deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into vp-csp-tuning

Browse Source
This commit is contained in:
Thomas Raya
2023-05-22 16:59:58 -07:00
committed by GitHub
parent e1d686e48d 3667f6e584
commit 8dae599e15
34 changed files with 241 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/deployment/update/release-cycle.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 03/23/2023
ms.date: 05/19/2023
---
# Update release cycle for Windows clients
@ -96,7 +96,7 @@ Some of the new features may be disruptive to organizations. By default, these s
- WSUS
- Devices that have updates managed by Configuration Manager use WSUS
Features that are turned off by default are listed in the KB article for the monthly cumulative update. If you want to enable these features, there's a client policy that allows admins to **Enable features introduced via servicing that are off by default**. For more information about this policy, see [Enable features introduced via servicing that are off by default](waas-configure-wufb.md#enable-features-introduced-via-servicing-that-are-off-by-default).
Features that are turned off by default are listed in the KB article for the monthly cumulative update. If you want to enable these features, there's a client policy that allows admins to enable features that are behind temporary enterprise control. For more information about this policy, see [Enable features that are behind temporary enterprise feature control](waas-configure-wufb.md#enable-features-that-are-behind-temporary-enterprise-feature-control).
## Annual feature updates

10
windows/deployment/update/waas-configure-wufb.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/28/2023
ms.date: 05/19/2023
---
# Configure Windows Update for Business
@ -210,14 +210,14 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable features introduced via servicing that are off by default
## Enable features that are behind temporary enterprise feature control
<!--6544872-->
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
The features that are turned off by default from servicing updates will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them.
The features that are behind temporary enterprise feature control will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. For a list of features that are turned off by default, see [Windows 11 features behind temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control).
**Policy settings to enable features introduced via servicing that are off by default**
**Policy settings to enable features that are behind temporary enterprise control**
| Policy | Sets registry key under HKLM\Software |
| --- | --- |

6
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -35,7 +35,9 @@ With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Wind
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
- Is only used by Azure AD to generate TGTs for the Active Directory domain.
> [!NOTE]
> The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of the built-in security group *Denied RODC Password Replication Group* won't be able to use cloud Kerberos trust.
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
@ -88,4 +90,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f

10
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -27,6 +27,10 @@ Microsoft Defender Application Guard (Application Guard) works with Group Policy
Application Guard uses both network isolation and application-specific settings.
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview).
## Network isolation settings
These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
@ -36,7 +40,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Netw
> [!NOTE]
> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
@ -62,13 +66,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
[Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).

6
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -26,7 +26,7 @@ ms.topic: conceptual
- Windows 10
- Windows 11
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
Microsoft Defender Application Guard (MDAG) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@ -34,7 +34,6 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus
For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
![Hardware isolation diagram.](images/appguard-hardware-isolation.png)
### What types of devices should use Application Guard?
@ -51,6 +50,8 @@ Application Guard has been created to target several types of devices:
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
## Related articles
|Article |Description |
@ -63,3 +64,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|

16
windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
View File

@ -19,12 +19,15 @@ ms.topic: conceptual
Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in these ways:
If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:
- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account.
- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password.
- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
> [!NOTE]
> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint.
## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
@ -70,7 +73,7 @@ Enhanced Phishing Protection can be configured using the following Administrativ
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].
| Setting | OMA-URI | Data type |
|-------------------------|---------------------------------------------------------------------------|-----------|
| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
@ -87,7 +90,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|Settings catalog element|Recommendation|
|---------|---------|
|Service Enabled|**Enable**:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
@ -118,11 +121,10 @@ To better help you protect your organization, we recommend turning on and using
## Related articles
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [WebThreatDefense CSP][WIN-1]
- [Threat protection](../index.md)
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
------------
<!-- Links -->
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
[MEM-2]: /mem/intune/configuration/settings-catalog
[MEM-2]: /mem/intune/configuration/settings-catalog

