Should I stay or should I go … to Windows 10?

It has been almost half a year since Microsoft released Windows 10, and the decision whether or not to migrate computers to this latest release of Microsoft’s flagship operating system is going to be on the minds of administrators for 2016.

The shift from releasing a new version of Windows on the desktop every two to three years to ‘Windows as a Service’ (WaaS) means that Windows 10 will be delivered in continuous releases with branches acting as ‘stepping stones’ to new builds. This model has some security benefits to it, but also potential drawbacks.

I recently presented a webinar titled “Windows 10 is here – Are you ready to migrate?” on ESET’s BrightTALK channel, looking into not just how Windows 10’s new model of editions, builds and branches works, but also some of the most interesting security features. I also looked at some of the privacy issues surrounding this new version of Windows.


Please note that a free registration is required to view this presentation, as well as others my fellow researchers and I have recorded on a range of security topics. If you’re not up for that, or don’t have an hour to spare, you can download the slide deck from the White Papers section of We Live Security.

I hope you find this webinar helpful. Feel free to leave a message below if you have any questions or comments about the webinar.

Additional articles about Windows 10 can be found here on We Live Security:

And, of course, ESET’s knowledgebase contains the latest information about compatibility with Windows 10.

Author Aryeh Goretsky, ESET

  • jackthecat2010

    …go ahead…go to the “dark side!” lol

    • Hello JackTheCat2010,

      While users might be frustrated by some of the changes in Windows 10, Microsoft finds itself in the position of fighting for stronger user security and privacy as a result of its cloud-centric design. This, to me, is a win for user privacy.

      Regards,

      Aryeh Goretsky

      • jackthecat2010

        :) Actually, I was kidding. I already have a laptop and a desktop that are currently using Windows 10. So far, so good, but I still prefer either Win 7 or Win 8.1.

  • Luigi

    I would like to ask the author of this article.

    Is it true that Microsoft steals and monitors data from your computer (for example, makes screenshots of your desktop, or that Win10 has a keylogger, etc.)?

    Thanks

    • Here’n-Now

      Massive Windows 10 News Hides 5 Nasty Surprises

      “…Microsoft admitted it not only logs its users time on Windows 10 but also their time using Microsoft Edge… and gaming… and streaming games… and counting your search queries… and every single time a user opens a photo.”
      You should get an eye-opener at that link

    • Hello Luigi,

      Windows 10 collects more telemetry than previous versions of Windows. This puts it on par with smartphone operating systems such as Android OS and iOS, which collect similar data. What’s different is that Microsoft is doing this for the first time in their desktop operating system, which has drawn a lot of comments about privacy.

      Now, with that said, there is the Windows Insider Preview (WIP) branch of Windows 10, which is essentially the beta test version of Windows 10. It does collect additional information beyond the other branches of Windows 10, including recording keystrokes, but that is done because it is a beta version, and Microsoft is trying to find bugs and errors in it.

      Keep in mind that access to the WIP branch specifically requires signing up to access it, and that it does present a license agreement explaining that it collects this sort of information in detail. It also explains that the purpose of the WIP build is to help Microsoft identify bugs, errors and other problems, and is not meant for general use. So, in other words, the only people running it should be developers and IT pros who need to test their software and hardware with the latest builds of Windows 10, as well as people who are able and willing to help Microsoft troubleshoot issues in the latest builds of Windows 10.

      Regards,

      Aryeh Goretsky

  • Vess

    Windows 10 will never set foot on any computer I control, period. The privacy problems in it are a game-breaker for me.

    • Hello Vess,

      Thanks for sharing your feedback.

      Regards,

      Aryeh Goretsky

  • Matt

    The easiest method to install is to use the tool and not Windows Update, regardless of whether you use 7 or 8/8.1. That takes too long and you could get a bad error, so the best thing is to use the tool here and follow the instructions.
    Windows Defender is also built in; you can find that in Windows 10 by clicking the white search box on the taskbar and typing “windows defender”. It’s very compatible.
    You can still go to Windows Update by repeating the above steps and instead typing “windows update” into the search box, and make sure there are no updates.

    • Hello,

      Thanks for sharing that, Matt.

      Regards,

      Aryeh Goretsky

      • Matt

        :)

  • Ian Dodds

    Thanks for the summary.

    I’ve found mixed results with Windows 10, but almost all upgrades have fundamentally worked which is a fair effort for the huge mixture of machines & peripherals addressed.

    In Australia we suffer from slow internet speeds which in turn slows the performance of Windows 10 due to its feedback & web integrations. Anyone who wants a quicker way to un-install many of those apps could use CCleaner as a very handy utility for that.

