Kurt Shintaku's Blog

Still considering using Windows 10 Long Term Servicing Channel (LTSC) for desktop deployment? Think real hard.

The LTSC servicing option is designed for device types and scenarios where the key attribute is for features or functionality to never change.
It is a edition of Windows 10 that is specifically designed for special purpose devices such as embedded systems. To be clear, it is not designed for end user desktops. Examples of the intended target system for LTSC include systems that power manufacturing or medical equipment or embedded systems in kiosks such as ATMs or airport ticketing systems. (LTSC is also the same build as Windows IoT Enterprise, the next generation of Windows Embedded.)

The reason LTSC exists is that specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date.

To be clear, Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.

Here’s a list of considerations regarding the use of LTSC:
(Thank you to former Microsoft Southwest Windows Technology Specialist, Prasad Naik, for providing much of this background!)

1. No realization of Windows 10’s evolving value.
   Windows 10’s value in the semi-annual channel increases with every evolutionary release. Today’s 1803 release is a very different operating system from 1507 with added functionality that improves the end user experience, provides business value or mitigates risk. For example, RS3/1709 received a variety of invaluable endpoint security advancements including:
   1. Application Guard
   2. Exploit Guard
   3. Improved ransomware protection including Controlled folder access protections & Smart application whitelisting
2. Lack of support for new/old CPU architectures between releases.
   LTSC is designed specifically to the silicon available at the time of release & is architected for close alignment with that particular hardware. It will not receive new chipset support for hardware architectures (such as Intel’s Coffee Lake, Cannon Lake, and beyond) until subsequent full releases of LTSC. Users of LTSC are locked in to one non-evolving hardware standard, even as newer PC models displace an organization’s current standard. Because hardware vendors generally cease producing PCs with older architectures after a certain time, company’s may need to either warehouse/stock a certain number of your standard PCs to ensure they have them into the future, or negotiate long term purchasing agreements. Organizations using LTSC on desktops will generally also need to maintain multiple versions of LTSC for the hardware platforms they own.
3. Risk of not getting OS functional fixes for an improving experience.
   LTSC-based PCs are in some ways rolled out in “Extended support” from day 1 of deployment. While LTSC will receive security patches, it will not necessarily receive fixes associated with functionality. Features & functionality will be fixed regularly with the Semi-Annual Channel releases providing dramatically improved performance, security, stability and productivity. LTSC users will not necessarily get those fixes until the next release of LTSC.
4. Lack of common application support/compatibility such as Office 365 Pro Plus
   LTSC is not the same Windows 10 as semi-annual channel and lacks certain OS components that desktop applications, particularly legacy applications, can rely on. For example, common applications that do not work on Windows 10 LTSC include: Office 365 Pro Plus & Visual Studio
5. Loss of support for available Windows 10 security features
   The following security features do not exist on the LTSC 2016 release of Windows 10:
   1. Memory protection features
      1. Control Flow Guard (CFG) – a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities
      2. Data Execution Prevention (DEP)
      3. Structured Exception Handling Overwrite Protection (SEHOP)
   2. Address Space Layout Randomization (ASLR)
   3. Hardening against recent zero-day exploits
      1. Win32k elevation of privilege
      2. Open type font elevation of privilege
      1. Windows Hello for Business on-premises
         
6. No support for Windows Analytics
   The capabilities of Windows Analytics to collect and present information to IT around Upgrade Readiness, Update Compliance, and Device Health across all enterprise PCs is not available to LTSC machines.

Gartner’s Recommendation
If you’d like to see what analysts say about the matter, here’s a research report that you can view online where Gartner discusses the impact and recommendations for use of LTSC:

• Rethink Windows 10 LTSB Deployment Based on Microsoft’s Updated Guidance
  https://www.gartner.com/doc/reprints?id=1-3V8VD56&ct=170309&st=sb

References:

• • https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview
  • https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products
  • https://blogs.windows.com/windowsexperience/2016/01/15/windows-10-embracing-silicon-innovation
  • https://blogs.windows.com/business/2016/08/11/updates-to-silicon-support-policy-for-windows
  • https://docs.microsoft.com/en-us/windows-hardware/design/minimum/windows-processor-requirements
  • https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-requirements
  • https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-branches
  • https://www.visualstudio.com/en-us/productinfo/vs2017-system-requirements-vs
  • https://support.office.com/en-us/article/Change-management-for-Office-365-clients-9d9fc2d3-23e1-4309-8ae6-12ef5b6a8dcd?#branches
  • https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-upgrade-paths

Dependent upon the ISV / IHV:

• ISV – https://developer.microsoft.com/en-us/windows/ready-for-windows/get-listed
• IHV – https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products
• https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-branches

On June 7 at 10:30a PT Nat Friedman did a Reddit “Ask Me Anything” (AMA) about Microsoft’s planned acquisition of GitHub, and our work with developers and open source.

