Windows 10 has twelve editions, all with varying feature sets, use cases, or intended devices. Certain editions are distributed only on devices directly from an original equipment manufacturer (OEM), while editions such as Enterprise and Education are only available through volume licensing channels. Microsoft also makes editions of Windows 10 available to device manufacturers for use on specific classes of devices, including smartphones (Windows 10 Mobile) and IoT devices.
Part of a series on |
Windows 10 |
---|
Related |
- 7Upgrade path
LTSB, which stands for 'Long-term Servicing Branch,' was among the pillars of Windows 10 in the months leading up to, and for months after, the mid-2015 roll-out of the operating system. Jan 02, 2018 That’s what Windows 10 LTSB–the “Long Term Servicing Branch”–is for, and it’s only available for the Enterprise edition of Windows 10. While this is a branch of Windows 10, you can only get it by installing Windows from Windows 10 LTSB installation media.
Baseline editions[edit]
Baseline editions are the only editions available as standalone purchases in the retail outlets.
- Home
- Windows 10 Home is designed for use in PCs, tablets and 2-in-1 PCs. It includes all features directed at consumers.[1][2][3]
- Pro
- Windows 10 Pro includes all features of Windows 10 Home, with additional capabilities that are oriented towards business environments, such as Active Directory, Remote Desktop, BitLocker, Hyper-V, and Windows Defender Device Guard.[1][2][3]
- Pro for Workstations
- Windows 10 Pro for Workstations is designed for high-end hardware for intensive computing tasks and supports Intel Xeon, AMD Opteron and the latest AMD Epyc processors; up to four CPUs; up to 6 TB RAM; the ReFS file system; Non-Volatile Dual In-line Memory Module (NVDIMM); and remote direct memory access (RDMA).[4][5][6]
Organizational editions[edit]
These editions add features to facilitate centralized control of many installations of the OS within an organization. The main avenue of acquiring them is a volume licensing contract with Microsoft.
- S
- Windows 10 S is a feature-limited edition of Windows 10 designed primarily for low-end devices in the education market. It has a faster initial setup and login process, and allows devices to be provisioned using a USB drive with the 'Set Up School PCs' app. Windows 10 S only allows the installation of software (both Universal Windows Platform and Windows API apps) from Microsoft Store, although command line programs or shells (even from Microsoft Store) are not allowed.[7][8] System settings are locked to allow only Microsoft Edge as the default web browser with Bing as its search engine.[9] The operating system may be upgraded to Windows 10 Pro for a fee, to enable unrestricted software installation.[10][11] All Windows 10 S devices include a free one-year subscription to Minecraft: Education Edition. Critics have compared the edition to Windows RT, and have considered it to be a competitor to Chrome OS.[10][12][13][14][15]
- In March 2018, Microsoft announced that it would be phasing out Windows 10 S, citing confusion among manufacturers and end-users. Microsoft stated that it would replace this edition with the ability for vendors to ship their Windows 10 Home or Pro devices in 'S Mode', wherein Windows defaults to only allowing applications to be installed from Microsoft Store. S Mode does not require payment in order to disable these restrictions.[16][17]
- Education
- Windows 10 Education is distributed through Academic Volume Licensing. It was built off of Windows 10 Enterprise and initially reported to have the same feature set.[1][2][3] As of version 1709, however, this edition has fewer features. See § Comparison chart for details.