56
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -100,7 +100,7 @@ To check that the policy was successfully applied on your computer:
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.25310.0</VersionEx>
<VersionEx>10.0.25860.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
@ -583,6 +583,14 @@ To check that the policy was successfully applied on your computer:
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" />
<Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" />
<Deny ID="ID_DENY_EIO64_1" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Sha1" Hash="200BE5A696990EE97B4C3176234CDE46C3EBC2CE" />
<Deny ID="ID_DENY_EIO64_2" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Sha256" Hash="72B36C64F0B349D7816C8E5E2D1A7F59807DE0C87D3F071A04DBC56BEC9C00DB" />
<Deny ID="ID_DENY_EIO64_3" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Page Sha1" Hash="DB88BFE5F3DE4E3CC778FE456B542EC4135433A4" />
<Deny ID="ID_DENY_EIO64_4" FriendlyName="Asus EIO64\b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0 Hash Page Sha256" Hash="609E8789D16176622F6EC629A8BEA7513A37CB6BBA7775971FD24056F8F3BCE0" />
<Deny ID="ID_DENY_EIO64_5" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Sha1" Hash="ED54E23998978F8124BD1F97C265F708DDBA1DE0" />
<Deny ID="ID_DENY_EIO64_6" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Sha256" Hash="D4E7335A177E47688D68AD89940C272F82728C882623F1630E7FD2E03E16F003" />
<Deny ID="ID_DENY_EIO64_7" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha1" Hash="D1AAAAF1EEA34073BAF39C7494E646C5AD2475F5" />
<Deny ID="ID_DENY_EIO64_8" FriendlyName="Asus EIO64\cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb Hash Page Sha256" Hash="796BEC283155309F2DF0B1779CABC78A3B2161FFCED9F521DB231550DCB376A1" />
<Deny ID="ID_DENY_HW_22" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha1" Hash="924A088149D6EE89551E15D45E7BC847B9561196" />
<Deny ID="ID_DENY_HW_23" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Sha256" Hash="5E1E1489A1A01CFB466B527543D9D25112A83792BDE443DE9E34E4D3ADA697E3" />
<Deny ID="ID_DENY_HW_24" FriendlyName="hw_sys\b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab Hash Page Sha1" Hash="ADB70331BE7B68359C3EC3065C045349EA5B2EE2" />
@ -828,14 +836,6 @@ To check that the policy was successfully applied on your computer:
<Deny ID="ID_DENY_PHYMEMX64_SHA256" FriendlyName="phymemx64 Hash Sha256" Hash="A6AE7364FD188C10D6B5A729A7FF58A3EB11E7FEB0D107D18F9133655C11FB66" />
<Deny ID="ID_DENY_PHYMEMX64_SHA1_PAGE" FriendlyName="phymemx64 Hash Page Sha1" Hash="6E7D8ABF7F81A2433F27B052B3952EFC4B9CC0B1" />
<Deny ID="ID_DENY_PHYMEMX64_SHA256_PAGE" FriendlyName="phymemx64 Hash Page Sha256" Hash="B7113B9A68E17428E2107B19BA099571AAFFC854B8FB9CBCEB79EF9E3FD1CC62" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA1" FriendlyName="semav6msr64.sys Hash Sha1" Hash="E3DBE2AA03847DF621591A4CAD69A5609DE5C237" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA256" FriendlyName="semav6msr64.sys Hash Sha256" Hash="EB71A8ECEF692E74AE356E8CB734029B233185EE5C2CCB6CC87CC6B36BEA65CF" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha1" Hash="F3821EC0AEF270F749DF9F44FBA91AFA5C8C38E8" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA256_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha256" Hash="4F12EE563E7496E7105D67BF64AF6B436902BE4332033AF0B5A242B206372CB7" />
<Deny ID="ID_DENY_WINRING0_SHA1" FriendlyName="WinRing0.sys Hash Sha1" Hash="12EB825418A932B1E4C6697DC7647E89AE52CF3F" />
<Deny ID="ID_DENY_WINRING0_SHA256" FriendlyName="WinRing0.sys Hash Sha256" Hash="4582ADB2E67EEBAFF755AE740C1F24BC3AF78E0F28E8E8DECB99F86BF155AB23" />
<Deny ID="ID_DENY_WINRING0_SHA1_PAGE" FriendlyName="WinRing0.sys Hash Page Sha1" Hash="497AFEB0D5B97D4B863704A2F77FFEF31220402D" />
<Deny ID="ID_DENY_WINRING0_SHA256_PAGE" FriendlyName="WinRing0.sys Hash Page Sha256" Hash="8D8A5696BDF11D2427016F91F9726AFF4F0C80FADBC3E6033662FA11C8B282BD" />
<Deny ID="ID_DENY_RETLIFTEN_SHA1_1" FriendlyName="80.sys Hash Sha1" Hash="BC2F3850C7B858340D7ED27B90E63B036881FD6C" />
