Merge branch 'main' into release-mcc-ent

Alma Jenks
2024-07-01 17:44:47 +00:00
9 changed files with 35 additions and 313 deletions


@ -67,7 +67,7 @@ Windows Enterprise edition has many features that are unavailable in Windows Pro
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).|
|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/microsoft-desktop-optimization-pack/ue-v/uev-for-windows).|
|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, a device can be configured for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. Access to services such as the Windows Store can also be restricted. For Windows 10, Start layout options can also be managed, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
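Review bot: In the Application Virtualization (App-V) row, the link text still reads "Getting started with App-V for Windows client" but the new target is `/microsoft-desktop-optimization-pack/app-v/appv-for-windows`, which by its slug is not the getting-started page the old link pointed to. Either point the row at the relocated getting-started article or reword the link text to match the page it now opens, so readers following the security-update guidance in this row land where the text says they will. The AppLocker row in the same table still links under `/windows/security/threat-protection/windows-defender-application-control/`, while the Device Guard row uses `/windows/security/application-security/application-control/`; worth confirming that the older path still resolves while this table is being touched.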
@ -146,9 +146,9 @@ App-V requires an App-V server infrastructure to support App-V clients. The prim
For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
- [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started)
- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
- [Getting started with App-V for Windows client](/microsoft-desktop-optimization-pack/app-v/appv-getting-started)
- [Deploying the App-V server](/microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-server)
- [Deploying the App-V Sequencer and Configuring the Client](/microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-sequencer-and-client)
### UE-V
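Review bot: All three links in this list only swap the `/windows/application-management/app-v/` prefix for `/microsoft-desktop-optimization-pack/app-v/` and keep the old slugs, yet the feature table in the hunk at line 67 uses a different slug (`appv-for-windows`) for the same "Getting started with App-V for Windows client" title. Please confirm that `appv-getting-started`, `appv-deploying-the-appv-server` and `appv-deploying-the-appv-sequencer-and-client` exist under the new path, and use one target for the getting-started link in both places. As a style point, "Deploying the App-V Sequencer and Configuring the Client" is title-cased while the other two items use sentence case.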