- Pro Education
- This edition was introduced in July 2016 for hardware partners on new devices purchased with the discounted K–12 academic license. It was built off of the Pro edition of Windows 10 and contains the mostly same features as Windows 10 Pro with different options disabled by default, and adds options for setup and deployment in an education environment. It also features a 'Set Up School PCs' app that allows provisioning of settings using a USB flash drive, and does not include Cortana, Microsoft Store suggestions, or Windows Spotlight.[18][19][20]
- Enterprise
- Windows 10 Enterprise provides all the features of Windows 10 Pro, with additional features to assist with IT-based organizations.[1][2][3] Windows 10 Enterprise is configurable on three branches, Semi-Annual Channel, Semi-Annual Channel (Targeted), and Windows Insider.[21]
- Enterprise LTSC
- Enterprise LTSC (Long-Term Servicing Channel) is a long-term support version of Windows 10 Enterprise released every 2 to 3 years. Each release is supported with security updates for 10 years after its release, and intentionally receive no feature updates. Some features, including the Microsoft Store and bundled apps, are not included in this edition.[22][1][3] This edition was first released as Windows 10 Enterprise LTSB (Long-Term Servicing Branch).[23] There are currently 3 releases of LTSC: one in 2015 (version 1507), one in 2016 (version 1607) and one in 2018 (version 1809).[24]
Device-specific editions[edit]
These editions are licensed to OEMs only. The main avenue of purchasing these editions is through buying specific devices (e.g. smartphones) that have them pre-installed.
- IoT
- Designed specifically for use in small footprint, low-cost devices and IoT scenarios. It is a rebranded version of Microsoft's earlier embedded operating systems, Windows Embedded. Three editions are already announced: IoT Core, IoT Enterprise, and IoT Mobile Enterprise.[25][26][27]
- Team
- Windows 10 Team is a device-specific version of Windows 10 loaded onto the Surface Hub.[28]
Discontinued editions[edit]
The following editions of Windows 10 are discontinued, i.e. were not part of Windows 10 version 1803. (For both Mobile and Mobile Enterprise, Microsoft confirmed it was exiting the consumer mobile devices market, so no successor product is available.[29])
- Mobile
- Windows 10 Mobile is designed for smartphones and small tablets. It includes all basic consumer features, including Continuum capability. It is the de facto successor of Windows Phone 8.1 and Windows RT.[1][2]
- Mobile Enterprise
- Windows 10 Mobile Enterprise provides all the features in Windows 10 Mobile, with additional features to assist IT-based organizations, in a manner similar to Windows 10 Enterprise, but optimized for mobile devices.[1][2]
Variations[edit]
As with previous versions of Windows since XP, all Windows 10 editions for PC hardware have 'N' and 'KN' variations in Europe and South Korea that exclude certain bundled multimedia functionality, including media players and related components, in order to comply with antitrust rulings. The 'Media Feature Pack' can be installed to restore these features.[30]
As with Windows 8.1, a reduced-price 'Windows 10 with Bing' SKU is available to OEMs; it is subsidized by having Microsoft's Bing search engine set as default, which cannot be changed to a different search engine by OEMs. It is intended primarily for low-cost devices, and is otherwise identical to Windows 10 Home.[31]
In May 2017, it was reported that Microsoft had, as part of its partnership with China Electronics Technology Group, created a specially-modified version of Windows 10 Enterprise designed for use within branches of the Chinese government. This version is pre-configured to 'remove features that are not needed by Chinese government employees', and allow the use of its internal encryption algorithms.[32][33] Windows 7 loader tpb.
