Sustaining Windows in Government Clouds

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

If you’re an IT professional working in a highly regulated industry, particularly the government sector, managing Windows devices can be challenging. Due to tighter rules and restrictions, you may not be able to use important tools like Update Compliance or Endpoint Analytics in Impact Level Microsoft Clouds, or perhaps your security posture does not allow diagnostic data to be transmitted to Microsoft, reducing the visibility of these highly effective tools.

 

In this blog, we will explore the Microsoft service description for impact levels, security requirement considerations around cloud features, observations of government customers pre- and post-pandemic, and some recommendations to help manage Windows quality and feature updates in highly regulated environments.

 

Service descriptions and impact levels

 

Service descriptions

 

Not all clouds are the same, nor are the organizations interacting with cloud computing, especially when it comes to our United States (US) government clouds. Microsoft publishes service descriptions – for Endpoint Manager Intune and EMS specific service descriptions look here and here – that discuss “offerings”, or the services that are available in each cloud. Generally, while most features are available, the service descriptions do a great job of keeping our customers informed of what is and is not currently available.  As features are added or updated, the service description is also updated. It’s always a good idea to keep an eye out for changes to these documents, as well as Message Center in your Microsoft 365 Admin Center console.

 

*The links above are scoped to our Enterprise Mobility & Security and Intune Service descriptions, but we do have service descriptions of all other Azure and Microsoft 365 Services.

 

Impact levels

 

These clouds may sometimes be referred to as the Government Community Cloud (GCC) for Impact Level 2 (IL2), Government Community Cloud High (GCC High) for IL4, and Department of Defense (DoD) for IL5.

In the US government sector, Microsoft supports several “Impact Level” (IL) clouds that comply with US regulatory controls and security standards. Each Impact Level has limitations as to what type of data can be processed in it. Depending on data processing requirements,

For more information on Microsoft Cloud Compliance offerings and Impact Levels please visit our supporting docs page.

 

Government security guidelines

 

Drawing from the information above, there could be any number of government compliance and security regulatory standards governing an environment. Given that the list is quite extensive, we highly recommend that you inquire about required standards for data processing, and follow the guidance referenced in our Azure documentation and Office documentation.

 

Top customer questions

 

Below you’ll find some common questions we’re often asked, and the answers we share with our government customers.

 

How does Microsoft sustain its own Windows devices?

 

Microsoft IT (MSIT) utilizes both on-premises Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune to keep devices up-to-date and secure. For most devices, Windows Update for Business policies are used to deploy quality and feature updates to keep them current. Additionally, established deployment rings are used to apply deferral polices. We use them for the deployment of both quality and feature updates and even give our user base the ability to “self-host” or elect to test early builds of Windows though Insider Rings

 

The great news here is that Windows Update for Business polices are supported across all government clouds!

 

How does Microsoft keep its devices current without adding IT overhead or impacting its users?

 

Windows Update for Business polices provide the ability to create necessary update rings, give users the option of when they want to reboot their device, and if that deadline is missed, also sets a deadline to reboot the device as necessary. Through active hours, users can also choose their busiest times, preventing reboots in the middle of critical work cycles. Again, another great set of features that are available in all government clouds!

 

Government observations in shifting to hybrid work

 

Working across a range of government agencies, we’ve experienced a host of customer observations around cloud adoption. One of the biggest factors in reduced cloud adoption has been the traditional security approach of the network perimeter as the security boundary, where there is a heavy reliance on on-premises infrastructure to keep devices current.

 

Applications like Microsoft Endpoint Configuration Manager or Windows Server Update Services (WSUS) served as the primary sustainment methods for quality updates and application deployment. Direct-to-vendor patching was typically not allowed, as vendors were not considered internal authoritative sources. Further, testing requirements and other internal processes had to be satisfied prior to updating devices. Instead, Windows upgrades were usually done via in-place upgrade task sequences, or by wiping and re-loading a computer to a new “golden image” standard.

 

While effective, these approaches to device management and updates can be slow and labor intensive, as they rely heavily on an on-premises IT team and infrastructure. With the significant shift to remote work over the last 18 months, it was quickly apparent that a new approach was needed to keep devices updated and secure. It also exposed gaps in how customers across all sectors managed their devices.

 

One of the biggest gaps was losing the network perimeter as a meaningful security boundary, and how that impacted device management. While our Zero Trust strategy moves that boundary to three key pillars – Identities, Endpoints and Apps – several customers quickly realized that they could keep their devices current while implementing one of the pillars of Zero Trust – Endpoint Management, directly as a result of the need to support remote workers.

 

With Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune, you can maintain a Zero Trust strategy even for remote devices, not only keep devices current in an “evergreen” model, but also protecting your data should devices not receive critical quality (security) updates through compliance policies and conditional access.

 

If you are in a cloud where we do not yet support Update Compliance or Endpoint Analytics, in the next section we will discuss why compliance polices and conditional access are important tools for your overall security posture, and how they can help you start adopting Endpoint Manager Intune today.

 

Recommendations

 

If you’re using Microsoft 365, or SKUs within Microsoft 365 that you have not yet adopted, let’s talk about some of the ways forward with Enterprise Management and Security (EMS) if some of the analytic tools are not available.

