| Access Control (ACL/SACL) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Account Lockout Policy |
Yes |
Yes |
Yes |
Yes |
Yes |
| Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Always On VPN (device tunnel) |
❌ |
Yes |
Yes |
Yes |
Yes |
| App containers |
Yes |
Yes |
Yes |
Yes |
Yes |
| AppLocker |
❌ |
Yes |
Yes |
Yes |
Yes |
| Assigned Access (kiosk mode) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Attack surface reduction (ASR) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Azure Code Signing |
Yes |
Yes |
Yes |
Yes |
Yes |
| BitLocker enablement |
Yes |
Yes |
Yes |
Yes |
Yes |
| BitLocker management |
❌ |
Yes |
Yes |
Yes |
Yes |
| Bluetooth pairing and connection protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Common Criteria certifications |
Yes |
Yes |
Yes |
Yes |
Yes |
| Controlled folder access |
Yes |
Yes |
Yes |
Yes |
Yes |
| Credential Guard |
❌ |
Yes |
Yes |
Yes |
Yes |
| Device health attestation service |
Yes |
Yes |
Yes |
Yes |
Yes |
| Direct Access |
❌ |
Yes |
Yes |
Yes |
Yes |
| Domain Name System (DNS) security |
Yes |
Yes |
Yes |
Yes |
Yes |
| Email Encryption (S/MIME) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Encrypted hard drive |
Yes |
Yes |
Yes |
Yes |
Yes |
| Enhanced phishing protection with SmartScreen |
Yes |
Yes |
Yes |
Yes |
Yes |
| Exploit protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Federal Information Processing Standard (FIPS) 140 validation |
Yes |
Yes |
Yes |
Yes |
Yes |
| Federated sign-in |
❌ |
❌ |
❌ |
Yes |
Yes |
| FIDO2 security key |
Yes |
Yes |
Yes |
Yes |
Yes |
| Hardware-enforced stack protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Hypervisor-protected Code Integrity (HVCI) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Kernel Direct Memory Access (DMA) protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Local Security Authority (LSA) Protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Measured boot |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender Antivirus |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender Application Guard (MDAG) configure via MDM |
❌ |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management |
❌ |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender Application Guard (MDAG) for Edge standalone mode |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender Application Guard (MDAG) for Microsoft Office |
❌ |
❌ |
❌ |
❌ |
❌ |
| Microsoft Defender Application Guard (MDAG) public APIs |
❌ |
Yes |
Yes |
Yes |
Yes |
| Microsoft Defender for Endpoint |
❌ |
❌ |
Yes |
❌ |
Yes |
| Microsoft Defender SmartScreen |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Pluton |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Security Development Lifecycle (SDL) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft vulnerable driver blocklist |
Yes |
Yes |
Yes |
Yes |
Yes |
| Microsoft Windows Insider Preview bounty program |
Yes |
Yes |
Yes |
Yes |
Yes |
| Modern device management through (MDM) |
Yes |
Yes |
Yes |
Yes |
Yes |
| OneFuzz service |
Yes |
Yes |
Yes |
Yes |
Yes |
| Opportunistic Wireless Encryption (OWE) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Passkeys |
Yes |
Yes |
Yes |
Yes |
Yes |
| Personal data encryption (PDE) |
❌ |
Yes |
Yes |
Yes |
Yes |
| Privacy Resource Usage |
Yes |
Yes |
Yes |
Yes |
Yes |
| Privacy Transparency and Controls |
Yes |
Yes |
Yes |
Yes |
Yes |
| Remote Credential Guard |
Yes |
Yes |
Yes |
Yes |
Yes |
| Remote wipe |
Yes |
Yes |
Yes |
Yes |
Yes |
| Secure Boot and Trusted Boot |
Yes |
Yes |
Yes |
Yes |
Yes |
| Secured-core configuration lock |
Yes |
Yes |
Yes |
Yes |
Yes |
| Secured-core PC firmware protection |
Yes |
Yes |
Yes |
Yes |
Yes |
| Security baselines |
Yes |
Yes |
Yes |
Yes |
Yes |
| Server Message Block (SMB) file service |
Yes |
Yes |
Yes |
Yes |
Yes |
| Server Message Block Direct (SMB Direct) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Smart App Control |
Yes |
Yes |
Yes |
Yes |
Yes |
| Smart Cards for Windows Service |
Yes |
Yes |
Yes |
Yes |
Yes |
| Software Bill of Materials (SBOM) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Tamper protection settings for MDE |
Yes |
Yes |
Yes |
Yes |
Yes |
| Transport Layer Security (TLS) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Trusted Platform Module (TPM) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Universal Print |
❌ |
Yes |
Yes |
Yes |
Yes |
| User Account Control (UAC) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Virtual private network (VPN) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Virtualization-based security (VBS) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Web sign-in |
Yes |
Yes |
Yes |
Yes |
Yes |
| WiFi Security |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows application software development kit (SDK) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Autopatch |
❌ |
Yes |
Yes |
❌ |
❌ |
| Windows Autopilot |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Defender Application Control (WDAC) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Defender System Guard |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Firewall |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Hello for Business |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Hello for Business Enhanced Security Sign-in (ESS) |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows LAPS |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows passwordless experience |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows presence sensing |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows Sandbox |
Yes |
Yes |
Yes |
Yes |
Yes |
| Windows security policy settings and auditing |
Yes |
Yes |
Yes |
Yes |
Yes |
Licensing requirements
Edition requirements