Comparison chart[edit]
Item | Meaning |
---|---|
Yes | Feature is present in the given edition |
Yes, since [update] | Feature is present in the given edition after installing a certain update |
No | Feature is absent from the given edition |
[Explanation] | Feature is partly present in the given edition |
[Explanation], since [update] | Feature is partly present in the given edition, after installing a certain update (It might have been fully present prior to that update, or not present at all) |
Features | Home | Pro | Pro Education | Education | Enterprise |
---|---|---|---|---|---|
Architecture | IA-32, x86-64 | ||||
Availability | OEM, Retail | OEM, Retail, Volume licensing | Academic Volume Licensing | Volume licensing | Volume licensing |
Has N or KN variants? | Yes | Yes | Yes | Yes | Yes |
Maximum physical memory (RAM) | 4 GB on IA-32 128 GB on x86-64 | 4 GB on IA-32 2 TB (2048 GB) on x86-64 | 4 GB on IA-32 6 TB (6144 GB) on x86-64 | ||
Minimum telemetry level[a][38] | Basic | Basic | Basic | Security | Security |
Continuum | Yes | Yes | Yes | Yes | Yes |
Family Safety and Parental Controls | Yes | Yes | No | No | No |
Cortana[b] | Yes | Yes | Yes, disabled by default | Yes, since 1703 | Yes |
Hardware device encryption | Yes | Yes | Yes | Yes | Yes |
Microsoft Edge | Yes | Yes | Yes | Yes | Yes |
Multiple language pack support | Yes | Yes | Yes | Yes | Yes |
Mobile device management | Yes | Yes | Yes | Yes | Yes |
Side-loading of line of business apps | Yes | Yes | Yes | Yes | Yes |
Virtual desktops | Yes | Yes | Yes | Yes | Yes |
Windows Hello[c] | Yes | Yes | Yes | Yes | Yes |
Can pause updates? | Yes, since 1903 | Yes | Yes | Yes | Yes |
Windows Spotlight | Yes | Yes | No | Yes | Yes |
Microsoft Store suggestions[19][20] | Yes | Yes | Yes, disabled by default | Yes, disabled by default | Yes |
Remote Desktop | Client only | Client and host | Client and host | Client and host | Client and host |
Remote App | Client only | Client only | Client only | Client and host | Client and host |
ReFS support[39] | Cannot create, since 1709 | Cannot create, since 1709 | Cannot create, since 1709 | Cannot create, since 1709 | Yes |
Windows Subsystem for Linux | 64-bitSKUs only, since 1607 | 64-bit SKUs only, since 1607 | 64-bit SKUs only, since 1607 | 64-bit SKUs only, since 1607 | 64-bit SKUs only, since 1607 |
Windows Sandbox | No | 64-bit SKUs only, since 1903 | 64-bit SKUs only, since 1903 | 64-bit SKUs only, since 1903 | 64-bit SKUs only, since 1903 |
Hyper-V | No | 64-bit SKUs only | 64-bit SKUs only | 64-bit SKUs only | 64-bit SKUs only |
Assigned Access 8.1 | No | Yes | Yes | Yes | Yes |
BitLocker | No | Yes | Yes | Yes | Yes |
Business Store | No | Yes | Yes | Yes | Yes |
Conditional Access | No | Yes | Yes | Yes | Yes |
Device Guard | No | Yes | Yes | Yes | Yes |
Enterprise data protection | No | Yes | Yes | Yes | Yes |
Enterprise Mode Internet Explorer (EMIE) | No | Yes | Yes | Yes | Yes |
Joining a domain and Group Policy management | No | Yes | Yes | Yes | Yes |
Joining a Microsoft AzureActive Directory | No | Yes | Yes | Yes | Yes |
Private catalog | No | Yes | Yes | Yes | Yes |
Windows Analytics | No | Yes | Yes | Yes | Yes |
Windows Information Protection | No | Yes | Yes | Yes | Yes |
Windows Update for Business | No | Yes | Yes | Yes | Yes |
Windows To Go[d] | No | No | No | Yes[41] | Yes[40][41] |
AppLocker | No | No | No | Yes | Yes |
BranchCache | No | No | No | Yes | Yes |
Credential Guard (Pass the hash mitigations) | No | No | No | Yes | Yes |
DirectAccess[42] | No | No | No | No | Yes |
Microsoft App-V | No | No | No | Yes | Yes |
Microsoft Desktop Optimization Pack (MDOP) | No | No | No | Yes | Yes |
Microsoft UE-V | No | No | No | Yes | Yes |
Start screen control with Group Policy | No | No | No | Yes | Yes |
User experience control and lockdown | No | No | No | Yes | Yes |
Unified Write Filter (UWF) | No | No | No | Yes | Yes |
Long-term servicing option available (LTSC) | No | No | No | No | Yes |
Features | Home | Pro | Pro Education | Education | Enterprise |
Microsoft OEM licensing formula takes display size, RAM capacity and storage capacity into account. In mid-2015, devices with 4 GB RAM were expected to be $20 more expensive than devices with 2 GB RAM.[43]
Upgrade path[edit]
Free upgrade[edit]
At the time of launch, Microsoft deemed Windows 7 (with Service Pack 1), Windows 8 and Windows 8.1 users eligible to upgrade to Windows 10 free of charge, so long as the upgrade takes place within one year of Windows 10's initial release date. Windows RT and the respective Enterprise editions of Windows 7, 8, and 8.1 were excluded from this offer.[44]
Windows version and edition | Windows 10 edition |
---|---|
Windows 7 Starter | Home |
Windows 7 Home Basic | |
Windows 7 Home Premium | |
Windows 7 Professional | Pro |
Windows 7 Ultimate | |
Windows 8.1 with Bing | Home |
Windows 8.1 | |
Windows 8.1 Pro | Pro |
Windows Phone 8.1 | Mobile |
Commercial upgrade[edit]
The following table summarizes possible upgrade paths that can be taken, provided that proper licenses are purchased.
