GET YOUR HOUSE IN ORDER
Patching and Imaging Creation Strategies
SPEAKERS
  Phil Schwan, Solution Architect, Netrix, LLC
Agenda
  - Windows Image Management
  - Windows Servicing
  - Patch Management
TRADITIONAL IMAGING
Build and Capture?
  - WaaS means new build every 6 months
  - Quality Updates are cumulative
  - Secure = Current Branch + a couple patches
  - Thicker image still a valid case
Designed for Modern IT
  - Simplify device lifecycle management
  - Keep platform secure & up to date
  - Make the user the center of IT
  - Drive scale with cloud
  - Stay secure as cyber threats evolve
Modern IT
Modernize and simplify, across the stack.
  - No imaging, use what comes on device
  - Transform new devices so they are ready for productive use
  - Lower effort, lower cost
  - Cloud-focused, lightweight MDM management
  - Just enough management, the end of the IT overlords
  - Windows Store for apps
  - Office 365 Pro Plus
  - Cortana
  - 2:1 devices with touch, ink, etc.
  - Azure Active Directory
  - Windows Defender stack, minimize third parties
  - Many core OS features
  - Sync with the cloud, for automatic availability, migration, backup
  - Proactive rather than reactive; discover issues and fix them before users report them (or in some cases, even notice)
Traditional vs Modern Management
  Area | Traditional | Modern
  Provisioning | OSD/Imaging | AutoPilot/Provisioning Package
  Identity/Authentication | Active Directory | Azure Active Directory
  Membership | Domain Join/Workgroup | Azure AD Join
  Software Updates | Granular selection, targeting and scheduling | Windows Update for Business, Update rings/deferrals
  Applications | Win32, Windows Store for Business | UWA, Windows Store, SaaS, Win32*
  Management Agent | ConfigMgr | MDM (OMA-DM)
  Policies | Group Policy | MDM (OMA-DM)
  * Sidecar capability for delivering complex MSI, scripts, etc.
When does modern management make sense?
DEMO Modern Management Provisioning AzureAD + Intune
Windows Servicing
Servicing Model Updates
  - Twice-per-year feature releases
  - 18 month support cycle for each OS build
  - Two branches (no more Current Branch for Business)
      - Semi-Annual Channel
      - Long-Term Servicing Channel
  - ISOs updated monthly with latest cumulative updates
Windows 10 Servicing: Old Timeline
[Timeline chart, July 2016 to Feb 2018; phases per build are Evaluate, Pilot, Deploy / Use]
  1507: Evaluate, Pilot, Deploy / Use: (done), 4 months, 12 months, 60+ days (Support ends May 2017)
  1511: Evaluate, Pilot, Deploy / Use: 4 months, 4 months, ~16 months, 60 days (Support ends October 2017)
  Anniversary Update 1607: Evaluate, Pilot, Deploy / Use: ~8 months, 4 months, ~16 months, 60 days
  Creators Update 1703: Evaluate, Pilot, Deploy / Use: ~8 months, ~4 months
Windows 10 Servicing: New Timeline
[Timeline chart, Mar 2017 to Jun 2019]
  1511: Deploy / Use, 22 months (Support ends Oct. 10, 2017)
  1607, 1703: Deploy / Use ~16 months; Pilot / Deploy / Use
  1709: Evaluate (Insider Preview) ~6 months; 18 months Pilot / Deploy / Use
  1803: Evaluate (Insider Preview) ~6 months; 18 months Pilot / Deploy / Use
Windows 10 Servicing - Controls
Microsoft
  - Microsoft hosts content
  - Light management approach
  - Clients point to Windows Update for scanning and availability
  - Windows Update for Business = Controlled release
  - Always relative to Microsoft's timing
  - Non-selective (must eventually be installed)
Internal IT
  - You host the content
  - Heavy, granular control
  - Clients point to WSUS for scanning and availability
  - WSUS approval means absolute control over
  - All timing is controlled by policy
  - Selective (can skip updates completely)
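An added example, not part of the original deck: PowerShell that classifies which of the two control models above a client's policy selects, using the standard Windows Update policy registry values. The function names, the `Mixed` and `WindowsUpdateDefault` labels, and the sample clients are hypothetical and constructed for illustration.

```powershell
# Standard Windows Update policy locations.
$WUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey = "$WUKey\AU"

# Read one policy key into a hashtable; a missing key yields an empty table.
function Read-PolicyKey([string]$Path) {
    $values = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $values[$_.Name] = $_.Value }
    }
    return $values
}

# Hypothetical helper. Takes hashtables so it works on exported or constructed
# data as well as on the live registry.
function Get-ServicingControlModel([hashtable]$WU = @{}, [hashtable]$AU = @{}) {
    # Internal IT model: the client is told to scan a WSUS server.
    $wsus = ($AU['UseWUServer'] -eq 1) -and -not [string]::IsNullOrWhiteSpace($WU['WUServer'])
    # Microsoft model with controlled release: a WUfB deferral policy is set.
    $wufb = ($WU['DeferFeatureUpdates'] -eq 1) -or ($WU['DeferQualityUpdates'] -eq 1)

    # 'Mixed' = both sets of policy present; confirm which source the client scans.
    $model = if ($wsus -and $wufb) { 'Mixed' } elseif ($wsus) { 'WSUS' } elseif ($wufb) { 'WUfB' } else { 'WindowsUpdateDefault' }

    [pscustomobject]@{
        Model               = $model
        WsusServer          = $WU['WUServer']
        FeatureDeferralDays = $WU['DeferFeatureUpdatesPeriodInDays']
        QualityDeferralDays = $WU['DeferQualityUpdatesPeriodInDays']
    }
}

# Constructed sample clients (not real hosts or servers).
$samples = [ordered]@{
    'pc-wsus'  = @{ WU = @{ WUServer = 'https://wsus.example.internal:8531' }; AU = @{ UseWUServer = 1 } }
    'pc-wufb'  = @{ WU = @{ DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 120
                            DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7 }; AU = @{} }
    'pc-mixed' = @{ WU = @{ WUServer = 'https://wsus.example.internal:8531'; DeferQualityUpdates = 1
                            DeferQualityUpdatesPeriodInDays = 14 }; AU = @{ UseWUServer = 1 } }
    'pc-none'  = @{ WU = @{}; AU = @{} }
}
foreach ($name in $samples.Keys) {
    $s = $samples[$name]
    Get-ServicingControlModel -WU $s.WU -AU $s.AU | Select-Object @{ n = 'Client'; e = { $name } }, *
}

# On a live client:
# Get-ServicingControlModel -WU (Read-PolicyKey $WUKey) -AU (Read-PolicyKey $AUKey)
```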
DEMO Windows Servicing Options Windows Update for Business Intune SCCM (WSUS)
Patch Management
Third Party Patching Options
Two primary options:
  - WSUS integrated
  - Agent based
WSUS INTEGRATION
  - Utilize Windows Update Agent to govern patch compliance and installation
  - System Center Updates Publisher (SCUP)
  - Create in-house or use subscription service
WSUS INTEGRATION
SCUP Methodology
  - Create patch payload (patch install files)
  - Define compliance rules (what to target, how to tell)
  - Sign with cert the clients trust
  - Deploy (WSUS/SCCM)
Third party services such as PatchMyPC can do the heavy lifting
You have to know what needs to be patched
AGENT BASED PATCHING
  - Separate agent from normal management platforms like SCCM
  - Agent handles installation as well as compliance evaluation
  - Powerful option, but at an additional cost
AGENT BASED PATCHING
Popular Third Party Options:
  - Flexera Personal Software Inspector (Secunia CSI)
  - Ivanti Patch (Shavlik)
  - SolarWinds
  - GFI LanGuard
DEMO Third Party Patching
Summary
  - Windows Image Management
  - Windows Servicing
  - Patch Management