diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index 3d2d33db5d..b5259a8275 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview description: This article explains how Windows feature updates are managed -ms.date: 10/30/2024 +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -120,6 +120,9 @@ For more information about Windows feature update policies that are created for ## Pause and resume a release +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + > [!IMPORTANT] > **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). 
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md index 656f94452c..ed17d7438c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates overview description: This article explains how Windows quality updates are managed -ms.date: 10/30/2024 +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: conceptual @@ -66,6 +66,9 @@ For the deployment rings that pass quality updates deferral date, the OOB releas ## Pause and resume a release +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. If Windows Autopatch detects a significant issue with a release, we might decide to pause that release. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index 4219401d76..c70e5b8f7a 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md 
@@ -1,7 +1,7 @@ --- title: Feature update status report -description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. -ms.date: 09/16/2024 +description: Provides a per device view of the current Windows OS upgrade status for all Intune devices. +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -19,7 +19,7 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. +The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices. **To view the Feature update status report:** @@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo ### Default columns +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + The following information is available as default columns in the Feature update status report: | Column name | Description | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index 4e65d5e28b..3df6e2730f 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md 
@@ -1,7 +1,7 @@ --- title: Windows feature update summary dashboard -description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. -ms.date: 09/16/2024 +description: Provides a broader view of the current Windows OS upgrade status for all Intune devices. +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -19,7 +19,7 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch. +The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices. The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused. @@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r ## Report information +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + The following information is available in the Summary dashboard: | Column name | Description | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index 07b8b574fd..4b2f2596df 100644 
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 11/19/2024 +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -27,7 +27,7 @@ The Windows quality reports provide you with information about: - Device update health - Device update alerts -Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. +Together, these reports provide insight into the quality update state and compliance of Intune devices. The Windows quality report types are organized into the following focus areas: diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index a28d602741..abde6947cc 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -1,7 +1,7 @@ --- title: Quality update status report -description: Provides a per device view of the current update status for all Windows Autopatch managed devices. -ms.date: 11/19/2024 +description: Provides a per device view of the current update status for all Intune devices. +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
@@ -19,7 +19,7 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices. +The Quality update status report provides a per device view of the current update status for all Intune devices. **To view the Quality update status report:** @@ -35,6 +35,9 @@ The Quality update status report provides a per device view of the current updat ### Default columns +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + The following information is available as default columns in the Quality update status report: | Column name | Description | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 5a9fe70720..13da855155 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows quality update summary dashboard -description: Provides a summary view of the current update status for all Windows Autopatch managed devices. -ms.date: 11/19/2024 +description: Provides a summary view of the current update status for all Intune devices. +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to 
@@ -19,7 +19,7 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices. +The Summary dashboard provides a summary view of the current update status for all Intune devices. **To view the current update status for all your enrolled devices:** 
@@ -27,15 +27,18 @@ The Summary dashboard provides a summary view of the current update status for a 1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. > [!NOTE] -> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). +> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). ## Report information +> [!IMPORTANT] +> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. + The following information is available in the Summary dashboard: | Column name | Description | | ----- | ----- | -| Autopatch group | The Autopatch group and deployment ring. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). | +| Autopatch group | The Autopatch group and deployment ring. If the device isn't in an Autopatch group or policy, the device appears as "Unassigned". For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). | | Device count | Total device count per Autopatch group or deployment ring. 
| | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 0ef22984f0..97d26c798d 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -1,7 +1,7 @@ --- title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles. -ms.date: 11/19/2024 +ms.date: 11/20/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: overview 
@@ -72,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus | [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | | [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | | [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. | -| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. | +| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. | | [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. | ## Communications 
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 36d65173bd..c695db60bd 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -9,16 +9,9 @@ ms.date: 11/04/2024 :::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false"::: -## Microsoft Entra ID +## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID -:::row::: - :::column span="1"::: -:::image type="content" source="images/microsoft-entra-id.png" alt-text="Logo of Microsoft Entra ID." border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. - :::column-end::: -:::row-end::: +Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID . 
@@ -56,31 +49,17 @@ Every Windows device has a built-in local administrator account that must be sec - [Microsoft Entra ID documentation][LINK-1] - [Microsoft Entra plans and pricing][LINK-2] -### Microsoft Entra Private Access +### :::image type="icon" source="images/microsoft-entra-private-access.svg" border="false"::: Microsoft Entra Private Access -:::row::: - :::column span="1"::: -:::image type="content" source="images/microsoft-entra-private-access.png" alt-text="Logo of Microsoft Entra Private Access." border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. - :::column-end::: -:::row-end::: +Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. [!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Entra Private Access][LINK-4] -### Microsoft Entra Internet Access +### :::image type="icon" source="images/microsoft-entra-internet-access.svg" border="false"::: Microsoft Entra Internet Access -:::row::: - :::column span="1"::: -:::image type="content" source="images/microsoft-entra-internet-access.png" alt-text="Logo of Microsoft Entra Internet Access." 
border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. - :::column-end::: -:::row-end::: +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. > [!NOTE] > Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. 
@@ -99,16 +78,9 @@ Available to any organization with a Microsoft Entra ID Premium[\[4\]](conc - [Enterprise State Roaming in Microsoft Entra ID][LINK-7] -## Azure Attestation service +## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service -:::row::: - :::column span="1"::: -:::image type="content" source="images/azure-attestation.png" alt-text="Logo of Azure Attestation service." border="false"::: - :::column-end::: - :::column span="3"::: - Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access. - :::column-end::: -:::row-end::: +Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access. **Attestation policies are configured in the Azure Attestation service which can then:** 
@@ -122,16 +94,9 @@ Once this verification is complete, the attestation service returns a signed rep - [Azure Attestation overview][LINK-8] -## Microsoft Defender for Endpoint +## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint -:::row::: - :::column span="1"::: -:::image type="content" source="images/defender-for-endpoint.png" alt-text="Logo of Microsoft Defender for Endpoint." border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. - :::column-end::: -:::row-end::: +Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: 
@@ -177,16 +142,9 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that - [Remote wipe CSP][LINK-10] -## Microsoft Intune +## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune -:::row::: - :::column span="1"::: -:::image type="content" source="images/microsoft-intune.png" alt-text="Logo of Microsoft Intune." border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. - :::column-end::: -:::row-end::: +Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. 
@@ -210,16 +168,9 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif - [Windows enrollment attestation][LINK-13] -### Microsoft Cloud PKI +### :::image type="icon" source="images/microsoft-cloud-pki.svg" border="false"::: Microsoft Cloud PKI -:::row::: - :::column span="1"::: -:::image type="content" source="images/microsoft-cloud-pki.png" alt-text="Logo of Microsoft Cloud PKI." border="false"::: - :::column-end::: - :::column span="3"::: - Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. - :::column-end::: -:::row-end::: +Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. Key features include: 
@@ -234,16 +185,9 @@ With Microsoft Cloud PKI, organizations can accelerate their digital transformat - [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) -### Endpoint Privilege Management (EPM) +### :::image type="icon" source="images/endpoint-privilege-management.svg" border="false"::: Endpoint Privilege Management (EPM) -:::row::: - :::column span="1"::: -:::image type="content" source="images/endpoint-privilege-management.png" alt-text="Logo of Endpoint Privilege Management." border="false"::: - :::column-end::: - :::column span="3"::: - Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. - :::column-end::: -:::row-end::: +Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. [!INCLUDE [learn-more](includes/learn-more.md)] 
@@ -352,16 +296,9 @@ By utilizing hotpatching through Windows Autopatch, the number of system restart - [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) -## OneDrive for work or school +## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school -:::row::: - :::column span="1"::: -:::image type="content" source="images/onedrive.png" alt-text="Logo of Onedrive." border="false"::: - :::column-end::: - :::column span="3"::: - OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. - :::column-end::: -:::row-end::: +OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. 
@@ -378,16 +315,9 @@ There are several ways that OneDrive for work or school is protected at rest: - [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) -## Universal Print +## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print -:::row::: - :::column span="1"::: -:::image type="content" source="images/universal-print.png" alt-text="Logo of Universal Print." border="false"::: - :::column-end::: - :::column span="3"::: - Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. - :::column-end::: -:::row-end::: +Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. 
Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md index 58136fcd41..478367613e 100644 --- a/windows/security/book/features-index.md +++ b/windows/security/book/features-index.md @@ -7,4 +7,4 @@ ms.date: 11/18/2024 # Features index -[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file +[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#-microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows Security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index 96baea25d3..40d2e4935b 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
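Review bot: seven index entries switch to icon-style anchors (`#-azure-attestation-service`, `#-microsoft-cloud-pki`, `#-microsoft-defender-for-endpoint`, `#-microsoft-entra-id`, `#-microsoft-intune`, `#-onedrive-for-work-or-school`, `#-universal-print`), but only the OneDrive and Universal Print headings are visible in this diff; confirm the other five headings in cloud-services-protect-your-work-information.md actually gained the icon, otherwise those links dead-end. `[Windows security]` becomes `[Windows Security]` while the anchor stays `#windows-security`, which still resolves, but the target heading's casing should match the link text. The change also adds an HVPT section to hardware-security-silicon-assisted-security.md without adding an index entry for it; add one following the same pattern. Finally, the file still ends without a trailing newline on both sides of the diff; add one.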
@@ -42,16 +42,16 @@ With new installs of Windows 11, OS support for VBS and HVCI is turned on by def - [Enable virtualization-based protection of code integrity][LINK-2] +### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT) + +Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures. + ### Hardware-enforced stack protection Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support. 
-[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Hypervisor-Enforced Paging Translation (HVPT) - formerly HLAT - is a security feature designed to safeguard linear address translations from tampering. It ensures the integrity of sensitive system structures, protecting them from write-what-where attacks. - [!INCLUDE [learn-more](includes/learn-more.md)] - [Understanding Hardware-enforced Stack Protection][LINK-3] diff --git a/windows/security/book/images/azure-attestation.png b/windows/security/book/images/azure-attestation.png deleted file mode 100644 index 0f2aa5aa89..0000000000 Binary files a/windows/security/book/images/azure-attestation.png and /dev/null differ diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg new file mode 100644 index 0000000000..0d5ef702de --- /dev/null +++ b/windows/security/book/images/azure-attestation.svg @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png index 702264c85f..e26a786101 100644 Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ diff --git a/windows/security/book/images/defender-for-endpoint.png b/windows/security/book/images/defender-for-endpoint.png deleted file mode 100644 index 5436972929..0000000000 Binary files a/windows/security/book/images/defender-for-endpoint.png and /dev/null differ diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg new file mode 100644 index 0000000000..35ff9ff372 --- /dev/null +++ b/windows/security/book/images/defender-for-endpoint.svg @@ -0,0 +1,3 @@ + + + 
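Review bot: the new HVPT section drops the "formerly HLAT" alias that the removed paragraph carried; readers coming from Intel documentation or older Microsoft posts search for HLAT, so keep the alias in the first sentence. Punctuation and repetition in the new paragraph: "write an arbitrary value to an arbitrary location often as the result of a buffer overflow" needs a comma before "often", and the third sentence ("HVPT helps to protect page tables that configure critical system data structures") largely restates the second; merge them into one sentence that says HVPT protects the page tables, which in turn hold the translations the first sentence describes.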
diff --git a/windows/security/book/images/endpoint-privilege-management.png b/windows/security/book/images/endpoint-privilege-management.png deleted file mode 100644 index 1b57dded9f..0000000000 Binary files a/windows/security/book/images/endpoint-privilege-management.png and /dev/null differ diff --git a/windows/security/book/images/endpoint-privilege-management.svg b/windows/security/book/images/endpoint-privilege-management.svg new file mode 100644 index 0000000000..7efbd9c1f1 --- /dev/null +++ b/windows/security/book/images/endpoint-privilege-management.svg @@ -0,0 +1,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png index 23664c4c63..79dbe2aee5 100644 Binary files a/windows/security/book/images/hardware-on.png and b/windows/security/book/images/hardware-on.png differ diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png index 834b6c5dca..a16761650c 100644 Binary files a/windows/security/book/images/hardware.png and b/windows/security/book/images/hardware.png differ diff --git a/windows/security/book/images/microsoft-cloud-pki.png b/windows/security/book/images/microsoft-cloud-pki.png deleted file mode 100644 index 15b14c6e7a..0000000000 Binary files a/windows/security/book/images/microsoft-cloud-pki.png and /dev/null differ diff --git a/windows/security/book/images/microsoft-cloud-pki.svg b/windows/security/book/images/microsoft-cloud-pki.svg new file mode 100644 index 0000000000..e3e369770f --- /dev/null +++ b/windows/security/book/images/microsoft-cloud-pki.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + 
diff --git a/windows/security/book/images/microsoft-entra-id.png b/windows/security/book/images/microsoft-entra-id.png deleted file mode 100644 index 4158a866f3..0000000000 Binary files a/windows/security/book/images/microsoft-entra-id.png and /dev/null differ diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg new file mode 100644 index 0000000000..7a9eff4282 --- /dev/null +++ b/windows/security/book/images/microsoft-entra-id.svg @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/windows/security/book/images/microsoft-entra-internet-access.png b/windows/security/book/images/microsoft-entra-internet-access.png deleted file mode 100644 index bb05dbfefd..0000000000 Binary files a/windows/security/book/images/microsoft-entra-internet-access.png and /dev/null differ diff --git a/windows/security/book/images/microsoft-entra-internet-access.svg b/windows/security/book/images/microsoft-entra-internet-access.svg new file mode 100644 index 0000000000..f4a72a686f --- /dev/null +++ b/windows/security/book/images/microsoft-entra-internet-access.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/microsoft-entra-private-access.png b/windows/security/book/images/microsoft-entra-private-access.png deleted file mode 100644 index 6dbecc415b..0000000000 Binary files a/windows/security/book/images/microsoft-entra-private-access.png and /dev/null differ diff --git a/windows/security/book/images/microsoft-entra-private-access.svg b/windows/security/book/images/microsoft-entra-private-access.svg new file mode 100644 index 0000000000..e28e5fff69 --- /dev/null +++ b/windows/security/book/images/microsoft-entra-private-access.svg @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/windows/security/book/images/microsoft-intune.png b/windows/security/book/images/microsoft-intune.png deleted file mode 100644 index 9e70c4f99c..0000000000 Binary files a/windows/security/book/images/microsoft-intune.png and /dev/null differ diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg new file mode 100644 index 0000000000..4651f1db01 --- /dev/null +++ b/windows/security/book/images/microsoft-intune.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/onedrive.png b/windows/security/book/images/onedrive.png deleted file mode 100644 index 187abfefe1..0000000000 Binary files a/windows/security/book/images/onedrive.png and /dev/null differ diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg new file mode 100644 index 0000000000..2f9f35ede0 --- /dev/null +++ b/windows/security/book/images/onedrive.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/universal-print.png b/windows/security/book/images/universal-print.png deleted file mode 100644 index c7fb73b046..0000000000 Binary files a/windows/security/book/images/universal-print.png and /dev/null differ diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg new file mode 100644 index 0000000000..d91cd2a276 --- /dev/null +++ b/windows/security/book/images/universal-print.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg new file mode 100644 index 0000000000..f8574a500f --- /dev/null +++ b/windows/security/book/images/windows-security.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md index b8e9d793fc..f6540ef8df 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md 
@@ -11,7 +11,7 @@ This article contains examples how to configure Windows Firewall rules using the ## Access the Windows Firewall with Advanced Security console -If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. +If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. Pay attention to the [Group policy processing considerations][GPPC] when using Group Policy. If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER. 
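Review bot: the added sentence tells the reader to "pay attention to" the Group Policy processing considerations but not what the consideration is; give the one-clause reason at the point of use (what the linked section's main point is) so the reader knows whether it applies before clicking through. While this paragraph is being edited, the following context line "In which case, to access the ... console" is a sentence fragment; "In that case, ..." reads correctly.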
@@ -176,3 +176,5 @@ Using the two rules configured as described in this topic helps to protect your 1. On the **Action** page, select **Allow the connection**, and then select **Next** 1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** 1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +[GPPC]: /windows/security/operating-system-security/network-security/windows-firewall/tools#group-policy-processing-considerations \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md index 8952b535cf..4de85b91d4 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/index.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md 
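Review bot: the `[GPPC]` reference definition is appended as the last line of the file and "\ No newline at end of file" persists on the new side; add the trailing newline so the next edit to this file doesn't produce a noisy diff on this line.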
@@ -73,6 +73,18 @@ The *public network* profile is designed with higher security in mind for public > [!TIP] > Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*. +## Disable Windows Firewall + +Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. +If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including: + +- Start menu can stop working +- Modern applications can fail to install or update +- Activation of Windows via phone fails +- Application or OS incompatibilities that depend on Windows Firewall + +The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. See [Manage Windows Firewall with the command line][MFWC] for detailed steps. + ## Next steps > [!div class="nextstepaction"] 
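Review bot: The two opening paragraphs of the new "Disable Windows Firewall" section run together: there is no blank line between "You shouldn't disable the firewall yourself for this purpose." and "If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service", so Markdown renders the recommendation and the warning as one paragraph. Insert a blank line there. Also, the `[FWRC]` link points at the `NET_FW_RULE_CATEGORY` enumeration, so "the [rule types][FWRC] of Windows Firewall" should read "rule categories" to match what the reader lands on. Minor style points in the same hunk: wrap `MpsSvc` in backticks as the file already does for `wf.msc` and `Get-NetConnectionProfile`; make the bullet list parallel ("The Start menu can stop working", "Modern applications can fail to install or update", "Activation of Windows by phone can fail"); and the last bullet, "Application or OS incompatibilities that depend on Windows Firewall", is not a problem statement on its own, something like "Applications or OS features that depend on Windows Firewall can break" reads better. Finally, since the whole point of the section is to steer people away from stopping the service, it would help to say in one sentence what "disable the Windows Firewall Profiles" means (turning off the domain, private and public profiles) before deferring to the `[MFWC]` page for the commands.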
@@ -89,3 +101,6 @@ To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WI [FHUB]: feedback-hub:?tabid=2&newFeedback=true [NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2 [CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager +[BTF]: /windows/win32/fwp/basic-operation +[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line +[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
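Review bot: The three new reference definitions (`[BTF]`, `[MFWC]`, `[FWRC]`) are appended after the existing `[CSP-1]` entry rather than in the order they are first used in the body (`[BTF]`, `[FWRC]`, `[MFWC]`); reordering is optional, but `[FWRC]` resolving to `/windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category` confirms the body text should call these "rule categories", not "rule types". Check that this file ends with a trailing newline as well, since the sibling file in this change did not.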
