The Endpoint Management Meeting Minutes for the August meeting have been posted to the Endpoints@Duke Wiki.
As mentioned in the last Endpoint Management Meeting, an officially licensed version of Malwarebytes is now available for use. The Malwarebytes Incident Response product is a different experience than the freely-downloadable home-use product, but we are already scanning and cleaning almost 800 endpoints and have seen plenty of malware being removed. Please see the Malwarebytes IR page on this site and the Endpoints wiki for more information.
With only one week until Microsoft releases patches that are *not* freely available to Windows 7/2008/R2 devices, there are still plenty of managed devices running these operating systems at Duke. As seen by Planisphere in the last 24 hours, there are:
302 Windows 7 devices with an assigned Support Group (of which only FOUR have Quarantine Exemptions)
51 Windows 2008/R2 devices with an assigned Support Group (of which only TWO have Quarantine Exemptions)
Please do not wait until next week! Make any requests for Quarantine Exemptions (along with the date by which you expect to have these devices remediated or retired) to the IT Security Office as soon as possible. The best way to do this is to submit a ServiceNow Request to “Security-University” with as much information as you can give. This also applies to devices that cannot be migrated and will need to have long-term compensating measures put in place. Do not assume a previous conversation or e-mail thread is enough; if you do *not* see that your non-upgradable legacy device has been granted a Quarantine Exemption in Planisphere, submit a ServiceNow Request for it to receive a Quarantine Exemption as soon as possible.
(tl;dr: Windows 7/2008/R2 quarantines delayed to February 11, 2020. Pre-existing EOL OS quarantines to start July 31, 2020. We still have a lot of work ahead.)
Instead of the previously announced date of January 30, 2020, quarantines of Windows 7/2008/R2 devices from the Duke University network will now begin on *February 11, 2020*. This rescheduling is based on two factors:
- The true threat to Windows 7/2008/R2 will come on the “Patch Tuesday” *after* the EOL date for the OSes, which is this next “Patch Tuesday” on February 11. It is at this time, when Microsoft ostensibly releases patches that affect vulnerabilities in *supported* versions of Windows, that individuals will then look for the same vulnerabilities in *unsupported* versions of Windows, likely finding that some do indeed exist and can be exploited.
- The previous ITSO policy regarding quarantines of Windows XP/2003/R2 from the Duke University network was scheduled using this same logic.
Please note that the ITSO reserves the right to immediately quarantine devices running unsupported operating systems if a vulnerability of significant severity is announced before the scheduled quarantine date.
In addition, as hinted at previously, quarantines for operating systems that have already reached EOL (but had not been widely discussed) will start on July 31, 2020. This allows six months to plan and remediate these older unsupported operating systems over summer before the Fall Semester starts in August.
As promised in last week’s Endpoint Management Meeting, below is the information from the slide presentation with numbers and dates for both currently and soon-to-be unsupported operating systems on the Duke University network. The numbers are from January 16, but they likely haven’t changed much since then (in fact, due to reporting changes, some have gone *up*!). We’ve cleaned up a few discrepancies and added quarantine dates to the slide information.
Unsupported Operating Systems
It’s worse than you think. O_O
Unsupported NOW (Quarantine Date: February 11, 2020)
– 558 Windows 7 devices
– 97 Windows Server 2008/R2 devices
– Viewable as “running an unsupported Operating System” in your Planisphere Dashboard right now.
ALSO Unsupported NOW (Quarantine Date: July 31, 2020)
– 10 Windows XP/Vista devices
– 98 Fed29/RHEL5/Deb8/Ubu14 and older
– 262 Windows 10 (1511), (1607), (1703), Home/Pro (1709), Home/Pro (1803)
– 1035 macOS 10.12 and older
– ALSO viewable as “running an unsupported Operating System” in your Planisphere Dashboard right now.
Unsupported in 2020 (Quarantine Date: Approximately 30 Days After EOL)
– 281 Windows 10 Enterprise (1709) (14 April, Quarantine: 12 May)
– 160 Windows 10 Home/Pro (1809) (12 May, Quarantine: 9 June)
– 1036 macOS 10.13 (End of September-ish, Quarantine: End of October-ish)
– 2090 Windows 10 Enterprise (1803) (10 November, Quarantine: 8 December)
– 785 Windows 10 Ent/Home/Pro (1903) (8 December, Quarantine: 12 January 2021)
– ALL THE LINUX 6s!!! (763) (30 November, Quarantine: 31 December)
Unsupported in 2021 (Quarantine Date: Approximately 30 Days After EOL)
– 2916 Windows 10 Enterprise (1809) (11 May)
– 94 Windows 10 Home/Pro (1909) (Also 11 May)
– 74 Ubuntu 16.04 (25 April)
-3058 macOS 10.14 (End of September-ish)
So, What NOW?!
