Support for LTSC and Enterprise versions.

[1593358539]

Hi there,

I notice this project requires you to use the absolute latest version of Windows 10/11 (and segregate to Pro edition), from my very limited understanding of this project, there are no means of skipping the version check, or interactively applying the recommended configuration.

In the future, would it be possible to support for LTSC/LTSB versions of Windows? Since there are very good use cases for them, and in my opinion, have a reduced attack surface. The rationale behind this is that Windows LTSC (Preferably older than 2021) are great for systems which turn feature updates off, in order to prevent Microsoft from adding features which might break functionality, result in bugs, or are not needed at all.

Having the latest versions of windows can be important for compatibility, yes, but in terms of security, these LTSC versions still receive the latest security patches. In my opinion, maintaining compatibility (if using an older version of windows, such as installing PShell v7) should be left up to the user.

Tested ver.: Windows 10 IoT Enterprise LTSC 2021(21H2)

[HotCakeX]

Hi,
How do you expect the same new features that the module requires and activates in the OS to be used in the LTSC editions when they don't exist there?

[mketab]

Best of both worlds would be to enable the features which are present in LTSC versions, and then after a compatibility check to apply the rest of them?

[1593358539]

As mketab suggested,

Rather than strictly checking the NT ver. wouldn't it be possible to make sure that the features required for certain patches are present? E.g., WDAC/Credential guard group policy options, powershell version, applied hotfixes and KBx's, etc.

Again, I'm not really familiar with the module's inner workings, but it would be preferable the allow the user to apply each configuration or 'patch' interactively, and for them to be responsible for making sure it is compatible (after acknowledging that their windows version isn't up-to-date and or not meant to be used with this module).

Thank you for your time :)

[HotCakeX]

First, Some Clarifications For Future Readers

LTSC editions of Windows are supposed to be used in mission critical areas such as submarines or flight computers. You should never ever use them at home or even enterprises unless you absolutely need it. LTSC is the platform for no updates ever. LTSC is for devices where you install the OS and don't plan on touching it for the next 10 years.

It's true that LTSC has a lot of its components stripped out, but that also means many of the security features are also unavailable. The security features in the normal edition of the OS decrease the attack surface more than anything LTSC has to offer.

Normal editions of the OS have policy for everything, most components can be configured or removed using policies, Intune CSPs etc.

For example, if you don't want Windows store apps to run, then you can uninstall them and set the store app disable policy, but that's not good at all. Many store apps are sandboxed and have more security than non-store programs. You should always search in the Windows store for your app and if you don't find it there then search for it in Winget or other places.

Most organizations that implement LTSC don't know about and are only doing it because of not being aware of the policies' existence.

Note about LTSC edition and how it's not just an ordinary edition, it's suitable for enterprise use cases.

---

Lots of assumptions are being made here...

in order to prevent Microsoft from adding features which might break functionality, result in bugs, or are not needed at all.

What you need is not LTSC edition of the OS. You need to version lock your OS using policies and that can be done on normal edition of the OS too.

• CSP

• Optimize on-premises monthly update delivery using the cloud

maintaining compatibility (if using an older version of windows, such as installing PShell v7) should be left up to the user.

Saying it should be up to the user, but do you know the difference between Windows PowerShell and PowerShell? For starters, lots of features aren't available in the older Windows PowerShell, not even a simple ternary operator which is one of the most basic things.

You can read the release notes that are all available on this repo where I spend lots of time moving away from old Windows PowerShell, everything is already explained there.

More importantly, as an end-user, there is no reasons you shouldn't use the new PowerShell. The script now takes care of installing it so end-user shouldn't need to do a thing.

If it's about "attack surface" again then without any reproducible proof, it's just speculation that leads to nowhere.

and in my opinion, have a reduced attack surface

Is there any proof though other than opinion? Do you know of any specific attack that works against a 24H2/23H2 build hardened with what this repo offers, but fails in LTSC edition? If you do then please let me know, I want to reproduce it.

