Important Advisory

On Monday, Microsoft released an advisory to inform users of a vulnerability affecting all supported versions of Windows, including Windows 10, Windows Server 2012, Windows Server 2016, and Windows Server 2019.

Microsoft is working on a fix for the vulnerabilities but has not given a time frame for when the patch will be released, nor said whether it will ship on Patch Tuesday or as an out-of-band patch, as it has for other zero-day exploits in the past. The next Patch Tuesday is currently scheduled for April 14.

Microsoft simply stated that the attacks are “limited” and “targeted” and that the advisory should serve as a warning until a patch is released.

Microsoft has recommended the following workarounds until a patch is released:

  • Disabling the Preview Pane and Details Pane in Windows Explorer
  • Disabling the WebClient service
  • Renaming ATMFD.DLL
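As an added example that is not part of Microsoft's advisory or of the Zunesis text above, the PowerShell below audits a machine for the three workarounds and, when run with -Apply, puts them in place. The registry value names it uses for the Explorer panes (NoPreviewPane, NoReadingPane, IconsOnly) and the DisableATMFD value are assumptions drawn from the corresponding Group Policy settings rather than from this page, and the atmfd.dll rename follows the manual takeown/icacls sequence Microsoft publishes for that workaround; check both against the linked advisory for your Windows version before relying on them.

```powershell
<#
  Added example, not Microsoft's or Zunesis' code: audit (default) or apply
  (-Apply) the three ADV200006 workarounds. Run from an elevated prompt.
  Assumptions, to be verified against the linked advisory for your OS build:
    * Preview/Details pane and thumbnail state is controlled by the HKCU
      policy and Explorer\Advanced values named below.
    * DisableATMFD under HKLM\...\Windows NT\CurrentVersion\Windows is the
      registry form of the "rename ATMFD.DLL" workaround.
#>
[CmdletBinding()]
param([switch]$Apply)

$Policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$FontKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Preview Pane / Details Pane (assumed policy values; 1 = pane turned off)
$paneState = [ordered]@{
    NoPreviewPane = (Get-RegDword $Policy   'NoPreviewPane')
    NoReadingPane = (Get-RegDword $Policy   'NoReadingPane')
    IconsOnly     = (Get-RegDword $Advanced 'IconsOnly')      # never thumbnails
}
Write-Host "Explorer pane settings (null = not set):`n$($paneState | Out-String)"
if ($Apply) {
    Set-RegDword $Policy   'NoPreviewPane' 1
    Set-RegDword $Policy   'NoReadingPane' 1
    Set-RegDword $Advanced 'IconsOnly'     1
}

# 2. WebClient (WebDAV) service: the remote vector the advisory calls most likely
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host "WebClient: Status=$($svc.Status) StartType=$($svc.StartType)"
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
} else {
    Write-Host 'WebClient service not present on this system.'
}

# 3. ATMFD.DLL: report whether the font driver is still in place; rename if asked
foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
    $dll = Join-Path $dir 'atmfd.dll'
    if (-not (Test-Path $dll)) { continue }
    Write-Host "Found $dll (font driver still present)"
    if ($Apply) {
        # Same order as the manual steps: take ownership, save the ACL for
        # later restore, grant Administrators full control, then rename.
        takeown.exe /f $dll | Out-Null
        icacls.exe $dll /save "$dll.acl" | Out-Null
        icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
    }
}
$disabled = Get-RegDword $FontKey 'DisableATMFD'
Write-Host "DisableATMFD = $disabled (1 = driver disabled; null = not set)"
if ($Apply) {
    Set-RegDword $FontKey 'DisableATMFD' 1
    Write-Host 'Restart the system for the ATMFD change to take effect.'
}
```

Run it once without -Apply to record the current state for each device; in that mode it changes nothing. The saved .acl file is what lets you put the original permissions back with icacls /restore once the real patch is installed and the DLL is renamed to its original name.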

Additional Vulnerabilities with Windows 7 and Adobe Type Manager

Windows 7 is also affected by this vulnerability. A patch will be developed for Windows 7; however, unless a user subscribes to Windows 7 Extended Security Updates, they will not have access to it. See the link at the bottom for more information on the Extended Security Update program.

The active attacks target a flaw in the Adobe Type Manager Library. Two remote code execution vulnerabilities exist in Windows when the Adobe Type Manager Library improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format.

The advisory states, “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”


The advisory link from Microsoft can be found here:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#march-23-flaw

Information about how to get patches for products in the Extended Security Update program can be found here:

https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates


Please reach out to Zunesis if you have any questions regarding this advisory or need help with implementing the workarounds. We are here to help in any way that we can.

Overview of Windows as a service

Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. So, if you often find yourself wondering, “Are Windows updates necessary?”, consider this new approach. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before. Microsoft releases new features two to three times per year rather than following the traditional upgrade cycle, in which new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects.

Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. It also meant waiting long periods without new features. That scenario doesn’t work well in today’s rapidly changing world, in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.

Deploying

Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data, and once a device is running Windows 10, deployment of Windows 10 feature updates will be equally simple.

One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.

Servicing

Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. Are Windows updates necessary? With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.

Naming changes

As part of the alignment with Windows 10 and Office 365 ProPlus, Microsoft is adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms they will be using:

  • Semi-Annual Channel – They will be referring to Current Branch (CB) as “Semi-Annual Channel (Targeted)”, while Current Branch for Business (CBB) will simply be referred to as “Semi-Annual Channel”.
  • Long-Term Servicing Channel – The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).

Servicing tools

There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:

  • Windows Update (stand-alone) provides limited control over feature updates. IT pros manually configure the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
  • Windows Update for Business is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
  • Windows Server Update Services (WSUS) provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
  • System Center Configuration Manager provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
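As an added example (not from this page, and not a Microsoft script), the PowerShell below writes and then reads back the Windows Update for Business deferral settings that the Group Policy option in the list above controls, using the values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the “Select when Preview Builds and Feature Updates are received” and “Select when Quality Updates are received” policies write. The value names, the 16/32 readiness-level codes and the 365-day and 30-day limits are assumptions taken from those policy definitions rather than from this page; confirm them against the ADMX or Intune documentation for your Windows build.

```powershell
<#
  Added example, not the page's or Microsoft's code: set Windows Update for
  Business deferrals through the local policy registry key and show the
  resulting state. Run from an elevated prompt on a Semi-Annual Channel client.
  Assumed (verify for your build): value names below, BranchReadinessLevel
  16 = Semi-Annual Channel (Targeted) / 32 = Semi-Annual Channel, feature
  deferral 0-365 days, quality deferral 0-30 days.
#>
[CmdletBinding()]
param(
    [ValidateRange(0, 365)] [int]$FeatureDeferDays = 120,
    [ValidateRange(0, 30)]  [int]$QualityDeferDays = 7,
    [ValidateSet('Targeted', 'Broad')] [string]$Channel = 'Broad'
)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Readiness = @{ Targeted = 16; Broad = 32 }[$Channel]

if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# Ordered so the read-back below lists them in the same sequence
$settings = [ordered]@{
    BranchReadinessLevel            = $Readiness
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = $FeatureDeferDays
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = $QualityDeferDays
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $Key -Name $name -Value $settings[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read the key back rather than trusting what we just wrote, so a value
# rejected by the registry provider shows up here instead of at next scan.
$applied = Get-ItemProperty -Path $Key
[pscustomobject]@{
    Channel            = $Channel
    ReadinessLevel     = $applied.BranchReadinessLevel
    FeatureUpdateDelay = "$($applied.DeferFeatureUpdatesPeriodInDays) days"
    QualityUpdateDelay = "$($applied.DeferQualityUpdatesPeriodInDays) days"
} | Format-List
```

Running the script with no parameters applies the defaults shown in the param block; pass different deferral periods to stage rings of devices. Intune's update rings write the equivalent settings through the Update policy CSP, which is the no-on-premises route the list mentions.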

Using SCCM

System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.


You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.

Conclusion

Windows servicing is changing. For disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build.