Item | Meaning |
---|---|
Yes | Full upgrade is possible, preserving apps, settings and data |
No | Full upgrade is not possible |
Downgrade | Full upgrade is possible but feature loss will occur |
Windows version | Windows edition | Upgrade target | ||||
---|---|---|---|---|---|---|
Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | ||
Windows 7 | Starter | Yes | Yes | Yes | Yes | No |
Home Basic | Yes | Yes | Yes | Yes | No | |
Home Premium | Yes | Yes | Yes | Yes | No | |
Professional | Downgrade | Yes | Yes | Yes | Yes | |
Ultimate | Downgrade | Yes | Yes | Yes | Yes | |
Enterprise | No | No | No | Yes | Yes | |
Windows 8.x | (Core) | Yes | Yes | Yes | Yes | No |
Professional | Downgrade | Yes | Yes | Yes | Yes | |
Enterprise | No | No | No | Yes | Yes | |
Windows 8.x Embedded | Industry | No | No | No | No | Yes |
Windows 10 | Home | N/A | Yes | Yes | Yes | Yes |
Pro | Downgrade | N/A | Yes | Yes | Yes | |
Pro Education | Yes | Yes | N/A | No | No | |
Education | No | No | No | N/A | Yes | |
Enterprise | No | No | No | Downgrade | N/A |
Release branches[edit]
New releases of Windows10, called feature updates,[22] are released twice a year as a free update for existing Windows 10 users. Each feature update contains new features and other changes to the operating system.[46] The pace at which a system receives feature updates is dependent on the release branch from which the system downloads its updates. Windows 10 Pro, Enterprise and Education can optionally use a branch that receives updates at a slower pace. These modes can be managed through system settings, Windows Server Update Services (WSUS), Windows Update for Business, Group Policy or through mobile device management systems such as Microsoft Intune.[22]
- Windows Insider
- Windows Insider is a beta testing program that allows access to pre-release builds of Windows 10; it is designed to allow power users, developers, and vendors to test and provide feedback on future feature updates to Windows 10 as they are developed. Windows Insider itself consists of three 'rings', 'fast' (which receives new builds as they are released), 'Slow' (which receives new builds on a delay after it is deployed to Fast ring users), and 'Release Preview'.
