diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index 9b57ae9f30..f717d3e0a8 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@@ -174,6 +174,31 @@
 "source_path": "education/windows/set-up-school-pcs-whats-new.md",
 "redirect_url": "/education/windows",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-in-a-school-district.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-in-a-school.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/deploy-windows-10-overview.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/chromebook-migration-guide.md",
+ "redirect_url": "/education/windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/autopilot-reset.md",
+ "redirect_url": "/autopilot/windows-autopilot-reset",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e3407250c1..64fc525dac 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -2057,7 +2057,7 @@
 },
 {
 "source_path": "windows/deploy/sideload-apps-in-windows-10.md",
- "redirect_url": "/windows/application-management/sideload-apps-in-windows-10",
+ "redirect_url": "/windows/application-management/sideload-apps-in-windows",
 "redirect_document_id": false
 },
 {
diff --git a/.openpublishing.redirection.windows-application-management.json b/.openpublishing.redirection.windows-application-management.json
index 4b1866c772..b602d2f3f0 100644
--- a/.openpublishing.redirection.windows-application-management.json
+++ b/.openpublishing.redirection.windows-application-management.json
@@ -24,6 +24,11 @@
 "source_path": "windows/application-management/apps-in-windows-10.md",
 "redirect_url": "/windows/application-management/overview-windows-apps",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/application-management/sideload-apps-in-windows-10.md",
+ "redirect_url": "/windows/application-management/sideload-apps-in-windows",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index b853079ac7..d0bee7874b 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -15,6 +15,21 @@
 "redirect_url": "/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md",
+ "redirect_url": "/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security//threat-protection/mbsa-removal-and-guidance.md",
 "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance",
@@ -4560,6 +4575,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference",
@@ -4660,6 +4680,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-your-application-control-objectives.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application",
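Review bot: The new entry for `.../applocker/applocker-settings.md` turns the entry directly above it into a two-hop redirect: that entry (its `source_path` is outside the hunk) still sends readers to `/…/applocker/applocker-settings`, which this hunk now redirects on to `applocker-overview`. The same pattern appears in the hunks at -4660 (`determine-your-application-control-objectives` → `wdac-and-applocker-overview`), -4830 (`understand-applocker-enforcement-settings` → `working-with-applocker-rules#enforcement-modes`), -4900 and -4915 (both → `wdac`), where in each case the preceding context entry targets the page being redirected. I can't tell from the diff whether the publishing pipeline collapses chained redirects, but the `.openpublishing.redirection.json` hunk in this same commit avoids the chain by pointing the older `windows/deploy/sideload-apps-in-windows-10.md` entry straight at the final `sideload-apps-in-windows` target, so the consistent fix is to update each preceding entry's `redirect_url` to the new final target, e.g. `"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",` for the entry above this one. The -4830 target is also the only one carrying a `#enforcement-modes` fragment; worth confirming the redirection tooling preserves fragments rather than landing on the page top.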
@@ -4830,6 +4855,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules#enforcement-modes",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions",
@@ -4900,6 +4930,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets",
@@ -4915,6 +4950,11 @@
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md",
 "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
@@ -8049,6 +8089,141 @@
 "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/security-foundations/msft-security-dev-lifecycle.md",
+ "redirect_url": "/compliance/assurance/assurance-microsoft-security-development-lifecycle",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/pin-reset",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md",
+ "redirect_url": "/windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/cloud",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-guide.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-identity-verification.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/requirements",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index dc91fc136e..9a93fa8064 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
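Review bot: The `hello-deployment-guide.md` entry's `redirect_url` is the only one in this hunk, and in the visible surrounding entries, that ends with a trailing slash (`/windows/security/identity-protection/hello-for-business/deploy/`); unless that is deliberate for the index page, `"redirect_url": "/windows/security/identity-protection/hello-for-business/deploy",` keeps the targets uniform. I can't tell from the diff whether the redirection tooling normalizes a trailing slash, so this may be cosmetic only. The closing context also shows the file still ending without a newline (`\ No newline at end of file`); since the end of the file sits inside this hunk, adding the trailing newline now would be cheap. As an ordering nit, the `security-foundations/msft-security-dev-lifecycle.md` entry is inserted at the head of an otherwise all-`hello-for-business` block, where it is easy to overlook when the file is next edited.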
@@ -2,13 +2,13 @@ -## Week of November 06, 2023 +## Week of December 11, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | -| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | -| 11/9/2023 | What's new in the Windows Set up School PCs app | removed | -| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified | -| 11/9/2023 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified | +| 12/12/2023 | Chromebook migration guide | removed | +| 12/12/2023 | Deploy Windows 10 in a school district | removed | +| 12/12/2023 | Deploy Windows 10 in a school | removed | +| 12/12/2023 | Windows 10 for Education | removed | +| 12/12/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md deleted file mode 100644 index bb0223c8fc..0000000000 --- a/education/windows/autopilot-reset.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: Reset devices with Autopilot Reset -description: Learn about Autopilot Reset and how to enable and use it. -ms.date: 08/10/2022 -ms.topic: how-to -appliesto: - - ✅ Windows 10 ---- - -# Reset devices with Autopilot Reset - -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. - -To enable Autopilot Reset, you must: - -1. [Enable the policy for the feature](#enable-autopilot-reset) -2. [Trigger a reset for each device](#trigger-autopilot-reset) - -## Enable Autopilot Reset - -To use Autopilot Reset, Windows Recovery Environment (WinRE) must be enabled on the device. - -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident. - -You can set the policy using one of these methods: - -- MDM provider - - Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. 
- - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials - - Data type: Integer - - Value: 0 - -- Windows Configuration Designer - - You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. - -- Set up School PCs app - - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - - - Reach out to your device manufacturer. - - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - - - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. - - To use the Autopilot Reset setting in the Set up School PCs app: - - - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: - -  - -## Trigger Autopilot Reset - -Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. - -To trigger Autopilot Reset: - -1. From the Windows device lock screen, enter the keystroke: CTRL + WIN + R. - -  - - This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: - - 1. 
Confirm/verify that the end user has the right to trigger Autopilot Reset - 1. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - -  - -1. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. - - > [!IMPORTANT] - > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. - - Once Autopilot Reset is triggered, the reset process starts. - - After reset, the device: - - - Sets the region, language, and keyboard - - Connects to Wi-Fi - - If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device - - Is returned to a known good managed state, connected to Microsoft Entra ID and MDM. - -  - - Once provisioning is complete, the device is again ready for use. - -## Troubleshoot Autopilot Reset - -Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`. - -To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: - -```cmd -reagentc.exe /enable -``` - -If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md deleted file mode 100644 index 1453e64ad3..0000000000 --- a/education/windows/chromebook-migration-guide.md +++ /dev/null 
@@ -1,595 +0,0 @@
----
-title: Chromebook migration guide
-description: Learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
-ms.topic: how-to
-ms.date: 08/10/2022
-appliesto:
- - ✅ Windows 10
----
-
-# Chromebook migration guide
-
-In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools.
-
-## Plan Chromebook migration
-
-
-Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process.
-
-In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration.
-
-## Plan for app migration or replacement
-
-
-App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts.
- -**Identify the apps currently in use on Chromebook devices** - -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). - -> [!NOTE] -> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. - - - -You can divide the apps into the following categories: - -- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. - -- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). - -Record the following information about each app in your app portfolio: - -- App name - -- App type (such as offline app, online app, web app, and so on) - -- App publisher or developer - -- App version currently in use - -- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) - -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you'll do with the higher priority apps. - -### - -**Select Google Apps replacements** - -Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. 
If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. - -Table 1. Google App replacements - -| If you use this Google app on a Chromebook | Use this app on a Windows device | -|--------------------------------------------|--------------------------------------| -| Google Docs | Word 2016 or Word for the web | -| Google Sheets | Excel 2016 or Excel for the web | -| Google Slides | PowerPoint 2016 or PowerPoint for the web | -| Google Apps Gmail | Outlook 2016 or Outlook Web App | -| Google Hangouts | Microsoft Skype for Business | -| Chrome | Microsoft Edge | -| Google Drive | Microsoft OneDrive for Business | - - - -It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. - -**Find the same or similar apps in the Microsoft Store** - -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. - -In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. - -Record the Windows app that replaces the Chromebook app in your app portfolio. 
- -### - -**Perform app compatibility testing for web apps** - -Most of the Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have many web apps that will run on both platforms. - -Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. - -## Plan for migration of user and device settings - - -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. - -However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. - -In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. - -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, and a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If so, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. 
- -**Identify Google Admin Console settings to migrate** - -You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. - - - -Figure 1. Google Admin Console - -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. - -Table 2. Settings in the Device Management node in the Google Admin Console - -|Section |Settings | -|---------|---------| -|Network |
These settings configure the network connections for Chromebook devices and include the following settings categories:
Windows 8.1 deployment planning
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Windows 8.1 deployment to PCs
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
BYOD
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Virtual Desktop Infrastructure
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Microsoft Store apps
Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
Emergency: Request through help desk|Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required| -|Human Resources|Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR
30-day notice required| +| --- | --- | --- | --- | --- | +| Bank Tellers | Planned: Monthly through business office triage
Emergency: Request through help desk | Through business office triage
30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office
30-day notice required | +| Human Resources | Planned: Monthly through HR triage
Emergency: Request through help desk|Through HR triage
30-day notice required | General policy: Keep past versions for 60 months
List policies for each application | Coordinated through HR
30-day notice required |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index d4039c3443..4dcd7f89ab 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -1,53 +1,49 @@
 ---
 title: Refresh an AppLocker policy
-description: This topic for IT professionals describes the steps to force an update for an AppLocker policy.
+description: This article for IT professionals describes the steps to force an update for an AppLocker policy.
 ms.localizationpriority: medium
 ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
 ---
 # Refresh an AppLocker policy
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes the steps to force an update for an AppLocker policy.
-This topic for IT professionals describes the steps to force an update for an AppLocker policy.
+If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy takes effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers.
-If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers.
-
-To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first.
To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md)
-
-[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
+To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
 To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
-**To manually refresh the AppLocker policy by using Group Policy**
+## To manually refresh the AppLocker policy by using Group Policy
-1. From a command prompt, type **gpupdate /force**, and then press ENTER.
-2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied."
+1. From a command prompt, type **gpupdate /force**, and then press ENTER.
+2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied."
-To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md).
For information
-about creating a new rule for an existing policy, see:
-- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
-- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
-- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see:
+
+- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
 Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To refresh the AppLocker policy on the local computer**
+## To refresh the AppLocker policy on the local computer
-- Update the rule collection by using the Local Security Policy console with one of the following procedures:
+- Update the rule collection by using the Local Security Policy console with one of the following procedures:
- - [Edit AppLocker rules](edit-applocker-rules.md)
- - [Delete an AppLocker rule](delete-an-applocker-rule.md)
- - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+ - [Edit AppLocker rules](edit-applocker-rules.md)
+ - [Delete an AppLocker rule](delete-an-applocker-rule.md)
+ - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
 When finished, the policy is in effect.
 To make the same change on another device, you can use any of the following methods:
-- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device.
To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
+- From the device where you made the change, export the AppLocker policy and then import into onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer.
- >**Caution:** When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
-
-- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
+> [!WARNING]
+> When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.
+
+- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 70a6f0b415..eb55e89166 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md 
@@ -1,65 +1,64 @@
 ---
 title: Requirements for deploying AppLocker policies
-description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
 ms.localizationpriority: medium
 ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
 ---
 # Requirements for deploying AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
 The following requirements must be met or addressed before you deploy your AppLocker policies:
-- [Deployment plan](#bkmk-reqdepplan)
-- [Supported operating systems](#bkmk-reqsupportedos)
-- [Policy distribution mechanism](#bkmk-reqpolicydistmech)
-- [Event collection and analysis system](#bkmk-reqeventcollectionsystem)
-### Deployment plan
+- [Deployment plan](#deployment-plan)
+- [Supported operating systems](#supported-operating-systems)
+- [Policy distribution mechanism](#policy-distribution-mechanism)
+- [Event collection and analysis system](#event-collection-and-analysis-system)
-An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md).
The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
+## Deployment plan
+
+A successful AppLocker policy deployment begins with a policy design that allows the applications needed by your organization and prevents unauthorized apps, including malware, from running. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies.
 |Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
-|--- |--- |--- |--- |--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- |
 |Bank Tellers|Teller-East and Teller-West|Yes|Teller software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers|Web help|
 ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help Desk|
-||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help|
 |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR|Web help|
 ||||Internet Explorer 7|C:\Program Files\Internet Explorer
|File is signed; create a publisher condition|Deny||Help Desk|
 ||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help Desk|
-
-Event processing policy
+
+### Event processing policy
 |Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
-|--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- |
 |Bank Tellers|Forwarded to: srvBT093|Standard|None|Standard|
 |Human Resources|Do not forward|60 months|Yes; summary reports monthly to managers|Standard|
-
-Policy maintenance policy
+
+### Policy maintenance policy
 |Business group|Rule update policy|App decommission policy|App version policy|App deployment policy|
-|--- |--- |--- |--- |--- |
-|Bank Tellers|Planned: Monthly through business office triageEmergency: Request through Help Desk|Through business office triage; 30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office; 30-day notice required|
-|Human Resources|Planned: Through HR triage
Emergency: Request through Help Desk|Through HR triage; 30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR; 30-day notice required|
-
-### Supported operating systems
+| --- | --- | --- | --- | --- |
+| Bank Tellers | Planned: Monthly through business office triage
Emergency: Request through Help Desk | Through business office triage; 30-day notice required | General policy: Keep past versions for 12 months
List policies for each application | Coordinated through business office; 30-day notice required |
+| Human Resources | Planned: Through HR triage
Emergency: Request through Help Desk | Through HR triage; 30-day notice required |General policy: Keep past versions for 60 months
List policies for each application | Coordinated through HR; 30-day notice required |
-AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+## Supported operating systems
-### Policy distribution mechanism
+AppLocker is supported only on certain operating systems. Some features aren't available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in.
+## Policy distribution mechanism
-### Event collection and analysis system
+You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. AppLocker rules can also be distributed through a mobile device management solution, like Microsoft Intune.
+
+## Event collection and analysis system
Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
-- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
-- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
-- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+
+- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
## See also
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 5d2b189772..3d5dcd1008 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,61 +1,43 @@
---
title: Requirements to use AppLocker
-description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Requirements to use AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
## General requirements
To use AppLocker, you need:
-- A device running a supported operating system to create the rules. The computer can be a domain controller.
-- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
-- Devices running a supported operating system to enforce the AppLocker rules that you create.
+- A device running a supported operating system to create the rules. The computer can be a domain controller.
+- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
+- Devices running a supported operating system to enforce the AppLocker rules that you create.
>[!NOTE]
->As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies
-
+>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies.
+
## Operating system requirements
The following table shows the Windows versions on which AppLocker features are supported.
| Version | Can be configured | Can be enforced | Available rules | Notes |
-| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
AppLocker permits customization of error messages to direct users to a Web page for help.|
-|Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.
AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.|
-|Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|
-|Block malicious scripts|Rules for blocking malicious scripts prevent all scripts associated with the Windows Script Host from running, except those scripts that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.|
-|Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.|
-|Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.|
-|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. An administrator uses AppLocker to specify the user to whom a specific rule should apply.|
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 9f51d9f474..e64e6e97ff 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -1,32 +1,29 @@
---
title: Windows Installer rules in AppLocker
-description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
+description: This article describes the file formats and available default rules for the Windows Installer rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/24/2023
---
# Windows Installer rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the file formats and available default rules for the Windows Installer rule collection.
+This article describes the file formats and available default rules for the Windows Installer rule collection.
AppLocker defines Windows Installer rules to include only the following file formats:
-- .msi
-- .msp
-- .mst
+- .msi
+- .msp
+- .mst
The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
-| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
-| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
-
-## Related topics
+| --- | --- | --- | --- |
+| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
+| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
+| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 0f287537b8..189d8f1654 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -1,32 +1,29 @@
---
title: Working with AppLocker policies
-description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+description: This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/21/2023
---
# Working with AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.
+This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.|
-| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.|
-| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.|
-| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.|
-| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.|
-| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.|
-| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This topic for IT professionals describes how to import an AppLocker policy.|
-| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).|
-| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).|
-| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.|
-| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).|
-| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This topic for IT professionals describes the steps to force an update for an AppLocker policy.|
-| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
+| [Configure the Application Identity service](configure-the-application-identity-service.md) | This article for IT professionals shows how to configure the Application Identity service to start automatically or manually. |
+| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This article for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. |
+| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting. |
+| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. |
+| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. |
+| [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) | This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. |
+| [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) | This article for IT professionals describes how to import an AppLocker policy. |
+| [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) | This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). |
+| [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) | This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). |
+| [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) | This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. |
+| [Merge AppLocker policies manually](merge-applocker-policies-manually.md) | This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). |
+| [Refresh an AppLocker policy](refresh-an-applocker-policy.md) | This article for IT professionals describes the steps to force an update for an AppLocker policy. |
+| [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) | This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.|
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 57c5eaa7cd..e06ef57ede 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -1,104 +1,92 @@
---
title: Working with AppLocker rules
-description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
+description: This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
ms.localizationpriority: medium
-msauthor: v-anbic
-ms.date: 08/27/2018
+msauthor: jsuther
+ms.date: 12/21/2023
ms.topic: conceptual
---
# Working with AppLocker rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
-
-## In this section
-
-| Topic | Description |
-| - | - |
-| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.|
-| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.|
-| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.|
-| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.|
-| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
-| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
-| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.|
-| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
-| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
-| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.|
-| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
-
-The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.
-
-| Enforcement mode | Description |
-| - | - |
-| **Not configured** | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.|
-| **Enforce rules** | Rules are enforced.|
-| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection aren't enforced|
-
-When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged, and the enforcement mode setting of the winning GPO is applied.
## Rule collections
-The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
+AppLocker policies are organized into rule collections, including executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
| Rule collection | Associated file formats |
| - | - |
-| Executable files | .exe
.com|
-| Scripts| .ps1
.bat
.cmd
.vbs
.js|
-| Windows Installer files | .msi
.msp
.mst|
-| Packaged apps and packaged app installers | .appx|
-| DLL files | .dll
.ocx|
-
->**Important:** If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.
+| Executable files | .exe
.com |
+| Scripts| .ps1
.bat
.cmd
.vbs
.js |
+| Windows Installer files | .msi
.msp
.mst |
+| Packaged apps and packaged app installers | .appx |
+| DLL files | .dll
.ocx |
-When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.
+> [!NOTE]
+> AppLocker rules for executable files actually apply to all portable executable (PE) files, regardless of the file's extension which attackers can easily change. The file extension information listed in the preceding table for executable files is illustrative only.
-The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).
+The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#dll-rule-collection).
+
+> [!Important]
+> If you use DLL rules, you need to create an allow rule that covers every DLL used by all allowed apps.
+>
+> When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. However, this performance impact is usually imperceptible unless a device is already resource constrained.
+
+## Enforcement modes
+
+AppLocker policies set an **enforcement mode** for each rule collection included in the policy. These enforcement modes are described in the following table.
+
+| Enforcement mode | Description |
+| --- | --- |
+| **Not configured** | Despite the name, this enforcement mode **doesn't** mean the rules are ignored. On the contrary, if any rules exist in a rule collection that is "not configured", the rules **will be enforced** unless a policy with a higher precedence changes the enforcement mode to Audit only. Since this enforcement mode can be confusing for policy authors, you should avoid using this value in your AppLocker policies. Instead, you should choose explicitly between the remaining two options. |
+| **Enforce rules** | Rules are enforced. When a user runs an app affected by an AppLocker rule, the app binary is blocked. Info about the binary is added to the AppLocker event log. |
+| **Audit only** | Rules are audited but not enforced. When a user runs an app affected by an AppLocker rule, the app binary is allowed to run. However, the info about the binary is added to the AppLocker event log. The Audit-only enforcement mode helps you identify the apps affected by the policy before the policy is enforced. |
+
+When AppLocker policies are merged, the rules from all the policies are added to the effective policy and a single enforcement mode is selected for each rule collection. If multiple AppLocker policies are applied to a device through Group Policy, the enforcement mode setting applied is selected based on Group Policy precedence. If you apply an AppLocker policy locally using the Set-AppLockerPolicy PowerShell cmdlet with the *-merge* option, the more restrictive enforcement mode is chosen between the existing local policy and the policy being merged.
-EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it's a valid PE file.
-
## Rule conditions
Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.
-- [Publisher](#bkmk-publisher): Identifies an app based on its digital signature
-- [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network
-- [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file
+- [Publisher](#publisher): Identifies an app based on its digital signature
+- [Path](#path): Identifies an app by its location in the file system of the computer or on the network
+- [File hash](#file-hash): Represents the system computed cryptographic Authenticode hash of the identified file
-### Publisher
+### Publisher
-This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. If there's executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
+This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also include extended attributes, which are obtained from the binary resource. These attributes often include the name of the product, the original file name, and the version number of the file as defined by the publisher. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
+
+> [!NOTE]
+> Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
+>
+> Use a publisher rule condition when possible because they are more resilient to app updates as well as a change in the location of files.
-> **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
->
-> **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.
-
When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields.
->**Note:** To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
-
+> [!NOTE]
+> To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
+
The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:
-- **Exactly.** The rule applies only to this version of the app
-- **And above.** The rule applies to this version and all later versions.
-- **And below.** The rule applies to this version and all earlier versions.
+- **Exactly.** The rule applies only to this version of the app
+- **And above.** The rule applies to this version and all later versions.
+- **And below.** The rule applies to this version and all earlier versions.
The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies... |
-|---|---|
-| **All signed files** | All files that are signed by any publisher.|
-| **Publisher only**| All files that are signed by the named publisher.|
-| **Publisher and product name**| All files for the specified product that are signed by the named publisher.|
-| **Publisher and product name, and file name**| Any version of the named file or package for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **Exactly**
The specified version of the named file or package for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **And above**
The specified version of the named file or package and any new releases for the product that are signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.|
-| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.|
+| --- | --- |
+| **All signed files** | All files signed by any publisher. |
+| **Publisher only** | All files signed by the named publisher. |
+| **Publisher and product name** | All files for the specified product signed by the named publisher. |
+| **Publisher and product name, and file name** | Any version of the named file or package for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file or package for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file or package and any new releases for the product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **And below**
The specified version of the named file or package and any earlier versions for the product signed by the publisher. |
+| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule. |
-### Path
+### Path
This rule condition identifies an application by its location in the file system of the computer or on the network.
@@ -107,106 +95,116 @@ AppLocker uses custom path variables for well-known paths, such as Program Files
The following table details these path variables.
| Windows directory or disk | AppLocker path variable | Windows environment variable |
-| - | - | - |
-| Windows| %WINDIR%| %SystemRoot%|
-| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%|
-| Windows installation directory| %OSDRIVE%| %SystemDrive%|
-| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% |
-| Removable media (for example, a CD or DVD)| %REMOVABLE%| |
-| Removable storage device (for example, a USB flash drive)| %HOT% | |
-
->**Important:** Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.
-
-### File hash
+| --- | --- | --- |
+| Windows | %WINDIR%| %SystemRoot%|
+| System32 and SysWOW64 | %SYSTEM32%| %SystemDirectory%|
+| Windows installation directory | %OSDRIVE%| %SystemDrive%|
+| Program Files | %PROGRAMFILES% | %ProgramFiles% and %ProgramFiles(x86)% |
+| Removable media (for example, a CD or DVD) | %REMOVABLE% | |
+| Removable storage device (for example, a USB flash drive) | %HOT% | |
-When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules.
+> [!IMPORTANT]
+> Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if a path rule includes a folder location that lets non-administrators write data, a user (or malware running as a standard user) can copy unapproved files into that location and run the files. For this reason, you should avoid creating path conditions for standard user writable locations, such as a user profile.
+
+### File hash
+
+When you choose the file hash rule condition, the system computes the Authenticode cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash changes. As a result, you must manually update file hash rules.
## AppLocker default rules
-AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
+AppLocker policies created using the AppLocker Group Policy editor can include default rules. Default rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
Executable default rule types include:
-- Allow members of the local **Administrators** group to run all apps.
-- Allow members of the **Everyone** group to run apps that are located in the Windows folder.
-- Allow members of the **Everyone** group to run apps that are located in the Program Files folder.
+- Allow members of the local **Administrators** group to run all apps.
+- Allow members of the **Everyone** group to run apps that are located in the Windows folder.
+- Allow members of the **Everyone** group to run apps that are located in the Program Files folder.
Script default rule types include:
-- Allow members of the local **Administrators** group to run all scripts.
-- Allow members of the **Everyone** group to run scripts that are located in the Program Files folder.
-- Allow members of the **Everyone** group to run scripts that are located in the Windows folder.
+- Allow members of the local **Administrators** group to run all scripts.
+- Allow members of the **Everyone** group to run scripts that are located in the Program Files folder.
+- Allow members of the **Everyone** group to run scripts that are located in the Windows folder.
Windows Installer default rule types include:
-- Allow members of the local **Administrators** group to run all Windows Installer files.
-- Allow members of the **Everyone** group to run all digitally signed Windows Installer files.
-- Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder.
+- Allow members of the local **Administrators** group to run all Windows Installer files.
+- Allow members of the **Everyone** group to run all digitally signed Windows Installer files.
+- Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder.
DLL default rule types:
-- Allow members of the local **Administrators** group to run all DLLs.
-- Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder.
-- Allow members of the **Everyone** group to run DLLs that are located in the Windows folder.
+- Allow members of the local **Administrators** group to run all DLLs.
+- Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder.
+- Allow members of the **Everyone** group to run DLLs that are located in the Windows folder.
Packaged apps default rule types:
-- Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers.
+- Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers.
## AppLocker rule behavior
-If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
+If no AppLocker rules are defined for a specific rule collection, all files covered by that rule collection are allowed to run. However, if any rule exists for a specific rule collection, then *only* those files matching at least one allow rule and not matching any deny rules run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
A rule can be configured to use allow or deny actions:
-- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
-- **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Deny.** You can specify which files *aren't* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+
+For a best practice, use allow actions with exceptions. Although you can use a combination of allow and deny actions, deny actions always win. You can't use any other rule to allow a file that matches a deny rule.
-> **Important:** For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.
->
-> **Important:** If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.
-
## Rule exceptions
-You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor.
+You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor.
-The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor.
+The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you instead used a deny rule that blocks all users from running Registry Editor, the second rule wouldn't actually let the help desk users run Registry Editor.
-## DLL rule collection
+## DLL rule collection
Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To enable the DLL rule collection**
+### To enable the DLL rule collection
-1. Click **Start**, type **secpol.msc**, and then press ENTER.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**.
-4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
+1. Select **Start**, type **secpol.msc**, and then select ENTER.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then select **Properties**.
+4. Select the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then select **OK**.
+
+ > [!IMPORTANT]
+ > Before you enforce DLL rules, make sure that there are allow rules for every DLL that is needed by all allowed apps.
- >**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
-
## AppLocker wizards
You can create rules by using two AppLocker wizards:
-1. The Create Rules Wizard enables you to create one rule at a time.
-2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or if there are packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
+1. The Create Rules Wizard enables you to create one rule at a time.
+2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can select a folder and let the wizard create rules for any relevant files found. Or, for packaged apps, let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
## Other considerations
-- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications.
-- There are two types of AppLocker conditions that don't persist following an update of an app:
+- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications.
+- There are two types of AppLocker conditions that don't persist following an update of an app:
+ - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app file is generated at the time the rule is created. However, the hash value is specific to that exact version of the file. If you need to allow multiple versions of the file, you need individual file hash conditions for each version of the file.
+ - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
+- If an app isn't digitally signed, you can't use a publisher rule condition for that app.
+- If any rules are enforced for the EXE rule collection, you must create rules in the packaged apps and packaged app installers rule collection. Otherwise, all packaged apps and packaged app installers are blocked.
+- A custom configured URL can be included in the message that is displayed when an app is blocked.
+- Expect an increase in the number of Help Desk calls when users encounter apps that aren't allowed.
- - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.
+## In this section
- - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
-
-- If an app isn't digitally signed, you can't use a publisher rule condition for that app.
-- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
-- The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.
-- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.
-- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.
-- A custom configured URL can be included in the message that is displayed when an app is blocked.
-- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they can't run apps that aren't allowed.
+| Article | Description |
+| - | - |
+| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a file hash condition.|
+| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a path condition.|
+| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a publisher condition.|
+| [Create AppLocker default rules](create-applocker-default-rules.md) | This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.|
+| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
+| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
+| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This article for IT professionals describes the steps to delete an AppLocker rule.|
+| [Edit AppLocker rules](edit-applocker-rules.md) | This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
+| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
+| [Enforce AppLocker rules](enforce-applocker-rules.md) | This article for IT professionals describes how to enforce application control rules by using AppLocker.|
+| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md b/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
index 4797a379d3..c029680d19 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/feature-availability.md
@@ -2,29 +2,29 @@
title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
ms.localizationpriority: medium
-ms.date: 05/26/2023
+ms.date: 12/21/2023
ms.topic: overview
---
# Windows Defender Application Control and AppLocker feature availability
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Review the following table to learn more.
| Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
-| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later.
WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
The font should automatically install into your `%windir%/Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
+On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
-1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
For example, if you want to exclude Microsoft Word processes, you'd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
-
+1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
If the domain controllers require smart card EKU either:
Otherwise:
|
@@ -86,9 +86,6 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i
You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
-Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC's certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
+Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones aren't domain-joined, the root CA of the KDC's certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
-Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
-
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
+Domain controllers must be using certificates based on the updated *KDC certificate template* Kerberos Authentication.
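Review bot: The new side keeps the KDC certificate template requirement but drops, without replacement, the sentences explaining which domain controllers satisfy it and the strict KDC validation alternative, together with the only link that told the reader how to enable it. If that constraint still holds, a reader of the new text has no way to learn that a domain controller on an older template or without strict KDC validation is the case the removed guidance existed to prevent, and the removed download link may simply be stale rather than the requirement obsolete. Consider keeping one sentence after the template line, such as `If some domain controllers can't use the Kerberos Authentication template, enable strict KDC validation on them; see <CURRENT_REFERENCE> for details.`, with the placeholder replaced by a live reference. The surrounding section of the file starts and ends outside this hunk.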
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index b79e1c9335..60dd8c3517 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -2,7 +2,7 @@
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN authentication options
@@ -74,7 +74,7 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
->To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/index.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index eb532bf8d6..5e6ac3a460 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -2,7 +2,7 @@
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN auto-triggered profile options
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 2606196671..20c906ac63 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -2,7 +2,7 @@
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN and conditional access
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index 3f71587ce8..d9b3f06811 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -2,7 +2,7 @@
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN connection types
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index f4b96d4267..8243496ddd 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -2,7 +2,7 @@
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: overview
---
# Windows VPN technical guide
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index e727022c01..82260ba0a4 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -2,7 +2,7 @@
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN name resolution
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index f7974cce7c..1975863b9a 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -2,7 +2,7 @@
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: how-to
---
# VPN profile options
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index 85d884162a..1f3e5a3784 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -2,8 +2,9 @@
ms.date: 08/03/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
-ms.topic: conceptual
+ms.topic: concept-article
---
+
# VPN routing decisions
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). The decision impacts the configuration, capacity planning, and security expectations from the connection.
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index c07cabae8d..f6f19b8f96 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -2,7 +2,7 @@
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 08/03/2023
-ms.topic: conceptual
+ms.topic: concept-article
---
# VPN security features
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index 36140db191..bd157d28de 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -1,7 +1,7 @@
---
title: Manage Windows Firewall with the command line
description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 11/21/2023
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md
index f1d2d5e956..856de36d53 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/index.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md
@@ -1,7 +1,7 @@
---
title: Windows Firewall overview
description: Learn overview information about the Windows Firewall security feature.
-ms.topic: conceptual
+ms.topic: overview
ms.date: 11/21/2023
---
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
index 0282a7bcb2..6f077f8f37 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -11,7 +11,7 @@ ms.topic: article
The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](../../../identity-protection/hello-for-business/hello-identity-verification.md)
+- [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
You can also choose to hide the section from users of the device, if you don't want your employees to access or view user-configured options for these features.
diff --git a/windows/security/security-foundations/msft-security-dev-lifecycle.md b/windows/security/security-foundations/msft-security-dev-lifecycle.md
deleted file mode 100644
index 99fc260eb9..0000000000
--- a/windows/security/security-foundations/msft-security-dev-lifecycle.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: Microsoft Security Development Lifecycle
-description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 07/31/2023
----
-
-# Microsoft Security Development Lifecycle
-
-The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
-
-[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl)
-
-With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.
-
-The Microsoft SDL is based on three core concepts:
-
-- Education
-- Continuous process improvement
-- Accountability
-
-To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
-
-And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://www.microsoft.com/download/details.aspx?id=12379).
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 0741c7a555..7fc4c3adff 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -5,11 +5,11 @@ items:
href: zero-trust-windows-device-health.md
- name: Offensive research
items:
- - name: Microsoft Security Development Lifecycle
- href: msft-security-dev-lifecycle.md
+ - name: Microsoft Security Development Lifecycle 🔗
+ href: /compliance/assurance/assurance-microsoft-security-development-lifecycle
- name: OneFuzz service
href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- - name: Microsoft Windows Insider Preview bounty program 🔗
+ - name: Microsoft Windows Insider Preview bounty program
href: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- name: Certification
href: certification/toc.yml
\ No newline at end of file
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index f80e2bf591..2f5a418bc1 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -1,7 +1,7 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.topic: conceptual
+ms.topic: concept-article
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
deleted file mode 100644
index 682b246cfa..0000000000
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Override Process Mitigation Options
-description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
-ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.localizationpriority: medium
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
-
-
-# Override Process Mitigation Options to help enforce app-related security policies
-
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows Server 2016
-
-Windows 10 includes Group Policy-configurable "Process Mitigation Options" that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
-
-> [!IMPORTANT]
-> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
-
-The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
-
-- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
-
-- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
-
-- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
- To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
-
-The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
-
-**To modify Process Mitigation Options**
-
-1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
-
- 
-
-2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
-
- **Important**
For each app you want to include, you must include:
-
- - **Value name.** The app file name, including the extension. For example, iexplore.exe.
- - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
-
- **Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
-
- 
-
-## Setting the bit field
-Here's a visual representation of the bit flag locations for the various Process Mitigation Options settings:
-
-
-
-Where the bit flags are read from right to left and are defined as:
-
-|Flag |Bit location |Setting |Details |
-|-----|--------------|--------|--------|
-|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. |
-|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
-|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
-|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
-|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
-|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
-
-## Example
-If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you'd want to type a value of `???????????????0???????1???????1`.
-
-
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index f24e8b23a2..a612bfb38e 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 12/07/2023
+ms.date: 12/20/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -19,7 +19,7 @@ appliesto:
# Deprecated features for Windows client
-Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
+Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
@@ -27,6 +27,17 @@ To understand the distinction between *deprecation* and *removal*, see [Windows
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
+> [!TIP]
+> You can use RSS to be notified when this page is updated. For example, the following RSS link includes this article:
+>
+> ``` url
+> https://learn.microsoft.com/api/search/rss?search=%22details+about+the+features+and+functionalities+that+are+no+longer+being+developed+in+Windows%22&locale=en-us&%24filter=%28category+eq+%27Documentation%27%29
+> ```
+>
+> This example includes the `&locale=en-us` variable. The `locale` variable is required, but you can change it to another supported locale. For example, `&locale=ja-jp`.
+>
+> For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
+
## Deprecated features
**The following list is subject to change and might not include every affected feature or functionality.**
@@ -34,21 +45,24 @@ The features in this article are no longer being actively developed, and might b
> [!NOTE]
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
-|Feature | Details and mitigation | Deprecation announced |
+| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
-| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is being deprecated and will no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/en-us/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/en-us/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
-| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install) is being deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
+| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in a future release of Windows. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, and [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality) and Steam VR Beta. | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 |
+| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
+| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
| Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
-| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
+| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
| Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 |
-| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
+| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
| Timeline for Microsoft Entra accounts | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
| VBScript | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
-| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
-| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
+| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
+| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
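Review bot: The new Microsoft Defender Application Guard for Edge row points readers only to a PDF whitepaper, whereas the neighbouring Application Guard for Office row in the same table names concrete replacement controls (attack surface reduction rules, Protected View, Windows Defender Application Control). Application Guard is an isolation control that administrators may have deployed as a compensating measure, so the row should say which control, if any, takes its place for Microsoft Edge for Business, or state plainly that no equivalent is offered, so the deprecation can be assessed for risk rather than just noted. The `Please download the ...` wording also differs in register from the rest of the table, which uses "For more information, see ..." throughout. The Office row additionally swaps its earlier reference to the Windows.Security.Isolation APIs for the Windows Isolated App Launcher APIs; if that is a correction rather than a change in scope, a short note in the PR description would help readers who tracked the previous wording.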
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index dd03e924a0..0c963dd3b4 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.author: mstewart
ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 12/05/2023
+ms.date: 12/15/2023
ms.collection:
- highpri
- tier2
@@ -38,12 +38,12 @@ The following article has details about features that have been removed from Win
## Terminology
-The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
+The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
- **Retirement**: The stage of the product lifecycle when a service is shut down so that it's no longer available for use.
-- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is removed from a service after it has been deprecated.
+- **Remove or retire a feature**: The stage of the product lifecycle when a feature or functionality is taken out of a service after it has been marked as deprecated. The feature is removed from newer versions of Windows, but still exists in older versions and is supported until those versions reach **end of support** stage.
- **Replace a feature**: The stage of the product lifecycle when a feature or functionality in a service is replaced with a different feature or functionality.
## Also see
diff --git a/windows/whats-new/ltsc/index.yml b/windows/whats-new/ltsc/index.yml
index 4744f04260..aecd90e01a 100644
--- a/windows/whats-new/ltsc/index.yml
+++ b/windows/whats-new/ltsc/index.yml
@@ -15,7 +15,7 @@ metadata:
author: mestew
ms.author: mstewart
manager: aaroncz
- ms.date: 05/22/2023
+ ms.date: 12/18/2023
localization_priority: medium
landingContent:
diff --git a/windows/whats-new/ltsc/overview.md b/windows/whats-new/ltsc/overview.md
index 2faae9d8de..77fdc1e229 100644
--- a/windows/whats-new/ltsc/overview.md
+++ b/windows/whats-new/ltsc/overview.md
@@ -1,6 +1,6 @@
---
title: Windows 10 Enterprise LTSC overview
-description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
+description: An overview of the Windows 10 long-term servicing channel (LTSC).
ms.prod: windows-client
author: mestew
ms.author: mstewart
@@ -8,42 +8,43 @@ manager: aaroncz
ms.localizationpriority: low
ms.topic: overview
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC
---
# Windows 10 Enterprise LTSC
-This article provides links to information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
+This article provides general information about the Windows 10 Enterprise long-term servicing channel (LTSC). For more information about the features in each available version of the Windows 10 LTSC, see the following articles:
-[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
-[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
-[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
-[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
+- [What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
+- [What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
+- [What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
+- [What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
-## The Long-Term Servicing Channel (LTSC)
+## The long-term servicing channel (LTSC)
-The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases.
+The following table summarizes equivalent feature update versions of Windows 10 LTSC and general availability channel (GA channel) releases:
-| LTSC release | Equivalent GA Channel release | Availability date |
+| LTSC release | Equivalent GA channel release | Availability date |
| --- | --- | --- |
-| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
-| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
-| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 |
| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 |
+| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 |
+| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
+| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
> [!NOTE]
-> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
+> The long-term servicing channel was previously called the long-term servicing branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
-With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades, or even skip releases. Microsoft is committed to providing bug fixes and security patches for each LTSC release during the extended LTSC servicing lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or perform a search on the [product lifecycle information](/lifecycle/products/) page.
+With the LTSC servicing model, you can delay receiving *feature* updates and instead only receive monthly *quality* updates on devices. Features from Windows 10 that could be updated with new functionality, including Microsoft Edge and in-box Windows apps, are also not included. Feature updates are offered in new LTSC releases every several years instead of every few months. You can choose to install them as in-place upgrades, or even skip releases, what's best for your business requirements. Microsoft is committed to providing bug fixes and security patches for each LTSC release during the extended LTSC servicing lifecycle. Always check your individual LTSC release to verify its servicing lifecycle. For more information, see [release information](/windows/release-health/release-information), or search the [product lifecycle information](/lifecycle/products/) page.
> [!IMPORTANT]
-> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-
-For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
+> The long-term servicing channel isn't intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides a deployment option for special-purpose devices and environments. These devices typically do a single important task and don't need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC doesn't change for the lifetime of the release, over time there might be some external tools that don't continue to provide legacy support. For more information, see [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
-## See Also
+For more information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
-[What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
+## See also
+
+- [What's new in Windows](../index.yml): See what's new in other versions of Windows.
+
+- [Windows 10 release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
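Review bot: The rewritten LTSC paragraph ends one sentence with a dangling clause: `or even skip releases, what's best for your business requirements` reads as a fragment; `or even skip releases, whichever is best for your business requirements` keeps the intended meaning. In the same sentence `every several years` is awkward where the old text gave a concrete cadence (`every 2–3 years`); if the cadence was dropped because it is no longer guaranteed, `every few years` reads more naturally while still avoiding a commitment.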
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index da9e6df080..66b1088247 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -2,20 +2,23 @@
title: What's new in Windows 10 Enterprise LTSC 2015
manager: aaroncz
ms.author: mstewart
-description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
+description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
ms.prod: windows-client
author: mestew
ms.localizationpriority: low
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 02/26/2023
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2015
---
# What's new in Windows 10 Enterprise LTSC 2015
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+This article lists new and updated features and content that are of interest to IT pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2015 was first available on July 29, 2015. Features in Windows 10 Enterprise LTSC 2015 are equivalent to Windows 10, version 1507.
## Deployment
@@ -29,24 +32,24 @@ With Windows 10, you can create provisioning packages that let you quickly and e
### AppLocker
-AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker) for a list of operating system requirements.
+AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker) for a list of operating system requirements.
Enhancements to AppLocker in Windows 10 include:
- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
-[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
+[Learn how to manage AppLocker within your organization](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview).
### BitLocker
Enhancements to AppLocker in Windows 10 include:
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
-- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
-- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
+- **Encrypt and recover your device with Microsoft Entra**. In addition to using a Microsoft Account, automatic device encryption can now encrypt your devices that are joined to a Microsoft Entra domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Microsoft Entra. This escrow will make it easier to recover your BitLocker key online.
+- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
+- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more information, see [BitLocker preboot recovery screen](/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen).
-[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
+[Learn how to deploy and manage BitLocker within your organization](/windows/security/operating-system-security/data-protection/bitlocker/).
### Certificate management
@@ -54,20 +57,22 @@ For Windows 10-based devices, you can use your MDM server to directly deploy cli
### Microsoft Passport
-In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
+In Windows 10, [Microsoft Passport](/windows/security/identity-protection/hello-for-business/deploy/requirements) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
-Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
+Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Entra ID account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
### Security auditing
In Windows 10, security auditing has added some improvements:
+
- [New audit subcategories](#bkmk-auditsubcat)
- [More info added to existing audit events](#bkmk-moreinfo)
#### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+
+- [Audit Group Membership](/windows/security/threat-protection/auditing/audit-handle-manipulation) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
@@ -76,6 +81,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Poli
#### More info added to existing audit events
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
+
- [Changed the kernel default audit policy](#bkmk-kdal)
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
- [Added new fields in the logon event](#bkmk-logon)
@@ -96,6 +102,7 @@ This process-when enabled-can help identify attacks that steal credentials from
#### New fields in the sign-in event
The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+
1. **MachineLogon** String: yes or no
If the account that signed in to the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
@@ -109,7 +116,6 @@ The sign-in event ID 4624 has been updated to include more verbose information t
A list of all of the groups in the user's token.
6. **RestrictedAdminMode** String: yes or no
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
- For more info on restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2).
#### New fields in the process creation event
@@ -156,24 +162,25 @@ Event ID 4826 has been added to track the following changes to the Boot Configur
#### New PNP events
-Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
-
-[Learn how to manage your security audit policies within your organization](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319078(v=ws.11))
+Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn't expect this type of action, such as a domain controller.
### Trusted Platform Module
#### New TPM features in Windows 10
The following sections describe the new and changed functionality in the TPM for Windows 10:
+
- [Device health attestation](#bkmk-dha)
-- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
-- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
+- [Microsoft Passport](/windows/security/identity-protection/hello-for-business/deploy/requirements) support
+- [Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) support
+- [Credential Guard](/windows/security/identity-protection/credential-guard/) support
### Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+
Some things that you can check on the device are:
+
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
@@ -181,7 +188,7 @@ Some things that you can check on the device are:
> [!NOTE]
> The device must be running Windows 10 and it must support at least TPM 2.0.
-[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview).
+[Learn how to deploy and manage TPM within your organization](/windows/security/hardware-security/tpm/trusted-platform-module-overview).
### User Account Control
@@ -189,13 +196,13 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You shouldn't turn off UAC because such a setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
-For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
+For more info about how to manage UAC, see [UAC group policy settings and registry key settings](/windows/security/application-security/application-control/user-account-control/settings-and-configuration).
In Windows 10, User Account Control has added some improvements:
- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
-[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
+[Learn how to manage User Account Control within your organization](/windows/security/application-security/application-control/user-account-control/).
### VPN profile options
@@ -207,7 +214,7 @@ Windows 10 provides a set of VPN features that both increase enterprise security
- Lock down VPN
- Integration with Microsoft Passport for Work
-[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options)
+[Learn more about the VPN options in Windows 10.](/windows/security/operating-system-security/network-security/vpn/vpn-profile-options)
## Management
@@ -216,11 +223,11 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops
### MDM support
-MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
+MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Entra ID accounts, full control over the Microsoft Store, VPN configuration, and more.
-MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
+MDM support in Windows 10 is based on Open Mobile Alliance (OMA) Device Management (DM) protocol 1.2.1 specification.
-Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
+Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for mobile device management for Windows 10](/windows/client-management/mdm/)
### Unenrollment
@@ -265,17 +272,17 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
## Updates
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
+Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft's Windows Update service.
-By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+By using group policy objects, Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
-- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
+- **Use with existing tools** such as Microsoft Intune and Configuration Manager.
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as Windows Server Update Services (WSUS) and [Microsoft Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index ba451305fd..9a932a1ef1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -2,29 +2,29 @@
title: What's new in Windows 10 Enterprise LTSC 2016
manager: aaroncz
ms.author: mstewart
-description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
+description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
ms.prod: windows-client
author: mestew
ms.localizationpriority: low
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2016
---
# What's new in Windows 10 Enterprise LTSC 2016
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
+This article lists new and updated features and content that are of interest to IT pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](overview.md).
->[!NOTE]
->Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2016 was first available on August 2, 2016. Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
## Deployment
### Windows Imaging and Configuration Designer (ICD)
-In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK](/windows-hardware/get-started/adk-install).
Windows ICD now includes simplified workflows for creating provisioning packages:
@@ -39,7 +39,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages
>[!IMPORTANT]
>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release.
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10.
With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
@@ -69,11 +69,11 @@ When Windows 10 was first shipped, it included Microsoft Passport and Windows He
Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
-- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
+- Personal (Microsoft account) and corporate (Active Directory or Entra ID) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
-[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification)
+[Learn more about Windows Hello for Business.](/windows/security/identity-protection/hello-for-business/deploy/requirements)
### BitLocker
@@ -101,7 +101,7 @@ Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP)
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
@@ -125,20 +125,20 @@ Several new features and management options have been added to Windows Defender
With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+[Learn more about Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
### VPN security
-- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
+- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Microsoft Entra ID, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
-- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
+- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
## Management
-### Use Remote Desktop Connection for PCs joined to Azure Active Directory
+### Use Remote Desktop Connection for PCs joined to Microsoft Entra ID
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in this version of Windows 10, you can also connect to a remote PC that is joined to Microsoft Entra ID. [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc)
### Taskbar configuration
@@ -146,7 +146,7 @@ Enterprise administrators can add and remove pinned apps from the taskbar. Users
### Mobile device management and configuration service providers (CSPs)
-Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607).
+Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
### Shared PC mode
@@ -154,9 +154,9 @@ This version of Windows 10, introduces shared PC mode, which optimizes Windows 1
### Application Virtualization (App-V) for Windows 10
-Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
+Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service - in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
+With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you'll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
@@ -166,13 +166,13 @@ Many users customize their settings for Windows and for specific applications. C
With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
-With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you'll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
## Microsoft Edge
-The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
+The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately. For more information, see [Download and configure Microsoft Edge for Business](https://www.microsoft.com/edge/business/download).
## See Also
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 99cf0f87aa..2221b4ab44 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -8,7 +8,7 @@ author: mestew
ms.localizationpriority: medium
ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 04/05/2023
+ms.date: 12/18/2023
appliesto:
- ✅ Windows 10 Enterprise LTSC 2019
---
@@ -17,8 +17,8 @@ appliesto:
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](overview.md).
->[!NOTE]
->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
+> [!NOTE]
+> Windows 10 Enterprise LTSC 2019 was first available on November 13, 2018. Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
@@ -30,11 +30,12 @@ Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding pr
The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
>[!IMPORTANT]
->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited.
+>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the general availability channel release of Windows 10 might be limited.
## Microsoft Intune
Microsoft Intune supports Windows 10 Enterprise LTSC 2019 with the following exception:
+
- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2019 clients.
## Security
@@ -49,7 +50,7 @@ The [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/
##### Attack surface reduction
-Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders).
+Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders).
- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We've made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
@@ -74,7 +75,7 @@ But these protections can also be configured separately. And, unlike HVCI, code
Endpoint detection and response are improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
-Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
+Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on:
@@ -143,12 +144,7 @@ We've also added a new assessment for the Windows time service to the **Device p
We're continuing to work on how other security apps you've installed show up in the **Windows Security** app. There's a new page called **Security providers** that you can find in the **Settings** section of the app. Select **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers' apps or get more information on how to resolve issues reported to you through **Windows Security**.
-This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
-
-You can read more about ransomware mitigations and detection capability at:
-
-- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Microsoft Malware Protection Center blog](https://www.microsoft.com/security/blog/category/research/ransomware/)
+This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks.
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
@@ -170,11 +166,11 @@ This release enables support for WIP with Files on Demand, allows file encryptio
### BitLocker
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup).
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/operating-system-security/data-protection/bitlocker/configure#bitlocker-policy-settings).
#### Silent enforcement on fixed drives
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (Azure AD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI.
+Through a modern device management (MDM) policy, BitLocker can be enabled silently for standard Microsoft Entra ID joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Entra ID users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI.
This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others.
@@ -192,7 +188,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
-Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+Windows Hello for Business now supports FIDO 2.0 authentication for Entra ID-joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now password-less on S-mode.
@@ -212,18 +208,18 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Entra ID-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
> Credential Guard is available only to S mode devices or Enterprise and Education Editions.
-For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
+For more information, see [Credential Guard overview](/windows/security/identity-protection/credential-guard/credential-guard-requirements).
### Other security improvements
#### Windows security baselines
-Microsoft has released new [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10).
+Microsoft has released new [Windows security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10).
#### SMBLoris vulnerability
@@ -250,9 +246,9 @@ A new security policy setting
#### Windows 10 in S mode
-We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
+We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows.":::
+:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows 10 Enterprise LTSC 2019.":::
## Deployment
@@ -295,7 +291,7 @@ It's also now possible to run a script if the user rolls back their version of W
`/PostRollback
-> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited.
+> Windows 10 Enterprise LTSC 2021 was first available on November 16, 2021. Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
+>
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the general availability channel release of Windows 10 might be limited.
Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
@@ -28,9 +29,9 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements
## Lifecycle
> [!IMPORTANT]
-> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle.
+> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle. ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle.
-For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
+For more information about the lifecycle for this release, see [The next Windows 10 long-term servicing channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
## Hardware security
@@ -52,7 +53,7 @@ There are already devices in the market today that offer SMM Firmware Protection
### Encryption and data protection
-BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+BitLocker and Mobile Device Management (MDM) with Microsoft Entra ID work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
### Network security
@@ -97,11 +98,12 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### App isolation
-[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
+[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
#### Microsoft Defender Application Guard
-[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
+[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
+
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
@@ -119,10 +121,6 @@ Application Guard performance is improved with optimized document opening times:
- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
-[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
-
-**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
-
### Application Control
[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker.
@@ -140,12 +138,12 @@ Windows Hello enhancements include:
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Microsoft Entra hybrid support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Microsoft Entra hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Entra ID.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Credential protection
@@ -155,26 +153,19 @@ Windows Hello enhancements include:
### Privacy controls
-[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+[Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
## Cloud Services
-### Microsoft Intune family of products
-
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
-
-### Configuration Manager
-
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-
-#### Microsoft Intune
+### Microsoft Intune
Microsoft Intune supports Windows 10 Enterprise LTSC 2021 with the following exception:
+
- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2021 clients.
-A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
+A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/remote-actions/collect-diagnostics).
-Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
+Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status).
For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
@@ -189,7 +180,8 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
#### Key-rolling and Key-rotation
-This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+This release also includes two new features called key-rolling and key-rotation enables secure rolling of recovery passwords on MDM-managed Microsoft Entra ID devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+
## Deployment
### SetupDiag