mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-07 18:17:22 +00:00
updates
This commit is contained in:
parent
8506dff859
commit
1a254f5907
@ -78,6 +78,20 @@ Windows 11 built-in management features include:
- [Mobile device management overview](/windows/client-management/mdm-overview)
### Remote wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp)
## Microsoft Intune
Microsoft Intune<sup>[\[15\]](conclusion.md#footnote15)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
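Review bot: the Intune footnote in the new paragraph uses [15] (conclusion.md#footnote15), while the Microsoft Azure Attestation Service paragraph further down in this same file cites Microsoft Intune with [9] (conclusion.md#footnote9); either the two are meant to be different notes, in which case the difference should be deliberate, or one of them is wrong, so verify that footnote15 exists in conclusion.md and that one product carries one footnote throughout the article. Also, the new "### Remote wipe" subsection is a near-verbatim copy of the existing "## Remote Wipe" section, with "MDM Solutions<sup>[\[9\]]</sup>" replaced by "device management solutions" and the link text changed from "Remote Wipe CSP" to "Remote wipe CSP"; if the old section is removed later in this commit, settle on one capitalization for the CSP name that matches the title of the linked CSP page.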
@ -92,6 +106,16 @@ Windows 11 enables IT professionals to move to the cloud while consistently enfo
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
### Windows enrollment attestation
When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates cannot be transferred from one device to another, maintaining the integrity of the enrollment process.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
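Review bot: the new "### Windows enrollment attestation" subsection restates the existing "## MDM enrollment certificate attestation" section almost word for word; the hunk at -116,14 +140,6 looks like the matching removal of the old section, so the duplication is acceptable only if both land in the same commit. One wording point in the threat description: "malicious actors can remove enrollment certificates and use them on unmanaged PCs" reads as if the certificate is deleted from the managed device; the risk being described is that the certificate and its private key are copied and reused elsewhere, which is exactly what TPM binding prevents, so "extract the enrollment certificate and key and reuse them on an unmanaged PC" states the point more precisely and makes the TPM sentence that follows read as the direct mitigation.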
@ -116,14 +140,6 @@ With Intune, organizations can also extend MAM App Config, MAM App Protection, a
- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
## MDM enrollment certificate attestation
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
## Local Administrator Password (LAPs)
Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS, organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
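Review bot: the heading "Local Administrator Password (LAPs)" has the abbreviation in the wrong casing and omits the word it abbreviates; the body text uses "LAPS", so the heading should read "Local Administrator Password Solution (LAPS)" and the first sentence "Local Administrator Password Solution was a key consideration". Also, the "Data protection for Windows MAM" link carries a "?formCode=MG0AV3" tracking query string that none of the other /mem/intune links in this file have; drop it so the link resolves to the plain docs path.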
@ -160,20 +176,6 @@ The security baseline has been enhanced with over 70 new settings, enabling loca
- [Intune security baseline overview](/mem/intune/protect/security-baselines)
- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
## Remote Wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
## Microsoft Azure Attestation Service
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
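Review bot: this hunk drops the standalone "## Remote Wipe" section (net 14 lines removed), which pairs with the subsection added under the built-in management features earlier in the commit; the removed version attached footnote [9] to "MDM Solutions" and the new version carries no footnote, so confirm that note is no longer needed there. In the Microsoft Azure Attestation Service paragraph that remains as context, the same footnote [9] is attached to both Microsoft Intune and Microsoft Entra ID; if [9] is a generic note that applies to several products, it should also be the one used for Intune in the new "## Microsoft Intune" section instead of [15], otherwise the two sections disagree about which footnote Intune carries.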
@ -225,7 +227,7 @@ There's a lot more to learn about Windows Autopatch: this [Forrester Consulting
- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
## Windows Autopilot and zero-touch deployment
## Windows Autopilot
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles for employees, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
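Review bot: renaming the heading from "Windows Autopilot and zero-touch deployment" to "Windows Autopilot" changes the section's generated anchor, so any TOC entry, in-page link or other article that links to #windows-autopilot-and-zero-touch-deployment will break; search the repo for that anchor and update it, or keep the longer heading. The paragraph still covers zero-touch reset, repurpose and recovery, so the shorter heading loses nothing, but "enhancing efficiency with a process that's both easy and simple" says the same thing twice and could be trimmed to "with a process that's simple to run".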
File diff suppressed because one or more lines are too long
Binary file not shown. Before: 1.4 MiB. After: 1.4 MiB.
Binary file not shown. Before: 698 KiB. After: 697 KiB.
@ -64,8 +64,14 @@ With the first release of PDE (Windows 11, version 22H2), the PDE API was availa
## Email encryption
Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them<sup>[\[10\]](conclusion.md#footnote10)</sup>. Users can digitally sign a message, which verifies the identity of the sender and ensures the message hasn't been tampered with.
Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them<sup>[\[10\]](conclusion.md#footnote10)</sup>. Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
These encrypted messages can be sent by a user to people within their organization and external contacts who have proper encryption certificates.
The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates aren't available, the app asks you to remove these recipients before sending the email.
When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
- [Email encryption](/purview/email-encryption)
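Review bot: the new paragraph says the new Outlook supports Microsoft Purview Message Encryption, S/MIME, and IRM, but the recipient requirements that follow (decryption keys, Outlook asking you to remove recipients whose certificates aren't available) apply to S/MIME only; Purview Message Encryption does not require the recipient to hold a certificate, so keep the "When using Secure/Multipurpose Internet Mail Extensions (S/MIME)" opener, which correctly scopes that paragraph, and consider one sentence on how recipients of Purview-encrypted mail read it, otherwise a reader may take the certificate requirement to cover all three methods. One precision point on signing: a digital signature lets recipients verify the sender and detect tampering; it does not by itself "ensure the message hasn't been tampered with", so "and lets recipients detect any tampering" is the more accurate phrasing. Dropping the Windows 11 Mail app sentence about messages being readable only on the recipient's Exchange account is consistent with the rest of the hunk describing the new Outlook instead, but double-check no other section of the article still refers to the Mail app.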