- Semi-Annual Channel (Targeted)
- The Semi-Annual Channel (Targeted), previously known as the Current Branch (CB), distributes all feature updates as they graduate from the Windows Insider branch. Microsoft only supports the latest build. As of version 1703, additional settings are provided to pause or defer feature updates for a specified length of time, but they were not available on Windows 10 Home until version 1903[47].[48][49]
- Semi-Annual Channel
- The Semi-Annual Channel, previously known as Current Branch for Business (CBB), distributes feature updates on a four-month delay from their original release to the Semi-Annual Channel. This allows customers and vendors to evaluate and perform additional testing on new builds before broader deployments. Devices can be switched back to the Semi-Annual Channel (Targeted) at any time. The Semi-Annual Channel is not available on Windows 10 Home.[22][50]
- Long-Term Servicing Channel (LTSC)
- This servicing option is exclusively available for Windows 10 Enterprise LTSC edition and distributes snapshots of this edition that are updated every 2-3 years. LTSC builds adhere to Microsoft's traditional support policy which was in effect before Windows 10: They are not updated with new features, and are supported with critical updates for 10 years after their release. Microsoft officially discourages the use of LTSC outside of 'special-purpose devices' that perform a fixed function and thus do not require new user experience features. As a result, it excludes Windows Store, most Cortana functionality, and most bundled apps (including Microsoft Edge).[22][1][3] According to a Microsoft announcement, this servicing option was renamed from Long-Term Servicing Branch (LTSB) in 2016 to Long-Term Servicing Channel (LTSC) in 2018, to match the name changes mentioned above.[23]
See also[edit]
- Windows Server 2016, the sibling of Windows 10 designed for servers, based on Windows 10 version 1607[51]
- Windows Server 2019, based on Windows 10 version 1809
- Xbox One system software, an operating system based on the Windows 10 core, designed to run on consoles
Notes[edit]
- ^There are four telemetry levels, in the order of magnitude: Security, basic, advanced, and full. The higher the level, the more information that is sent to Microsoft.
- ^Cortana is available only in certain markets. Experience may vary by region and device.
- ^Windows Hello requires specialized hardware, such as a fingerprint reader, illuminated IR sensor or other biometric sensor.
- ^On Windows 10 Pro, a Control Panel applet corresponding to this feature appears, but a Windows 10 Enterprise or Education image is still needed.[40][41]
References[edit]
- ^ abcdefghProphet, Tony (May 13, 2015). 'Introducing Windows 10 Editions'. Windows Experience Blog. Microsoft.
- ^ abcdefBott, Ed (May 14, 2015). 'Windows 10 editions: Everything you need to know'. ZDNet. CBS Interactive.
- ^ abcdefFoley, Mary Jo (July 2, 2015). 'Which Windows 10 editions get which features?'. ZDNet. CBS Interactive.
- ^Diaconu, Klaus (August 10, 2017). 'Microsoft announces Windows 10 Pro for Workstations'. Windows For Your Business. Microsoft.
- ^Foley, Mary Jo (August 10, 2017). 'Microsoft confirms new Windows 10 Pro for Workstations edition'. ZDNet. CBS Interactive.
- ^Warren, Tom (August 10, 2017). 'Microsoft reveals new Windows 10 Workstations edition for power users'. The Verge. Vox Media.
- ^Turner, Rich. 'Will Linux distros run on Windows 10 S?'. Microsoft. Retrieved May 26, 2017.
- ^Gartenberg, Chaim (May 19, 2017). 'Linux distros won't run on Windows 10 S after all'. The Verge. Vox Media.
- ^Warren, Tom. 'Windows 10 S won't let you change the default browser or switch to Google search'. The Verge. Vox Media.
- ^ abChacos, Brad. 'Meet Windows 10 S, a streamlined, simplified, Microsoft Store-only OS for schools'. PC World. IDG.
- ^Warren, Tom (June 19, 2017). 'Microsoft now lets Surface Laptop owners revert back to Windows 10 S'. The Verge. Vox Media.
- ^'Windows 10 S is Microsoft's answer to Chrome OS'. The Verge. Vox Media. Retrieved May 2, 2017.
- ^Bright, Peter (September 14, 2016). 'Desktop apps make their way into the Microsoft Store'. Ars Technica. Condé Nast.
- ^'Windows 10 Cloud looks just like Windows 10 in leaked screenshots'. The Verge. Vox Media. Retrieved March 11, 2017.
- ^'Leaked Microsoft document confirms Windows 10 Cloud and a Chromebook competitor'. PC World. IDG. Retrieved April 23, 2017.
