deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 13:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into fr-boot-image-patching

Browse Source
This commit is contained in:
Frank Rojas 2023-08-02 19:42:55 -04:00
commit 2a4727aef9
113 changed files with 450 additions and 604 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
includes/licensing/_edition-requirements.md
View File

@ -1,18 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
@ -28,21 +31,24 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|
|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
@ -50,31 +56,32 @@ ms.topic: include
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|
|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|
|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|
|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|
|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|

45
includes/licensing/_licensing-requirements.md
View File

@ -1,18 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
@ -28,21 +31,24 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes|
|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
@ -50,31 +56,32 @@ ms.topic: include
|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes|
|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes|
|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|

22
includes/licensing/access-control-aclsacl.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Access Control (ACL/SACL):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Access Control (ACL/SACL) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/access-control-aclsscals.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/account-lockout-policy.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/always-on-vpn-device-tunnel.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

22
includes/licensing/app-containers.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support App containers:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
App containers license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

22
includes/licensing/applocker.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support AppLocker:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
AppLocker license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|No|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/assigned-access-kiosk-mode.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/attack-surface-reduction-asr.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/windows-containers.md → includes/licensing/azure-code-signing.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows containers:
The following table lists the Windows editions that support Azure Code Signing:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows containers license entitlements are granted by the following licenses:
Azure Code Signing license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
includes/licensing/bitlocker-enablement.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/bitlocker-management.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/bluetooth-pairing-and-connection-protection.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/common-criteria-certifications.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/controlled-folder-access.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/device-health-attestation-service.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/direct-access.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/email-encryption-smime.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/encrypted-hard-drive.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/enhanced-phishing-protection-with-smartscreen.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/exploit-protection.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/fast-identity-online-fido2-security-key.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/federal-information-processing-standard-fips-140-validation.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
@ -15,8 +15,8 @@ The following table lists the Windows editions that support Federated sign-in:
Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|No|No|Yes|Yes|
|No|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/hardware-enforced-stack-protection.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/hypervisor-protected-code-integrity-hvci.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/kernel-direct-memory-access-dma-protection.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/local-security-authority-lsa-protection.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

22
includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
View File

@ -1,22 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/measured-boot.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-for-endpoint.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/microsoft-defender-smartscreen.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/microsoft-pluton-security-processor.md → includes/licensing/microsoft-pluton.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Pluton security processor:
The following table lists the Windows editions that support Microsoft Pluton:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Microsoft Pluton security processor license entitlements are granted by the following licenses:
Microsoft Pluton license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

22
includes/licensing/microsoft-security-development-lifecycle-sdl.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Security Development Lifecycle (SDL):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Microsoft Security Development Lifecycle (SDL) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

6
includes/licensing/microsoft-vulnerable-driver-blocklist.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist:
The following table lists the Windows editions that support Microsoft vulnerable driver blocklist:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses:
Microsoft vulnerable driver blocklist license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

22
includes/licensing/microsoft-windows-insider-preview-bounty-program.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Windows Insider Preview bounty program:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Microsoft Windows Insider Preview bounty program license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

22
includes/licensing/modern-device-management-through-mdm.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Modern device management through (MDM):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Modern device management through (MDM) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

22
includes/licensing/onefuzz-service.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support OneFuzz service:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
OneFuzz service license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/opportunistic-wireless-encryption-owe.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/personal-data-encryption-pde.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/privacy-resource-usage.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/privacy-transparency-and-controls.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/remote-wipe.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/secure-boot-and-trusted-boot.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/secured-core-configuration-lock.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/secured-core-pc.md → includes/licensing/secured-core-pc-firmware-protection.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Secured-core PC:
The following table lists the Windows editions that support Secured-core PC firmware protection:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Secured-core PC license entitlements are granted by the following licenses:
Secured-core PC firmware protection license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
includes/licensing/security-baselines.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/server-message-block-direct-smb-direct.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/server-message-block-smb-file-service.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/smart-app-control.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/smart-cards-for-windows-service.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

22
includes/licensing/software-bill-of-materials-sbom.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Software Bill of Materials (SBOM):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Software Bill of Materials (SBOM) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/tamper-protection-settings-for-mde.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/transport-layer-security-tls.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/trusted-platform-module-tpm-20.md → includes/licensing/trusted-platform-module-tpm.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0:
The following table lists the Windows editions that support Trusted Platform Module (TPM):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses:
Trusted Platform Module (TPM) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
includes/licensing/universal-print.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/user-account-control-uac.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/virtual-private-network-vpn.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Virtual Private Network (VPN):
The following table lists the Windows editions that support Virtual private network (VPN):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Virtual Private Network (VPN) license entitlements are granted by the following licenses:
Virtual private network (VPN) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
includes/licensing/virtualization-based-security-vbs.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/wifi-security.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

22
includes/licensing/windows-application-software-development-kit-sdk.md Normal file
View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows application software development kit (SDK):
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows application software development kit (SDK) license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

2
includes/licensing/windows-autopatch.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-autopilot.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-defender-application-control-wdac.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-defender-credential-guard.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-defender-remote-credential-guard.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-defender-system-guard.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-firewall.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-hello-for-business.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-laps.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-presence-sensing.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

