Direction on Windows 10 Desktop Operating System Migration and Configuration : IT Policy Implementation Notice (ITPIN)

From: Treasury Board of Canada Secretariat

Note to readers

The Direction on Windows 10 Desktop Operating System Migration and Configuration ITPIN is no longer in effect. It was migrated to Appendix G: Standard on Enterprise IT Service Common Configurations as of May 04, 2022.

ITPIN No.: 2018-03

Date:

1. Purpose

The purpose of this ITPIN is to direct departments to migrate to Windows 10 by . Consistent with ITPIN 2015-04, Departments are also directed to discontinue the use of unsupported Microsoft desktop operating systems on Government of Canada (GC) networks (i.e. Microsoft operating systems prior to Windows 7 SP1).

2. Effective date

This ITPIN is effective immediately.

3. Application

This ITPIN applies to all departments that are subject to the Policy on Management of Information Technology.

Departments, agencies and organizations in the Government of Canada not subject to the Policy on Management of Information Technology are encouraged to abide by this ITPIN.

The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this ITPIN within their organizations:

  • Office of the Auditor General
  • Office of the Chief Electoral Officer
  • Office of the Commissioner of Lobbying of Canada
  • Office of the Commissioner of Official Languages
  • Office of the Public Sector Integrity Commissioner of Canada
  • Offices of the Information and Privacy Commissioners of Canada

4. Context

The use of modern operating systems that are correctly configured and maintained with up-to-date software is a key element of an IT asset lifecycle management strategy. Use of software past the mainstream support date presents challenges for organizations as hardware support diminishes and the complexity required to continue functionality on newer hardware becomes more challenging. Additionally, after mainstream support has ended, newer functionalities are not introduced. Further, adversaries often target known vulnerabilities in unsupported operating systems. Security fixes and updates are no longer being provided to unsupported operating systems, so users are unable to patch their systems, making these hosts extremely vulnerable to compromise.

The department’s Chief Information Officer (CIO), as per Treasury Board’s Operational Security Standard: Management of Information Technology Security (MITS), Section 9.4, is responsible for ensuring the effective and efficient management of the department’s information and IT assets. This includes implementing safeguards to prevent and detect the integrity of software and to "harden" software, while configuring software in accordance with security best practices, as per MITS section 16.4.11. The Communications Security Establishment (CSE) Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information, action #2, also recommends implementing a timely patch maintenance policy for operating systems (OS) and third-party applications to reduce departmental exposure to threats that could exploit known vulnerabilities.

5. Direction

Effective Immediately:

  1. Per ITPIN 2015-04 Direction for Discontinued Use of Unsupported Microsoft Desktop Operating Systems on Government of Canada Networks, departments should no longer be running Microsoft desktop operating systems prior to Windows 7 SP1.

By

  1. Departments are directed to migrate to Windows 10. This will avoid the need for Custom Support Agreements (CSA) for older OS software. Windows 7 SP1 will end extended support by Jan 14, 2020, and Windows 8.1 will end extended support by January 10, 2023.
  2. Departments are not to put in place unilateral CSAs with Microsoft.
  3. Departments are directed to adopt the Windows as a Service (WaaS) Windows 10 deployment model, and to maintain currency with Feature Update and Quality Update releases.
    1. Departments should not implement the Long-Term Servicing Channel (LTSC) deployment model, except in special circumstances which must be pre-approved by the Government of Canada Enterprise Architecture Review Board (GC EARB) (accessible only on the Government of Canada network).
  4. Departments are also required to implement the Windows 10 GC Minimum version and configuration as specified on the GC Windows 10 Configuration Baseline (accessible only on the Government of Canada network) page as a mandatory standard for Windows 10 adoption. The GC Minimum configuration standard prescribes Windows 10 configuration standards which are necessary to maintain the security of GC networks and workplace technology devices.
    1. Departments with an elevated risk profile should consult the GC Enhanced configuration standard (accessible only on the Government of Canada network), which provides additional security configurations. All departments are strongly encouraged to implement the GC Enhanced configuration standard (accessible only on the Government of Canada network) to enhance their security posture.
  5. Departments which cannot implement Windows 10 by July 1, 2019, or who cannot implement all requirements of the GC Minimum standard must apply to GCEARB for an exception. Departments should contact the Office of the Chief Information Officer of Canada (OCIO) CIOB-DPPI IT-Division-TI for requirements for submitting an exception request. Exceptions will only be approved as a temporary measure as departments complete their migrations. OCIO may additionally request status updates on Windows 10 migration progress.
    1. Departments cannot request long-term or permanent exemption from migration to Windows 10 from previous Windows desktop OS software. Devices using unsupported Microsoft desktop operating systems after July 1, 2019, that are required to meet operational needs after that date, are to be isolated and contained within a tightly controlled network environment, with no access to GC networks or to the Internet.
    2. Operating unsupported desktop operating system devices in isolation zones is to be considered a temporary measure and the rationale and operating strategy (including migration and risk mitigation plans) is to be submitted to Treasury Board of Canada Secretariat’s (TBS) Office of the Chief Information Officer (OCIO) each year as part of the IT Risk section in the annual departmental IT Plan.
    3. Departmental Chief Information Officers or equivalents are directed to implement holistic measures to maintain their operating systems and desktop environment, including active measures to ensure that access to GC networks by unsupported desktop operating systems is denied. The CSE Top 10 Security Actions provides guidance on these measures and other preventative security activities.
  6. Departments are permitted to use a version of the security baseline which is newer than their Windows 10 image version as they are backward compatible, but are not permitted to use a version of the baseline that is older than their current image. After initial adoption of Windows 10, departments must migrate to the most current approved version and baseline within one year of approval by GCEARB.