- ^'Microsoft admits Windows 10 S was confusing, new 'S Mode' upgrades will be free'. The Verge. Retrieved 2018-03-08.
- ^Tung, Liam. 'Windows 10 to permit block on apps installing if they're not from Microsoft Store'. ZDNet. Retrieved 2018-03-08.
- ^Foley, Mary Jo (July 27, 2016). 'Microsoft to add new Windows 10 Pro Education edition to its line-up'. ZDNet. CBS Interactive.
- ^ ab'Windows 10 editions for education customers'. Microsoft. Retrieved February 22, 2019.
- ^ ab'Manage Windows 10 and Microsoft Store tips, 'fun facts', and suggestions'. Microsoft. Retrieved February 22, 2019.
- ^DaniHalfin. 'Assign devices to servicing branches for Windows 10 updates (Windows 10)'. docs.microsoft.com. Retrieved May 3, 2017.
- ^ abcde'Overview of Windows as a service'. Microsoft. Retrieved May 6, 2017.
- ^ abBrinkmann, Martin (July 28, 2017). 'Windows 10 LTSB becomes Windows 10 LTSC'. gHacks Technology News.
- ^Keizer, Gregg. 'FAQ: Windows 10 LTSB explained'. Computerworld. Retrieved 3 October 2018.
- ^'Windows 10 IoT for your business'. Windows for Business. Microsoft. Retrieved January 16, 2016.
- ^'Windows 10 IoT Enterprise'. MS Embedded. Silica. August 14, 2015. Archived from the original on May 8, 2017. Retrieved February 1, 2016.
- ^Foley, Mary Jo (December 3, 2015). 'Microsoft updates Windows 10 IoT, adds new Core Pro version'. ZDNet. CBS Interactive.
- ^'Windows 10 Team Anniversary Update now available for Microsoft Surface Hub'. Neowin. Retrieved May 3, 2017.
- ^Patrizio, Andy. 'Microsoft is leaving the consumer mobile market'. Network World. IDG Publishing. Retrieved 30 August 2018.
- ^Ron (August 2, 2015). 'Grab the Media Feature Pack for Windows 10 N and Windows 10 KN editions'. WinBeta. Retrieved March 11, 2016.
- ^Slater-Robins, Max. 'Microsoft is helping manufacturers make cheap tablets that can run Windows as well as Android'. Business Insider UK. Business Insider UK. Retrieved April 23, 2016.
- ^'Microsoft made a version of Windows 10 for the Chinese government'. Engadget. Retrieved May 28, 2017.
- ^Myerson, Terry (May 23, 2017). 'Announcing Windows 10 China Government Edition and the new Surface Pro'. Windows 10 blog. Microsoft.
- ^Dudau, Vlad (June 10, 2015). 'Microsoft shows OEMs how to market Windows 10; talks features and SKUs'. Neowin. Neowin LLC. Retrieved June 19, 2015.
- ^'Compare Windows 10 Pro & Enterprise (E3 & E5) Commercial Editions'. microsoft.com. Microsoft. Retrieved July 2, 2015.
- ^'Compare Windows 10 Editions & Versions | Home & Pro'. microsoft.com. Microsoft. Retrieved October 30, 2017.
- ^Howse, Brett (July 2, 2015). 'Windows 10 Editions Compared'. AnandTech. Purch.
- ^'Configure Windows telemetry in your organization'. docs.microsoft.com. Microsoft. May 22, 2017.
- ^'Features that are removed or deprecated in Windows 10 Fall Creators Update'. Support (28 ed.). Microsoft. October 17, 2017.
- ^ abThurrott, Paul (February 10, 2017). 'Ask Paul: Is Windows To Go Coming to Windows 10 Pro?'. thurrott.com. BWW Media Group.
- ^ abcNiehaus, Michael; Lich, Brian. 'Windows To Go frequently asked questions (Windows 10)'. docs.microsoft.com. Microsoft. Retrieved July 30, 2017.
