Operating System
This section describes the design decisions associated with Windows 10 and 11 endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.
The operating system enables software applications to interface with the hardware. It manages input and output device components such as the mouse, keyboard, network and storage. Windows 10 and 11 are available in several editions, including:
- Home – this edition has minimal management and deployment features and cannot be joined to either an on-premises domain or Microsoft Entra ID. It is targeted at home use only.
- Professional – this edition includes management and deployment features and can be joined to both an on-premises domain and Microsoft Entra ID.
- Enterprise – this edition has additional enterprise security features as well as the UE-V and App-V clients built in, and is only distributable through Microsoft’s Volume Licensing Program.
Servicing of Windows 10 and 11 falls into three distinct channels (previously known as rings):
- Windows Insider Program – devices enrolled in the Windows Insider Program receive feature updates immediately, enabling pilot machines to evaluate builds earlier than the General Availability Channel. A business must opt in to this service and install a specific Windows Insider Program for Business Preview build.
- General Availability – the General Availability Channel receives feature updates annually and is designed for the broad population of general-purpose devices within organisations. It is the default servicing channel for all Windows 10 and 11 devices, with the exception of the Long-Term Servicing Channel (LTSC) releases of Windows 10 and 11 Enterprise.
- Long-Term Servicing Channel – the Long-Term Servicing Channel (LTSC) receives releases much more gradually (expected every 2 to 3 years) and is designed for special-purpose devices such as those used in Point of Sale (POS) systems or controlling factory or medical equipment, and machines without Microsoft Office. Additionally, a number of applications are not supported on LTSC Windows devices, for example Microsoft Edge, Microsoft Store and Microsoft Mail, amongst others.
Design Decisions
| Decision Point | Design Decision | Justification |
|---|---|---|
| Windows 10/11 Edition | Enterprise (64-bit) | Enterprise is required to support BitLocker. The 64-bit edition of Windows is required to support security features such as BitLocker and Windows Defender Application Control (WDAC), as specified by ASD’s Hardening Microsoft Windows 10 version 21H1 Workstations guidance. |
| Windows 10/11 Servicing Channel | General Availability Channel | The General Availability Channel is the recommended ring to deploy to most enterprise clients, especially those with Office 365. |
| Windows 10 Build | 22H2 | Microsoft recommends deploying the latest General Availability version; refer to Microsoft’s Windows 10 release information. |
| Windows 11 Build | 22H2 | Microsoft recommends deploying the latest General Availability version; refer to Microsoft’s Windows 11 release information. |
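The table records the decisions but not how to confirm a deployed endpoint actually meets them. The script below is an added example, not part of the Blueprint or any ASD tooling: it reads the edition, architecture, release and servicing-channel indicators from the local machine and reports each decision as pass or fail. It assumes an elevated PowerShell session on the endpoint, that the `DisplayVersion` registry value is present (Windows 10 20H2 and later, and Windows 11), and that Insider enrolment can be inferred from the `EnablePreviewBuilds` value under `WindowsSelfHost\Applicability`; that last key is treated as an assumption and its absence is reported as not enrolled.

```powershell
# Added example (not Blueprint code): check this endpoint against the design
# decisions above - Enterprise edition, 64-bit, release 22H2, GA channel.
# Assumes an elevated session; the Insider registry value is an assumption.

$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Windows 10 and 11 both report major version 10; Windows 11 builds start at 22000.
$build    = [int]$cv.CurrentBuild
$product  = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
$expected = '22H2'   # design decision for both Windows 10 and Windows 11

# Insider enrolment (assumed key; absent on a device that never opted in).
$insiderKey = 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\Applicability'
$insider = $false
if (Test-Path $insiderKey) {
    $props   = Get-ItemProperty -Path $insiderKey
    $insider = ($props.PSObject.Properties.Name -contains 'EnablePreviewBuilds') -and
               ([int]$props.EnablePreviewBuilds -ne 0)
}

# Derive the servicing channel: EditionID 'EnterpriseS' is LTSC; plain
# 'Enterprise' is General Availability unless Insider builds are enabled.
$channel = if ($cv.EditionID -like 'EnterpriseS*') { 'Long-Term Servicing Channel' }
           elseif ($insider)                        { 'Windows Insider Program' }
           else                                     { 'General Availability Channel' }

$checks = @(
    [pscustomobject]@{ Check = 'Edition is Enterprise';          Actual = $cv.EditionID;      Pass = ($cv.EditionID -eq 'Enterprise') }
    [pscustomobject]@{ Check = 'Architecture is 64-bit';         Actual = $os.OSArchitecture; Pass = ($os.OSArchitecture -like '64*') }
    [pscustomobject]@{ Check = "$product release is $expected";  Actual = $cv.DisplayVersion; Pass = ($cv.DisplayVersion -eq $expected) }
    [pscustomobject]@{ Check = 'Channel is General Availability'; Actual = $channel;          Pass = ($channel -eq 'General Availability Channel') }
)

$checks | Format-Table -AutoSize

# Non-zero exit so the script can gate an image build or feed a compliance report.
$failed = @($checks | Where-Object { -not $_.Pass }).Count
if ($failed -gt 0) { Write-Warning "$failed design decision(s) not met"; exit 1 }
exit 0
```

Run it from an elevated prompt on a candidate endpoint (or push it through a Microsoft Intune remediation script); a device on LTSC or a Home/Professional edition fails the edition and channel rows, and an image built from an older General Availability release fails the release row, which is the evidence a reviewer needs before signing off the build.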
Related information
Security & Governance
Design
Configuration
- None identified
References
- None identified