mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 11:23:45 +00:00
Update links
@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/02/2023
ms.date: 06/05/2023
ms.topic: include
---
@ -9,53 +9,53 @@ ms.topic: include
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Secure Boot and Trusted Boot](https://learn.microsoft.com/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. |
| **[Measured boot](https://learn.microsoft.com/windows/compatibility/measured-boot)** | |
| **[Device health attestation service](https://learn.microsoft.com/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Endpoint Manager reviews device health and connects this information with Azure Active Directory for conditional access. |
| **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. |
| **[Measured boot](/windows/compatibility/measured-boot)** | |
| **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Endpoint Manager reviews device health and connects this information with Azure Active Directory for conditional access. |
## Virus And Threat Protection
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Microsoft Defender Antivirus](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus, includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus, includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user’s identity. Verification processes include Local Security Authority (LSA) which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft. LSA protection will be enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM/GP. |
| **[Attack surface reduction (ASR)](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as 1) Launching executable files and scripts that attempt to download or run files 2) Running obfuscated or otherwise suspicious scripts 3) Performing behaviors that apps don’t usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | |
| **[Microsoft Vulnerable Driver Blocklist](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to Windows 11 2022 Update, Windows enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Beginning with Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs and users can opt-in to enforce the policy from the Windows Security app. |
| **[Controlled folder access](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. Controlled folder access helps protect user’s valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use Group Policy in Azure Active Directory to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
| **[Microsoft Defender SmartScreen](https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location. IT can customize which notifications appear through Microsoft Endpoint Manager. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. Because Windows 11 comes with these enhancements already built-in and enabled, users have extra security from the moment they turn on their device. |
| **[Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents 1) Endpoint behavioral sensors, 2) Cloud security analytics 3) Threat intelligence 4) Rich response capabilities. |
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as 1) Launching executable files and scripts that attempt to download or run files 2) Running obfuscated or otherwise suspicious scripts 3) Performing behaviors that apps don’t usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | |
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to Windows 11 2022 Update, Windows enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Beginning with Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs and users can opt-in to enforce the policy from the Windows Security app. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. Controlled folder access helps protect user’s valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use Group Policy in Azure Active Directory to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location. IT can customize which notifications appear through Microsoft Endpoint Manager. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. Because Windows 11 comes with these enhancements already built-in and enabled, users have extra security from the moment they turn on their device. |
| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents 1) Endpoint behavioral sensors, 2) Cloud security analytics 3) Threat intelligence 4) Rich response capabilities. |
## Network Security
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Transport layer security (TLS)](https://learn.microsoft.com/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
| **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | "The current security standard for Wi-Fi Authentication is WPA3 which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows support 3 WPA3 modes – WPA3 personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B Window includes WPA3 personal with the new H2E protocol, and WPA3 Enterprise 192-bit Suite B Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication " |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
| **[Windows Firewall](https://learn.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security is an important part of a layered security model. It provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Win 11 Firewall offers the following benefits 1) Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. 2) Safeguards sensitive data and intellectual property: With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. 3) Extends the value of existing investments: Windows Firewall is a host based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual Private Network (VPN)](https://learn.microsoft.com/windows/security/identity-protection/vpn/vpn-guide)** | Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways. In Windows 11 we’ve integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane users can see the status of their VPN, start and stop the VPN tunnels, and with one click can go to the modern Settings app for more control. For E3 customers you have the option to have this always on by default. |
| **[Always On VPN (device tunnel)](https://learn.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
| **[Direct Access](https://learn.microsoft.com/windows-server/remote/remote-access/directaccess/directaccess)** | |
| **[Server Message Block (SMB) file service](https://learn.microsoft.com/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. SMB and file services are the most common Windows workload in the commercial and public sector ecosystem. In Windows 11, the SMB protocol has significant security updates to meet today’s threats, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and entirely new scenario, SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption. |
| **[Server Message Block Direct (SMB Direct)](https://learn.microsoft.com/windows-server/storage/file-server/smb-direct)** | In Windows 11 Enterprise, Education, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security is an important part of a layered security model. It provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Win 11 Firewall offers the following benefits 1) Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. 2) Safeguards sensitive data and intellectual property: With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. 3) Extends the value of existing investments: Windows Firewall is a host based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways. In Windows 11 we’ve integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane users can see the status of their VPN, start and stop the VPN tunnels, and with one click can go to the modern Settings app for more control. For E3 customers you have the option to have this always on by default. |
| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | |
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. SMB and file services are the most common Windows workload in the commercial and public sector ecosystem. In Windows 11, the SMB protocol has significant security updates to meet today’s threats, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and entirely new scenario, SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption. |
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | In Windows 11 Enterprise, Education, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
## Data Protection
| Security Measures | Features & Capabilities |
|:---|:---|
| **[BitLocker management](https://learn.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | |
| **[BitLocker enablement](https://learn.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune using a configuration service provider (CSP). BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
| **[Encrypted hard drive](https://learn.microsoft.com/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives. By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. Encrypted hard drives enable 1) Smooth performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate without performance degradation. 2) Strong security based in hardware: Encryption is always “on” and the keys for encryption never leave the hard drive. The drive authenticates users independently from the operating system before it unlocks. 3) Ease of use: Encryption is transparent to the user and the user does not need to enable it. Encrypted hard drives are easily erased using an on-board encryption key; there is no need to re-encrypt data on the drive. 4) Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. |
| **[Personal data encryption (PDE)](https://learn.microsoft.com/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. Windows Hello for Business, either with PIN or biometrics (Face or Fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. |
| **[Email Encryption (S/MIME)](https://learn.microsoft.com/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. These encrypted messages can be sent by a user to people within their organization as well as external contacts if they have proper encryption certificates. |
| **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | |
| **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune using a configuration service provider (CSP). BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
| **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives. By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. Encrypted hard drives enable 1) Smooth performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate without performance degradation. 2) Strong security based in hardware: Encryption is always “on” and the keys for encryption never leave the hard drive. The drive authenticates users independently from the operating system before it unlocks. 3) Ease of use: Encryption is transparent to the user and the user does not need to enable it. Encrypted hard drives are easily erased using an on-board encryption key; there is no need to re-encrypt data on the drive. 4) Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. |
| **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. Windows Hello for Business, either with PIN or biometrics (Face or Fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. |
| **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. These encrypted messages can be sent by a user to people within their organization as well as external contacts if they have proper encryption certificates. |
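Review bot: the **[BitLocker management]** row carried as unchanged context in this hunk has an empty Features & Capabilities cell, so the rendered table shows a bare link with no description next to it; either supply a one-line description or drop the row until the text exists. The same hunk's Encrypted hard drive cell packs four benefits into one run of `1) Smooth performance: ... 2) Strong security based in hardware: ... 3) Ease of use: ... 4) Lower cost of ownership: ...`, which reads as a flattened bullet list; `<br>`-separated items inside the cell would keep the structure in a markdown table. The link changes themselves (absolute `https://learn.microsoft.com/...` URLs replaced with site-relative `/windows/security/...` paths for the PDE and S/MIME rows) leave the row text unchanged and match the form already used by the BitLocker and Encrypted hard drive rows.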
## Modern Device Management
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Windows Security policy settings and auditing](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies IT administrators can use to help protect Windows devices and other resources in your organization. Security settings policies are rules you can configure on a device, or multiple devices, to control - User authentication to a network or device, Resources users are permitted to access, Whether to record a user’s or group’s actions in the event log, Membership in a group. |
| **[Secured-core configuration lock](https://learn.microsoft.com/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. |
| **[Assigned Access (kiosk mode)](https://learn.microsoft.com/windows/configuration/kiosk-methods)** | |
| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies IT administrators can use to help protect Windows devices and other resources in your organization. Security settings policies are rules you can configure on a device, or multiple devices, to control - User authentication to a network or device, Resources users are permitted to access, Whether to record a user’s or group’s actions in the event log, Membership in a group. |
| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. |
| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | |
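Review bot: the **[Assigned Access (kiosk mode)]** row in this hunk keeps an empty Features & Capabilities cell after the link update, so it renders as a link with nothing beside it; a short description should be added in the same change, or the row held back until one exists. In the Windows Security policy settings row the cell ends with `to control - User authentication to a network or device, Resources users are permitted to access, Whether to record a user’s or group’s actions in the event log, Membership in a group.`, a comma-joined list that lost its bullets when flattened into the table; `<br>`-separated items or a parenthetical list would restore readability. The three link edits (absolute `https://learn.microsoft.com/...` URLs to site-relative `/windows/...` paths) are consistent with each other and with the earlier table in this file.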