<Deny ID="ID_DENY_RETLIFTEN_SHA1_2" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="E74B6DDA8BC53BC687FC21218BD34062A78D8467" />
<Deny ID="ID_DENY_RETLIFTEN_SHA1_3" FriendlyName="netfilterdrv.sys Hash Sha1" Hash="2C27ABBBBCF10DFB75AD79557E30ACE5ED314DF8" />
@ -1009,6 +1009,10 @@ To check that the policy was successfully applied on your computer:
<Deny ID="ID_DENY_RTCORE_1B" FriendlyName="RTCore64\40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1 Hash Page Sha1" Hash="3B05785D8AD770E4356BC8041606B08BDAB56C99" />
<Deny ID="ID_DENY_RTCORE_1C" FriendlyName="RTCore64\40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1 Hash Page Sha256" Hash="2DC771BED765E9FE8E79171A851BA158B8E84034FE0518A619F47F3450FFA2BC" />
<Deny ID="ID_DENY_RTCORE_1D" FriendlyName="RTCore64\bea8c6728d57d4b075f372ac82b8134ac8044fe13f533696a58e8864fa3efee3 Hash Sha256" Hash="6279821BF9ECCED596F474C8FC547DAB0BDDBB3AB972390596BD4C5C7B85C685" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA1" FriendlyName="semav6msr64.sys Hash Sha1" Hash="E3DBE2AA03847DF621591A4CAD69A5609DE5C237" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA256" FriendlyName="semav6msr64.sys Hash Sha256" Hash="EB71A8ECEF692E74AE356E8CB734029B233185EE5C2CCB6CC87CC6B36BEA65CF" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA1_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha1" Hash="F3821EC0AEF270F749DF9F44FBA91AFA5C8C38E8" />
<Deny ID="ID_DENY_SEMAV6MSR64_SHA256_PAGE" FriendlyName="semav6msr64.sys Hash Page Sha256" Hash="4F12EE563E7496E7105D67BF64AF6B436902BE4332033AF0B5A242B206372CB7" />
<Deny ID="ID_DENY_SUPERBMC_2" FriendlyName="superbmc.sys\1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f Hash Sha1" Hash="989BDDC6B7076947277AB6EB7F002AB6731AAEAE" />
<Deny ID="ID_DENY_SUPERBMC_3" FriendlyName="superbmc.sys\1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f Hash Sha256" Hash="5147B0F2CA9D0BDE1F9FCEB382C05F7FA9C333709D7BF081D6C00A4132D914AF" />
<Deny ID="ID_DENY_SUPERBMC_4" FriendlyName="superbmc.sys\1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f Hash Page Sha1" Hash="4378B656A1C94CD885323B6D6E36038E8522E6CC" />
@ -1041,6 +1045,10 @@ To check that the policy was successfully applied on your computer:
<Deny ID="ID_DENY_WINIO_8" FriendlyName="WinIO32A.sys\01779ee53f999464465ed690d823d160f73f10e7 Hash Sha1" Hash="01779EE53F999464465ED690D823D160F73F10E7" />
<Deny ID="ID_DENY_WINIO_9" FriendlyName="WinIo64C.sys\b242b0332b9c9e8e17ec27ef10d75503d20d97b6 Hash Sha1" Hash="B242B0332B9C9E8E17EC27EF10D75503D20D97B6" />
<Deny ID="ID_DENY_WINIO_10" FriendlyName="WinIO64C.sys\a65fabaf64aa1934314aae23f25cdf215cbaa4b6 Hash Sha1" Hash="A65FABAF64AA1934314AAE23F25CDF215CBAA4B6" />
<Deny ID="ID_DENY_WINRING0_SHA1" FriendlyName="WinRing0.sys Hash Sha1" Hash="12EB825418A932B1E4C6697DC7647E89AE52CF3F" />
<Deny ID="ID_DENY_WINRING0_SHA256" FriendlyName="WinRing0.sys Hash Sha256" Hash="4582ADB2E67EEBAFF755AE740C1F24BC3AF78E0F28E8E8DECB99F86BF155AB23" />
<Deny ID="ID_DENY_WINRING0_SHA1_PAGE" FriendlyName="WinRing0.sys Hash Page Sha1" Hash="497AFEB0D5B97D4B863704A2F77FFEF31220402D" />
<Deny ID="ID_DENY_WINRING0_SHA256_PAGE" FriendlyName="WinRing0.sys Hash Page Sha256" Hash="8D8A5696BDF11D2427016F91F9726AFF4F0C80FADBC3E6033662FA11C8B282BD" />
<!-- Deny and FileAttrib rules specifying FileName should always specify MinimumFileVersion and MaximumFileVersion. SiPolicy checks matches minVer <= ver && maxVer >= ver-->
<Deny ID="ID_DENY_PROCESSHACKER" FriendlyName="kprocesshacker.sys FileRule" FileName="kprocesshacker.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.65535.65535" />
<Deny ID="ID_DENY_AMP" FriendlyName="System Mechanic CVE-2018-5701" FileName="amp.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="5.4.11.1" />
@ -1055,6 +1063,8 @@ To check that the policy was successfully applied on your computer:
<Deny ID="ID_DENY_PHYMEMX_64" FriendlyName="Phymemx64 Memory Mapping Driver" FileName="phymemx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_AMD_RYZEN" FriendlyName="amdryzenmaster.sys" FileName="AMDRyzenMasterDriver.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.5.0.0" />