How can Windows To Go be deployed in an organization? [~snip~] A Windows 10 Enterprise or Windows 10 Education image
- ^shortpatti. 'DirectAccess'. docs.microsoft.com. Retrieved 2019-09-01.
- ^'TrendForce Adjusts Notebooks' Unit Memory Capacity for 2015 Down by 3~5% due to Microsoft's New License Fee Arrangement for Windows 10'. DRAMeXchange. TrendForce Corp. July 27, 2015. Retrieved March 11, 2016.
- ^ abTrent, Rod (June 9, 2015). 'Windows 10 Upgrade Paths'. SuperSite for Windows. Penton.
- ^Lindsay, Greg; Lich, Brian (April 5, 2017). 'Windows 10 upgrade paths'. Microsoft Docs. Microsoft.
- ^Warren, Tom (April 20, 2017). 'Microsoft will now release major Windows 10 updates every March and September'. The Verge. Vox Media.
- ^'Windows 10 1903: the case of the missing update deferral options - gHacks Tech News'. www.ghacks.net. Retrieved 2019-06-13.
- ^Leonhard, Woody (March 1, 2017). 'Put Windows 10 updates on hold—now available in Creators Update build 15046'. Computerworld. IDG. Retrieved May 6, 2017.
- ^Paul, Ian (April 18, 2017). 'How to defer future updates in the Windows 10 Creators Update'. PC World. IDG.
- ^Keizer, Gregg (November 17, 2015). 'How to defer upgrades and updates in Windows 10 Pro'. Computerworld. IDG.
- ^https://www.neowin.net/news/windows-server-2019-and-windows-server-version-1809-will-be-generally-available-in-october/
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Windows_10_editions&oldid=918059152'
-->Applies to
- Windows 10 Enterprise 2015 LTSC
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see Windows 10 Enterprise LTSC.
Note
Features in Windows 10 Enterprise 2015 LTSC are equivalent to Windows 10, version 1507.
![Windows 10 Enterprise Ltsb 2015 Windows 10 Enterprise Ltsb 2015](/uploads/1/3/3/8/133865976/912081052.png)
Deployment
Provisioning devices using Windows Imaging and Configuration Designer (ICD)
With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
Security
Applocker
Applocker was available for Windows 8.1, and is improved with Windows 10. See Requirements to use AppLocker for a list of operating system requirements.
Enhancements to Applocker in Windows 10 include:
- A new parameter was added to the New-AppLockerPolicy Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the ServiceEnforcement to Enabled.
- A new AppLocker configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
- You can manage Windows 10 Mobile devices by using the new AppLocker CSP.
Learn how to manage AppLocker within your organization.
Bitlocker
Enhancements to Applocker in Windows 10 include:
- Encrypt and recover your device with Azure Active Directory. In addition to using a Microsoft Account, automatic Device Encryption can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
- DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in 'BitLocker Group Policy settings.'
Learn how to deploy and manage BitLocker within your organization. Windows office iso.
Certificate management
For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the Certificates app to review the details of certificates on your device. Learn how to install digital certificates on Windows 10 Mobile.
Microsoft Passport
In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.
Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.
Security auditing
In Windows 10, security auditing has added some improvements:
New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
- Audit Group Membership Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy ConfigurationSystem Audit PoliciesLogon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
- Audit PNP Activity Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
More info added to existing audit events
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
Changed the kernel default audit policy
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
Added a default process SACL to LSASS.exe
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L'S:(AU;SAFA;0x0010;;;WD)'. You can enable this under Advanced Audit Policy ConfigurationObject AccessAudit Kernel Object.This can help identify attacks that steal credentials from the memory of a process.
New fields in the logon event
The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
- MachineLogon String: yes or noIf the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
- ElevatedToken String: yes or noIf the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP_LOGON_SESSION) will also be shown.
- TargetOutboundUserName StringTargetOutboundUserDomain StringThe username and domain of the identity that was created by the LogonUser method for outbound traffic.