2
includes/licensing/windows-sandbox.md
View File

@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---

6
includes/licensing/windows-security-policy-settings-and-auditing.md
View File

@ -1,19 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.date: 08/02/2023
ms.topic: include
---
## Windows edition and licensing requirements
The following table lists the Windows editions that support Windows Security policy settings and auditing:
The following table lists the Windows editions that support Windows security policy settings and auditing:
|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|
Windows Security policy settings and auditing license entitlements are granted by the following licenses:
Windows security policy settings and auditing license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|

2
windows/client-management/mdm-overview.md
View File

@ -56,7 +56,7 @@ For more information about the MDM policies defined in the MDM security baseline
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)]
[!INCLUDE [modern-device-management-through-mdm](../../includes/licensing/modern-device-management-through-mdm.md)]
## Frequently Asked Questions

14
windows/security/application-security/index.md
View File

@ -1,18 +1,14 @@
---
title: Windows application security
description: Get an overview of application security in Windows
ms.date: 03/09/2023
ms.topic: article
ms.date: 08/02/2023
ms.topic: conceptual
---
# Windows application security
Cyber-criminals regularly gain access to valuable data by hacking applications. This can include *code injection* attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
The following table summarizes the Windows security features and capabilities for apps:
Learn more about application security features in Windows.
| Security Measures | Features & Capabilities |
|:---|:---|
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](application-control/windows-defender-application-control/wdac.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) |
[!INCLUDE [application](../includes/sections/application.md)]

18
windows/security/cloud-security/index.md Normal file
View File

@ -0,0 +1,18 @@
---
title: Windows and cloud security
description: Get an overview of cloud security features in Windows
ms.date: 08/02/2023
ms.topic: conceptual
author: paolomatarazzo
ms.author: paoloma
---
# Windows and cloud security
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
Learn more about cloud security features in Windows.
[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]

2
windows/security/cloud-security/toc.yml
View File

@ -1,4 +1,6 @@
items:
- name: Overview
href: index.md
- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
href: /azure/active-directory/devices/concept-azure-ad-join
- name: Security baselines with Intune 🔗

2
windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
View File

@ -37,7 +37,7 @@ When the system boots, Pluton hardware initialization is performed by loading th
![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
[!INCLUDE [microsoft-pluton-security-processor](../../../../includes/licensing/microsoft-pluton-security-processor.md)]
[!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)]
## Related topics

2
windows/security/hardware-security/tpm/trusted-platform-module-overview.md
View File

@ -42,7 +42,7 @@ Anti-malware software can use the boot measurements of the operating system star
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm-20.md)]
[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
## New and changed functionality

22
windows/security/includes/sections/application-application-control-overview.md
View File

@ -1,22 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Application Control features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Application Control features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|

30
windows/security/includes/sections/application-application-isolation-overview.md
View File

@ -1,30 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Application Isolation features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|
|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|❌|Yes|
|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Application Isolation features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|Yes|
|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|Yes|Yes|Yes|
|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes|

24
windows/security/includes/sections/application.md
View File

@ -1,26 +1,28 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/06/2023
ms.date: 08/02/2023
ms.topic: include
---
## Application Control
## Application and driver control
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** | |
| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
## Application Isolation
## Application isolation
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
| **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |

26
windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
View File

@ -1,26 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Protecting Your Work Information features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|
|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Protecting Your Work Information features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes|
|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|

20
windows/security/includes/sections/cloud-services-update-overview.md
View File

@ -1,20 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Update features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Update features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|

17
windows/security/includes/sections/cloud-services.md
View File

@ -1,23 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/06/2023
ms.date: 08/02/2023
ms.topic: include
---
## Protecting Your Work Information
## Protect your work information
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a <br>Microsoft hosted cloud subscription service that supports a zero-trust security model by <br>enabling network isolation of printers, including the Universal Print connector software, from <br>the rest of the organization's resources. |
## Update
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.<br><br>IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.<br><br>To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. |
| **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |

22
windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
View File

@ -1,22 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Hardware Root-Of-Trust features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|
|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes|
|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|

26
windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
View File

@ -1,26 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes|

28
windows/security/includes/sections/hardware.md
View File

@ -1,24 +1,30 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/06/2023
ms.date: 08/02/2023
ms.topic: include
---
## Hardware Root-Of-Trust
## Hardware root-of-trust
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
| **[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
| **[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
| **[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
## Silicon Assisted Security (Secured Kernel)
## Silicon assisted security
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
## Secured-core PC
| Feature name | Description |
|:---|:---|
| **[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
| **[Secured-core configuration lock](/windows/client-management/config-lock)** | Secured-core configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired SCPC state in seconds. |

28
windows/security/includes/sections/identity-advanced-credential-protection-overview.md
View File

@ -1,28 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Advanced Credential Protection features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Advanced Credential Protection features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|

28
windows/security/includes/sections/identity-passwordless-sign-in-overview.md
View File

@ -1,28 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.topic: include
---
The following table lists the edition applicability for all Passwordless Sign In features.
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Passwordless Sign In features.
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|

14
windows/security/includes/sections/identity.md
View File

@ -1,13 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/06/2023
ms.date: 08/02/2023
ms.topic: include
---
## Passwordless Sign In
## Passwordless sign in
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
| **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
@ -16,13 +16,13 @@ ms.topic: include
| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
## Advanced Credential Protection
## Advanced credential protection
| Security Measures | Features & Capabilities |
| Feature name | Description |
|:---|:---|
| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | |
| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
| **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |

Some files were not shown because too many files have changed in this diff Show More