<FileAttrib ID="ID_FILEATTRIB_AMDPP" FriendlyName="AMDPowerProfiler.sys FileAttribute" FileName="AMDPowerProfiler.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.1.0.0" />
<FileAttrib ID="ID_FILEATTRIB_ASR_AUTOCHECK_1" FriendlyName="ASRAutoCheck\2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4 FileAttribute" FileName="AsrAutoChkUpdDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_ASR_AUTOCHECK_2" FriendlyName="ASRAutoCheck\4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe FileAttribute" FileName="AsrAutoChkUpdDrv_1_0_32.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_ASWARPOT" FriendlyName="Avast aswArpot FileAttribute" FileName="aswArPot.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.4.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_ATILLK" FriendlyName="atillk64 FileAttribute" FileName="atillk64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_ATSZIO" FriendlyName="ATSZIO.sys FileAttribute" FileName="ATSZIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@ -1068,6 +1078,7 @@ To check that the policy was successfully applied on your computer:
<FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
<FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
<FileAttrib ID="ID_FILEATTRIB_DRIVER7" FriendlyName="Asus driver7.sys\1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb FileAttribute" FileName="Driver7" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
<FileAttrib ID="ID_FILEATTRIB_EIO64" FriendlyName="ASUS EIO64.sys\1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718 FileAttribute" FileName="EIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
<FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
<FileAttrib ID="ID_FILEATTRIB_FAIRPLAY" FriendlyName="Deny FairplayKD.sys MTA San Andreas Versions 367.*" ProductName="MTA San Andreas" MinimumFileVersion="367.0.0.0" MaximumFileVersion="367.65535.65535.65535"/>
<FileAttrib ID="ID_FILEATTRIB_GMER" FriendlyName="GMEREK gmer64 FileAttribute" FileName="gmer64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@ -1118,6 +1129,7 @@ To check that the policy was successfully applied on your computer:
<FileAttrib ID="ID_FILEATTRIB_VIRAGT" FriendlyName="viragt.sys 32-bit" FileName="viragt.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.80.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT64" FriendlyName="viragt64.sys" FileName="viragt64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.11" />
<FileAttrib ID="ID_FILEATTRIB_VMDRV" FriendlyName="vmdrv.sys FileAttribute" FileName="vmdrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.10011.16384" />
<FileAttrib ID="ID_FILEATTRIB_WCPU" FriendlyName="WCPU\159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980 FileAttribute" FileName="CPU Driver" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535"/>
<FileAttrib ID="ID_FILEATTRIB_WINRING0" FriendlyName="WinRing0.sys" FileName="WinRing0.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="2.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_WISEUNLO" FriendlyName="WiseUnlo FileAttribute" FileName="WiseUnlo.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
</FileRules>
@ -1126,6 +1138,8 @@ To check that the policy was successfully applied on your computer:
<Signer ID="ID_SIGNER_VERISIGN_2010" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
<FileAttribRef RuleID="ID_FILEATTRIB_ASR_AUTOCHECK_1" />
<FileAttribRef RuleID="ID_FILEATTRIB_ASR_AUTOCHECK_2" />
<FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_DRIVER7" />
@ -1160,6 +1174,10 @@ To check that the policy was successfully applied on your computer:
<CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
<CertOemID Value="MB Rb online" />
</Signer>
<Signer ID="ID_SIGNER_MAN_MUS" Name="Microsoft Windows Third Party Component CA 2014 MANUEL OPUS">
<CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
<CertOemID Value="DIGITAL SERVICES OF MANUEL MUSARELLA" />
</Signer>
<Signer ID="ID_SIGNER_DIGICERT_EV" Name="DigiCert EV Code Signing CA (SHA2)">
<CertRoot Type="TBS" Value="EEC58131DC11CD7F512501B15FDBC6074C603B68CA91F7162D5A042054EDB0CF" />
<FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
@ -1301,6 +1319,7 @@ To check that the policy was successfully applied on your computer:
<CertPublisher Value="ASUSTeK Computer Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_DEF" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_DEF_64" />
<FileAttribRef RuleID="ID_FILEATTRIB_WCPU" />
</Signer>
<Signer ID="ID_SIGNER_VERISIGN_2009_BIOSTAR" Name="VeriSign Class 3 Code Signing 2009-2 CA">
<CertRoot Type="TBS" Value="4CDC38C800761463749C3CBD94A12F32E49877BF" />
@ -1610,8 +1629,8 @@ To check that the policy was successfully applied on your computer:
</Signer>
<Signer ID="ID_SIGNER_MS_ELAM" Name="Microsoft Code Signing PCA 2010">
<CertRoot Type="TBS" Value="121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195" />
<FileAttribRef RuleID="ID_FILEATTRIB_TMEL" />
<FileAttribRef RuleID="ID_FILEATTRIB_AVGELAM" />
<FileAttribRef RuleID="ID_FILEATTRIB_TMEL" />
</Signer>
<Signer ID="ID_SIGNER_AVGELAM_1" Name="DigiCert High Assurance Code Signing CA-1">
<CertRoot Type="TBS" Value="1D7E838ACCD498C2E5BA9373AF819EC097BB955C" />
@ -1816,7 +1835,7 @@ To check that the policy was successfully applied on your computer:
</Signers>
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 09-19-2022">
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DENIED_VULN_MAL_SIGNERS" FriendlyName="Signers of known vulnerable or malicious drivers">
<ProductSigners>
<DeniedSigners>
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
@ -1840,13 +1859,13 @@ To check that the policy was successfully applied on your computer:
<DeniedSigner SignerId="ID_SIGNER_CAPCOM" />
<DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
<DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" />
<DeniedSigner SignerId="ID_SIGNER_DIGICERT_EV" />
<DeniedSigner SignerId="ID_SIGNER_ELBY" />
<DeniedSigner SignerId="ID_SIGNER_ENE" />
<DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_1" />
<DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_2" />
<DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_3" />
<DeniedSigner SignerId="ID_SIGNER_FAIRPLAY_4" />
<DeniedSigner SignerId="ID_SIGNER_DIGICERT_EV" />
<DeniedSigner SignerId="ID_SIGNER_GEOTRUST_SRL_2009" />
<DeniedSigner SignerId="ID_SIGNER_GEOTRUST_SRL_2010" />
<DeniedSigner SignerId="ID_SIGNER_GETAC" />
@ -1884,6 +1903,7 @@ To check that the policy was successfully applied on your computer:
<DeniedSigner SignerId="ID_SIGNER_LV_DIAG" />
<DeniedSigner SignerId="ID_SIGNER_LV_DIAG_2" />
<DeniedSigner SignerId="ID_SIGNER_LV_LOGITECH" />
<DeniedSigner SignerId="ID_SIGNER_MAN_MUS" />
<DeniedSigner SignerId="ID_SIGNER_MB_RB_HACKS" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
@ -1898,7 +1918,7 @@ To check that the policy was successfully applied on your computer:
<DeniedSigner SignerId="ID_SIGNER_NVFLASH_3" />
<DeniedSigner SignerId="ID_SIGNER_PAN" />
<DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
<DeniedSigner SignerId="ID_SIGNER_PROCEXP_1" />
<DeniedSigner SignerId="ID_SIGNER_PROCEXP_1" />
<DeniedSigner SignerId="ID_SIGNER_PROCEXP_2" />
<DeniedSigner SignerId="ID_SIGNER_PROCEXP_3" />
<DeniedSigner SignerId="ID_SIGNER_PROCEXP_4" />
@ -2407,6 +2427,14 @@ To check that the policy was successfully applied on your computer:
<FileRuleRef RuleID="ID_DENY_DIRECTIO_39" />
<FileRuleRef RuleID="ID_DENY_DIRECTIO_3A" />
<FileRuleRef RuleID="ID_DENY_DIRECTIO_3B" />
<FileRuleRef RuleID="ID_DENY_EIO64_1" />
<FileRuleRef RuleID="ID_DENY_EIO64_2" />
<FileRuleRef RuleID="ID_DENY_EIO64_3" />
<FileRuleRef RuleID="ID_DENY_EIO64_4" />
<FileRuleRef RuleID="ID_DENY_EIO64_5" />
<FileRuleRef RuleID="ID_DENY_EIO64_6" />
<FileRuleRef RuleID="ID_DENY_EIO64_7" />
<FileRuleRef RuleID="ID_DENY_EIO64_8" />
<FileRuleRef RuleID="ID_DENY_HW_22" />
<FileRuleRef RuleID="ID_DENY_HW_23" />
<FileRuleRef RuleID="ID_DENY_HW_24" />
@ -2898,7 +2926,7 @@ To check that the policy was successfully applied on your computer:
</Setting>
<Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
<Value>
<String>10.0.25310.0</String>
<String>10.0.25860.0</String>
</Value>
</Setting>
</Settings>

