Security! It needs to be at the beginning and end of every conversation in the IT world. With Microsoft at the helm, it’s paramount that Managed Service Providers keep on top of Windows patching, especially related to Windows 10 patches. At this point, we believe the MSP community can agree, Windows 10 versioning and patching can be a challenge. There are 8 major version releases of Windows 10 but only 3 versions remain supported in production.
Tips:
- Know your versions!
- Windows 10 has only three supported versions with their current release cycle. These versions are currently 1803, 1809 and 1903. However, there are 5 more releases that are still unsupported. It’s important that your team stay on top of the latest builds and know what is live and End of Life. ProVal recommends using dataviews to compare the versions and see what is in compliance vs out of compliance. Conveniently, this information is now also housed in the CW Automate Web Portal on the Patching Metrics screen. This provides metrics so you can more easily understand what is up to date/out of date.
- Windows 10 patching metrics are a bit deceptive in Automate
- Windows 10 machines on an unsupported version of Windows 10 may show as “fully patched” or 100% compliant in Automate. However, these machines may be missing a major version release. They are in compliance for their current version, but they could be missing many patches because they are out of date for their build. A machine can only be considered up to date on patches if it is on a currently supported build of Windows.
- Make a version plan and stick to it!
- Depending on various factors (client vertical, acceptable downtime,software compatibility,etc.) it’s up to the MSP to decide what version their clients need to walk the line of functionality and security. ProVal recommends getting clients updated as soon as possible to at least 1809 (as of 8/30/2019). There are still various applications and complaints about 1903, but they are quickly getting patched and stabilized. 1803 will be unsupported after November 12 2019!
- Feature packs and the RMM
- RMMs are struggling to get these major releases installed via stock patch management automation. Right now, scripts are the best way to accomplish this situation. There is an ISO based solution provided by CW Automate in the solution center (Windows 10 Scripts). This script does require an ISO that the MSP will need to build and store in the LT Share.
- ProVal also has a scripted solution that automates the upgrade tool provided by Microsoft that upgrades to the latest build available. The only problem with our script is that it can only push to the latest, not to a targeted version. To prepare your clients and the team, we do recommend reaching out to the end client before pushing these updates since they usually take in excess of 3-5 hours!
- Get approvals done!
- To ensure these Windows systems are up to date with the latest patches for their specific builds, it is critical that a team member is approving patches on a set schedule. If patches are not approved, then you can be sure patches are not getting installed properly! ProVal recommends assigning a team member to be the “Patch Captain” and that person will be responsible to all approval and denial. We also recommend using askwoody.com to help vet out patches to ensure they are safe to install in client environments.
Hopefully, the above tips will help you build a solid framework to keep your clients secure from any Windows vulnerabilities. After all, security is only as strong as the weakest link! Have any questions? ProVal is here to help. Not only with best practices around when to get patches installed, but to get the reporting necessary to prove it works to your clients!