To LTSB or not to LTSB? It depends…

Effective use of Windows 10 Enterprise LTSB will depend on your specific needs and the needs of your users.

With the release of Windows 10 in 2015, Microsoft introduced a new sub-edition of Windows 10 Enterprise called “Long Term Servicing Branch” or “LTSB”. Each release of Windows 10 Enterprise LTSB will remain relatively unchanged–receiving only security updates and bug fixes, but no feature updates–through a 10-year lifespan.

To date, Microsoft has delivered two releases of Windows 10 Enterprise LTSB (2015 and 2016) with the next expected in 2019. While, according to Microsoft, LTSB was “designed for special-purpose PCs such as those used in point-of-sale systems or controlling factory or medical equipment”, some in IT have deployed it to common end-user computers, citing the benefit of having no Windows Store apps (which includes Microsoft Edge and Cortana) and no semi-annual feature updates to deal with.

However, recent articles and an updated Microsoft FAQ point out that, because released versions of Windows 10 Enterprise LTSB will not receive newer features, they will also not be supported on newer computer processors (such as Intel’s eighth-generation “Kaby Lake Refresh” architecture, released in August 2017). This introduces a potential downside to deploying LTSB, but it’s not a new concept: Windows 7 and Windows 8.1, both still fully supported by Microsoft on older hardware, are only partially supported on Intel’s sixth-generation “Skylake” processors and are not supported on the seventh-generation “Kaby Lake” processors.

So, should we be deploying Windows 10 Enterprise LTSB here at Duke? That’s a question each group will have to answer for themselves. There are no security reasons not to deploy LTSB. There are no system-management reasons not to deploy LTSB. There are only functionality and hardware requirements to be considered, and those requirements will be different from department to department and, in some cases, from user to user.

You should not deploy Windows 10 Enterprise 2016 LTSB if…

  • …the user requires Windows Store apps (which includes Microsoft Edge and Cortana).
  • …the user requires core Windows 10 functionality that’s been introduced since the latest LTSB release (Windows Subsystem for Linux, for example).
  • …the user has a new computer running on an Intel eighth-generation “Kaby Lake Refresh” or newer processor.
  • …your environment requires that all computers be running the exact same operating system.

You might want to consider deploying Windows 10 Enterprise 2016 LTSB if…

  • …none of the previously stated requirements apply to your users or your environment.
  • …you would like to completely opt out of Microsoft’s “Windows as a service” twice-per-year feature upgrade cycle.
  • …you would like to opt out of the optional Windows Store software pre-loaded onto other Windows 10 editions.
  • …you can support having multiple editions of Windows 10 in production on newer hardware.

With Windows 10 Enterprise 2016 LTSB, Microsoft provides a more stable and business-like environment, but at the expense of cutting-edge functionality and compatibility. Whether or not LTSB is right for you and your users is for you to decide. For some (like the author), the benefits outweigh the cost.


Special Note Regarding Self-Managed Endpoint Clients And Duke Health Devices

If you are part of the School of Medicine or School of Nursing, or are connected to the Duke Health System Network, you will need to install the BigFix client that communicates with the Health System instance of BigFix, not the Self-Managed Endpoint Client installers available through the OIT Software Licensing website. You can find the proper installers on the Duke Health Intranet BigFix page. Windows, Macintosh, and Linux clients are available along with instructions.


Endpoint Management Operational and Privacy Protocols

The purpose of Duke’s endpoint security program is to secure laptops and desktops purchased by Duke and used by faculty and staff. The applications used to support these efforts may only be used to: (a) report on missing software updates; or (b) apply missing software updates if the machine is fully managed by departmental or central IT staff. They will also be used to report and automatically address security issues on the machine, such as the presence of viruses or malware.