- VirtualAccount String: yes or noIf the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
- GroupMembership StringA list of all of the groups in the user's token.
- RestrictedAdminMode String: yes or noIf the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.For more info on restricted admin mode, see Restricted Admin mode for RDP.
New fields in the process creation event
The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
- TargetUserSid StringThe SID of the target principal.
- TargetUserName StringThe account name of the target user.
- TargetDomainName StringThe domain of the target user.
- TargetLogonId StringThe logon ID of the target user.
- ParentProcessName StringThe name of the creator process.
- ParentProcessId StringA pointer to the actual parent process if it's different from the creator process.
New Security Account Manager events
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
- SamrEnumerateGroupsInDomain
- SamrEnumerateUsersInDomain
- SamrEnumerateAliasesInDomain
- SamrGetAliasMembership
- SamrLookupNamesInDomain
- SamrLookupIdsInDomain
- SamrQueryInformationUser
- SamrQueryInformationGroup
- SamrQueryInformationUserAlias
- SamrGetMembersInGroup
- SamrGetMembersInAlias
- SamrGetUserDomainPasswordInformation
New BCD events
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
- DEP/NEX settings
- Test signing
- PCAT SB simulation
- Debug
- Boot debug
- Integrity Services
- Disable Winload debugging menu
New PNP events
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
Learn how to manage your security audit policies within your organization.
Trusted Platform Module
New TPM features in Windows 10
The following sections describe the new and changed functionality in the TPM for Windows 10:
- Microsoft Passport support
- Device Guard support
- Credential Guard support
Device health attestation
Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.Some things that you can check on the device are:
- Is Data Execution Prevention supported and enabled?
- Is BitLocker Drive Encryption supported and enabled?
- Is SecureBoot supported and enabled?
Note The device must be running Windows 10 and it must support at least TPM 2.0.
Learn how to deploy and manage TPM within your organization.
User Account Control
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemConsentPromptBehaviorAdmin registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
For more info about how manage UAC, see UAC Group Policy Settings and Registry Key Settings.
Windows 10 Enterprise 2016 Ltsb
In Windows 10, User Account Control has added some improvements:
- Integration with the Antimalware Scan Interface (AMSI). The AMSI scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
Learn how to manage User Account Control within your organization.
VPN profile options
Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including:
- Always-on auto connection behavior
- App=triggered VPN
- VPN traffic filters
- Lock down VPN
- Integration with Microsoft Passport for Work
Management
Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.
MDM support
MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
MDM support in Windows 10 is based on Open Mobile Alliance (OMA) Device Management (DM) protocol 1.2.1 specification.
Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. Driver genius crack key download. Reference for Mobile device management for Windows 10
Unenrollment
When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.
When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.
Infrastructure
Enterprises have the following identity and management choices.
Area | Choices |
---|---|
Identity | Active Directory; Azure AD |
Grouping | Domain join; Workgroup; Azure AD join |
Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
Note With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see Microsoft Support Lifecycle.
Device lockdown
Do you need a computer that can only do one thing? For example:
- A device in the lobby that customers can use to view your product catalog.
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
You can configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select.
You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen.
Customized Start layout
A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a partial Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to customize and export Start layout.
Administrators can also use mobile device management (MDM) or Group Policy to disable the use of Windows Spotlight on the lock screen.
Updates
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
By using Group Policy Objects, Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- Deployment and validation groups; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- Peer-to-peer delivery, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
- Use with existing tools such as System Center Configuration Manager and the Enterprise Mobility Suite.
Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
Learn more about Windows Update for Business.
For more information about updating Windows 10, see Windows 10 servicing options for updates and upgrades.
Microsoft Edge
Microsoft Edge is not available in the LTSC release of Windows 10.
See Also
![Ltsb Ltsb](/uploads/1/3/3/8/133865976/719134748.jpg)
Windows 10 Enterprise Ltsb 2015 2017
Windows 10 Enterprise LTSC: A description of the LTSC servicing channel with links to information about each release.