Hi, I’m Nat Friedman, future CEO of GitHub (when the deal closes at the end of the year). I’m here to answer your questions about the planned acquisition, and Microsoft’s work with developers and open source. Ask me anything.

To review the archives of the AMA, visit the link below:

• INFO: Nat Friedman, future CEO of GitHub does a Reddit AMA
  https://www.reddit.com/r/AMA/comments/8pc8mf/im_nat_friedman_future_ceo_of_github_ama/

Whitelisting in Windows 10 has advanced quite a bit since the initial days of AppLocker.  AppLocker still exists however there is a new capability called Windows Defender Application Control that provides stronger software whitelisting:

• Windows AppLocker prevents unsigned, unapproved user applications from running on a Windows 10 PC through user/group/role specific policies.
  It does not prevent the usage/execution of unsigned drivers or non-interactive applications (services) on that PC.
• Windows Defender Application Control provides kernel-level, Enterprise-grade software whitelisting, leveraging Windows code integrity
  It can be applied to drivers, services, and user applications but sets a single, machine policy for the entire enterprise.
  It also has available to it, cloud-based whitelists generated by Microsoft based on the Microsoft Intelligent Security Graph.

The following is a video presentation of this technology and is available at the link below:

• MICROSOFT IGNITE 2017 – BRK 2080: “Deploying and managing Windows Defender Application Control in the real world  “
• VIDEO: https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Deploying-and-managing-Windows-Defender-Application-Control-in/m-p/105785
• POWERPOINT:
  https://8gportalvhdsf9v440s15hrt.blob.core.windows.net/ignite2017/session-presentations/BRK2080.PPTX

Distributed systems enable different areas of a business to build specific applications to support their needs and drive insight and innovation. While great for the business, this new normal can result in development inefficiencies when the same systems are reimplemented multiple times. This free e-book provides repeatable, generic patterns, and reusable components to make developing reliable systems easier and more efficient—so you can free your time to focus on core development of your app.

In this 160–page e-book, you’ll find:

• An introduction to distributed system concepts.
• Reusable patterns and practices for building distributed systems.
• Exploration of a platform for integrating applications, data sources, business partners, clients, mobile apps, social networks, and Internet of Things devices.
• Event-driven architectures for processing and reacting to events in real time.
• Additional resources for learning more about containers and container orchestration systems.
  

“There are more distributed systems that need to be built then there are people who know how to build them. The development and sharing of patterns for building distributed systems (especially in container orchestration technology like Kubernetes) enables both novice and veteran system builders to rapidly build and deploy reliable distributed systems.”

—Brendan Burns

• DOWNLOAD: Free eBook, “Designing Distributed Systems”
  https://azure.microsoft.com/en-us/resources/designing-distributed-systems/en-us/?wt.mc_id=AID627576_QSG_SCL_251431

Get Current, Stay Current on Windows 10

Windows 10 is changing the way IT manages and services enterprise computing. The time is now to take advantage of Windows 10 within your organization.

Attend this workshop to:

• Learn about the architectural changes to the Windows Deployment and Servicing model
• Participate in a roundtable discussion of Microsoft’s Operating System Deployment Strategy
• Gain hands on experience with the tools and resources you need to help deploy and support Windows as a service in your organization

Who should attend this session?

• IT Managers interested in deploying and managing Windows 10 enterprise-wide
• Business leaders looking to upgrade from previous versions of Windows

As this is an interactive session, please bring your laptop with you.

• Date/Time:
  Jun 13, 2018 — 9:00 AM – 3:30 PM PST
• Location:
  Microsoft Technology Center – Irvine
  3 Park Plaza, Suite 1600
  Irvine, California 92614
• Registration:
  https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x40705429f5a&wt.mc_id=AID700872_QSG_EML_NLTR_252123&mkt_tok=eyJpIjoiT1RWak56SmlPRFUxT1RNMyIsInQiOiJIZHlMR0xjUjZHYmQyZTJvOFNiQmdVN3ZoWk52UDNTbWt5VEZFekJUUmJUZERaUHR4K09RSU9oRUxBNXpETWhaNVpHdHNTbk1TTkxqdGh5dG9qZEdBS21OVVwvclVSbHpIRUM4bWQ4MWErK1kxRXJWTkdYcXVVUUZXenRXSGhPTXIifQ%3D%3D

Join us Wednesday, June 27 for the Emerging Tech Virtual Summit: AI Unlocked, streaming live.

A revolution is coming, one that will overcome challenges we can only imagine, powered by technology we won’t even see. The next generation of life-changing technologies goes far beyond keyboards, screens, smartphones, cameras, watches, and hard drives.

If you want to be part of the next-gen digital revolution, this is the event to attend! Join us live online to hear from industry thought leaders as they explore what’s possible.

STATE OF THE UNION ADDRESS: ARTIFICIAL INTELLIGENCE
Norm Judah
Chief Technology Officer, Microsoft Digital, Services and Success

Join Norm, our keynote speaker, for a "state of the union" on the AI landscape: where the technology is at today, where it’s headed in the future, and how it’s proving its value in the workplace.