2
windows/whats-new/TOC.yml
View File

@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
- name: Windows 11 temporary enterprise feature control
href: temporary-enterprise-feature-control.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10

8
windows/whats-new/deprecated-features-resources.md
View File

@ -12,15 +12,13 @@ ms.topic: reference
ms.collection:
- highpri
- tier1
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Resources for deprecated features
**Applies to**
- Windows 10
- Windows 11
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
## Microsoft Support Diagnostic Tool resources

8
windows/whats-new/deprecated-features.md
View File

@ -12,15 +12,13 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier1
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Deprecated features for Windows client
**Applies to**
- Windows 10
- Windows 11
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).

7
windows/whats-new/feature-lifecycle.md
View File

@ -12,13 +12,12 @@ ms.date: 10/28/2022
ms.collection:
- highpri
- tier2
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows client features lifecycle
Applies to:
- Windows 10
- Windows 11
Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
## Windows 11 features

2
windows/whats-new/index.yml
View File

@ -65,4 +65,4 @@ landingContent:
- text: Compare Windows 11 Editions
url: https://www.microsoft.com/windows/business/compare-windows-11
- text: Windows 10 Enterprise LTSC
url: ltsc/index.md
url: ltsc/overview.md

4
windows/whats-new/ltsc/TOC.yml
View File

@ -1,6 +1,8 @@
- name: Windows 10 Enterprise LTSC
href: index.md
href: index.yml
items:
- name: Windows 10 Enterprise LTSC overview
href: overview.md
- name: What's new in Windows 10 Enterprise LTSC 2021
href: whats-new-windows-10-2021.md
- name: What's new in Windows 10 Enterprise LTSC 2019

49
windows/whats-new/ltsc/index.yml Normal file
View File

@ -0,0 +1,49 @@
### YamlMime:Landing
title: What's new in Windows 10 Enterprise LTSC
summary: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
metadata:
title: What's new in Windows 10 Enterprise LTSC
description: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals.
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.topic: landing-page
ms.collection:
- highpri
- tier1
author: mestew
ms.author: mstewart
manager: aaroncz
ms.date: 05/22/2023
localization_priority: medium
landingContent:
- title: Windows 10 Enterprise LTSC
linkLists:
- linkListType: overview
links:
- text: Windows 10 Enterprise LTSC overview
url: overview.md
- text: What's new in Windows 10 Enterprise LTSC 2021
url: whats-new-windows-10-2021.md
- text: What's new in Windows 10 Enterprise LTSC 2019
url: whats-new-windows-10-2019.md
- text: What's new in Windows 10 Enterprise LTSC 2016
url: whats-new-windows-10-2016.md
- text: What's new in Windows 10 Enterprise LTSC 2015
url: whats-new-windows-10-2015.md
- title: Learn more
linkLists:
- linkListType: overview
links:
- text: Windows release health dashboard
url: /windows/release-health/
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
- text: Windows features we're no longer developing
url: ../deprecated-features.md
- text: Features and functionality removed in Windows
url: ../removed-features.md

