Originally Posted by Indy
I'm sure Sandeep or James will be glad to earn their keep fixing what MS breaks but across a network, the business math of that sucks.

To minimize attack surface and maintenance costs, some practices are wiping old machines and installing graphical Linux desktops, and using terminal services.

Actually I recommend using Terminal Services/RDS as well. (More than 80% of our practices use it.) But I'm still not a huge fan of using Linux desktops. A lot of the RDP implementations are done by third parties and aren't always updated. For example, there are still many Android/iOS apps and third-party RDP programs (thin clients, Linux, etc.) that haven't been patched for a major flaw in CredSSP (authentication used by RDP):
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

If a lot of your practices are using Linux-based thin clients and such, their firmware will need to be updated. Not sure what Linux RDP client you use, but I would make sure that gets updated/patched as well. There's not a major price difference between Windows-based thin clients and Linux ones anymore either. You can get full-blown Windows 10 Pro mini PCs for <$200 that make great "thin" clients.

One big plus is that Microsoft does have official apps for Android, iOS, and OSX. Linux, however, is still not on that list. So I would stick with those if you decide to use non-Windows devices.

There are lots of other device compatibility issues with Linux. But hopefully you have mostly networked devices if you're going with RDS.