FUNDAMENTALS OF AI
Robbee Minicola
Global Lead, Wunderman AI

Hear from Robbee, an expert in the convergence of media and technology, as she explains the fundamentals of AI. Get grounded on the concepts of BI, Machine Learning and Artificial Intelligence, and explore the possibilities of how these technologies could revolutionize the way you do business.

We’ll also take you on a journey of exploration across several aspects of AI, including:

• The exploding world of AI: Insights and trends
• How companies are leveraging AI to transform their businesses
• How to responsibly build AI systems with an ethical foundation

The future is waiting—and you can help create it. Save the date for the Emerging Tech Virtual Summit: AI Unlocked, a can’t-miss streaming event, and follow #MSFTEmergingTech on Twitter to join the conversation before, during, and after this insightful event.

Details below:

• Date/Time:
  Wednesday, June 27, 2018
  9:00 AM – 11:00 AM PT
• Registration:
  https://onlinexperiences.com/scripts/Server.nxp?LASCmd=AI:4;F:QS!10100&ShowKey=52000
  

When Microsoft rolled out Intune to all its employee’s personal devices, (all devices accessing any corporate data at Microsoft must be enrolled in Intune) folks were naturally interested in knowing what information might be collected by Microsoft IT.

Microsoft is as vigilant about it’s employee’s privacy as it is with our customer’s.  The first thing users were presented with when enrolling their personal devices was information about what information the company would see and would not see:

• Microsoft can never see:
• Call & web history
• Location
• Email and text messages
• Contacts
• Password
• Calendar
• Camera roll
• Microsoft may see:
• Model
• Serial number
• Operating system
• App names
• Owner
• Device name
• Manufacturer
• Phone number (for corporate devices only)

This is available in greater detail online for individuals with questions about the data collected via Intune when enrolled.  You can read this info through the link below.

• INFO: "What information can your company see when you enroll your device in Microsoft Intune?”
  https://docs.microsoft.com/en-us/intune-user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune

If you’re wondering why Microsoft needed GitHub & why GitHub needed Microsoft, there’s several reasons, but at the core of it is the fact that putting GitHub together with the power of Microsoft Azure is a 1+1=3.

Every GitHub developer has to download, compile, test, edit & post their code to the service. Doing all of this locally on one’s own development system is a waste of productivity when you can:

• keep code in GitHub
• compile code in the cloud
• orchestrate the creation of test environments (VMs & cloud services) – entirely in the cloud
• access rentable devices like iPhones, Samsung Galaxy, etc. with different OS revisions for test use in the cloud (Xamarin Test Cloud)
• test one’s code in the cloud
• edit code in the cloud
• lather rinse repeat – all online
• save revisions in GitHub

GitHub gets direct access to the world’s largest, most powerful cloud & Microsoft gets more potential users of Microsoft Azure. 

…GitHub+Microsoft means more productive developers.

For more resources around this acquisition, check out the following link:

• GitHub+Microsoft Resources:
  https://view.pointdrive.linkedin.com/presentations/963289ec-c65f-493a-9d52-30e79a7f727d?auth=69ecaf58-d8db-4ba3-880e-c417f14b00ff

Here are some great articles explaining why this acquisition is important:

• BUSINESS INSIDER: “Microsoft is buying GitHub for $7.5 billion — here’s why it’s a smart move for Microsoft in the cloud wars with Amazon”
  http://www.businessinsider.com/why-microsoft-should-buy-github-2018-6
• GEEKWIRE: “Why would Microsoft want GitHub? Developers, developers, developers ― and the cloud”
  https://www.geekwire.com/2018/microsoft-want-github-developers-developers-developers-―-cloud/
• ARS TECHNICA: “Microsoft snaps up GitHub for $7.5 billion”
  https://arstechnica.com/gadgets/2018/06/microsoft-snaps-up-github-for-7-5-billion/
• ARS TECHNICA: “Everyone complaining about Microsoft buying GitHub needs to offer a better solution”
  https://arstechnica.com/gadgets/2018/06/everyone-complaining-about-microsoft-buying-github-needs-to-offer-a-better-solution/

Join us on Tuesday, June 26, 2018 for a virtual experience to learn tips and tricks for modernizing your infrastructure and applications—regardless of whether you’re running it on-premises or in the cloud.

Windows Server 2019 Virtual Summit
(Agenda)

• Keynote
• Tracks
• Hybrid
• Security
• Hyper-converged infrastructure (HCI)
• Application Platform

Details below:

• Date/Time:
  June 26, 2018
  9:00AM-1:00PM (PST)
• Save the Date:
  https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2bymF
• Sign up for updates:
  https://info.microsoft.com/Windows-Server-Summit-Stay-Up-To-Date.html
• Registration:
  https://www.microsoft.com/en-us/cloud-platform/windows-server-summit