Configure a Cloud Management Gateway

 

US government cloud support, including Impact Level 4 and 5 clouds, was added to Microsoft Endpoint Configuration Manager version 1806, which enabled a Cloud Management Gateway (CMG) to be created and used with your hierarchy. If you meet the requirements and are not quite comfortable with jumping into Microsoft Endpoint Manager Intune, CMGs are an excellent way to begin leveraging cloud services to keep devices current.

Configure co-management

 

If you are running Microsoft Endpoint Configuration Manager version 1906 or later, you have the added option to configure co-management of your Windows 10 devices at no additional cost with Microsoft Endpoint Manager Intune. Co-management of devices allows testing via pilot collections – so pushing all your devices into the cloud is not required all at once – and allows you to begin moving to modern device management at a workload level.

Test with update rings and deferral periods

If you choose to deploy a Cloud Management Gateway or jump right into co-management, update rings via Microsoft Endpoint Configuration Manager device collection, or Azure Active Directory group assignment, are great ways to build out your rings.

 

For on-premises Microsoft Endpoint Configuration Manager collections, the following sample collection queries can be used to target devices for upgrade:

Ring 1

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SMSUniqueIdentifier like "%[0-3]"

 

Ring 2

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SMSUniqueIdentifier like "%[4-7]"

 

Ring 3

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SMSUniqueIdentifier like "%[8-b]"

 

Ring 4

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SMSUniqueIdentifier like "%[c-f]"

 

 

For targeting devices in Microsoft Endpoint Manager Intune, the use of dynamic groups can be used. The following is an example of how to target Windows 10 or 11 devices using dynamic groups:

 

RoyBarton_5-1636398408714.png

 

 

From a query such as this, you can exclude devices and filter based on the devices you want to target.

 

Create a remediation checklist for troubleshooting

 

Creating a remediation checklist for your environment will aid in troubleshooting common issues (such as corruption errors) that may arise during the update process. Fixes may include disconnecting external hardware, updating third-party drivers, checking Windows Device Manager for errors, or freeing up drive space so you can run updates.

 

Additionally, safeguard holds – which are currently not easily visible without the use of Update Compliance  –  can be discovered through this process.  A list of error codes and troubleshooting steps can be found in this article. For WSUS client agent troubleshooting, follow the steps outlined in this document.

 

Utilize features available to generate custom reports

 

If you find yourself working in a cloud that does not yet support Update Compliance or Endpoint Analytics, here are a few things you can use to capture similar data provided in those cloud services:

 

  • Device Compliance Policies – Windows compliance settings in Microsoft Intune offers a variety of ways to configure Windows 10 or 11 compliance polices
  • Conditional access – To reinforce data protection if device compliance isn’t met
  • PowerShell scripting

#Target OS Build is Windows 10 21H1 with the October 2021 Cumulative Update (KB5006670)

[version]$TargetBuild = "10.0.19043.1288"

 

$TargetBuildLevel = $TargetBuild.Build

$TargetPatchLevel = $TargetBuild.Revision

$CurrentBuildLevel = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name CurrentBuild).CurrentBuild

$CurrentPatchLevel = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name UBR).UBR

 

#Check if OS is at the correct build

If ($CurrentBuildLevel -lt $TargetBuildLevel)

{

    Write-Host "Windows needs to be upgraded"

#Check if OS is already beyond the target build

} ElseIf ($CurrentBuildLevel -gt $TargetBuildLevel)

{

    Write-Host "Windows is already beyond the target build"

} Else

{

    #OS is at the target build and patch level

    If ($CurrentBuildLevel -eq $TargetBuildLevel -and ($CurrentPatchLevel -ge $TargetPatchLevel))

    {   

        Write-Host "Windows is already patched with KBxxxxxxxx"

    #OS is at the target build but not yet at the current patch level

    } Elseif ($CurrentBuildLevel -eq $TargetBuildLevel -and ($CurrentPatchLevel -lt $TargetPatchLevel))

    {

        Write-Host "Windows is not yet patched with KBxxxxxxxx"

    }

}

 

Please share your feedback!

 

At Microsoft, we love and value your feedback to build a better product.

 

There are several ways to submit feedback. The first and easiest way is to utilize the Feedback Hub app in Windows. This can be done by searching for the app or pressing the Windows Key and “F”. We highly recommend you search your topic and upvote feedback if it’s like your feedback request.

 

In our cloud consoles, you will always find a feedback button in the upper right-hand corner near your badge or user initials.

 

Be or find a champion

 

One of the quickest ways forward in adopting new technologies or moving to the unknown is to leverage the champion program to assist in leading the charge. Consider finding a champion or being one yourself. We, Microsoft, stand ready to support you in your Digital Transformation journey.

 

Our company’s mission is to empower everyone on the planet to achieve more. If you are looking for ways to do more, please reach out to your Microsoft account team or email us us here, and let us help you explore paths that are available to you.

Please look for future blogs as we continue this story and build on the principals of Zero Trust and endpoint management.

 

Continue the conversation. Find best practices. Visit the Windows Tech Community.

Stay informed. For the latest updates on new releases, tools, and resources, stay tuned to this blog and follow us @MSWindowsITPro on Twitter.

 

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.