating a configuration baseline from a defined set of software updates, and reporting back on their compliance? The power of Configuration Items and Baselines is at your fingertips.
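As an added example that is not part of the original post, here is how the same CDNBaseUrl check and fix could be built as a script CI instead of a Registry value CI. The discovery script emits the current value, so the compliance rule becomes "value returned by the script equals the Semi Annual Channel URL", and the remediation script writes that URL back. The key, value name and URL are the ones quoted above; the 'Missing' sentinel is my own convention.

```powershell
# ---------- Discovery script (added example, not the post's own code) ----------
# ConfigMgr compares whatever this script writes to the pipeline against the compliance rule,
# so it must emit exactly one value. 'Missing' is a constructed sentinel for "value not present";
# it will evaluate as non-compliant, so target the baseline at devices that have Office 365.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$valueName = 'CDNBaseUrl'

try {
    $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
    if ([string]::IsNullOrWhiteSpace($current)) { $current = 'Missing' }
} catch {
    $current = 'Missing'
}
Write-Output $current

# ---------- Remediation script (ConfigMgr runs this only when discovery was non-compliant) ----------
# Writes the Semi Annual Channel CDNBaseUrl quoted in the post. The comparison is an exact
# string match, the same test the compliance rule applies, so discovery and remediation agree.
$regPath    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$valueName  = 'CDNBaseUrl'
$semiAnnual = 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'

if (-not (Test-Path -Path $regPath)) {
    # No Click-to-Run configuration key means Office 365 is not installed here; nothing to change.
    Write-Output 'Office Click-to-Run not present'
    return
}

$existing = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($existing -eq $semiAnnual) {
    Write-Output 'Already compliant'
    return
}

Set-ItemProperty -Path $regPath -Name $valueName -Value $semiAnnual -Type String
Write-Output "CDNBaseUrl set to $semiAnnual"
```

Remember that the ConfigMgr client setting for PowerShell execution policy defaults to All Signed, so either sign both scripts or set that client setting to Bypass for the targeted collection before the CI will evaluate.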

Obviously, in today’s security-conscious world, maintaining a consistent configuration is crucial. Windows 10 gives you many more options and settings than you had to know about in Windows 7/8/8.1. If you’d like to learn what ConfigMgr can do for security beyond CIs, you might want to check out a new report I’ve written, Managing Windows 10 Security using ConfigMgr.

Windows 10 Security Checklist Starter Kit

I love it when a tech speaker lays out an overwhelming topic so clearly that it starts to feel approachable. That’s how I felt during a recent ITPro Today webinar with Orin Thomas on security configuration management for Windows endpoints in the enterprise.

I’ve gone through Orin’s webinar and pulled out many of the items into a checklist that you can use as a starting point. It’s obviously not a complete checklist. That’s why I’m calling it a “starter kit.”

You can use it to see how your company stacks up on these essential items. Then you can take steps to address any shortcomings and toward building a comprehensive checklist to help make your organization more secure.

Organization-Wide Checklist
These items apply to all Windows 10 endpoints across the entire organization.

□ Managing All Systems
You can check this box if every endpoint is managed. This is often done with software such as Microsoft System Center Configuration Manager (ConfigMgr) and Intune. However, many effective solutions are available.

□ Monitoring and Correcting Configuration Drift Regularly
You can check this box if every endpoint in your organization is monitored (ideally, at least daily) for compliance with company endpoint configuration policy. Deviations must be tracked and corrected quickly.

Per-Windows 10 System Security Checklist
These items apply to every endpoint individually; this is the “per-machine” checklist. As you go through it, you may recognize a need for policies you haven’t thought of before.

□ Device Guard Enabled
Check this if the system is running Device Guard. You can also check it if your company policy does not require this system to run Device Guard.

Device Guard uses hardware-based code integrity checking, virtualization and other security techniques to ensure the integrity of the operating system. Unless there are specific reasons to allow exceptions such as compatibility, every company should require use of Device Guard on all systems.

□ Credential Guard Enabled
Check this if the system is running Credential Guard. You can also check it if your company policy does not require this system to run Credential Guard.

Credential guard mitigates credential-theft attacks which attempt to gain access to credentials stored in memory or caches. Unless there are specific reasons to allow exceptions such as compatibility, every company should require use of Credential Guard on all systems.

□ Application Guard Enabled
Check this if the system is running Application Guard. You can also check it if your company policy does not require this system to run Application Guard.

If using Microsoft Edge (or IE), Application Guard can allow IT to define trusted or untrusted resources. When browsing to untrusted resources, the session is virtualized (isolated Hyper-V container) to protect the host. This works for websites, cloud resources and internal networks. However, most companies allow non-Microsoft browsers, which are not secured by Application Guard.

□ Application Control Enabled
Check this if the system is running Application Control. You can also check it if your company policy does not require this system to run Application Control.

Application Control restricts what applications, code, scripts and MSIs can run. It also restricts PowerShell (Constrained Language Mode).

□ Exploit Guard Enabled
Check this if the system’s Exploit Guard settings are in line with company policy.

Exploit Guard is a collection of features to prevent exploits around browsing, applications, attack surface reduction, network protection and folder access. Most apply system-wide, but some can be customized for different applications. Your company should have a policy defined for each of these settings for the system and for each application.

□ Attack Surface Reduction Applied
Check this if your company has a policy for Attack Surface Reduction and the endpoint complies with it. Below are some suggestions provided by Orin. A full list, however, is really up to you!

  • Block executable content from email client and webmail
  • Block Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block JavaScript and VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win 32 API calls from Office macros

□ Pre-boot Environment Locked Down

Check this box if you have ensured that:

  • No one can modify BIOS/UEFI settings without a password.
  • The device will not boot via PXE or from USB without authorization.

□ Storage Protected from Offline Attack

Check this box if all hard disks, SSDs and other forms of storage are encrypted. This prevents scenarios where people remove storage and access it elsewhere. Microsoft provides BitLocker. Many third-party options are available as well.

□ Unneeded Services Disabled

Check this box if all unneeded services are disabled per company policy. Windows ships with services that most companies do not need and do not want running. This covers both services present out of the box (OOBE) and rogue services added later.

□ Local Accounts Locked Down

Check this box if a system’s local accounts are in line with your company’s policy of what local accounts and groups should exist, as well as which ones should have which privileges. Solutions like Microsoft’s Local Administrator Password Solution (LAPS) can help.

□ Windows Firewall Secured

Check this box if the local firewall blocks outbound traffic by default and whitelists exceptions.

□ Applications Hardened

Check this box if all applications are hardened per company policy. Few applications are hardened in their default configuration. For example, for Microsoft Office you should only allow trusted macros to run and block browser extensions. Hardening is typically a combination of common sense and vendor guidelines.

□ Windows Fully Updated

Check this box if all of the latest security patches for Windows have been applied.

□ Applications Fully Updated

Check this box if all applications are updated to the current security patching level.

□ Firmware Fully Updated

Check this box if firmware on all systems is up to date.

□ Secure Authentication Used

Check this box if authentication best practices are set up per company policy.

Like so much in security, it’s a deep topic. Orin suggests as things to consider:

  • Picture password policy sign on disabled
  • PIN sign on disabled
  • Password policies set to something like:
      • 10 Chars minimum
      • 90 days maximum age
  • Credential caching group policies set:
      • Only one previous logon stored in cache where DC isn’t available
      • Passwords for network authentication are not stored
  • Biometric or two-factor authentication used
  • Authentication allowed only during authorized hours
  • Device recently inspected for keyloggers
  • IPSec implemented on local networks

□ Browsers Hardened

Check this item if your browsers are hardened. Specific hardening will depend on your browsers and environment. As an example, here are some things you might harden with Microsoft Edge.

  • Configure Edge …
  • Disable Flash
  • Disable Developer Tools
  • Enable Do Not Track
  • Enable Pop Up Blocker
  • Enable Windows Defender Smart Screen
  • Prevent users and apps from accessing dangerous websites
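As an added example (my own script, not from Orin’s webinar or the original post), the following read-only PowerShell audit maps several of the per-machine items above to the sources a Windows 10 endpoint exposes: the Win32_DeviceGuard CIM class for Device Guard and Credential Guard, the Application Guard optional feature, Get-MpPreference for the seven ASR rules listed, Get-BitLockerVolume, Get-NetFirewallProfile and Get-LocalGroupMember. The allowed local-administrator list is a placeholder to replace with your own policy.

```powershell
# Added example: read-only audit of selected checklist items on the local machine.
# Run in an elevated session. Each check returns an object with Item, Pass and the evidence used.

# ASR rules named in the checklist, keyed by the rule GUID Microsoft publishes for each.
$AsrRulesToCheck = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript and VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

function New-CheckResult([string]$Item, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail }
}

function Test-VirtualizationBasedSecurity {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (Device Guard code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    New-CheckResult 'Device Guard (HVCI) Enabled' ($dg.VirtualizationBasedSecurityStatus -eq 2 -and $running -contains 2) "SecurityServicesRunning=$($running -join ',')"
    New-CheckResult 'Credential Guard Enabled' ($running -contains 1) "VBS status=$($dg.VirtualizationBasedSecurityStatus)"
}

function Test-ApplicationGuard {
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    New-CheckResult 'Application Guard Enabled' ($f.State -eq 'Enabled') "Feature state=$($f.State)"
}

function Test-AttackSurfaceReduction {
    # Get-MpPreference exposes parallel arrays of rule IDs and actions (1 = Block, 2 = Audit, 0 = Off).
    $mp      = Get-MpPreference
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($null -ne $ids[$i]) { $configured[([string]$ids[$i]).ToUpper()] = [int]$actions[$i] }
    }
    foreach ($id in $AsrRulesToCheck.Keys) {
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 'not configured' }
        # Only Block mode (1) satisfies the checklist; Audit mode logs but does not protect.
        New-CheckResult "ASR: $($AsrRulesToCheck[$id])" ($action -eq 1) "Action=$action"
    }
}

function Test-StorageEncryption {
    foreach ($vol in Get-BitLockerVolume) {
        New-CheckResult "BitLocker on $($vol.MountPoint)" ($vol.ProtectionStatus -eq 'On') "VolumeStatus=$($vol.VolumeStatus)"
    }
}

function Test-FirewallOutboundDefault {
    # The checklist wants outbound blocked by default with explicit exceptions, on every profile.
    foreach ($p in Get-NetFirewallProfile) {
        $pass = ($p.Enabled -eq 'True') -and ($p.DefaultOutboundAction -eq 'Block')
        New-CheckResult "Firewall profile $($p.Name) blocks outbound by default" $pass "Enabled=$($p.Enabled) DefaultOutbound=$($p.DefaultOutboundAction)"
    }
}

function Test-LocalAdministrators {
    # Compare the local Administrators group with the members company policy allows.
    # The allowed list is a constructed placeholder; replace it with your own policy.
    $allowed = @('Administrator')
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name.Split('\')[-1] }
    $extra   = @($members | Where-Object { $allowed -notcontains $_ })
    New-CheckResult 'Local Accounts Locked Down' ($extra.Count -eq 0) "Unexpected members: $($extra -join ', ')"
}

function Invoke-EndpointChecklistAudit {
    Test-VirtualizationBasedSecurity
    Test-ApplicationGuard
    Test-AttackSurfaceReduction
    Test-StorageEncryption
    Test-FirewallOutboundDefault
    Test-LocalAdministrators
}

Invoke-EndpointChecklistAudit | Format-Table -AutoSize
```

The same functions can be dropped into a ConfigMgr script CI (one discovery script per item, outputting Pass) so that the checklist is evaluated on a schedule rather than by hand.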

How Many Items Did You Check?

In all likelihood, you were not able to check most of these items. If you were, please tweet me (@itsystemsman) about it!

This blog merely scratches the surface of what your organization needs to put in a complete endpoint security checklist. However, it’s an important list of basics that should be covered if they’re not already.

If you’d like to get a lot more detailed information from Orin on endpoint security, you can view the full webinar on demand: SecOps Strategies for the Windows Endpoint.

Survey: IT Pros Want to Secure Endpoints Daily but Don’t Have the Time

If you work in IT today, you are walking on a razor’s edge trying to get security right. The Adaptiva 2018 Endpoint Security Survey can help you avoid missteps.

We polled over 300 IT professionals about Windows security in a business environment. Findings include:

  • Windows 10 deployments measured (past the half way point!)
  • Security hygiene tasks prioritized
  • Staffing shortages
  • The biggest help desk time sinks
  • So much more …

Windows 10 Deployments Pass the “50/50” Milestone

Adaptiva has been polling IT pros about their Windows 10 deployment plans and progress since the OS was released in 2015. Windows 10 is crucial for IT security. In fact, security is the top reason enterprises are moving to Windows 10—if you don’t count “we have to in order to keep getting support.”

For the first time, the majority (57%) of respondents reported that their organizations are running most of their computers on Windows 10. Note though that 14% are on the other end of the spectrum, running Windows 10 on a tenth or fewer of their systems.

Security Hygiene Is a Massive Job and Bigger Priority

Everyone in IT agrees it is important to regularly check systems’ health, performance and patching levels. Our new security survey asks just how important it is to run these checks, and how often they should be run.

  • A whopping 90% of respondents reported that maintaining current, compliant security configuration was very or extremely important.
  • The majority (53%) of IT pros surveyed said that every endpoint should be inspected daily or even hourly to determine if all software is up to date and the configuration complies with company security policy.
  • Plain old Windows OS health was the second-highest security hygiene priority at 44%. The only higher priority was—you guessed it—OS and application patching at 66%.

Staffing Struggles, Help Desk Pains, and Automation

Other highlights include:

  • Over half of respondents are stretched too thin to ensure proper security hygiene on all systems all the time.
  • Software break/fix is the biggest help desk time-eater.
  • A quarter of help desk tickets could be automated.

The Big Picture

Security will continue to be a vexing challenge for IT because it will never be “done.” The threatscape is always changing and growing. Keeping a company secure is an almost-impossible effort that touches every corner of IT, from infrastructure to endpoints to help desks and beyond.

If you’d like to dig into the details, you can download the full 2018 Enterprise Endpoint Security Survey.

Not having the time to secure the environment doesn’t have to be an excuse, not if you can dedicate a small chunk of valuable time to figuring out how to automate it.

Join us at IT/Dev Connections 2018 where we have an entire track dedicated to Security! There’s still time. IT/Dev Connections 2018 runs October 15 – 18, 2018 in Dallas, Texas.

Register today! http://itdevconnections.com

ConfigMgr Pros Get Help from OneSite

ConfigMgr implementers, architects and administrators don’t have the luxury of getting it wrong. You have to nail everything in order for the organizations you support to succeed. That’s a lot of pressure!

More and more, ConfigMgr professionals are enlisting Adaptiva OneSite to help businesses and government organizations prosper. Instead of telling you why, I’ll let you hear it directly from them.

DXC Technology (Adaptiva Partner)

Learn why DXC Technology includes Adaptiva OneSite in solutions offerings. As Senior Technical Consultant in the Workplace & Mobility Offering Delivery (OD&T) group, Tom Gibson helps some of the world’s largest companies manage their endpoints. Click here to hear from Tom.

NetCentrics (Adaptiva Partner)

Thomas Cook, Senior Security Engineer with NetCentrics, talks about a unique ConfigMgr problem that vexed a government agency. Find out how Adaptiva OneSite solved it by clicking here.

Learn More

To dig deeper into how OneSite can help you succeed with ConfigMgr, visit the Adaptiva Academy for videos, datasheets, podcasts, webinars and more!

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.

MMS 2018 Recap: A Day in the Life of an OSD Guru

At MMS, I presented a session with Johan Arwidmark called “A Day in the Life of an OSD Guru.” Times certainly are changing, and unless you’ve been living under a rock, you know that the way operating systems are traditionally deployed is facing some challenges. Our session attempted to address those challenges by conveying how we think IT pros should handle deployments in their organizations and providing some forward-thinking ideas.

Policy Management
On-prem management by group policy, while still supported, is considered legacy. As an OSD guru, you need to be forward thinking when applying policy to a device. First, ideally, you should have a new OU for your Windows 10 devices and make sure you’re not trying to apply unsupported policies. If you can’t do that (typically for political reasons), at the very least configure WMI filters on your policies so that a Windows 7 policy does not apply to a Windows 10 computer. While many of them are harmless, there are quite a few that can bite you.

Microsoft wants organizations to move to cloud management with Azure AD and Intune. This doesn’t mean ConfigMgr is going away. This is obvious by all the work we see around co-management and capabilities added to it with subsequent ConfigMgr Current Branch releases. That doesn’t mean you should sit on your hands and wait for the day, maybe 15 years from now, when traditional products are gone, and you make a panic move to the cloud. (Disclaimer: I do not have any information on the lifespan of ConfigMgr. I believe that if customers keep using it and keep asking for innovations/improvements, then the product team will continue their work. If you don’t believe me, start playing around with the Technical Preview builds.)

Since Microsoft is adding more and more MDM policies so that you can manage your devices from Intune, it is worth looking at what policies you are applying to your devices and if they are supported in MDM. You can use MMAT, a tool that helps transition from legacy group policy to MDM by analyzing policy applied to a device and providing a report that maps those policies to MDM, if they exist. The MMAT tool can be downloaded from the GitHub link, which includes instructions on prerequisites and use: https://github.com/WindowsDeviceManagement/MMAT.

It is also possible to create a custom CSP using an ADMX-backed policy. This means you could download the latest ADMX templates for Office and create an MDM policy for it. For information on how to do that, Microsoft has created a blog post and video that is easy to follow: https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies.

Patch Management

ConfigMgr offers patch management so that technicians can secure servers and workstations with the latest updates with greater control and under a single pane of glass. There are plenty of posts and sessions available talking about how to set up software updates, things to watch out for and various tips and tricks.

Intune also provides patch management with the ability to update via deployment rings. You simply create rings and add devices to them. Patch compliance and minimal reporting are available under a single pane of glass. Detailed reports will require Update Compliance. With deployment rings, technicians can:

  • Toggle Delivery Optimization settings
  • Set the servicing channel (targeted or broad).
  • Control update settings for Insider Preview builds.
  • Defer quality and feature updates.
  • Set device restart timing and behavior including restart “pre-flight” checks such as battery or user presence.

Using Windows Update for Business group policy settings allows organizations to manage patches in rings using the normal Windows Update client. There is no reporting available outside of Update Compliance, which requires telemetry data to be sent to the OMS cloud platform.

Deployment

Now for the fun part of the session. Intune has brought changes that lead many spectators and keyboard warriors to believe that this is the beginning of the end for ConfigMgr. Traditional deployment looks something like this:

  • Wait for new version of Windows to be released to download channel.
  • Create custom image.
  • Deploy custom image to a test group.
  • Broad deployment.
  • Manage patches in some way.

This will continue to work well for organizations that are infrastructure-heavy because they can use traditional or third-party methods to manage the content transfer as well as deployment method. This does not work well for organizations lacking infrastructure, or those wanting to reduce infrastructure. I once worked for a very well-established global architecture firm that wanted to remove all dependency on on-prem infrastructure–this is a thing companies are doing. Running a task sequence from the cloud can be very expensive because of compute, storage and network costs. What works in that scenario are the device reset features that Intune provides. With Intune, a technician can:

  • Control the OOBE experience from the day the device ships via AutoPilot
  • Reset a device
  • Refresh a device
  • Allow the end user or on-site technician to initiate redeployment using AutoPilot Reset
  • Assign applications
  • Make applications available through the Windows Store for Business (doesn’t require Intune, only Azure AD)

You can read about why Microsoft rebranded Automatic Redeployment to AutoPilot reset here: https://docs.microsoft.com/en-us/education/windows/autopilot-reset.

Looking back again at on-premises deployments, I need to address the argument of servicing versus task sequences for moving between versions of Windows. In general, I recommend the task sequence approach because it gives you so much control. That can be a very good thing in environments that are complex. Task sequences allow you to plan for failure and adjust accordingly. Task sequences also allow you to put in a pause to debug issues.

You can’t do that with servicing. Using servicing in ConfigMgr is allowing software updates features to move between versions. While there is no way to plan for failure or add pauses for debugging, it is a great option for a collection of machines with very little likelihood of failure. It also works well in environments where software updates are already working quite well and perhaps the team has little time for developing and testing sequences. The Windows team at Microsoft added in a ton of new features for Windows 10 1803 for deployment, including new DISM command line options that can possibly start paving the way for a switch from sequences to servicing. You can read about all the changes in this blog post: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1803/ba-p/188568.

Now, to answer the question, “Should I use sequences or servicing?” I say in general to use sequences until it stops making sense for your organization. If sequences add in too much complexity for creation, edits and troubleshooting, then perhaps servicing is your best option.

Looking Forward

For most organizations, it would be nearly impossible to make an immediate shift to the cloud. Many can’t simply because of privacy regulations. This post isn’t about arguing for or against governing policies, but it’s worth considering that some IT shops are governed by policies written for the industry by fairly non-technical individuals or organizations. They simply can’t move at light speed to new technology.

That is where the Cloud Management Gateway (CMG) and co-management fit very nicely into the picture. Technicians can shift certain workloads to cloud MDM via co-management that would traditionally be solely managed by ConfigMgr. CMG provides a means to manage ConfigMgr clients over the internet without the need for additional on-premises infrastructure or exposing the on-premises infrastructure to the Internet.

You can read about CMG and co-management from the following two links:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway
https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

As workers become more mobile, cloud access is becoming a necessity. In poorly connected areas or places where VPN is blocked, it is difficult if not impossible for the ConfigMgr agent to call home. A Cloud Management Gateway or CMG removes the limitation by allowing the ConfigMgr clients on Internet-based networks to perform many of the normal actions. A CMG is not required for co-management, and co-management isn’t just for clients that roam. Both features lessen the likelihood that a device remains completely unmanaged.

This means that the argument stops being MDM vs ConfigMgr but rather, more of a question of which scenario is best for an organization. The end goal isn’t to shift from one technology to another in the blink of an eye–it’s for Microsoft to provide ways for organizations to efficiently manage devices in their entire lifecycle regardless of their geographic location. By cutting infrastructure and other IT costs where necessary, IT is free to spend time and money on other–dare I say–more interesting efforts.

Oh, and Writing!

While doing all this, Microsoft MVPs and OSD experts often share with the community. This includes writing blogs, books and e-books. Last week, I completed an e-book that leverages the expertise of many gurus in the community. If driver management in ConfigMgr gives you pain, you may find it helpful.

E-book
ConfigMgr Driver Management Primer: From Total Chaos to Total Control
Download here

Hopefully, this post provides some insight into the balancing act of an OSD guru. There are many changing parts and different fits for each organization. Fortunately, when you attend conferences like MMS, you can spend time with your peers learning new things and assessing whether your current plans are working for your organization.

Amy Casto is an Adaptiva Technical Evangelist.

Is Windows Defender Mature Enough to Replace Third-Party Anti-virus/Anti-malware?

Think you already know everything you need to know about Windows Defender Antivirus versus third-party solutions? If you haven’t heard what Sami Laiho has to say, then I suggest you read on just to be 100% certain.

Sami is an elite global cybersecurity speaker and author. He provided a very interesting take in a recent webinar, Get Smart on Windows 10 Application Security. (View the full webinar here.)

The Young Adulthood of Windows Defender

When Windows Defender was first released in 2006, Microsoft described it as “not great, but better than nothing.” I’m paraphrasing, but that was the essence of their message at launch.

Microsoft told corporate customers not to abandon third-party anti-malware solutions in favor of Windows Defender. (Note: I’m using “anti-malware” even though the official name is “Windows Defender Antivirus” because viruses are a subset of malware.)

In the past dozen years, businesses’ need for comprehensive cybersecurity has skyrocketed. In response, Microsoft has continued to improve Windows Defender. As IT pros roll out Windows 10, they are re-evaluating their need for third-party anti-malware.

Is Windows Defender Grown Up Enough?

Instead of being coy, I’ll tell you flat out: Yes, Windows Defender is good enough to replace third-party anti-malware in most businesses, regardless of size. This does not mean it’s the right choice for every business, but it’s a viable option.

Now let’s talk about why! The logic is not very intuitive, so I’ll break it down. It starts with this premise:

Traditional anti-malware software—whether Windows Defender or third party—cannot be your primary endpoint protection anymore.

For many years, traditional anti-malware software was the backbone of Windows application security. At the core of these technologies is an engine that looks for software on your system—both on disk and in memory—that matches patterns of malware. The search for malware can be more sophisticated than just matching patterns, but that’s historically been the heart of it.

The patterns are stored in a definition file. You can think of it as a catalog of data used to identify malware. That definition file is frequently updated and distributed to all endpoints.

You are probably aware of more advanced anti-malware solutions that use things like real-time telemetry, cloud databases and artificial intelligence. One example of these is Microsoft Advanced Threat Protection (ATP), though many third-party solutions compete here, too. This blog references only traditional anti-malware engines, where Windows Defender competes.

If you suggest using Windows Defender, some IT pros may argue, “Third-party anti-malware solutions catch 99% of malware, and Windows Defender only catches around 94%. So why would I use Windows Defender?” While the exact numbers may vary, nobody disputes that third-party engines catch more malware than Windows Defender.

This is where it gets interesting …

All the major anti-malware providers find more than 1,000,000 new malware samples every day.

Whoa, what!? Yes, it’s right here on Sami’s slide from the webinar.

So, even at 99% coverage, an antimalware engine is missing more than 10,000 different pieces of malicious software every day. That’s a lot of pieces of badness flying under your radar daily. It only takes one to compromise your organization.

To make your company’s applications totally secure, you have to take additional measures. These start with using other Windows 10 security features such as whitelisting, exploit protection and many others. You may want to deploy other types of third-party security software (beyond anti-malware). Plus, you’ll need to apply myriad best practices throughout your organization.

In the context of this bigger picture, Windows Defender makes sense:

  • It will catch the overwhelming majority of malware.
  • It’s distributed and updated as a part of Windows 10 itself.
  • A strong security strategy does not rely on antimalware to catch everything.

What’s the Catch?

Windows Defender’s biggest disadvantage is that it does not have a centralized logging and alerting system. This can, however, be mitigated in several different ways:

  • Microsoft System Center Endpoint Protection can address this need for businesses using Microsoft System Center Configuration Manager.
  • Companies using Microsoft  can set up alerting through Windows Defender ATP.
  • A third-party security information event management (SIEM) system can track Windows Defender activity and provide alerting.
  • Event forwarding (a.k.a. log forwarding) may be a good option as well for smaller companies.

Log Forwarding

For organizations that don’t have an advanced solution for managing centralized logging and alerting from Windows Defender, log forwarding is a viable option. Log forwarding was originally released as part of Windows Vista, so it’s been around for a while.

Basically, you could allocate a centralized server for alerting and management with Windows Defender. Use group policy to forward events from every client to the central server. Create a task on the server that runs a PowerShell script to evaluate events, and send an email or take other action when alerting is merited.
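The evaluation script described above, as an added example that is not part of the original post. It assumes the collector was prepared with "wecutil qc" and that clients were pointed at it through the Event Forwarding group policy, so their Defender events land in the collector's ForwardedEvents log. The SMTP server, mailbox addresses, script path and lookback window are placeholders.

```powershell
# Added example (not from the original post): evaluate forwarded Windows Defender
# events on a collector and e-mail an alert when something needs attention.
# Assumes client events arrive in the collector's ForwardedEvents log.
# SMTP server, addresses, script path and lookback window are placeholders.

$LookbackMinutes = 15
$SmtpServer      = 'smtp.example.internal'              # placeholder
$AlertFrom       = 'defender-alerts@example.internal'   # placeholder
$AlertTo         = 'secops@example.internal'            # placeholder

# Event IDs from the Microsoft-Windows-Windows Defender/Operational channel.
$DefenderEvents = @{
    1116 = 'Malware detected'
    1117 = 'Action taken on malware'
    1118 = 'Action on malware failed'
    1119 = 'Critical action on malware failed'
    5001 = 'Real-time protection disabled'
}

function Get-DefenderAlerts {
    param([int]$Minutes = $LookbackMinutes)
    $filter = @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'Microsoft-Windows-Windows Defender'
        Id           = [int[]]$DefenderEvents.Keys
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no alerts".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName     # the forwarding client, not the collector
            Id       = $e.Id
            Summary  = $DefenderEvents[$e.Id]
            Detail   = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

function Send-DefenderAlert {
    param([object[]]$Alerts)
    if (-not $Alerts) { return }
    $body = $Alerts | Sort-Object Time | Format-Table -AutoSize | Out-String
    # Failed remediation (1118/1119) and protection switched off (5001) need a
    # human quickly, so they are counted separately in the subject line.
    $urgent = @($Alerts | Where-Object { $_.Id -in 1118, 1119, 5001 }).Count
    Send-MailMessage -SmtpServer $SmtpServer -From $AlertFrom -To $AlertTo `
        -Subject ("Defender: {0} event(s), {1} urgent" -f $Alerts.Count, $urgent) -Body $body
}

# Register this script as a repeating scheduled task on the collector (run once, elevated).
function Register-DefenderAlertTask {
    param([string]$ScriptPath = 'C:\Scripts\Defender-Alerts.ps1')   # placeholder path
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Minutes $LookbackMinutes)
    Register-ScheduledTask -TaskName 'Defender Alerts' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force
}

Send-DefenderAlert -Alerts (Get-DefenderAlerts)
```

Keep the lookback window equal to the task's repetition interval so every event is evaluated exactly once, and treat event 5001 as a priority on its own: a client whose real-time protection was turned off will stop producing the detection events this script depends on.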

Yes, Windows Defender Is All Grown Up

Windows Defender is a mature technology that is more than adult enough for your company to rely on. Even large enterprises can adopt it, though that doesn’t mean they should. Your organization’s technologies, challenges and processes are unique. Nobody can rightfully tell you “XYZ is the best anti-malware in all cases.”

That said, you can’t ignore Windows Defender anymore! It may make your life a little easier because it’s built into Windows. So, if you can make it work, it could free up some of the time you now spend managing anti-malware engines. Then you can use that time to work on the million other cybersecurity tasks on your list!

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.


Planning Your Company’s Win10 move? 3 Ways Applications Could Get in the Way

By Will Min (Consultant, IBM Services)

The majority of businesses today find themselves either in the midst of their Windows 10 migration or planning for it.

At IBM Services, we recently assisted a global engineering firm with a presence on seven continents undergo its Windows 10 migration, upgrading 12,000 to 17,000 machines a year largely through hardware replacement.

Things are now moving smoothly. However, as we prepared to embark on the project, there was a realization that in at least one area the transition would not necessarily be as straightforward as we had hoped and assumed: application management.

App management caused serious irritation during those Windows XP-to-7 migrations due to incompatibility of existing applications with the new OS. Certainly Microsoft–along with many other software vendors–has made real strides to limit much repetition of that notoriously tricky transition. However, there are still some challenges that many organizations–not least, larger ones with complex application estates and highly specific requirements–still need to be aware of.

The “Point” of Windows

Although they’re rarely given due prominence, applications are the reason operating systems exist in the first place. It’s a fact that stands out that much more clearly in a highly technical and specialized industry such as our client’s, which is engineering.

Besides a very large application estate (which we’ll touch upon shortly), this engineering firm has countless customized apps that it needs to be very conscious of during a hardware refresh and Windows upgrade. Without the right apps on their new machine, employees can’t do their work–it’s as simple as that.

To make matters even more complex, many of this conglomerate’s divisions require that individual machines retain multiple versions of the same application. For all of these to continue to function, they had to be installed in a specific order.

There also were other challenges that would be an obstacle to almost any Windows 10 migration at scale, creating a huge amount of manual intervention (and so slowing the process right down) and expenditure.

  1. Application Volume

Above a certain size, any organization is extremely likely to be managing thousands of individual apps.

As the engineering firm prepared for Windows 10, it became evident that the number of applications in use was in the tens of thousands.

With most IT teams relying on Configuration Manager inventory to track tens of thousands of application entries with, perhaps, only one in 100 being a real application of interest, it’s no wonder application management is so difficult with that much noise.

  2. Application Sprawl

With hundreds of applications in use across the organization, and individual devices commonly running 30 or more, managing that volume is hard.

What’s worse is that each installed application is a potential entry point for a cyber-attack. These applications also have a cost impact, as there will be a subscription or maintenance charge associated with each installation. This is known as “application sprawl.” If those applications aren’t being used, then these vulnerabilities and costs should be avoided if possible.

  3. Scale and Precision

Meanwhile, for any global organization–or, indeed, for any kind of conglomerate–there is still greater complexity around application management during a migration.

Different lines of business have different organizational policies and (crucially) licensing agreements. It’s imperative your Windows migration project respects and honors those specific application policies.

Manual … or Automated?

Once, these applications would all have had to be manually installed by support staff. That process could take anywhere from two days to a couple of weeks. Looking at a global Windows 10 migration, this was going to be far too long, expensive and disruptive a process.

In addition, the engineering firm in question needed to be able to provide a customized load for each user. Surely there should be a way to automate the process?

Initially, we worked with a third party to try and utilize an SCCM imaging tool.

This was an improvement, but the process was still taking around 20 minutes per load. This was proving nowhere near quick enough to keep up with the required pace of migration. The vendor just couldn’t keep up. Its build rate was about half the target rate.

Ultimately, we opted for 1E’s Windows Servicing Suite and its Application Migration tool.

This allowed the client to deal with all the challenges listed above, through a curated software catalog that automatically distinguishes between real applications and noisy ones.

Application Migration allowed IT to set specific migration rules during the migration. This was not only significantly more efficient, it was also millions of dollars cheaper than the previous automated approach. The ability to view a machine prior to migration saved our client precious build time so they could make sure they were happy with the load before the migration happened.

Whatever solution you settle on, it’s important, as you plan your Windows 10 migration, to establish whether application management could indeed impede or slow down your progress toward Windows 10. It bears repeating: Applications are the reason we all use Windows in the first place, something 1E is clearly cognizant of.

William Min is a consultant working for IBM Services. Previously he worked in operations and information technology management and has broad experience as a systems specialist for a variety of engineering, civil design and architecture firms.

Cloudlisting Is the New Whitelisting for Windows 10 Application Security

Your Windows 10 enterprise is only as secure as the shadiest app allowed to run. No matter how carefully you configure the OS itself, it can still run recklessly insecure applications. The obvious solution is: Don’t let users run garbage apps!

The Garbage App Law: Windows 10 apps are guilty of being garbage until proven to be totally secure.

This does not mean that the apps are insecure. It just means that your IT department must classify them as insecure until and unless there is evidence to the contrary.

So, how do you prevent users from running them? Traditionally the answer is whitelisting. However, the answer is increasingly becoming cloudlisting. In this blog, I’ll explain both. I’ll also tell you why I believe that the future of app security is in the cloud.

A Brief History of Windows Whitelisting

You’re all familiar with whitelisting, right? This is where you take time to make a list of all known-good applications that are specifically allowed to run in your organization. Then you enforce the list, so people can run only the applications on it. If somebody tries to run an application that is not on the list, the operation is denied.

Microsoft introduced AppLocker in Windows 7 Enterprise and Ultimate to address this need. It’s available in Windows 10 Enterprise and Education. AppLocker is more than just a simple allow list. It lets administrators create a set of rules to allow (or deny) applications based on the name of the file, who the publisher is or where the application is installed.

It’s not automatically foolproof. There are several common methods for bypassing it, such as installing a forbidden executable to a whitelisted location. Of course, with careful implementation and maintenance, AppLocker is extremely secure.

Whitelisting is effective, and it’s a great security tool for enterprises. However, it can take a fair amount of time and effort to create whitelists and keep them current. Enter cloudlisting.
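One way to build and test an AppLocker executable whitelist with the AppLocker PowerShell module, as an added example that is not part of the original post. It deliberately generates publisher and hash rules rather than path rules, because a path rule is exactly what the "install a forbidden executable to a whitelisted location" bypass mentioned above relies on, and it starts in audit mode so you can see what enforcement would break before turning it on. The reference directory, output path and test file are placeholders; the cmdlets are Windows PowerShell's built-in AppLocker module.

```powershell
# Added example (not from the original post): generate an AppLocker EXE policy from a
# clean reference machine, test a file against it, then enforce it.
# Reference directory, policy path and test file are placeholders.

$ReferenceDir = 'C:\Program Files'                 # placeholder: clean reference install
$PolicyXml    = 'C:\Policies\AppLocker-Exe.xml'    # placeholder output path

function New-ReferenceAppLockerPolicy {
    # Collect publisher and hash information for every executable on the reference machine.
    $files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe

    # Publisher rules cover signed code and survive vendor updates; Hash rules catch the
    # unsigned remainder. No Path rules: a path rule allows anything dropped into the folder.
    $xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'Ref' -Optimize -IgnoreMissingFileInformation -Xml

    # Start in audit mode. Event 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log
    # then records every file that ran but would have been blocked under enforcement.
    $doc = [xml]$xml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
    }
    New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
    $doc.Save($PolicyXml)
    return $PolicyXml
}

function Test-FileAgainstPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Returns Allowed, Denied or DeniedByDefault for the file under the saved policy.
    (Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User Everyone).PolicyDecision
}

function Get-AppLockerAuditHits {
    # Files that ran during the audit period but would be blocked once enforced.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'File'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Enable-AppLockerPolicy {
    # AppLocker does nothing unless the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyXml     # local policy; use -Ldap to target a GPO
}

# Usage (elevated Windows PowerShell):
# New-ReferenceAppLockerPolicy
# Test-FileAgainstPolicy -Path 'C:\Users\Public\Downloads\tool.exe'   # placeholder file
# Get-AppLockerAuditHits
# Enable-AppLockerPolicy
```

Flip EnforcementMode from AuditOnly to Enabled in the XML only after the 8003 audit events have gone quiet for a representative group of users; that audit pass is the maintenance effort the post refers to, and it is what keeps a whitelist from blocking the business.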

A Briefer History of Cloudlisting

Cloudlisting uses the cloud reputation of desktop apps (downloaded installers and executables) and web apps (websites/URLs) to build allow/deny lists. Cloudlisting lets you enforce application security using an automatically maintained whitelist in the cloud.

(Disclaimer: “Cloudlisting” is not technically a word. I made it up because the technology needed a clearer identifier. So, if you mention it by the water cooler, you can expect blank stares.)

What Is Cloud Reputation?

In the Windows world, cloud reputation refers to the trustworthiness of an app as ranked in a “service that Microsoft maintains.” This service may look at things like telemetry data on how many people are using it without problem, services that report on phishing and malware websites, the credibility of an app publisher, whether an app is registered in the Microsoft Store, or other factors.

Microsoft’s exact algorithm is not published, so cloudlisting is predicated on trust of Microsoft. Seems safe to me! Microsoft has never steered me wrong (with the possible exception of Windows ME).

Cloudlisting Started in the Browser

Microsoft introduced cloudlisting for websites/URLs in Internet Explorer (IE) 7 with the Phishing Filter. IE 8’s SmartScreen Filter enhanced the checking of websites/URLs for trustworthiness. IE 9 introduced SmartScreen Application Reputation, which looked at downloads of executable files to warn if they didn’t have a safe reputation.

Then It Moved to the Desktop

The Windows 8 SmartScreen Filter brought cloudlisting to desktop apps downloaded from the Internet. In Windows 10 the technology is called Windows Defender SmartScreen and is very mature. Group Policy or MDM settings can prevent users from running apps that lack a good reputation or are known as malicious.

Windows 10 still protects web browsing with cloudlisting, via Edge browser’s SmartScreen Filter for websites/URLs.
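The policy settings the two paragraphs above refer to can be audited across a fleet. The following is an added example, not code from the original post: it reads the registry counterparts of the "Configure Windows Defender SmartScreen" group policy from each device and reports whether unrecognized apps are merely warned about (the user can click through) or actually blocked, and it includes the hardened setting beside the weak one. The device names are constructed; remote reads need the Remote Registry service reachable on the targets.

```powershell
# Added example (not from the original post): audit Windows Defender SmartScreen policy
# on Windows 10 devices and flag those that only warn instead of block.
# Device names are constructed; remote reads require the Remote Registry service.

function Get-SmartScreenPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $key = 'SOFTWARE\Policies\Microsoft\Windows\System'
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $sub = $reg.OpenSubKey($key)
    $enabled = if ($sub) { $sub.GetValue('EnableSmartScreen') } else { $null }
    $level   = if ($sub) { $sub.GetValue('ShellSmartScreenLevel') } else { $null }
    $reg.Close()
    [pscustomobject]@{
        ComputerName = $ComputerName
        Enabled      = $enabled   # 1 = on, 0 = off, $null = not configured (user can change it)
        Level        = $level     # 'Warn' lets the user run it anyway; 'Block' does not
        Compliant    = ($enabled -eq 1 -and $level -eq 'Block')
    }
}

function Set-SmartScreenBlock {
    # Hardened setting, applied locally (elevated). The weak variant is the same two
    # values with ShellSmartScreenLevel = 'Warn', which turns a control into a prompt.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name EnableSmartScreen -Type DWord -Value 1
    Set-ItemProperty -Path $path -Name ShellSmartScreenLevel -Type String -Value 'Block'
}

# Constructed device list; real use would pull names from AD or a ConfigMgr collection.
$Devices = @('WS-001', 'WS-002')
$Devices | ForEach-Object { Get-SmartScreenPolicy -ComputerName $_ } |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A device that reports Enabled as $null is the one to worry about: with no policy set, SmartScreen is on by default but any local administrator can switch it off in Settings, so "not configured" is not the same as "protected".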

Cloudlisting Will Go Virtual

Microsoft recently introduced the Windows Defender Application Guard. The word application here refers to web apps, ostensibly because of all the cloud services that appear to users as websites. Application Guard lets administrators whitelist websites, cloud resources and internal networks. Anything not whitelisted is considered untrusted and is automatically run in a virtualized browsing session.

Forcing untrusted apps into a virtual Edge browser session is brilliant. Any damage an attacker inflicts will be limited to the virtual machine it’s running in, not the host OS. Access to resources will be limited, as well.

For now, Application Guard does not use cloudlisting; it’s pure whitelisting. Mark my words, though: It’s just a matter of time before this concept is extended to use cloud reputation. It makes perfect sense to virtualize apps that are neither known to be safe nor proven dangerous.

The Cloud Will Save Us

Some companies will always maintain comprehensive allow/deny lists, straight-up whitelists. Enterprises and certain industries such as financial institutions usually require total control. These companies may never use cloudlisting.

Many smaller companies are already using cloudlisting and calling it a day. Cloudlisting will get smarter and more secure every day. Microsoft will continue to improve it. (This is my prediction, not an official Microsoft statement, but I’d be surprised if it weren’t true.)

Over time, though, most companies will trust cloudlisting. The world is moving too fast to keep up with all the new applications, threats and countermeasures in every application. Businesses will let cloud reputation be their guide.

Which Should You Use Today?

Is SmartScreen good enough for your Windows 10 users, or do you need a whitelist? Hear what global security expert Sami Laiho suggests in this upcoming webinar.

Get Smart on Windows 10 Application Security

Friday, April 27
9 a.m. PDT / 12 p.m. EDT / 6 p.m. CEST

Click to register

You’ll learn a variety of tools, tips, and techniques for Windows 10 Application Security, including:

  • How to reduce apps’ attack surfaces with Windows Defender Exploit Guard
  • Best practices for application security in a Windows 10 enterprise
  • How to leverage Application Guard, Application Control and Edge browser virtualization
  • The basics of Office 365 Encryption
  • Techniques for saving time securing tens of thousands of endpoints

Whether you choose whitelisting, cloudlisting or both, one thing is clear: You can’t let people run all the applications they want to. The modern security landscape demands that you lock down the list of apps people are allowed to use. Do that, and you’ll be one step closer to a secure Windows 10 enterprise.

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.


Infographic: Windows 10 Security Features

I probably don’t need to convince you that Microsoft Windows 10 is a security must-have for enterprises. As a myITforum reader, you must know that security is critical to your company’s success. You also know that Windows 10 contains scores of must-have business security features.

You may not know, however, exactly what all the key Windows 10 security features are.

This infographic explains each feature and what it can do for your organization. It is arranged by operating phase (offline, boot, logon, running).


If you’d like to learn more, click through to the full infographic and blog for:

  • A PDF version of the infographic with links to more information on each Windows 10 security feature
  • A blog that provides more information about each item, as well as links to learn even more
  • A high-resolution JPG of the infographic

Click here for the full infographic and blog.

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.

Infographic: Enterprises’ Greatest Endpoint Security Challenges

This infographic shares some of the key insights from Adaptiva’s Enterprise Endpoint Security Survey of 175 IT professionals. The survey focuses on Microsoft Windows endpoints. The findings reveal that most companies are unable to keep all endpoints secure at all times. To learn more about the many factors contributing to the vulnerabilities, download the full report.


Download Report

Download Infographic as PDF

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.

The One Third-Party Patching Best Practice ConfigMgr Pros Need to Know

For most ConfigMgr pros, third-party patching is a bear of a problem—and that’s putting it politely. In a recent Adaptiva Endpoint Security Survey, 48% of IT pros called it “especially challenging.” At the same time, they rated it as one of their top security priorities.

What Exactly Is Third-Party Patching?

Third-party patching is the process of updating non-Microsoft software applications and drivers.

When it comes to updating Windows itself, Microsoft has a mature process in place for companies using ConfigMgr. Administrators can rely on timely notification of updates to Windows. Microsoft also provides an organized and consistent mechanism for delivering the updates, though it’s up to each organization how quickly it rolls them out.

However, Microsoft does not include updates for other companies’ software in Windows updates. The OS updates do include hardware drivers for many manufacturers and devices, though not all.

This leaves companies on their own to update non-Microsoft:

  • web browsers
  • productivity applications
  • vertical applications
  • anti-virus and anti-malware solutions
  • utilities like FTP software and PDF readers
  • specialized software tools for specific job-functions
  • drivers for some hardware
  • much, much more

Why Is It So Important?

I can explain the importance of third-party patching in one word: security. It really should be in all caps, but I don’t like to yell.

Before the Internet was a thing, PCs were not easily or commonly attacked from the outside. Many PCs didn’t connect to anything. Some used dial-up modems to connect to BBSs and things like that. Vendors patched software infrequently, and usually to fix bugs or add features—not to improve security.

Now we live in the age of Internet everything and broadband everywhere. Productivity is through the roof, but so is the danger. Everything that is cloud-enabled opens up an attack surface—even small things like Notepad++ or Evernote.

Cyberattackers are relentless, and an exploit of even the tiniest vulnerability in an application or driver can crush an enterprise. To remain as secure as possible, patches must be applied as soon after the vendor releases them as possible.

Why Is It So Hard?

As technology has progressed, the sheer volume of applications has become massive. A midsize company can easily manage hundreds of different software applications, and an enterprise may have thousands.

Adding to this, the pace of updates is extremely rapid. Some applications may be patched as often as multiple times within a week. By the time an IT department is notified of an update, tests it, gets it packaged and deploys it, the next update may already be released!

There is no unified mechanism for keeping track of updates to all of these applications. A company has to formulate a plan for tracking updates for each package from each vendor.

Admins may consider some of the patching solutions on the market. These solutions maintain their own database that they update daily with all the metadata and patches for applications from hundreds of vendors. So a ConfigMgr admin can use one service to update hundreds of vendors’ apps.

Another challenge is the actual rollout of patches. Microsoft ConfigMgr is a strong solution for deployment of patches. However, not all ConfigMgr environments are equal. A ConfigMgr architecture with dozens or hundreds of DP servers may see high numbers of delivery failures due to problems with distribution point servers. If just 1% or 2% of DP servers fail, the result can be thousands of unpatched endpoints.

Peer-to-peer delivery technology such as Adaptiva OneSite can make rollouts faster and easier. OneSite eliminates the need for servers, speeds delivery, and does a lot more to improve your success rates and shrink troubleshooting time and effort.

MDM solutions such as Microsoft Intune and VMware AirWatch bring cloud-based distribution to the rollout process, and will see increased adoption in the years ahead.

Here is a recap of the key challenges you need to solve:

  • Tracking applications and versions across endpoints
  • Knowing what patches vendors have released for which applications
  • Prioritizing which patches to deliver to which endpoints first
  • Having the person-hours and cycles to deal with it
  • Keeping pace with the speed of updates
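The first two challenges on that list, knowing what is installed and whether it is current, are the ones a script can help with. The following is an added example, not code from the original post: it inventories non-Microsoft applications from the registry Uninstall keys on a Windows endpoint and flags any whose version is below a minimum the patch owner maintains. The baseline table is constructed for illustration; real entries would be kept from the vendors' release notes or a patching service's catalog.

```powershell
# Added example (not from the original post): inventory installed third-party
# applications from the registry Uninstall keys and flag versions older than a
# minimum the patch owner maintains. The baseline is constructed for illustration.

# Constructed baseline: display-name regex -> minimum acceptable version.
$Baseline = @{
    'Notepad\+\+'   = '8.6.0'
    'Adobe Acrobat' = '23.0.0'
    'Google Chrome' = '120.0.0'
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApps {
    # Microsoft's own entries are dropped because Windows Update already covers them.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -notmatch '^Microsoft' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function ConvertTo-Version {
    param([string]$Text)
    # Vendors write "8.6.1", "120.0.6099.71" or "23.001.20093"; keep only the leading
    # dotted numeric fields so [version] can compare them. Returns $null if unparseable.
    if (-not $Text) { return $null }
    $m = [regex]::Match($Text, '^\d+\.\d+(\.\d+){0,2}')
    if ($m.Success) { [version]$m.Value } else { $null }
}

function Get-OutdatedApps {
    param([hashtable]$Minimums = $Baseline)
    foreach ($app in Get-InstalledApps) {
        foreach ($pattern in $Minimums.Keys) {
            if ($app.DisplayName -match $pattern) {
                $have = ConvertTo-Version $app.DisplayVersion
                $need = [version]$Minimums[$pattern]
                # An unparseable version is reported too: "unknown" must not pass as current.
                if ($null -eq $have -or $have -lt $need) {
                    [pscustomobject]@{
                        ComputerName = $env:COMPUTERNAME
                        Application  = $app.DisplayName
                        Installed    = $app.DisplayVersion
                        Minimum      = $Minimums[$pattern]
                    }
                }
            }
        }
    }
}

Get-OutdatedApps | Format-Table -AutoSize
```

Run this as a ConfigMgr script or compliance-settings discovery script and the output becomes the per-endpoint list the patching owner needs; the baseline hashtable is the one artifact that must be kept current, which is exactly the ownership problem the rest of this post is about.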

The One Most Important Best Practice

When I speak to people working in IT, and when I talk to vendors of third-party patching solutions, I hear one thing: Somebody needs to own it. Admins tell me stories of nobody knowing “whose week it is to patch.” I’ve also heard of everybody in IT sort of ducking responsibility for patching. If nobody owns third-party patching, it may get done well, or it may not.

So, the one best practice is:

Anoint a Patching King, Queen, Czar, Etc.

This person may also do all the patching, or they may coordinate others. This may be their only responsibility, or it may be one of many. They may also be responsible for operating system updates, or not. However you organize it, somebody in your company needs to be given the responsibility—and the time—for third-party patching.

You need one person responsible for:

  • Tracking all patches from vendors
  • Prioritizing the patches and machines to deliver them to
  • Confirming successful rollout / deployment

Ideally, you will also get executive sponsorship of patching. It is a critical security function. If it is visible at the CSO level, the people in the trenches are more likely to have the time and resources they need to get it right.

How to Implement

Usually when I ask people working in IT to give me their list of best practices, they offer technical advice. In this case, they all gave me the same answer, and it wasn’t technical at all. So the solution for you isn’t terribly technical, either.

Do you know who is responsible for third-party patching in your company? If not, ask your boss–maybe he or she knows. Of course, there is a good chance nobody owns it. In that case, I’ve provided you all the ammo you need to make the case to anoint a third-party patching czar—forward this blog. Just be prepared–you could be picked!

Learn More

To learn more about how to accelerate deployment of Windows 10, and speed delivery of updates and patches post-deployment, check out our archived Windows 10 Accelerator Program Webinar.