11
windows/whats-new/ltsc/index.md → windows/whats-new/ltsc/overview.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10 Enterprise LTSC
title: Windows 10 Enterprise LTSC overview
description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
ms.prod: windows-client
author: mestew
@ -9,16 +9,13 @@ ms.localizationpriority: low
ms.topic: overview
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 Enterprise LTSC</a>
---
# Windows 10 Enterprise LTSC
**Applies to**
- Windows 10 Enterprise LTSC
## In this topic
This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
This article provides links to information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)<br>
[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)<br>

11
windows/whats-new/ltsc/whats-new-windows-10-2015.md
View File

@ -8,15 +8,14 @@ author: mestew
ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
ms.date: 02/26/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2015</a>
---
# What's new in Windows 10 Enterprise LTSC 2015
**Applies to**
- Windows 10 Enterprise LTSC 2015
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
## Deployment
@ -289,4 +288,4 @@ The new chromium-based Microsoft Edge isn't included in the LTSC release of Wind
## See Also
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
[Windows 10 Enterprise LTSC](overview.md): A description of the LTSC servicing channel with links to information about each release.

9
windows/whats-new/ltsc/whats-new-windows-10-2016.md
View File

@ -9,14 +9,13 @@ ms.localizationpriority: low
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2016</a>
---
# What's new in Windows 10 Enterprise LTSC 2016
**Applies to**
- Windows 10 Enterprise LTSC 2016
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
>[!NOTE]
>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
@ -177,4 +176,4 @@ The new chromium-based Microsoft Edge isn't included in the LTSC release of Wind
## See Also
[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
[Windows 10 Enterprise LTSC](overview.md): A description of the LTSC servicing channel with links to information about each release.

9
windows/whats-new/ltsc/whats-new-windows-10-2019.md
View File

@ -9,14 +9,13 @@ ms.localizationpriority: medium
ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 04/05/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2019</a>
---
# What's new in Windows 10 Enterprise LTSC 2019
**Applies to**
- Windows 10 Enterprise LTSC 2019
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
>[!NOTE]
>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
@ -577,4 +576,4 @@ See the following example:
## See also
[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
[Windows 10 Enterprise LTSC](overview.md): A short description of the LTSC servicing channel with links to information about each release.

9
windows/whats-new/ltsc/whats-new-windows-10-2021.md
View File

@ -9,14 +9,13 @@ ms.localizationpriority: high
ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 04/05/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2021</a>
---
# What's new in Windows 10 Enterprise LTSC 2021
**Applies to**
- Windows 10 Enterprise LTSC 2021
This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
> [!NOTE]
> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.<br>
@ -244,4 +243,4 @@ WPA3 H2E standards are supported for enhanced Wi-Fi security.
## See Also
[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
[Windows 10 Enterprise LTSC](overview.md): A short description of the LTSC servicing channel with links to information about each release.

8
windows/whats-new/removed-features.md
View File

@ -12,15 +12,13 @@ ms.date: 01/05/2023
ms.collection:
- highpri
- tier1
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Features and functionality removed in Windows client
**Applies to**
- Windows 10
- Windows 11
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client.
For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md).

48
windows/whats-new/temporary-enterprise-feature-control.md Normal file
View File

@ -0,0 +1,48 @@
---
title: Temporary enterprise feature control in Windows 11
description: Learn about the Windows 11 features behind temporary enterprise feature control.
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.author: mstewart
author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: reference
ms.date: 05/19/2023
ms.collection:
- highpri
- tier2
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 and later</a>
---
# Temporary enterprise feature control in Windows 11
<!--7790977-->
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.
## Windows 11 features behind temporary enterprise feature control
The following features are behind temporary enterprise control in Windows 11:
| Feature | KB article where the feature was introduced | Feature update that ends temporary control |
|---|---|---|
| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update |
## Enable features behind temporary enterprise feature control
Features that are behind temporary enterprise control will be enabled when one of the following conditions is met:
- The device installs the annual feature update that enables the new features by default
- The device receives a policy that enables features behind temporary enterprise control
- When the policy is enabled, all features on the device behind temporary control are turned on when the device next restarts.
## Policy settings for temporary enterprise feature control
You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
- In the Intune [settings catalog](/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.

5
windows/whats-new/whats-new-windows-10-version-20H2.md
View File

@ -12,13 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 20H2</a>
---
# What's new in Windows 10, version 20H2 for IT Pros
**Applies to**
- Windows 10, version 20H2
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
> [!NOTE]

5
windows/whats-new/whats-new-windows-10-version-21H1.md
View File

@ -12,13 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H1</a>
---
# What's new in Windows 10, version 21H1 for IT Pros
**Applies to**
- Windows 10, version 21H1
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2.
Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.