    Watch out though, as the “Build” Updates bring them all back :-)

    The privacy concerns make me laugh, as I can’t imagine anyone bothering to try & find one of my PCs or Laptops in with the many hundreds of millions of results collected from users worldwide.

    I don’t recall putting a name & addresses in there & if I use my Microsoft account, then I’m expecting a look from the outside. At least they aren’t using port 80 like the bad guys. :-) (I hope :-) )

  • sproggit

    I have 5 personally licensed copies of Win7 on various machines, and I do not intend to upgrade. My chief concern is privacy; I would rather pay for the product than have an unknown and unknowable amount of monitoring of my systems being conducted. Articles suggesting that passwords used to encrypt hard drives are being escrowed to MS servers are another example of my concerns.

    Right now I rely on Win7 for 3 primary reasons: to play a small handful of games that I can’t get on a console; to use software such as Photoshop [the most powerful hardware I have runs Windows…] and to run a copy of Office 2013 Professional, mainly to help teach myself about VBA programming, which I can leverage for work. I will give up all of these things before upgrading to W10 because of my lack of trust for this product.

    However, I have a closely related question. What do you think about the way that Microsoft have back-ported their “monitoring” tools to Windows 7, 8 and 8.1? The argument for deploying to W10 was that this latest edition is a “free” update, so in return for getting a “free” OS, Microsoft felt entitled to encumber your machine with monitoring and surveillance technology. But: my purchases of Win7 [and I have multiple copies of the 64-bit Ultimate edition, all retail purchased] were paid for. Whilst Microsoft have the technical ability to back-port their spyware to these older machines, is it specious and/or under-handed of them to do so?

    Their argument was that users traded the spyware for “free” [as in, W10 was available for free]. But if we *paid* for Windows 7 [a lot of money, too…] then is it acceptable for MS to re-negotiate the terms at this late stage and start to generate income from users *after* taking money from them in good faith.

    There is a common expression: “Any time you get to use a piece of technology for free, it’s because *you* are the product…” But I haven’t got “free” access to Win7, I’ve paid for every copy I use [most retail as I build my own machines – except laptops]. So is it OK for Microsoft to “monetize” Win7 in the way that they have – and, follow-up, is it OK for them to do all this without telling users what they are doing?

    • Hello,

      Windows 10 will continue to receive updates until 2020, so you are going to be safe until then, in terms of Microsoft releasing updates to patch vulnerabilities.

      The information about the passwords for drives with pervasive disk encryption being stored in your Microsoft account is correct and has been done since Windows 8.1 was released in 2013. For more information, see the white paper I wrote attached to the Windows 8.1 – security improvements article.

      I think that it is pretty understandable that Microsoft wants to create the best products possible that they can and I don’t think this is something that most consumers would object to. Microsoft now lives in a world not just with greater competition from Apple and Google, but faster competition as well, and I think Microsoft’s defense against this is to try and shift from the monolithic waterfall release processes it has had for the previous three decades to more agile models, driven by data. The problem, of course, being where to get the data to drive those processes, and that’s where I think things may be breaking down between Microsoft and consumers.

      There’s a great article by Peter Bright on Ars Technica which goes over the issues of the telemetry collection tools being backported to Windows 7 (8, 8.1) at Microsoft accused of adding spy features to Windows 7, 8, so I don’t really want to re-hash here what has been said over there.

      Given the laissez-faire approach to capitalism and big business in general in the United States, I don’t see much changing in terms of this. However, if the European, Indian and Chinese markets react strongly to this collecting and use of telemetry, there could be some changes in the future.

      What I will point out, though, is the key problem with having your best power (most active, advanced and smartest) users opt out of telemetry collection is that it biases your data, so you end up creating products for less and less sophisticated users, locking features away because they might cause “confusion” or removing them entirely. One possible example of this was the decision to replace the twenty-five year old Start Menu in Microsoft Windows with the full-screen Start Screen in Windows 8, a change that most power users disagreed with. While there were definitely other issues going on at the time¹ I think this also shows the problem of focusing too much on telemetry at the expense of making it a component of more holistic approaches to figuring out what your users want and need. With an over-reliance on telemetry, one can lose visibility that there are gaps in your own data, and sometimes very important ones.

      I’m not sure if I’ve really answered your question about the monetization per se of older versions of Windows, but I’m not sure if that’s really a case of that, as Microsoft isn’t selling the data or sharing it in any broad sense for marketing purposes or activities. Rather, it seems to me like they are struggling with how to make new products which are better than old ones. Windows 7 is a very usable and well-liked product and that’s unfortunate in a sense, because it raised the bar that much higher for future versions of Windows. I do predict, however, that I won’t be out of a job soon. Or if I am, it won’t be due to Windows becoming an unassailable target to criminals.

