Windows 10 security: Are you on the right version?

If you're running an older version of Windows 10, it's time to review the security enhancements that later versions offer to see if you need to update.

A recent Microsoft Ignite session reminded me about how much Windows 10 has changed over the years. We often forget that when we don’t update to newer versions, we miss out on the improved security features in each release.

It’s easy to forget the advances and security features that Windows 10 has added over the years. So, here’s a reminder of the versions that Microsoft has released. Use this information to see what security features you have in your current Windows 10 deployment and determine whether you need the enhanced security of later versions.

Security features in each Windows 10 version

Version 1507, the first Windows 10, or the “release to manufacturing” (RTM) version, included Windows Defender, Windows Hello (passwordless login), Microsoft Edge (based on the original Edge browser), Device Guard, BitLocker and SmartScreen technology. It had support for in-place upgrades, a voice assistant called Cortana and Continuum (a feature that adjusts a device's user interface to accommodate different form factors). It is still under support for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 1511 added mobile device management, the Group Policy settings for Windows Update called Windows Update for Business, and Azure Active Directory join. It is no longer serviced.

Version 1607 added Windows Information Protection, Windows Hello for Business and Hybrid Azure Active Directory join. It is still under support for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 1703 added Windows Defender Advanced Threat Protection and Windows Defender Security Center. It is no longer under support.

Version 1709 added Windows Defender Exploit Guard, System Guard, Application Guard and Application control. It is unsupported as of October 13, 2020, for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 1803 added fixes for Spectre and Meltdown vulnerabilities, Windows delivery optimization, Windows Defender Advanced Threat Protection automated remediation, Conditional Access based on Windows Defender Advanced Threat Protection device risk, Threat Analytics, Emergency Outbreak updates, Advanced hunting, Cloud Credential Guard, and Windows 10 Enterprise in S mode. It is supported through May 11, 2021, for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 1809 reduced Windows Update packages to speed the servicing and installation of updates and feature releases. It added Microsoft Defender Advanced Threat Protection new attack surface area reduction controls, and Investigation and Remediation across Office 365 Advanced Threat Protection. Microsoft Edge added web authentication and Windows Hello added support for FIDO 2.0. Microsoft Edge added kiosk mode. Version 1809 drops out of support for Home, Pro, Pro Education, Pro for Workstations and IoT Core on November 10, 2020 but is under support for Enterprise and IoT Enterprise LTSB/LTSC editions through May 11, 2021.

Version 1903 received Microsoft Defender Advanced Threat Protection enhancements, Attack Surface Reduction enhancements, next-generation protection enhancements, tamper-proofing capabilities, Windows Sandbox, and Application Guard enhancements. It also added the ability to sign on with passwordless Microsoft accounts. Delivery optimization was also improved. Version 1903 is supported through December 8, 2020, for Home, Pro, Pro Education, Pro for Workstations and IoT Core as well as for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 1909 introduced BitLocker key-rolling and support for TLS 1.3. This release is supported through May 11, 2021, for Home, Pro, Pro Education and Pro for Workstations, and through May 10, 2022, for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 2004 introduced Application Guard for Edge and Office, delivery optimization PowerShell commands, and Windows Autopilot Azure Active Directory join with virtual private networking. This release is supported through December 14, 2021, for Home, Pro, Pro Education, Pro for Workstations and IoT Core as well as for Enterprise and IoT Enterprise LTSB/LTSC editions.

Version 20H2 includes Microsoft Defender Application Guard, which now supports Office (with an E5 subscription), more Windows Hello options, and modern device management. It also combines the servicing stack update and the latest cumulative update. This change means that Windows Update settings and History show a single update per operating system servicing release. In the Control Panel, “Add/remove programs” will display the latest cumulative update with a knowledgebase attribution and the servicing stack update with a version number. Note that the servicing stack update entry is not actionable as something to be uninstalled. When you use DISM Get-Packages or Get-PackageInfo, it will continue to display the servicing stack update as a separate package, just like all other packages for features on demand (FoDs).
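
One way to check a machine, or an exported inventory, against the servicing dates listed above. This is an added example, not code from the original article or from Microsoft. The function name Get-Win10ServicingStatus and the Ent/Pro grouping are assumptions made here, and only dates the article actually states are included.

```powershell
# Windows 10 build number -> feature release.
$BuildToVersion = @{
    10240 = '1507'; 10586 = '1511'; 14393 = '1607'; 15063 = '1703'
    16299 = '1709'; 17134 = '1803'; 17763 = '1809'; 18362 = '1903'
    18363 = '1909'; 19041 = '2004'; 19042 = '20H2'
}
# End-of-servicing dates as quoted in the article (assumed grouping):
# Ent = Enterprise / IoT Enterprise editions, Pro = Home, Pro and the other
# editions the article lists with them. Versions with no stated date are omitted.
$EndOfServicing = @{
    '1709' = @{ Ent = '2020-10-13' }
    '1803' = @{ Ent = '2021-05-11' }
    '1809' = @{ Pro = '2020-11-10'; Ent = '2021-05-11' }
    '1903' = @{ Pro = '2020-12-08'; Ent = '2020-12-08' }
    '1909' = @{ Pro = '2021-05-11'; Ent = '2022-05-10' }
    '2004' = @{ Pro = '2021-12-14'; Ent = '2021-12-14' }
}

function Get-Win10ServicingStatus {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][string]$EditionId,
        [datetime]$AsOf = (Get-Date)
    )
    $version = $BuildToVersion[$Build]
    # EditionID values such as Enterprise, EnterpriseS and IoTEnterprise map to Ent.
    $group = if ($EditionId -match 'Enterprise') { 'Ent' } else { 'Pro' }
    $end = $null
    if ($version -and $EndOfServicing.ContainsKey($version)) { $end = $EndOfServicing[$version][$group] }
    # The listed date itself is treated as the last serviced day.
    if (-not $version)                     { $status = 'Unknown build' }
    elseif (-not $end)                     { $status = 'No date in article' }
    elseif ($AsOf.Date -le [datetime]$end) { $status = 'Serviced' }
    else                                   { $status = 'Out of servicing' }
    [pscustomobject]@{ Version = $version; Edition = $EditionId; Ends = $end; Status = $status }
}

# Local machine: build and edition come from the registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Get-Win10ServicingStatus -Build $cv.CurrentBuild -EditionId $cv.EditionID

# Constructed inventory rows, evaluated as of a fixed date.
@( @{ Build = 17763; EditionId = 'Professional' },
   @{ Build = 18363; EditionId = 'Enterprise' } ) | ForEach-Object {
    Get-Win10ServicingStatus -Build $_.Build -EditionId $_.EditionId -AsOf '2020-12-01'
}
```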

Update considerations for Windows 10

If your firm is on an older Windows 10 version, ask yourself what is holding you back from deploying feature releases faster. Some enterprises chose the Long-Term Servicing Branch (LTSB) version because it didn’t require semiannual feature release updates. That choice means that you won’t obtain security enhancements that the new feature releases bring. While LTSB may be great for a point-of-sale system, a bank’s automatic teller machine, or a manufacturing tool, it is probably not the greatest choice for a user’s workstation.

If you have deployed LTSB on your workstations, there is no upgrade path from LTSB to the normal releases of Windows 10. You must start over and rebuild the machines. Windows Autopilot makes it easier to roll out Windows 10 to machines.

Since the 1909 release, the fall release is designed to be no more disruptive than the monthly cumulative updates and will not take a lot of time to deploy if you’ve rolled out the prior spring release. If you’ve skipped the spring release (in this case, the 2004 feature release), the installation of 20H2 will be more like a normal feature release in its deployment timing.

Are you staying on an older version of Windows 10? With the pandemic changing how we do business, perhaps it’s also time to review the decisions made that kept you on older platforms that don’t have the security features you might need.

Copyright © 2020 IDG Communications, Inc.