Additional detail for direction can be found in Appendix A. Useful links to aid in migration can be found in Appendix C.

6. Enquiries

Please address any enquiries you may have by email to CIOB-DPPI IT-Division-TI.

Marc Brouillard

Chief Technology Officer of the Government of Canada
Office of the Chief Information Officer
Treasury Board of Canada Secretariat

7. References

Additional information may be found in the following resources:

Appendix A — Additional Implementation Detail

The current required Windows release version and configuration settings will be posted on the GC Common Desktop Operating Environment (CDOE) Working Group (accessible only on the Government of Canada network) GCconnex site. The CDOE is a multi-departmental working group, led by Shared Services Canada (SSC), which coordinates validation and testing of Windows 10 versions for broader adoption by GC Departments. Departments who are not presently members are strongly recommended to participate in this working group, to contribute requirements for version and feature approval, and to maintain currency with enterprise direction. Departments can contact itsclientservices@cse-cst.gc.ca to request membership to the CDOE. Major version and baseline changes will be presented to the Government of Canada Enterprise Architecture Review Board (GCEARB) (accessible only on the Government of Canada network) for approval.

The GC Windows 10 Configuration Baseline (accessible only on the Government of Canada network) should be reviewed frequently, as settings may be modified based on guidance from Microsoft, or from departments. Support for implementing the configuration standards can be found in the CSE Guidance for Hardening Microsoft Windows 10 Enterprise. Resources for migration processes and for ongoing management of desktop environments can be found on the CDOE GCConnex page (accessible only on the Government of Canada network). Some key guidance links are also provided in Appendix B of this ITPIN.

Minor modifications to Windows 10 configuration settings will be managed by the CDOE Workgroup. Major changes to the configuration settings will be presented and approved by GCEARB before publishing on the Configuration page.

Appendix B — Definitions

Government of Canada Enterprise Architecture Review Board (GCEARB) (accessible only on the Government of Canada network)
The Government of Canada Enterprise Architecture Review Board (GC EARB) furthers "the ’whole of government as one enterprise’ vision. It is integrated into the larger GC governance structure and looks at alignment of initiatives, system and solution gaps and overlaps, development of new digital capabilities and innovation opportunities, setting technology standards and providing IM-IT investment direction" [Footnote 1].
GCEARB has a mandate to prescribe government-wide architecture expectations, define current and target architecture standards for the Government of Canada, and review departmental plans to ensure alignment [Footnote 2].
GC Common Desktop Operating Environment (CDOE) Working Group (accessible only on the Government of Canada network)
Shared Services Canada (SSC) wants to work with its partners and clients to develop a common operating environment based on the upcoming release of Microsoft Windows 10 and Microsoft System Center Configuration Manager (SCCM) 2012. Membership in this working group will allow partners and clients to participate in various discussion meetings, in which members will discuss the use of Microsoft Windows 10 as the base for the next desktop platform. Areas of focus include:
  • Developing a CDOE framework;
  • Developing a deployment model; and
  • Developing a line of business application remediation model.

Appendix C — Useful Links for Windows 10 Migration

  • GC Common Desktop Operating Environment (CDOE) Working Group (accessible only on the Government of Canada network)
  • Overview of Windows as a Service
  • Verify application compatibility, based on previous tests on commercial software
  • Verify device readiness for Windows upgrade
  • Plan for Windows 10 deployment
  • What’s new in 1803
  • Manage connections from Windows operating system components to Microsoft services
  • Windows Analytics now helps assess Meltdown and Spectre protections
  • Configure Windows diagnostic data in your organization
