sbradley
Contributing Writer

Getting ready for 21H2 (and maybe Windows 11)

opinion
Jul 26, 2021 | 5 mins
Small and Medium Business, Windows, Windows 10

Windows 10 21H2 will be here before you know it (as will Windows 11). So now's a good time to get a handle on how, when and whether to update.

Microsoft recently announced it’s getting ready to test and release Windows 10, version 21H2. The features included in the release are mostly geared towards businesses, and include:

  1. New WPA3 H2E (Hash to element) standards for enhanced Wi-Fi security. In 2019, researchers used a side-channel attack to steal a WPA3 password. This standard increases security against current and future side-channel attacks.
  2. A new deployment method for Windows Hello for Business that Microsoft calls “Cloud Trust.” It supports simplified passwordless deployments and “get to deployed state” within minutes.
  3. GPU compute support in the Windows Subsystem for Linux (WSL) and Azure IoT Edge for Linux on Windows (EFLOW) deployments for machine learning and other CPU intensive workflows. This enables the graphics card “to accelerate math-heavy workloads and uses its parallel processing to complete the required calculations faster, in many cases, than utilizing only a CPU.”

Microsoft indicated that users will see a routine deployment and servicing process and it’s expected to be a relatively quick installation. I still highly recommend that if you have Windows 10 on any computer, be sure you have an SSD as your main hard drive. If you use old-fashioned IDE drives, you will have a less-than-ideal experience with Windows 10.

I remain a strong believer in installing feature updates when you want them. So if you manage just one PC, or you’re an IT pro who doesn’t use patching tools such as WSUS or SCCM, I recommend that you rely on the TargetReleaseVersion setting to ensure you stay on 21H1. (Hopefully by now most users have installed 21H1.)

There are two ways to ensure you don’t move to 21H2 until you are ready. The first way is to use a registry key method that sets the value to 21H1. You can download the registry key from the AskWoody website and use it to set the following value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetReleaseVersion"=dword:00000001
"TargetReleaseVersionInfo"="21H1"

Alternatively, if you have Windows 10 Professional, you can click on the search box and type in “edit group policy.” Browse to Computer Configuration > Administrative Templates > Windows Components > Windows Update, then to Windows Update for Business. In the right pane, double-click the “Select the target Feature Update version” policy. Select the Enabled option and enter 21H1. Click OK, close Group Policy and reboot the computer.

Either method will keep you on 21H1 rather than 21H2 when it rolls out. If your computer doesn’t meet the requirements to run Windows 11, which Microsoft is testing now, and you are an Insider, you’ll be moved to the Release channel and offered 21H2 as a test. Windows 10 21H2 will provide 18 months of support for Home and Pro editions and 30 months of support for Enterprise and Education editions. If you can’t get the 21H2 preview installed on your system, BleepingComputer has ways to manually trigger the installation.
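The registry method above as a PowerShell script, added here as an example (it is not from the article or from AskWoody): it optionally writes the two policy values, then reads them back alongside the installed release so you can confirm the pin is really in place. The parameter names -Target and -Apply and the status messages are illustrative choices.

```powershell
# Added example: audit (and optionally set) the feature-update pin.
# -Apply needs an elevated PowerShell prompt; auditing alone does not.
param(
    [string]$Target = '21H1',   # release to stay on, as in the article
    [switch]$Apply              # write the policy values instead of only auditing
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

if ($Apply) {
    # The policy key does not exist until some Windows Update policy is set.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'TargetReleaseVersion' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'TargetReleaseVersionInfo' `
        -Value $Target -PropertyType String -Force | Out-Null
}

# Read back what is actually stored; a missing key or value yields $null.
$policy  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
# DisplayVersion (e.g. 21H1) is present on Windows 10 20H2 and later.
$current = (Get-ItemProperty -Path $versionKey).DisplayVersion

$enabled = $policy.TargetReleaseVersion -eq 1
$pinned  = $policy.TargetReleaseVersionInfo

# Both values are needed: the DWORD switches the policy on, the string names the release.
if (-not $enabled -or -not $pinned) {
    $status = 'NOT PINNED: both values must be present'
} elseif ($pinned -ne $Target) {
    $status = "Pinned to $pinned, expected $Target"
} elseif ($current -ne $pinned) {
    $status = "Pinned to $pinned but running ${current}: Windows Update may offer $pinned"
} else {
    $status = "Pinned to $pinned and already running it"
}

[pscustomobject]@{
    InstalledRelease = $current
    PinEnabled       = $enabled
    PinnedRelease    = $pinned
    Status           = $status
}
```

Run it without -Apply after using either method to check the result; the Group Policy route writes to the same registry key, so the audit covers both.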

After 21H2, then what?

There’s been a lot of speculation that 21H2 might be the last official release for Windows 10. As a result, users are wondering if there will be extended security updates available for Windows 10. In a recent “Ask me Anything” (AMA) for Windows servicing, Joe Lurie, a senior program manager for Microsoft Endpoint Manager, was noncommittal: “We’re not quite ready to talk about any extended security update program for Windows 10. Stay tuned to the Tech Community blogs for info when it’s available. Note that even with Windows 7, ESU is Extended Security Updates, not Extended Support.”

Dave Backman, an evangelist in the Windows Servicing & Delivery organization, also reiterated that nothing has been officially announced other than the availability of 21H2.

For IT professionals wondering about the Long Term Servicing Channel (the version of Windows 10 that doesn’t have semi-annual releases and is used for more specific configurations), Lurie simply noted that, “We announced the next Windows LTSC would be built on Windows 10, version 21H2, and yes it will be a 5-year support lifecycle. We can expect that the next LTSC *after* Windows 10 Enterprise LTSC 2021 will be built on Windows 11. And it will also keep the 5-year support. However, that’s expected in 3 years or so, so anything can happen in that timeframe. If you need to use LTSC for a longer period, we recommend moving to Windows 10 IoT LTSC.”

During the AMA, Lurie indicated that 21H2 will again arrive as an enablement package; features will roll out over time and once the feature release is finalized, they’ll be turned on with the enablement feature.

For future servicing, Windows 11 is expected to have a different ADMX than Windows 10, according to Lurie. But “many of the existing ones will also work, so long as the feature or service it manages is available in Windows 11. …You do not need to reconfigure all of your policies for Windows 11.” 

Microsoft’s Jason Sandys said Windows configuration service providers (CSPs) are the preferred channel going forward for configuring Windows. CSPs are similar “to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only.”

CSPs can be used in deployment, as can Intune.

The bottom line is that Windows 10 21H2 may — or may not — be the final release of Windows 10. The only thing we can be sure of is that there will be a 21H2 release later this year around the same time Windows 11 shows up. This fall, you’ll have to decide when — or if — either one is installed on your computers.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.