John Savill'ss FAQs on IT Pro Today Hero

Savill's FAQs: How Hyper-V and Azure Stack Differ

Three times a week, John Savill tackles your most pressing IT questions. Today: where to find details about the new features in the latest release of Windows 10, why some features are in Hyper-V but not in Azure Stack, and information about Application Security Groups in Azure.

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

Today: He shows you how to find out about the new features in the Windows 10 Fall Creators Update, why some features are available in Hyper-V but not on Azure Stack, and explains what Application Security Groups are in Azure.

Q. How can I check what new features were added in the 1709 releases of Windows?

A. Both Windows 10 and Windows Server had a 1709 semi-annual channel release. Both received a large number of new features. The best source for the details on what was added is via the Microsoft documentation:

Windows 10 1709 -
Edge in 1709 -
Windows Server 1709 -

Q. Why does Azure Stack not have feature X when Hyper-V does?

A. It's important to understand the relationship between Windows Server, Hyper-V, Azure and Azure Stack.

Azure runs on Windows Server and Hyper-V. On that foundation Azure adds many levels of functionality around networking, compute, storage and much more. This are enabled in various resource providers. Azure Stack brings certain capabilities of Azure to an on-premises appliance. The feature first has to be available in Azure and then later that feature can be brought to Azure Stack.

There is no feature that will go directly from Hyper-V to Azure Stack without first going via Azure.

Q. What are Application Security Groups in Azure?

A. Azure has a feature called Network Security Groups. Using Network Security Groups you can define rules based on source and destination IP address and port along with the protocol to control the flow of data. Typically these NSGs are applied at a subnet level but the key point is the actual rules are based on IP addresses or ranges of IP addresses in CIDR format (e.g. Note with the augmented security rules you can define a rule using multiple CIDR IP addresses. There are also some special service tags such as Internet and VirtualNetwork to enable rules to be based on known vs unknown IP space.

Application Security Groups add functionality to enable vmNICs to be associated to an Application Security Group, for example WebApps. It does not matter which subnet the VMs are in, all that matters is the vmNIC is tagged to a specific Application Security Group. Then within the NSG instead of using an IP range or built-in service tag you can use the name of the Application Security Group. As an example you could allow all traffic from the Internet on TCP port 443 to be allowed to the WebApps Application Security Group.

For example code to use Application Security Groups see

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.