Merge branch 'main' into patch-9

This commit is contained in:
Tiara Quan
2023-07-27 20:32:26 -07:00
committed by GitHub
44 changed files with 14690 additions and 14652 deletions

View File

@ -0,0 +1,149 @@
---
title: CloudDesktop CSP
description: Learn more about the CloudDesktop CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudDesktop-Begin -->
# CloudDesktop CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- CloudDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-Editable-End -->
<!-- CloudDesktop-Tree-Begin -->
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
- [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
<!-- CloudDesktop-Tree-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Begin -->
## EnableBootToCloudSharedPCMode
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview [10.0.22631.2050] |
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-End -->
<!-- Device-EnableBootToCloudSharedPCMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/CloudDesktop/EnableBootToCloudSharedPCMode
```
<!-- Device-EnableBootToCloudSharedPCMode-OmaUri-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Description-Begin -->
<!-- Description-Source-DDF -->
Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
<!-- Device-EnableBootToCloudSharedPCMode-Description-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-EnableBootToCloudSharedPCMode-Editable-End -->
<!-- Device-EnableBootToCloudSharedPCMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | false |
<!-- Device-EnableBootToCloudSharedPCMode-DFProperties-End -->
<!-- Device-EnableBootToCloudSharedPCMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Not configured. |
| true | Boot to cloud shared pc mode enabled. |
<!-- Device-EnableBootToCloudSharedPCMode-AllowedValues-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-EnableBootToCloudSharedPCMode-Examples-End -->
<!-- Device-EnableBootToCloudSharedPCMode-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## EnableBootToCloudSharedPCMode technical reference
EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
> [!NOTE]
> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
### MDM Policies
When this mode is enabled, these MDM policies are applied for the Device scope (all users):
| Setting | Value | Value Description |
|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
### Group Policies
When this mode is enabled, these local group policies are configured for all users:
| Policy setting | Status |
|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Windows Components/Microsoft Passport for Work | Disabled |
| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
| System/Logon/Do not process the legacy run list | Enabled |
### Registry
When this mode is enabled, these registry changes are performed:
| Registry setting | Status |
|----------------------------------------------------------------------------------------------|--------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
<!-- CloudDesktop-CspMoreInfo-End -->
<!-- CloudDesktop-End -->
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
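Review bot: the technical reference lists everything EnableBootToCloudSharedPCMode applies, but not what happens when the node is deleted or set back to `false`, even though the Access Type row lists Delete and Replace; state whether the MDM policies, local group policies and registry values in the three tables are reverted or left in place, because an admin piloting this on a shared device needs to know how to undo it. Two smaller points: the Registry table's second column is headed `Status` but holds DWORD data (`0`), so `Value` fits better, and the paths should name the hive (`HKLM`). The description under `<!-- Description-Source-DDF -->` ("seamlessly sign-in to a Cloud PC", "use for shared purpose", "shared pc") is pulled from the DDF, so wording fixes belong in the DDF `<Description>` rather than here, or they will be overwritten on the next generation.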

View File

@ -0,0 +1,95 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
# CloudDesktop DDF file
The following XML file contains the device description framework (DDF) for the CloudDesktop configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>CloudDesktop</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The CloudDesktop configuration service provider is used to configure different Cloud PC related scenarios.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableBootToCloudSharedPCMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable boot to cloud shared PC mode</DFTitle>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Not configured</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Boot to cloud shared pc mode enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related articles
[CloudDesktop configuration service provider reference](clouddesktop-csp.md)
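Review bot: the `<Description>` for EnableBootToCloudSharedPCMode is the source text for the auto-generated CSP page, so grammar fixes need to land here: "sign-in" is used as a verb twice and should be "sign in", "use for shared purpose" should read "use it for a shared purpose", and "shared pc" should match the casing used in the `<DFTitle>` ("shared PC"). It would also help to name which Cloud Provider application is meant and to say what the node does when that application isn't installed or the user has no Cloud PC provisioned, since the text only states that both "must" be present.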

View File

@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 07/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -71,6 +71,69 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
<!-- BootToCloudMode-End -->
<!-- SetMaxConnectionTimeout-Begin -->
## SetMaxConnectionTimeout
<!-- SetMaxConnectionTimeout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview [10.0.22631.2050] |
<!-- SetMaxConnectionTimeout-Applicability-End -->
<!-- SetMaxConnectionTimeout-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudDesktop/SetMaxConnectionTimeout
```
<!-- SetMaxConnectionTimeout-OmaUri-End -->
<!-- SetMaxConnectionTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
IT admins can use this policy to set the max connection timeout. The connection timeout decides the max wait time for connecting to Cloud PC after sign in. The default max value is 5 min. For best user experience, it's recommended to continue with the default timeout of 5 min. Update only if it takes more than 5 min to connect to the Cloud PC in your organization.
<!-- SetMaxConnectionTimeout-Description-End -->
<!-- SetMaxConnectionTimeout-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaxConnectionTimeout-Editable-End -->
<!-- SetMaxConnectionTimeout-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 5 |
<!-- SetMaxConnectionTimeout-DFProperties-End -->
<!-- SetMaxConnectionTimeout-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 5 (Default) | 5 min. |
| 6 | 6 min. |
| 7 | 7 min. |
| 8 | 8 min. |
| 9 | 9 min. |
| 10 | 10 min. |
| 11 | 11 min. |
| 12 | 12 min. |
| 13 | 13 min. |
| 14 | 14 min. |
| 15 | 15 min. |
| 16 | 16 min. |
| 17 | 17 min. |
| 18 | 18 min. |
| 19 | 19 min. |
| 20 | 20 min. |
<!-- SetMaxConnectionTimeout-AllowedValues-End -->
<!-- SetMaxConnectionTimeout-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaxConnectionTimeout-Examples-End -->
<!-- SetMaxConnectionTimeout-End -->
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-CspMoreInfo-End -->
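Review bot: the description says "The default max value is 5 min" and "Update only if it takes more than 5 min", but never states the supported range; the Allowed values table enumerates 5 through 20 and nothing else, so say explicitly that the value is whole minutes from 5 to 20 and what happens when a value outside that range is written (rejected or clamped). "default max value" also reads oddly for a default; "The default timeout is 5 minutes; the largest value that can be set is 20" is clearer. The CspMoreInfo block for this area is left empty while the new clouddesktop-csp.md page in this same PR carries a technical reference for the related node; consider cross-linking the two.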

View File

@ -1,80 +0,0 @@
---
title: CloudPC Policy CSP
description: Learn more about the CloudPC Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- CloudPC-Begin -->
# Policy CSP - CloudPC
<!-- CloudPC-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPC-Editable-End -->
<!-- CloudPCConfiguration-Begin -->
## CloudPCConfiguration
<!-- CloudPCConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- CloudPCConfiguration-Applicability-End -->
<!-- CloudPCConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration
```
<!-- CloudPCConfiguration-OmaUri-End -->
<!-- CloudPCConfiguration-Description-Begin -->
<!-- Description-Source-DDF -->
This policy is used by IT admin to set the configuration mode of cloud PC.
<!-- CloudPCConfiguration-Description-End -->
<!-- CloudPCConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Editable-End -->
<!-- CloudPCConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- CloudPCConfiguration-DFProperties-End -->
<!-- CloudPCConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Fast Switching Configuration. |
| 1 | Boot to cloud PC Configuration. |
<!-- CloudPCConfiguration-AllowedValues-End -->
<!-- CloudPCConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CloudPCConfiguration-Examples-End -->
<!-- CloudPCConfiguration-End -->
<!-- CloudPC-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CloudPC-CspMoreInfo-End -->
<!-- CloudPC-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
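Review bot: this removes policy-csp-cloudpc.md outright, and although the TOC entries are removed in the same change, I don't see a redirect in the diff; without one, existing links and bookmarks to the CloudPC/CloudPCConfiguration page will 404. The deleted page documented value 1 as "Boot to cloud PC Configuration", and the new clouddesktop-csp.md table points at `policy-csp-clouddesktop.md#boottocloudmode` for the same behaviour, so that anchor is the natural redirect target.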

View File

@ -384,8 +384,6 @@ items:
href: policy-csp-cellular.md
- name: CloudDesktop
href: policy-csp-clouddesktop.md
- name: CloudPC
href: policy-csp-cloudpc.md
- name: Connectivity
href: policy-csp-connectivity.md
- name: ControlPolicyConflict
@ -631,6 +629,11 @@ items:
items:
- name: ClientCertificateInstall DDF file
href: clientcertificateinstall-ddf-file.md
- name: CloudDesktop
href: clouddesktop-csp.md
items:
- name: CloudDesktop DDF file
href: clouddesktop-ddf-file.md
- name: CM_CellularEntries
href: cm-cellularentries-csp.md
- name: CMPolicy

View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.topic: article
ms.date: 05/09/2023
ms.date: 07/27/2023
ms.technology: itpro-updates
ms.collection: tier3
---
@ -18,7 +18,7 @@ ms.collection: tier3
- Windows 10
- Windows 11
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a software-only caching solution that delivers Microsoft content. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Supported scenarios
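Review bot: the reworded paragraph now says "free" twice in consecutive sentences ("is a free software-only caching solution" and "can be deployed free of charge"); one mention is enough, for example keep "free of charge" on the deployment sentence and drop "free" from the first.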
@ -37,4 +37,37 @@ Microsoft Connected Cache uses Delivery Optimization as the backbone for Microso
- Endpoint protection: Windows Defender definition updates
- Xbox: Xbox Game Pass (PC only)
Do you peer with [Microsoft (ASN 8075)](/azure/internet-peering/)? Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, and Edgecast. Microsoft Peering mainly caches dynamic content - by onboarding to Microsoft Connected Cache, you'll cache static content that otherwise would be served from the CDN.
For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
## How MCC works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
The following steps describe how MCC is provisioned and used:
1. The Azure portal is used to create and manage MCC nodes.
1. A shell script is used to provision the server and deploy the MCC application.
1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
- The publicly accessible IPv4 address of the server is configured on the portal.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
> [!NOTE]
> Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
1. Microsoft clients make the range requests for content from the MCC node.
1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will be served from cache.
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
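Review bot: the sub-bullets under step 3 are not parallel: the first is a full sentence ("The publicly accessible IPv4 address of the server is configured on the portal."), the second a fragment ("Providing the CIDR blocks..."), the third a sentence again; rewrite the Manual Routing bullet as "Provide the CIDR blocks..." or make all three sentences. Two smaller points: "Microsoft clients make the range requests for content" should drop "the", and since the Manual Routing bullet is what maps subscriber IP space to a cache node, it is worth saying whose address space may be entered (the operator's own subscriber ranges) rather than just "the client IP address space", so an operator doesn't enter ranges it doesn't serve.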

View File

@ -70,12 +70,12 @@
items:
- name: Manage Windows feature updates
href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- name: Windows quality and feature update reports
href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
items:

View File

@ -110,11 +110,11 @@ Autopatch groups set up the [feature updates for Windows 10 and later policies](
| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM |
| Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM |
| Windows Autopatch - DSS Policy [Ring2] | Windows Autopatch - Ring2 | Windows 10 20H2 | Make update available as soon as possible | December 14, 2022 | December 21, 2022 | 1 | May 8, 2023; 7:00PM |
| Windows Autopatch - DSS Policy [Ring3] | Windows Autopatch - Ring3 | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM |
| Windows Autopatch - DSS Policy [Last] | Windows Autopatch - Last | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM |
| Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
| Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00AM |
| Windows Autopatch - DSS Policy [Ring2] | Windows Autopatch - Ring2 | Windows 10 21H2 | Make update available as soon as possible | December 14, 2022 | December 21, 2022 | 1 | June 11, 2024; 1:00AM |
| Windows Autopatch - DSS Policy [Ring3] | Windows Autopatch - Ring3 | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00AM |
| Windows Autopatch - DSS Policy [Last] | Windows Autopatch - Last | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00AM |
### About Custom Autopatch groups
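Review bot: the rows move from Windows 10 20H2 to 21H2 and the support end date to "June 11, 2024; 1:00AM", but neither the old nor the new value carries a time zone, so add one (UTC or the zone intended). The column header "Day between deployment rings" should be "Days between deployment rings". The First/Final deployment ring availability dates of December 2022 are kept while the feature update version changes; confirm those dates still describe the 21H2 policy rather than the retired 20H2 one.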

View File

@ -14,11 +14,11 @@ The EA set on the NI file only applies to the currently active WDAC policies. If
In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).
To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies:
To mitigate any performance impact caused when the WDAC EA isn't valid or missing:
1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature;
2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies;
3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images
- Avoid updating the WDAC policies often.
- Run `ngen update` (on all machine architectures) to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies.
- Migrate applications to .NET Core (.NET 6 or greater).
## WDAC and .NET hardening
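Review bot: the rewrite drops two of the three previous mitigations, pre-compiling and signing the NI with the app developer and creating a signed catalog file for the native images, and replaces them with "Avoid updating the WDAC policies often" and "Migrate applications to .NET Core"; if the signing and catalog approaches no longer apply because the EA is tied to the active policy (as the first paragraph of this file says), state that, otherwise their removal loses the only mitigations that keep NI files allowed without relying on regeneration. "Avoid updating the WDAC policies often" also reads as advice against timely policy changes; qualify it as a performance trade-off (each policy change invalidates the EA on every NI file until `ngen update` has run) rather than a recommendation. Finally, "(on all machine architectures)" would be clearer as the concrete commands, since the 32-bit and 64-bit .NET Framework installations each ship their own ngen.exe.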

View File

@ -48,7 +48,9 @@ items:
href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
- name: Secured-core PC 🔗
href: /windows-hardware/design/device-experiences/oem-highly-secure-11
- name: Secured-core PC configuration lock
href: /windows/client-management/config-lock 🔗
- name: Kernel Direct Memory Access (DMA) protection
href: kernel-dma-protection-for-thunderbolt.md
- name: System Guard Secure Launch
href: system-guard-secure-launch-and-smm-protection.md
href: system-guard-secure-launch-and-smm-protection.md
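Review bot: the 🔗 marker on the new "Secured-core PC configuration lock" entry sits on the `href` line (`href: /windows/client-management/config-lock 🔗`) instead of the `name` line, so the emoji becomes part of the link target and the cross-repo link won't resolve; match the entry above it ("Secured-core PC 🔗" with a clean href). The trailing `href: system-guard-secure-launch-and-smm-protection.md` also appears twice at the end of the hunk; check that the file ends with a single copy and a trailing newline.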

View File

@ -29,7 +29,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
>[!NOTE]
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
## PIN is backed by hardware

View File

@ -1,110 +0,0 @@
### YamlMime:Landing
title: Windows Hello for Business documentation
summary: Learn how to manage and deploy Windows Hello for Business.
metadata:
title: Windows Hello for Business documentation
description: Learn how to manage and deploy Windows Hello for Business.
ms.topic: landing-page
ms.date: 03/09/2023
ms.collection:
- highpri
- tier1
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card
- title: About Windows Hello For Business
linkLists:
- linkListType: overview
links:
- text: Windows Hello for Business Overview
url: hello-overview.md
- linkListType: concept
links:
- text: Passwordless Strategy
url: passwordless-strategy.md
- text: Why a PIN is better than a password
url: hello-why-pin-is-better-than-password.md
- text: Windows Hello biometrics in the enterprise
url: hello-biometrics-in-enterprise.md
- text: How Windows Hello for Business works
url: hello-how-it-works.md
- linkListType: learn
links:
- text: Technical Deep Dive - Device Registration
url: hello-how-it-works-device-registration.md
- text: Technical Deep Dive - Provisioning
url: hello-how-it-works-provisioning.md
- text: Technical Deep Dive - Authentication
url: hello-how-it-works-authentication.md
- text: Technology and Terminology
url: hello-how-it-works-technology.md
- text: Frequently Asked Questions (FAQ)
url: hello-faq.yml
# Card
- title: Configure and manage Windows Hello for Business
linkLists:
- linkListType: concept
links:
- text: Windows Hello for Business Deployment Overview
url: hello-deployment-guide.md
- text: Planning a Windows Hello for Business Deployment
url: hello-planning-guide.md
- text: Deployment Prerequisite Overview
url: hello-identity-verification.md
- linkListType: how-to-guide
links:
- text: Hybrid Cloud Kerberos Trust Deployment
url: hello-hybrid-cloud-kerberos-trust.md
- text: Hybrid Azure AD Joined Key Trust Deployment
url: hello-hybrid-key-trust.md
- text: Hybrid Azure AD Joined Certificate Trust Deployment
url: hello-hybrid-cert-trust.md
- text: On-premises SSO for Azure AD Joined Devices
url: hello-hybrid-aadj-sso.md
- text: On-premises Key Trust Deployment
url: hello-deployment-key-trust.md
- text: On-premises Certificate Trust Deployment
url: hello-deployment-cert-trust.md
- linkListType: learn
links:
- text: Manage Windows Hello for Business in your organization
url: hello-manage-in-organization.md
- text: Windows Hello and password changes
url: hello-and-password-changes.md
- text: Prepare people to use Windows Hello
url: hello-prepare-people-to-use.md
# Card
- title: Windows Hello for Business Features
linkLists:
- linkListType: how-to-guide
links:
- text: Conditional Access
url: hello-feature-conditional-access.md
- text: PIN Reset
url: hello-feature-pin-reset.md
- text: Dual Enrollment
url: hello-feature-dual-enrollment.md
- text: Dynamic Lock
url: hello-feature-dynamic-lock.md
- text: Multi-factor Unlock
url: feature-multifactor-unlock.md
- text: Remote Desktop
url: hello-feature-remote-desktop.md
# Card
- title: Windows Hello for Business Troubleshooting
linkLists:
- linkListType: how-to-guide
links:
- text: Known Deployment Issues
url: hello-deployment-issues.md
- text: Errors During PIN Creation
url: hello-errors-during-pin-creation.md
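Review bot: deleting index.yml removes a landing page that other pages in this PR still link to: the identity table row `[Windows Hello for Business](hello-for-business/index.yml)` is visible in this same change set, and external bookmarks will carry the same URL, so a redirect from hello-for-business/index.yml to index.md should accompany the deletion (the TOC and the WebAuthn page are already repointed at index.md). Also check that every target the landing page linked, such as hello-overview.md, hello-identity-verification.md and feature-multifactor-unlock.md, remains reachable from index.md or the TOC, otherwise those pages become orphans.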

View File

@ -1,11 +1,9 @@
items:
- name: Windows Hello for Business documentation
href: index.yml
- name: Overview
href: index.md
- name: Concepts
expanded: true
items:
- name: Windows Hello for Business overview
href: hello-overview.md
- name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password

View File

@ -1,7 +1,7 @@
---
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 03/09/2023
ms.date: 07/27/2023
ms.topic: article
---
# WebAuthn APIs for passwordless authentication on Windows
@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
## What does this mean?
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.

View File

@ -1,26 +1,14 @@
---
title: Identity and access management
description: Learn more about identity and access protection technologies in Windows.
title: Windows identity protection
description: Learn more about identity protection technologies in Windows.
ms.topic: article
ms.date: 05/31/2023
ms.date: 07/27/2023
---
# Identity and access management
# Windows identity protection
Learn more about identity and access management technologies in Windows.
Learn more about identity protection technologies in Windows.
[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
| Section | Description |
|-|-|
| [Windows Hello for Business](hello-for-business/index.yml) | Windows Hello replaces passwords with strong two-factor authentication on client devices. The authentication consists of a type of user credential that is tied to a device and a biometric or PIN. |
| [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to the secrets can lead to credential theft attacks, such as *pass the hash* or *pass the ticket*. Credential Guard helps prevent such attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [User Account Control](../application-security/application-control/user-account-control/index.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references articles about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows. |
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |
[!INCLUDE [identity](../includes/sections/identity.md)]
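Review bot: the section table (Credential Guard, Remote Credential Guard, LAPS, UAC, smart cards, virtual smart cards, SmartScreen) is replaced by `[!INCLUDE [identity](../includes/sections/identity.md)]`, but that include is not part of this diff, so it cannot be confirmed here that the same topics remain reachable from the overview; please check it still surfaces at least Credential Guard and LAPS, which carry the most security-relevant guidance of the removed rows. The removed row for `password-support-policy.md` points at a file this commit deletes, so any remaining inbound links to it in the repo need a redirect entry or the build will break.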


@ -1,46 +0,0 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
ms.topic: article
ms.date: 11/20/2019
---
# Technical support policy for lost or forgotten passwords
Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don't work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
## How to reset a password for a domain account
If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
## How to reset a password for a Microsoft account
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.
## How to reset a password for a local account on a Windows device
Local accounts on a device include the device's Administrator account.
### Windows 10
If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
### Windows 8.1 or Windows 7
If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
## How to reset a hardware BIOS password
If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
## How to reset a password for an individual file
Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.
## Using third-party password tools
Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
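Review bot: this deletes a customer-facing support policy page outright, with no replacement content in this commit. The statements that Microsoft support engineers cannot retrieve or circumvent a lost or forgotten password, and the caution about third-party password-circumvention tools, are policy text that support cases link to, so the page needs a redirect target that still carries those statements rather than a generic landing page. If the content moved to support.microsoft.com, cite the new location in the commit message.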


@ -1,12 +1,10 @@
items:
- name: Overview
href: ../identity.md
- name: Windows credential theft mitigation guide
href: windows-credential-theft-mitigation-guide-abstract.md
href: index.md
- name: Passwordless sign-in
items:
- name: Windows Hello for Business 🔗
href: hello-for-business/index.yml
href: hello-for-business/index.md
- name: Windows presence sensing
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
- name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
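Review bot: the Overview entry moves from `../identity.md` to `index.md`, which implies the identity overview was relocated into this folder; the identity.md hunk in this commit shows the rewrite but not a rename, so confirm a redirect from the old `identity` URL is added. Dropping the 'Windows credential theft mitigation guide' entry is consistent with that page being deleted in this commit, and the `hello-for-business/index.yml` to `index.md` retarget matches the other hunks.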
@ -22,28 +20,24 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Technical support policy for lost or forgotten passwords
href: password-support-policy.md
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
items:
- name: Overview
href: access-control/access-control.md
displayName: ACL
- name: Local Accounts
href: access-control/local-accounts.md
- name: Security policy settings 🔗
href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Advanced credential protection
items:
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Enhanced phishing protection with SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
href: access-control/access-control.md
displayName: ACL/SACL
- name: Windows Defender Credential Guard
href: credential-guard/toc.yml
- name: Windows Defender Remote Credential Guard
href: remote-credential-guard.md
href: remote-credential-guard.md
- name: LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Local Accounts
href: access-control/local-accounts.md
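Review bot: `displayName: ACL/SACL` on the Access Control entry mixes levels, since a SACL is one kind of ACL; the pair a reader searches for is DACL/SACL, so `displayName: DACL/SACL` (or simply `ACL`) would be the better keyword. 'Local Accounts' now sits at the end of 'Advanced credential protection', beside Credential Guard and LSA Protection; it is an access-control topic and is more discoverable next to the Access Control entry it previously lived under. The removed and re-added `href: remote-credential-guard.md` pair looks like an indentation-only change, which is fine. Removing the 'Technical support policy for lost or forgotten passwords' entry needs the same redirect as the page deletion.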


@ -1,58 +0,0 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
ms.topic: conceptual
ms.date: 03/31/2023
---
# Windows Credential Theft Mitigation Guide Abstract
This article provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
- Identify high-value assets
- Protect against known and unknown threats
- Detect pass-the-hash and related attacks
- Respond to suspicious activity
- Recover from a breach
![Security stages.](images/security-stages.png)
## Attacks that steal credentials
Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk.
The types of attacks that are covered include:
- Pass the hash
- Kerberos pass the ticket
- Kerberos golden ticket and silver ticket
- Key loggers
- Shoulder surfing
## Credential protection strategies
This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers.
You'll learn how to architect a defense against credential theft:
- Establish a containment model for account privileges
- Harden and restrict administrative hosts
- Ensure that security configurations and best practices are implemented
## Technical countermeasures for credential theft
Objectives and expected outcomes are covered for each of these countermeasures:
- Use Windows 10 with Credential Guard
- Restrict and protect high-privilege domain accounts
- Restrict and protect local accounts with administrative privileges
- Restrict inbound network traffic
Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.
## Detecting credential attacks
This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
## Responding to suspicious activity
Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
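Review bot: deleting this abstract removes the only pointer in this doc set to the downloadable credential theft mitigation guide (`download.microsoft.com/.../Windows%2010%20credential%20theft%20mitigation%20guide.docx`), and the landing page hunk drops its link as well. If the guide is considered obsolete, say so in the commit message and redirect the page to the Credential Guard or identity protection overview; if it is still current, keep the download link somewhere, because topics it covers, such as detecting Kerberos golden and silver ticket use, are not addressed by any page this commit touches.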


@ -1,25 +0,0 @@
---
title: Windows identity and user security
description: Get an overview of identity security in Windows 11 and Windows 10
ms.reviewer:
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
ms.topic: article
---
# Windows identity and privacy
Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.
| Security capabilities | Description |
|:---|:---|
| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). |
| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|
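Review bot: this deleted overview was last dated 12/31/2017 and links to `hello-overview.md` and `credential-guard-how-it-works.md`, paths the rest of this commit is retiring, so removing it is reasonable. Note the front-matter title ('Windows identity and user security') and the H1 ('Windows identity and privacy') disagree, which suggests this was the long-standing public URL for the identity overview; add a redirect from it to the new identity protection overview rather than letting it return a 404.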


@ -21,7 +21,7 @@ ms.topic: include
| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
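Review bot: the `opt-in` to `opt in` change is correct for the verb form. While editing this row, consider making the security caveat explicit: 'enabled by default for all new Windows devices' together with 'users can opt in' means devices upgraded to Windows 11, version 22H2 do not get the vulnerable driver blocklist enforced unless HVCI is on or a user turns it on, which is the point an administrator needs. In the LSA Protection context row, 'non-UEFI lock' is unclear to readers and would benefit from a short gloss in a follow-up.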
@ -35,14 +35,14 @@ ms.topic: include
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
## Data Protection
## Encryption And Data Protection
| Security Measures | Features & Capabilities |
|:---|:---|
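Review bot: the new heading `## Encryption And Data Protection` capitalizes 'And'; the landing page link text for the same section reads 'Encryption and data protection', so `## Encryption and data protection` keeps the two consistent. The spacing fix in the Windows Firewall row ('Advanced Securityprovides') is fine. Two context lines in this hunk merit a follow-up: the 'Always On VPN (device tunnel)' row has an empty description cell, and 'WPA is a security certification programs' should be singular.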


@ -10,7 +10,6 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
@ -62,8 +61,6 @@ landingContent:
links:
- text: Trusted boot
url: operating-system-security\system-security\trusted-boot.md
- text: Encryption and data protection
url: operating-system-security/data-protection/index.md
- text: Windows security baselines
url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide
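Review bot: removing the 'Encryption and data protection' link from the landing page, in the same commit that renames the include section to 'Encryption And Data Protection', leaves `operating-system-security/data-protection/index.md` reachable only through the TOC; confirm this is intentional, since disk encryption is a common entry point for readers arriving from the landing page.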
@ -107,9 +104,7 @@ landingContent:
- linkListType: concept
links:
- text: Windows Hello for Business
url: identity-protection/hello-for-business/hello-overview.md
- text: Windows Credential Theft Mitigation
url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
url: identity-protection/hello-for-business/index.md
- text: Protect domain credentials
url: identity-protection/credential-guard/credential-guard.md
- text: Windows Defender Credential Guard


@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
1. When verified, give people and devices access to only necessary resources for the necessary amount of time
1. Use continuous analytics to drive threat detection and improve defenses
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
### Security, by default
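Review bot: the only change in this hunk is the link target moving from hello-overview.md to index.md, and the same retarget is repeated across several files in this commit; confirm that a redirect for the old hello-overview.md path is added alongside the rename, otherwise bookmarks and external links to the overview will break even though the in-repo links are updated here.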
@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
### Secured identities
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
### Connecting to cloud services

View File

@ -1,49 +0,0 @@
---
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
ms.topic: overview
ms.date: 09/22/2022
ms.reviewer: rafals
---
# Encryption and data protection in Windows client
When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
Encryption and data protection features include:
- Encrypted Hard Drive
- BitLocker
## Encrypted Hard Drive
Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
## BitLocker
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
Windows consistently improves data protection by improving existing options and providing new strategies.
## Personal Data Encryption (PDE)
<!-- Max 5963468 OS 32516487 -->
(*Applies to: Windows 11, version 22H2 and later*)
[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](encrypted-hard-drive.md)
- [BitLocker](bitlocker/index.md)
- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
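Review bot: this hunk deletes the data-protection index.md ("Encryption and data protection in Windows"), yet the data-protection toc.yml hunk later in this commit still carries `- name: Overview` / `href: index.md` as unchanged context, so the toc will point at a missing file unless a replacement index (for example an index.yml landing page) is added in one of the other changed files. If such a replacement exists, check that the PDE applicability note (Windows 11, version 22H2 and later) and the "See also" links to Encrypted Hard Drive, BitLocker and PDE are carried over rather than lost.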

View File

@ -16,7 +16,7 @@ ms.date: 03/13/2023
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
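Review bot: the link text here reads "Windows Hello for Business Overview" (capital O) while the security-options hunk in this same commit uses "Windows Hello for Business overview"; since the line is being rewritten anyway for the index.md retarget, align the casing, e.g. `- [Windows Hello for Business overview](../../../identity-protection/hello-for-business/index.md)`.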

View File

@ -1,13 +1,11 @@
items:
- name: Overview
href: index.md
- name: BitLocker
href: bitlocker/toc.yml
- name: Encrypted Hard Drive
href: encrypted-hard-drive.md
- name: Personal Data Encryption (PDE)
- name: Personal data encryption (PDE)
href: personal-data-encryption/toc.yml
- name: Configure S/MIME for Windows
- name: Email Encryption (S/MIME)
href: configure-s-mime.md
- name: Windows Information Protection (WIP)
href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
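Review bot: the two renamed entries use inconsistent casing: "Personal data encryption (PDE)" is sentence case while "Email Encryption (S/MIME)" is title case. The parent toc hunk in this commit uses sentence case ("Encryption and data protection"), so `- name: Email encryption (S/MIME)` would match. Also, the hunk header `-1,13 +1,11` reports a net removal of two lines but the visible hunk shows two removals balanced by two additions; double-check that the untouched-looking entries (Overview/index.md, Encrypted Hard Drive, Windows Information Protection) were not dropped unintentionally.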

View File

@ -7,7 +7,7 @@ items:
href: virus-and-threat-protection/toc.yml
- name: Network security
href: network-security/toc.yml
- name: Data protection
- name: Encryption and data protection
href: data-protection/toc.yml
- name: Device management
href: device-management/toc.yml

View File

@ -1,8 +1,6 @@
items:
- name: Microsoft Defender Antivirus 🔗
href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
preserveContext: true
- name: Attack surface reduction (ASR) 🔗
href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
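Review bot: removing the "Configuring LSA Protection" entry (an external link into the windows-server docs with `preserveContext: true`) drops this section's only pointer to LSA protection; make sure the topic remains reachable from the Windows security toc, for instance next to the Credential Guard entries touched elsewhere in this commit, since LSA hardening is part of the same credential-protection guidance.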

View File

@ -38,7 +38,7 @@ Requiring users to use long, complex passwords for authentication enhances netwo
### Best practices
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md).
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md).
### Location
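Review bot: besides the index.md retarget, the replaced line still reads "password-less authentication" while the zero-trust hunk in this same commit uses "passwordless"; since the whole line is rewritten here, align the spelling to "passwordless authentication" before `[Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md)`.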
@ -92,4 +92,4 @@ All users of a device with this setting enabled must use smart cards or a Window
## Related articles
- [Security Options](security-options.md)
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md)
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md)

View File

@ -1,4 +1,4 @@
items:
- name: Windows security
href: index.yml
expanded: true