Risks and Considerations for Win10 LTSC over Win10 Current Channel

Posted on August 14, 2017 Updated on March 21, 2018

It’s no secret that with the introduction of Windows 10 that Microsoft has moved into the direction of releasing new feature updates twice per year, which is commonly referred to as Windows as a Service.  An organization could be faced with challenges around the frequency, size, and the new administrative cadence of feature updates to Windows (even though Microsoft has done and is doing great work to address these challenges).

In light of these challenges, it can be tempting for an organization to try to “standardize” on version of Windows 10 that is supported for 10 years.  This version is called the Long Term Servicing Branch Channel, or LTSC for short, and is designed for “Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization.”  (Side note that the nomenclature usage of the word “Branch” was recently dropped

While it may sound great that there is a version of Windows 10 which is supported for 10 years, there are many considerations and risks with trying to use it across the board.  This posting is an attempt to pull together and consolidate disparate references to help highlight, educate, and inform on Win10 LTSC for general production use.  Even Gartner says Rethink Windows 10 LTSB Deployment Based on Microsoft’s Updated Guidance.

Consideration #1

General guidelines state that devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 using the Current Channel servicing option:

• Devices that run productivity software such as Microsoft Office
• Devices that use Windows Store applications
• Devices that are used for general Internet browsing
  (for example, research or access to social media)

Reference: https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#long-term-servicing-channel

Consideration #2

Support for the latest processor / chipsets:

• LTSC will support the currently released silicon at the time of release of the LTSC version
• As future silicon is released, support will be created through future LTSC releases that customers can deploy for those systems
• This enables Microsoft to focus on deep integration between Windows and the silicon, while maintaining maximum reliability and compatibility with previous generations of platform and silicon

Implications:

• Multiple LTSC versions would be required to be used and managed within the organization for the life of the hardware
• Hope you’re ready to buy hundreds or thousands of computers with supported chipsets to just keep on hand

Consideration #3

LTSC, being that it’s code base and features are set “in stone” for 10 years and will not be modified, then it will be unable to keep up with current security capabilities and needs.  Case in point, the LTSB 2015 and 2016 releases do not have support for the following, only the current channels of Win10.  This would further widen the security gap of an organization until they are added into a future LTSC release (which is only every few years).

• Memory protection features
  • Control Flow Guard (CFG) – a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities
  • Data Execution Prevention (DEP)
  • Structured Exception Handling Overwrite Protection (SEHOP)
  • Address Space Layout Randomization (ASLR)
• Hardening against recent zero-day exploits
  • Win32k elevation of privilege
  • Open type font elevation of privilege
• Windows Hello for Business on-premises
• Windows Defender Application Guard (also because LTSC does not support Edge)
• Windows Defender Exploit Guard (formerly known as EMET)

Consideration #4

Windows Analytics provides data-driven insights that reduce the cost of deploying, servicing, and supporting Windows 10.  It gives an organization actionable information to help gain deep insights into operational efficiency and the health of Windows 10 devices in the environment. But Windows 10 LTSC is not supported for Upgrade Readiness.  The three tools include:

• Upgrade Readiness provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements.
• Update Compliance provides a unified view of Windows Update and Windows Defender Antivirus compliance for Windows 10 devices, regardless of the management solution being used. It allows organizations to keep their devices secure and up-to-date, track protection and threat status, and monitor update deployments and troubleshoot issues as they arise.
• Device Health provides proactive insights to help detect and remediate end-user impacting issues. This new service uses telemetry data to provide such insights without additional infrastructure requirements. Proactively remediating end-user issues enables you to reduce support costs and improve efficiency.

Consideration #5

Examples of functionality missing that was included in the Windows 10 Creators Update (1703) in April 2017 include the following.  For each and every release of Windows 10, this list would grow.

• Unified Update Platform
• MBR to GPT conversion tool
• New MDM and MAM capabilities
• Customization of the Settings app to hide/show different pages
• Dynamic lock
• Express updates in SCCM
• The list goes on…
  • What’s new in 1703
  • What’s new for IT Pros in 1703

Consideration #6

Various other limitations

1. Fewer non-security and reliability fixes
2. Visual Studio is not supported on LTSC
3. Office ProPlus (traditional MSI) is highly recommended, and not using Office 365 ProPlus (aka click-to-run) on LTSC
4. In-place upgrade of Win7 to LTSC is not supported – a full reimage, backup/restore of data and applications, just like the old days
5. Depending upon IHV and ISV, there may be support and limitations on LTSC
   • Software vendor – https://developer.microsoft.com/en-us/windows/ready-for-windows/get-listed
   • Hardware vendor – https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products
6. Doesn’t contain in-box apps, such as Store, Calculator, Photos, Camera, Music, Clock, and Edge – and yes, Edge is also a more secure browser

Consideration #7

Core Surface device experiences are impacted.

• Windows Feature Updates, including enhancements such as:
  • Improvements to Direct Ink and palm rejection provided in Windows 10 1607
  • Improved support for high DPI applications provided in Windows 10 1703
• Pressure sensitivity settings provided by the Surface app
• The Windows Ink Workspace
• Key touch-optimized in-box applications including Microsoft Edge, OneNote, Calendar, and Camera
• Driver and firmware updates are not explicitly tested against releases of Windows 10 Enterprise LTSC
• If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the servicing nature of the Windows LTSC, issue resolution may require that devices be upgraded to a more recent version of Windows 10 Enterprise LTSC, or to Windows 10 Pro or Enterprise with the Current Channel servicing option.

Summary

In summary, in this blog post I have tried to outline evidence to support you in your decision making process for choosing Windows 10 Current Channel over LTSC.  I hope that it leads to the proper choice for you!  Points covered were

1. Guidelines of what is a general use device vs. a specialized device
2. Support for the latest processor / chipsets
3. Security features that are not present in LTSC
4. Windows Analytics for data-driven insights, is not supported
5. Example of missing functionality that was delivered in Windows 10 Creators Update (1703)
6. Various other limitations and their potential impact
7. Core Surface device experiences are impacted

Updated 3/21/18 to account for changes in support for the Windows Analytics tools.