      Regards,

      Aryeh Goretsky

      ¹ I think Steve Ballmer may have been trying to revive Microsoft’s moribund stock prices and the hit that PC manufacturers had taken from shrinking PC sales by introducing radical changes to drive new PC sales.

      • sproggit

        Aryeh,

        This is really, really interesting… My understanding of the Windows 10 Revenue model was that it would be derived from in-product advertising [for example by default Solitaire now presents paid advertisements] and the sale of telemetry data to other companies.

        To be fair to Microsoft, this is not new and not something they have pioneered – for example Canonical, the commercial company behind the Ubuntu family of GNU/Linux operating systems, were paid by i.e. Amazon to forward all desktop search parameters through to the retail giant… [ This is not dissimilar to the reported $1 Billion annually paid by Google to Apple for search rights ].

        I work for an Enterprise client of Microsoft and I hear conversationally that the bulk PC brands [i.e. the Dells of this world] would expect to pay MS no more than $15 dollars for a Windows License. Looking at the “desist” option for the Windows desktop advertising [which is $1.49 monthly or $10 yearly, with no “forever” option], we could infer that if users volunteered to pay their way out of advertising, then just 2 years of payments on an annual basis would more than equate to the previous “wholesale” prices.

        Now, at this point in time we only have what Microsoft tell us publicly about what this telemetry will harvest, but in the balance of evidence, Microsoft have 1) not disclosed to users of Windows 7, 8 or 8.1 that they were backporting the telemetry to those paid-for platforms; or 2) that having backed away from the initial reports of enforced deployment, Microsoft actually *changed the name of the telemetry services*, see here:-

        http://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/

        It’s all of this which leaves me so nervous. Microsoft have been disingenuous in their description of those Windows updates that have back-ported this telemetry; they have been circumspect in declaring what is being collected or why; and when caught they have acted to disguise what is going on.

        I do think the probability that Microsoft decided that “they could not compete with free” was a driver behind the cost-recovery model for Windows 10, but I am not sure that the implementation has been entirely trustworthy. I do note in your response that you have characterised all of Microsoft’s data gathering activities as being purely for usage telemetry; personally given the recent evidence to the contrary, I do not believe we can trust them to be honest in this regard.

        If Microsoft came forward with a “paid” version of W10 that was guaranteed to be free from telemetry, spyware and embedded advertisements [i.e. Windows 7 Ultimate 64-bit but updated to W10 codebase] then I’d buy it without a moment’s hesitation. The fact that they realise the “own-goal potential” of offering such a product [i.e. drawing attention to what the “free” edition does] tells me a lot.

        Put another way: I’d rather pay a quoted price for a transparently-defined product, than to *be* the product whilst using a shady OS that doesn’t tell me what it’s doing with my data…

        • Hello,

          Universal Windows Apps in Windows 10 can contain advertising through Microsoft’s Universal Ad Client SDK, just like apps under Android or iOS. For that matter, it’s not uncommon to find advertisements in certain kinds of Win32 apps, although most of that ilk tend to monetize by bundling potentially unwanted applications.

          In Windows 10, the Solitaire program has moved from being part of the operating system to a game published in the Windows Store by Microsoft Studios, the same as Minecraft (which is now owned by them as well) or Candy Crush (which is a game from another company, but is given away for free* in the Windows Store to Windows 10 users). I have not looked at any of these games, but would be unsurprised if they all displayed advertising. It may seem like splitting hairs because Microsoft Corporation owns Microsoft Studios, but I would not expect advertisement display and telemetry collection in these games to be markedly different from what other third-parties do in games on the Android and iOS ecosystems.

          My suggestion would be that if you do not wish to see advertisements (or have advertisers obtain data on your habits) to either (1) not install these types of apps from the Windows Store; or (2) to only install apps after you have verified with the publisher that no data is collected that you find objectionable. Another possibility, since these are computers running Windows, would be to install native Win32 games, either as standalone programs (whose publishers may be collecting telemetry as well) or through some service such as Valve Software’s Steam gaming platform (which does collect telemetry, as evinced through this report, but you may be more comfortable sharing that data with a non-Microsoft company).

          I do fundamentally agree with your concerns over cost-recovery on Microsoft’s part, but I also do not see a solution when consumers, businesses and computer manufacturers are not willing to pay tens of dollars (or hundreds, in the case of retail/FPP) for a Windows operating system license.

          Regards,

          Aryeh Goretsky

          *It does contain in-app purchases.

Copyright © 2018 ESET, All Rights Reserved.