What you're asking is not impossible, but I don't see any justification for considering it. So I'm going to be honest here with some facts:

1. There needs to be hard proof that if I'm going to spend so much of my time doing something, it will have proportional benefits and good outcome for many people.

2. Everything is free. I use all of the things I make myself on my own machines. I don't use older OS versions. I don't know about any attack that works against newest OS version but fails on older version or LTSC edition.

3. Time is definitely not free. There needs to be financial incentives accompanying such special extraordinary requests that potentially only benefit very small group of individuals.

To summarize, if you don't want to use up to date OS like everybody else, have special requests for something tailor-made for your own use case, then you can hire me, pay for the work. Many open-source projects offer subscriptions etc. This is how the industry works and survives.

On top of everything already mentioned, the title, "Support for LTSC and Enterprise versions", essentially things that are made to be used in enterprises, have their conditions and works for them are contractual and non-free. If you're a home user and go out of your way to use enterprise class software, then that's a whole different story.

[mketab]

Firstly, thank you for the detailed response, but I have a few things to say.

You should never ever use them at home or even enterprises unless you absolutely need it.

What is with the urgency in this sentence? What about the LTS channel is unacceptable for ordinary use? Certainly if the target hardware for this channel is mission critical and often used in places that are often targets of cyber-criminals and nation states it must be secure enough for the corporations/governments that choose to deploy it?

LTSC is for devices where you install the OS and don't plan on touching it for the next 10 years.

This is exactly the appeal, and would probably make maintaining a security script that much easier because of the lack of feature updates.

that also means many of the security features are also unavailable

I don't doubt you here, but could you provide an example? AFAIK security fixes are provided for 10 years, so no security features are back-ported to LTSC with these fixes?

Normal editions of the OS have policy for everything, most components can be configured or removed using policies, Intune CSPs etc.

I'm aware of this, but wouldn't it be easier to build upon the LTSC release than to have to go through a normal release and disable all the stuff that's tacked on?

I agree with all the stuff about the Windows Store, and the stuff you said in the security recommendations section, fortunately the Windows store is 1 command away from an installation wsreset -i and winget is easy to install.

What you need is not LTSC edition of the OS. You need to version lock your OS using policies and that can be done on normal edition of the OS too.

Again why go through all this trouble with the latest release when the LTSC does it for you and has security fixes? Can you version lock to a specific feature update and still receive security fixes on the SAC? If you can, is it as streamlined as on the LTSC?

do you know the difference between Windows PowerShell and PowerShell?

Yes, but I've got an irrelevant question: can you fully replace WP with pwsh in all cases and integrate it into the OS? Having so many powershell/windowspowershell versions is getting annoying lol.

Do you know of any specific attack that works against a 24H2/23H2 build hardened with what this repo offers, but fails in LTSC edition?

Not specifically, but its a pretty safe assumption that the more stuff you tack onto an OS the larger the attack surface. Whether the new security features present in the SAC mitigate more than they introduce is something I cannot answer.

If you're a home user and go out of your way to use enterprise class software, then that's a whole different story.

Made me smile, but enterprise stuff is just generally better. It's kinda like my sister buying stuff from the mens' section because it's usually better quality.

Regardless, I've used your script on family computers to save myself the headache, and it has worked flawlessly. I'm enticed to install Windows 11 just for it. Thank you tremendously for your work.

[HotCakeX]

I pretty much covered everything, but to answer the new questions:

We can't remove Windows PowerShell from the OS yet, i think in the future we will be able to do that just like we can do it with PowerShell v2 (which is removed by default from Windows Server 2025), but it's just there and you can install PowerShell from Microsoft store and you will only use that. The Windows PowerShell engine is actually required for some legacy stuff, i have to use it in my other module.

The links to documents should have the info you need for version locking, I haven't tried doing it myself so don't have much experience to share at the moment.

There are a LOT of misinformation on the internet, i myself saw one tweet with many likes on X couple of days ago, someone telling people to use LTSC for some made up reason, without considering the licensing requirements, or the fact that the target audience for LTSC is not what they think it is.

Security features aren't backported to LTSC AFAIK.

And you're welcome, glad you did that, i do the same!