Any IT administrators with access to the endpoint security tools, including the IT Security Office, are required to adhere to the Duke Acceptable Use Policy, particularly those statements regarding the expectation of privacy for the Duke community:

Duke cherishes freedom of expression, the diversity of values and perspectives inherent in an academic institution, the right to acknowledgment, and the value of privacy for all members of the Duke community. At the same time, Duke may be required by law to access and disclose information from computer and network users’ accounts or may find it necessary do so in order to protect Duke’s legal interests, uphold contractual obligations, or comply with other applicable Duke policies. Duke may also be required to access information to diagnose and correct technical problems.

IT administrators may not use their access to look at content on the systems they maintain, except under the conditions outlined above. Any additional access must be approved by the President or Executive Vice President of Duke University. Use of the security management tools is audited for this reason. Any concerns regarding inappropriate access should be directed to the school’s IT Director or the campus IT Security Office.

In addition, the departmental IT groups, IT administrators for the endpoint security software, and the IT Security Office are bound by confidentiality agreements to keep any system information reported by the tools private. A copy of the confidentiality agreement may be found on Duke HR’s website.

This information is also available on the Duke IT Security Office website.


Duke University Self-Managed Endpoint Clients Now Available

Due to the risks posed by devices that are missing security updates, the University has implemented a policy that requires all Duke-owned endpoints (laptops, desktops, and Windows/Linux tablets) to be enrolled in a campus security management system by September 30, 2017. This policy applies not only to endpoint devices that are managed by a departmental IT support group, but also to Duke-owned devices that are managed by their primary user.

Endpoint Management software configured for self-managed endpoint devices is now available from the Duke Software Licensing site. Users with Windows or Linux devices should download the appropriate IBM BigFix client; users with macOS devices should download either the IBM BigFix client or the Jamf Casper client for that platform.

If you have any questions, please contact the OIT Service Desk or the University IT Security Office.

Note: If you are part of the School of Medicine or School of Nursing, or are connected to the Duke Health System Network, you will need to install the BigFix client that communicates with the Health System instance of BigFix. You can find these client installers on the Duke Health Intranet BigFix page. Windows, Macintosh, and Linux clients are available along with instructions.


New Policy Requires Enrollment in Device Management

Due to the risks posed by systems that are missing security updates, the University is implementing a policy that requires all Duke-owned computers to be enrolled in a campus security management system by Sept. 30, 2017.

This policy is designed to provide the University with the direction and support needed to ensure that devices connecting to our network are kept up-to-date with security patches and can be associated with an individual or group. While the methods may differ depending on the device type, the intent is to make sure all devices are well-protected.

Below is additional guidance for IT staff on implementation priorities:

  1. Planisphere: Use Planisphere for tracking your IT assets and identifying which are enrolled in one of the endpoint management tools. A new report shows the status of machines on a per-VRF and per-subnet basis. We’re still tweaking the report and adding more data sources for context. However, you should be able to pick the subnet or VRF you are interested in and get a list of what is connecting that needs to be addressed. As your Planisphere Support Groups are created, you will need to assign tags to filter your devices in Planisphere. We’ll be running informational sessions on Planisphere in the coming weeks to help you get started and to collect feedback. We’ll also be discussing Planisphere at various user group meetings, including SLG (early August), win-admin and unixgroup. In the meantime, please send feedback to planisphere-feedback@duke.edu.
  2. Servers and VMs: Servers are considered to be different from laptops/desktops, but they should still be managed. OIT and other departments have made good use of SCCM, BigFix, WSUS, Puppet, Ansible, and Spacewalk as options. VMs should also be maintained. VMs running on enterprise infrastructure like ESX should be managed or tracked, and a process should be in place to track and/or update them. For VMs on desktops and laptops, the priority is to ensure the host OS is kept up-to-date and tracked. Dual-boot machines should have coverage on both OSes, and will be reported in Planisphere.
  3. Research labs: If you have research lab environments, Duke OIT and ITSO would like to know about them so we can work with you on which alternative protections might be needed. Please email itso@duke.edu for assistance with labs.
  4. Mobile devices: Phones and tablets are not in the policy’s current scope, but, if you have Duke-purchased phones and tablets, please begin considering how these are managed and tracked. Casper is available for iOS devices today, with information available on this site.