– Finish Windows 7/2008/R2 efforts
– Start “catch-up” efforts with older OSes
– ALSO Start on Win10 (1709), macOS 10.13, Linux 6
– BE READY to keep this up. Windows and macOS OSes should be upgraded EVERY TWO YEARS.
DISCUSSION POINTS AFTER SLIDES:
– With Windows XX09 builds on a 30-month support cycle and macOS on a 36-month support cycle–both starting in or around early October–IT groups should get used to upgrading 27-month-old OSes starting in January. Whether IT groups install the new 3-month-old OS (allowing for a two-year refresh cycle) or the tested 15-month-old OS (requiring a one-year refresh cycle) is up to them. Participating in the Apple Beta program or Windows Insider program can give IT groups time to test *before* the new OS is released.
– ALL Windows 10 Home/Pro builds have an 18-month support cycle. ALL Windows 10 Enterprise XX03 builds have an 18-month support cycle. Unless IT groups are prepared to commit to a one-year refresh cycle for even a subset of their devices, *nobody* should be installing (or leaving installed) Windows 10 Home/Pro or Windows 10 Enterprise XX03 builds in general production.
– We’re working on a way to get “warning” information in Planisphere, but in the meantime, please reference the above schedule, which shouldn’t change much if at all.
Thanks! Let us know if you have any questions or concerns.
Did you know that Duke University has an AppleCare OS Support Select Agreement? We do! In addition to handling requests related to Apple OS, IOS and other products, Apple will work though this agreement to resolve issues related to Apple deployments managed via our Jamf Pro instance as well. A brief overview of the program details as well as the methods for getting tickets submitted can be found at the Duke Endpoints wiki.
Effective use of Windows 10 Enterprise LTSB will depend on your specific needs and the needs of your users.
With the release of Windows 10 in 2015, Microsoft introduced a new sub-edition of Windows 10 Enterprise called “Long Term Servicing Branch” or “LTSB”. Each release of Windows 10 Enterprise LTSB will remain relatively unchanged–receiving only security updates and bug fixes, but no feature updates–through a 10-year lifespan.
To date, Microsoft has delivered two releases of Windows 10 Enterprise LTSB (2015 and 2016) with the next expected in 2019. While, according to Microsoft, LTSB was “designed for special-purpose PCs such as those used in point-of-sale systems or controlling factory or medical equipment”, some in IT have deployed it to common end-user computers, citing the benefit of having no Windows Store apps (which includes Microsoft Edge and Cortana) and no semi-annual feature updates to deal with.
However, recent articles and an updated Microsoft FAQ point out that, as released versions of Windows 10 Enterprise LTSB will not receive newer features, they will also not be supported on newer computer processors (such as Intel’s eighth-generation “Kaby Lake Refresh” architecture, released in August, 2017) . This introduces a potential down-side to deploying LTSB, but it’s not a new concept, as both Windows 7 and Windows 8.1, both still fully supported by Microsoft on older hardware, are only partially supported on Intel’s sixth-generation “Skylake” processors and are not supported on the seventh-generation “Kaby Lake” processors.
So, should we be deploying Windows 10 Enterprise LTSB here at Duke? That’s a question each group will have to answer for themselves. There are no security reasons to not deploy LTSB. There are no system management reasons to not deploy LTSB. There are only functionality and hardware requirements to be considered, and those requirements will be different from department to department and, in some cases, from user to user.
You should not deploy Windows 10 Enterprise 2016 LTSB if…
- …the user requires Windows Store apps (which includes Microsoft Edge and Cortana).
- …the user requires core Windows 10 functionality that’s been introduced since the latest LTSB release (Windows Subsystem for Linux, for example).
- …the user has a new computer running on an Intel eighth-generation “Kaby Lake Refresh” or newer processor.
- …your environment requires that all computers be running the exact same operating system.
You might want to consider deploying Windows 10 Enterprise 2016 LTSB if…
- …none of the previously stated requirements apply to your users or your environment.
- …you would like to completely opt out of Microsoft’s “Windows as a service” twice-per-year feature upgrade cycle.
- …you would like to opt out of the optional Windows Store software pre-loaded onto other Windows 10 editions.
- …you can support having multiple editions of Windows 10 in production on newer hardware.
With Windows 10 Enterprise 2016 LTSB, Microsoft provides a more stable and business-like environment, but at the expense of cutting-edge functionality and compatibility. Whether or not LTSB is right for you and your users is for you to decide. For some (like the author), the benefits outweigh the cost.
If you are part of the School of Medicine, School of Nursing, or are connected to the Duke Health System Network, you will need to install the BigFix client that communicates with the Health System instance of BigFix, not the Self-Managed Endpoint Client installers available through the OIT Software Licensing website. You can find the proper installers on the Duke Health Intranet BigFix page. Windows, Macintosh, and Linux clients are available along with instructions.