6
windows/whats-new/whats-new-windows-10-version-21H2.md
View File

@ -12,14 +12,12 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 21H2</a>
---
# What's new in Windows 10, version 21H2
**Applies to**:
- Windows 10, version 21H2
Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1.
Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:

2
windows/whats-new/whats-new-windows-10-version-22H2.md
View File

@ -12,6 +12,8 @@ ms.date: 10/18/2022
ms.collection:
- highpri
- tier2
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10, version 22H2</a>
---
# What's new in Windows 10, version 22H2

4
windows/whats-new/whats-new-windows-11-version-22H2.md
View File

@ -12,11 +12,11 @@ ms.collection:
- tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
---
# What's new in Windows 11, version 22H2
**Applies to**: Windows 11, version 22H2
<!--6681501-->
Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.

6
windows/whats-new/windows-11-overview.md
View File

@ -12,14 +12,12 @@ ms.topic: overview
ms.collection:
- highpri
- tier1
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---
# Windows 11 overview
**Applies to**:
- Windows 11
Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.

9
windows/whats-new/windows-11-plan.md
View File

@ -12,17 +12,14 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---
# Plan for Windows 11
**Applies to**
- Windows 11
## Deployment planning
This article provides guidance to help you plan for Windows 11 in your organization.
## Deployment planning
Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—and the same basic deployment strategy that you use today for Windows 10. You'll need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11.

8
windows/whats-new/windows-11-prepare.md
View File

@ -12,15 +12,13 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Prepare for Windows 11
**Applies to**
- Windows 11
- Windows 10
Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks.

7
windows/whats-new/windows-11-requirements.md
View File

@ -12,14 +12,13 @@ ms.collection:
- tier1
ms.technology: itpro-fundamentals
ms.date: 02/13/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
---
# Windows 11 requirements
**Applies to**
- Windows 11
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
## Hardware requirements

9
windows/whats-new/windows-licensing.md
View File

@ -68,7 +68,7 @@ The following table describes the unique Windows Enterprise edition features:
| OS-based feature | Description |
|-|-|
|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.|
|**[Managed Microsoft Defender Application Guard for Microsoft Edge][EDGE-1]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
|**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.|
|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. |
|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.|
|**[Direct Access][WINS-1]**|Connect remote users to the organization network without the need for traditional VPN connections.|
@ -127,7 +127,7 @@ Windows Enterprise E3 in Microsoft 365 F3 does not include some use rights previ
## Use a Windows Pro device with the Windows Enterprise user subscription license
In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription licenses for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. Some scenarios that may require to not upgrade to Windows Enterprise edition:
In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription license for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. Some scenarios that may require to not upgrade to Windows Enterprise edition:
- Devices not properly provisioned that don't automatically upgrade to Windows Enterprise edition
- Devices may have been acquired for a business process that was not under control of a central IT department or outside of the IT department's knowledge
@ -142,7 +142,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e
| OS-based feature |Windows Pro|Windows Enterprise|
|-|-|-|
|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][EDGE-1]**|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
|**[Direct Access][WINS-1]**|Yes|Yes|
@ -186,7 +186,6 @@ To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Win
- How to acquire licenses through Commercial Licensing
[AZ-1]: /azure/virtual-desktop/prerequisites#operating-systems-and-licenses
[EDGE-1]: /deployedge/microsoft-edge-security-windows-defender-application-guard
[EXT-1]: https://www.microsoft.com/licensing/terms/productoffering/WindowsDesktopOperatingSystem/EAEAS
[EXT-2]: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-release-health-now-available-in-the-microsoft-365-admin/ba-p/2235908
[EXT-3]: https://windows.com/enterprise
@ -208,5 +207,7 @@ To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Win
[WIN-8]: /windows/deployment/do/waas-microsoft-connected-cache
[WIN-9]: /windows/release-health/supported-versions-windows-client#enterprise-and-iot-enterprise-ltsbltsc-editions
[WIN-10]: /windows/whats-new/ltsc/
[WIN-11]: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
[WINS-1]: /windows-server/remote/remote-access/directaccess/directaccess
[WINS-2]: /windows-server/remote/remote-access/vpn/always-on-vpn/