Windows 10 systems must be maintained at a supported servicing level.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63349	WN10-00-000040	SV-77839r6_rule		High

Description
Windows 10 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities which leaves them subject to exploitation. New versions with feature updates are planned to be released on a semi-annual basis with an estimated support timeframe of 18 months. The initial release of a feature update is the Semi-Annual Channel (Pilot), previously referred to as the Current Branch (CB). Approximately 4 months after a new release it is declared ready for broad deployment, previously referred to as the Current Branch for Business (CBB). Only 2 active versions will typically be supported with updates at any given time (with some overlap during the period the latest version is declared ready for broad deployment and support ending for the oldest version.) Note: Microsoft has extended support for an additional 6 months with supplemental servicing for versions 1607, 1703, and 1709. Supplemental servicing provides critical and important updates for Windows 10 Enterprise only. A separate servicing branch intended for special purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive security updates for 10 years but excludes feature updates. Systems using an LTSC\B version may not be able to meet all requirements of the STIG as new features are added, which organizations will need to address.

Description

Windows 10 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities which leaves them subject to exploitation. New versions with feature updates are planned to be released on a semi-annual basis with an estimated support timeframe of 18 months. The initial release of a feature update is the Semi-Annual Channel (Pilot), previously referred to as the Current Branch (CB). Approximately 4 months after a new release it is declared ready for broad deployment, previously referred to as the Current Branch for Business (CBB). Only 2 active versions will typically be supported with updates at any given time (with some overlap during the period the latest version is declared ready for broad deployment and support ending for the oldest version.) Note: Microsoft has extended support for an additional 6 months with supplemental servicing for versions 1607, 1703, and 1709. Supplemental servicing provides critical and important updates for Windows 10 Enterprise only. A separate servicing branch intended for special purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive security updates for 10 years but excludes feature updates. Systems using an LTSC\B version may not be able to meet all requirements of the STIG as new features are added, which organizations will need to address.

STIG	Date
Windows 10 Security Technical Implementation Guide	2018-04-06

Details

Check Text ( C-79095r3_chk )
Run "winver.exe". If the "About Windows" dialog box does not display: "Microsoft Windows Version 1607 (OS Build 14393.0)" or greater, this is a finding. Note: Microsoft has extended support for an additional 6 months with supplemental servicing for versions 1607, 1703, and 1709. Supplemental servicing provides critical and important updates for Windows 10 Enterprise only. Currently supported Semi-Annual Channel versions: v1607 - Microsoft support is scheduled to end 9 October 2018. v1703 - Microsoft support is scheduled to end 9 April 2019. v1709 - Microsoft support is scheduled to end 8 October 2019. v1803 - Microsoft support tentatively scheduled to end October 2019. No preview versions will be used in a production environment. Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) must be at "Version 10.0 (OS Build 10240)" or greater. LTSC\B versions at Build 10240 or greater are not a finding. Current LTSC\B versions are v1507 (Build 10240) and v1607 (Build 14393).

Check Text ( C-79095r3_chk )

Run "winver.exe".

If the "About Windows" dialog box does not display:

"Microsoft Windows Version 1607 (OS Build 14393.0)"

or greater, this is a finding.

Note: Microsoft has extended support for an additional 6 months with supplemental servicing for versions 1607, 1703, and 1709. Supplemental servicing provides critical and important updates for Windows 10 Enterprise only.

Currently supported Semi-Annual Channel versions:
v1607 - Microsoft support is scheduled to end 9 October 2018.
v1703 - Microsoft support is scheduled to end 9 April 2019.
v1709 - Microsoft support is scheduled to end 8 October 2019.
v1803 - Microsoft support tentatively scheduled to end October 2019.

No preview versions will be used in a production environment.

Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) must be at "Version 10.0 (OS Build 10240)" or greater. LTSC\B versions at Build 10240 or greater are not a finding.

Current LTSC\B versions are v1507 (Build 10240) and v1607 (Build 14393).

Fix Text (F-86251r1_fix)
Update systems on the Semi-Annual Channel to "Microsoft Windows Version 1607 (OS Build 14393.0)" or greater. It is recommended systems be upgraded to the most recently released version. Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) must be at Version 10.0 (OS Build 10240)" or greater.