diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 5d117ed99e..7efdfec5ae 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -1684,6 +1684,11 @@
"source_path": "windows/deployment/planning/windows-10-deployment-considerations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md",
+ "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview",
+ "redirect_document_id": false
}
]
}
diff --git a/education/windows/suspcs/index.md b/education/windows/suspcs/index.md
index 3e41143df7..34ae3b990a 100644
--- a/education/windows/suspcs/index.md
+++ b/education/windows/suspcs/index.md
@@ -2,7 +2,7 @@
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
ms.topic: how-to
-ms.date: 07/09/2024
+ms.date: 02/25/2025
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/includes/licensing/assigned-access.md b/includes/licensing/assigned-access.md
index 3a980896b0..30348f5e9d 100644
--- a/includes/licensing/assigned-access.md
+++ b/includes/licensing/assigned-access.md
@@ -20,13 +20,3 @@ The following table lists the Windows editions that support Assigned Access:
|IoT Enterprise LTSC|✅|
|Pro Education|✅|
|Pro|✅|
-
-
\ No newline at end of file
diff --git a/includes/licensing/shell-launcher.md b/includes/licensing/shell-launcher.md
index b44ad3f92b..07418aeb82 100644
--- a/includes/licensing/shell-launcher.md
+++ b/includes/licensing/shell-launcher.md
@@ -20,14 +20,4 @@ The following table lists the Windows editions that support Shell Launcher:
|IoT Enterprise LTSC|✅|
|Pro Education|❌|
|Pro|❌|
-
-
\ No newline at end of file
+|Home|❌|
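Review bot: The new `|Home|❌|` row appended to the Shell Launcher table has no counterpart in the Assigned Access include changed by the same commit (its hunk only strips trailing blank lines), so the two licensing tables would list different edition sets after this change. If Home is meant to be covered by both includes, add a matching `|Home|…|` row to includes/licensing/assigned-access.md; if Home already appears higher in that table, outside the hunk, disregard this. The earlier rows of both tables are outside the hunks, so I can't confirm from here.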
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 73dbb919ae..2a00963aef 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -5,7 +5,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 10/03/2017
-ms.topic: conceptual
+ms.topic: article
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index 65f0231016..c7c06cff12 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -5,7 +5,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 09/03/2023
-ms.topic: conceptual
+ms.topic: article
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index eefc2151ab..7b70ff0a60 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,7 +1,7 @@
---
title: Microsoft Entra integration with MDM
description: Microsoft Entra ID is the world's largest enterprise cloud identity management service.
-ms.topic: conceptual
+ms.topic: integration
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index aca40777f6..2b977fd6b9 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,7 +1,7 @@
---
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index c248120cff..6ddf688ccc 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,7 +1,7 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 2cea712e44..fb2030f3b1 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 66d42a4d90..8123971c28 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 785eb740cc..7e095632aa 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -2,7 +2,7 @@
title: Windows Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: article
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 725c23927a..dcc696bef2 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -2,7 +2,7 @@
title: Windows default media removal policy
description: Manage default media removal policy in Windows.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage default media removal policy
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index c08492c201..ec535d0f88 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device
description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
ms.localizationpriority: medium
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 052dc9e72a..8c545751a6 100644
--- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage Device Installation with Group Policy
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage Device Installation with Group Policy
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index fb091f005b..b96a1bb4ac 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -2,7 +2,7 @@
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Manage the Settings app with Group Policy
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 5e64dd2f66..6313cbca68 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -2,7 +2,7 @@
title: Create mandatory user profiles
description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Create mandatory user profiles
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 91ab1b998a..2123212ab0 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -2,7 +2,7 @@
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier1
diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md
index 65a263719f..9efea447c0 100644
--- a/windows/client-management/client-tools/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,7 +1,7 @@
---
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/01/2024
---
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index 2c34266131..579d7155d0 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -2,7 +2,7 @@
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
ms.date: 07/01/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# What version of Windows am I running?
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index f497c86712..bdf2eb1540 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -1,7 +1,7 @@
---
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
appliesto:
- ✅ Windows 11
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index 5f61783f99..4a33972765 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index cfc52d7c69..39ad4a5693 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,7 +1,7 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index db0f36a085..39777e659b 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -1,7 +1,7 @@
---
title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
-ms.topic: conceptual
+ms.topic: how-to
ms.localizationpriority: medium
ms.date: 07/08/2024
---
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 409c283821..ea24cc6e80 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,7 +1,7 @@
---
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 71b7fe55b9..589b1b90c1 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,7 +1,7 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 2a28981591..db582151c3 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -2,7 +2,7 @@
title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index 32b2fef7ef..6ae40cab14 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index f5969415ed..1e0c5d005e 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -1,7 +1,7 @@
---
title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index a43167be49..475dfb0985 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -3,7 +3,7 @@ title: Manage Windows devices in your organization - transitioning to modern man
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.localizationpriority: medium
ms.date: 07/08/2024
-ms.topic: conceptual
+ms.topic: article
---
# Manage Windows devices in your organization - transitioning to modern management
diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md
index 0a3b883dcd..1a1d05ff3c 100644
--- a/windows/client-management/mdm-collect-logs.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,7 +1,7 @@
---
title: Collect MDM logs
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
index 5610d29c34..1b62250e8e 100644
--- a/windows/client-management/mdm-diagnose-enrollment.md
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -1,7 +1,7 @@
---
title: Diagnose MDM enrollment failures
description: Learn how to diagnose enrollment failures for Windows devices
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.date: 07/08/2024
---
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index f57170b82c..b8023a8c8f 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,7 +1,7 @@
---
title: MDM enrollment of Windows devices
description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
-ms.topic: conceptual
+ms.topic: how-to
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
index 43e571ecb6..6534f06502 100644
--- a/windows/client-management/mdm-known-issues.md
+++ b/windows/client-management/mdm-known-issues.md
@@ -1,7 +1,7 @@
---
title: Known issues in MDM
description: Learn about known issues for Windows devices in MDM
-ms.topic: conceptual
+ms.topic: troubleshooting-known-issue
ms.date: 07/08/2024
---
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 1db4cb2fee..0bac6e35c0 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -2,7 +2,7 @@
title: Mobile Device Management overview
description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
ms.date: 07/08/2024
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.collection:
- highpri
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index bcb544c636..963ff93ebc 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
-- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
+- [DDF v2 Files, February 2025](https://download.microsoft.com/download/a8922fbe-20a9-431d-b24f-9d5344dda25e/DDFv2Feb25.zip)
## DDF v2 schema
@@ -574,6 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
+- [Download all the DDF files for Windows 10 and 11 September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip)
- [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index b3beaf7ff2..f03a64a586 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -2926,7 +2926,8 @@ This policy setting controls whether or not exclusions are visible to local admi
> [!NOTE]
-> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference.
+> Applying this setting won't remove exclusions from the device registry. They will be applied and enforced, but they will not be visible via the Defender manageability tools like Get-MpPreference nor by the registry editor to the Defender owned registry hive.
+
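Review bot: The rewritten note on the `+>` line ends awkwardly (`nor by the registry editor to the Defender owned registry hive`), and read together with its first sentence, which says the exclusions stay in the device registry, a reader may take the two as contradictory rather than as "present in the registry but hidden from Registry Editor". Suggest: `> Applying this setting doesn't remove exclusions from the device registry. They're still applied and enforced, but they aren't visible through Defender management tools such as Get-MpPreference or through Registry Editor in the Defender-owned registry hive.` The added trailing blank line may also leave a double blank line before whatever follows the note; the section continues outside the hunk.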
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
index 480281a102..756376d2de 100644
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -174,7 +174,7 @@ This policy setting allows you to specify which DNS host names and which DNS suf
> [!NOTE]
-> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit.
+> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. For more information, see [Kerberos realm to host mapping policy string-length limitations](https://support.microsoft.com/topic/e86856c2-1e02-43fe-9c58-d7c9d6386f01).
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index 214a73f052..5c3f785c04 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
ms.collection:
- highpri
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index 053a0dd779..7be08881f7 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,7 +1,7 @@
---
title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
-ms.topic: conceptual
+ms.topic: whats-new
ms.localizationpriority: medium
ms.date: 07/08/2024
---
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index 5caf42c5f0..7095cd64e9 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -1,7 +1,7 @@
---
title: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index e6c445b43c..16f7ade83e 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -1,7 +1,7 @@
---
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index e0842698e8..9d21cb1322 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index 92e09679f4..8931bdcdbf 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,7 +1,7 @@
---
title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index a1fcf0777c..2079c53f5a 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -1,7 +1,7 @@
---
title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/08/2024
---
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index f327359fe3..26f9a581c9 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -1,7 +1,7 @@
---
title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
index ca347147ab..e404a8bacd 100644
--- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -1,7 +1,7 @@
---
title: Using PowerShell scripting with the WMI Bridge Provider
description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index 363072d68c..eebd880b1e 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -1,7 +1,7 @@
---
title: Win32 and Desktop Bridge app ADMX policy Ingestion
description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index a9b47a78e9..a86920ff45 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,7 +1,7 @@
---
title: Enterprise settings and policy management
description: The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index 610f0e36b9..e9a528a68b 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,7 +1,7 @@
---
title: WMI providers supported in Windows
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/08/2024
---
diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md
index 26cb548ff8..15fb10a733 100644
--- a/windows/configuration/assigned-access/configuration-file.md
+++ b/windows/configuration/assigned-access/configuration-file.md
@@ -90,7 +90,7 @@ A configuration file can contain one or more profiles. Each profile is identifie
A profile can be one of two types:
-- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile don't access the desktop, but only the Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen above the Lock screen
+- `KioskModeApp`: is used to configure a kiosk experience. Users assigned this profile execute a Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen
- `AllAppList` is used to configure a restricted user experience. Users assigned this profile, access the desktop with the specific apps on the Start menu
> [!IMPORTANT]
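Review bot: The reworded `KioskModeApp` bullet drops the one property that makes the profile a security control: that users assigned it never reach the desktop, only the single full-screen app. The new sentence "execute a Universal Windows Platform (UWP) application or Microsoft Edge running in full-screen" describes what runs but no longer says what is blocked, which is the point an administrator choosing between `KioskModeApp` and `AllAppList` needs. Suggest keeping the restriction explicit, for example `- \`KioskModeApp\`: is used to configure a kiosk experience. Users assigned this profile don't access the desktop; they only run a Universal Windows Platform (UWP) application or Microsoft Edge in full-screen`. The surrounding `[!IMPORTANT]` block continues outside the hunk.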
@@ -149,7 +149,7 @@ Example:
Scores used in this report are calculated based on devices running both Windows 10 and Windows 11 versions. In this state, a ribbon appears on the landing page alerting the user that the diagnostic data needed to generate a report appears to be turned off. The report is available 24 and 48 hours after the following conditions are met:
- **Data type:** string
- **Value:** An http or https URL to a jpg, jpeg, or png image file. |
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **User Configuration\Administrative Templates\Desktop\Desktop** |Desktop Wallpaper | Fully qualified path and name of the image file. You can use a local path or a UNC path. |
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+## Configure the lock screen background
+
+**Windows edition requirements**. The following table summarizes the Windows editions and licensing requirements for configuring the lock screen background:
+
+| Windows edition | Intune/CSP | GPO |
+|:-|:-:|:-:|
+|Pro / Pro Education|✅|❌|
+|Enterprise / Education|✅|✅|
+|IoT Enterprise|✅|✅|
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Personalization** | Lock Screen Image Url| An http or https URL to a jpg, jpeg, or png image file. |
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Personalization CSP][CSP-1].
+
+| Setting |
+|--------|
+| - **OMA-URI:** `./Vendor/MSFT/Personalization/LockScreenImageUrl`
- **Data type:** string
- **Value:** An http or https URL to a jpg, jpeg, or png image file.|
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Control Panel\Personalization** | Force a specific default lock screen and logon image | Fully qualified path and name of the image file. You can use a local path or a UNC path.|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+> [!TIP]
+> You can also configure a custom lock screen image using [organizational messages in the Microsoft 365 admin center][M365-1].
+
+## User experience
+
+When the policy is applied, the lock screen and desktop background images are set to the specified URL or path. The images are downloaded and cached locally on the device. The images are displayed in the background when the user signs in, and on the lock screen when the user locks the device.
+
+## Windows spotlight
+
+Windows spotlight is a feature that can display a different image on the lock screen and desktop background every day. Windows spotlight can also provide personalized content, such as tips and tricks for using Windows. You can configure a custom background image or lock screen image and still use Windows spotlight. When you do so, users can still receive suggestions, fun facts, tips, or organizational messages, but the background image is replaced with the custom image.
+
+To learn more, see [Configure Windows spotlight](../windows-spotlight/index.md).
+
+
+
+[CSP-1]: /windows/client-management/mdm/personalization-csp
+[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide
+[INT-1]: /mem/intune/configuration/settings-catalog
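Review bot: The new lock-screen section accepts an `http` URL (Intune/CSP rows) or a local/UNC path (GPO row, "Force a specific default lock screen and logon image") and says the image is downloaded and cached on the device, but it never warns that whoever can write to that URL or share controls what every user sees at the logon screen before authenticating. A practitioner caveat belongs near the "User experience" paragraph, for example `> [!NOTE] Use an https URL or a share that only administrators can write to; the image is displayed on the logon screen, so anyone who can replace the file can alter what users see before they sign in.` Separately, the context line about report scores and diagnostic data near the top of this hunk reads as if it was pasted from an unrelated report article and does not belong in a personalization topic; worth checking the source file.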
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index ec61311214..6c82ea8c13 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,7 +1,7 @@
---
title: How provisioning works in Windows
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/09/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a226b877f3..14273f9e99 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -2,7 +2,7 @@
title: Provisioning packages overview
description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages are and what they do.
ms.reviewer: kevinsheehan
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 07/08/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index d8292d3413..26ceb503e8 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -1,7 +1,7 @@
---
title: PowerShell cmdlets for provisioning packages in Windows
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows devices.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/09/2024
---
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index a4f68379ee..b203b2e332 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,7 +1,7 @@
---
title: Settings changed when you uninstall a provisioning package
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows desktop client devices.
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 07/09/2024
---
diff --git a/windows/configuration/settings/images/settings-page-visibility.png b/windows/configuration/settings/images/settings-page-visibility.png
new file mode 100644
index 0000000000..404bca9527
Binary files /dev/null and b/windows/configuration/settings/images/settings-page-visibility.png differ
diff --git a/windows/configuration/settings/page-visibility.md b/windows/configuration/settings/page-visibility.md
new file mode 100644
index 0000000000..c7f798daa6
--- /dev/null
+++ b/windows/configuration/settings/page-visibility.md
@@ -0,0 +1,84 @@
+---
+title: Configure the Settings Page Visibility in Windows
+description: Learn how to configure the pages listed in the Windows Settings app.
+ms.topic: how-to
+ms.date: 03/03/2025
+author: paolomatarazzo
+ms.author: paoloma
+---
+
+# Configure the Settings page visibility
+
+*Settings* is a Windows application that offers a unified interface to manage the system settings. In certain scenarios, you might want to restrict access to specific Settings pages to ensure a more controlled and secure environment. This is especially beneficial for devices used in specific environments, such as kiosks or student devices, where limiting access to certain options can prevent unauthorized changes and maintain a consistent user experience.
+
+:::image type="content" source="images/settings-page-visibility.png" alt-text="Screenshot of the Settings app configured with a policy setting to limit the categories displayed." border="false":::
+
+This article explains how to configure the Settings app and how to implement the configurations using Microsoft Intune, Configuration Service Provider (CSP), and Group Policy Object (GPO).
+
+## Page visibility list policy setting
+
+You can configure the visibility of Settings pages using the *page visibility list* policy setting. This policy allows you to block a given set of pages from the Settings app. Blocked pages aren't visible in the app and can't be accessed through direct navigation via Uniform Resource Identifier (URI), context menu in Explorer, or other means. Direct navigation to a blocked page results in the first page of Settings displayed instead.
+
+The page visibility list policy has two modes:
+
+- **Show Specific Pages**
+ - Start the policy string with `showonly:`
+ - Follow it with a list of Settings page identifiers, separated by semicolons
+- **Hide Specific Pages**
+ - Start the policy string with `hide:`
+ - Follow it with a list of Settings page identifiers, separated by semicolons
+
+> [!NOTE]
+> The identifier for any Settings page is the published URI for that page, minus the `ms-settings:` protocol part. For the list of categories and page identifiers, see [ms-settings: URI scheme reference](https://go.microsoft.com/fwlink/?linkid=2102995#ms-settings-uri-scheme-reference).
+
+## Examples
+
+Show only the **About** and **Bluetooth** pages. Their respective URIs are `ms-settings:about` and `ms-settings:bluetooth`:
+
+`showonly:about;bluetooth`
+
+Hide only the Bluetooth page, which has the URI `ms-settings:bluetooth`:
+
+`hide:bluetooth`
+
+## Configuration
+
+[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
+
+| Category | Setting name | Value |
+|--|--|--|
+| **Settings** | - Page Visibility List
- Page Visibility List (User)| List of URIs to show or hide, separated by semicolons.|
+
+[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
+
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].
+
+| Setting |
+|--|
+|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList`
- **Data type:** string
- **Value:** List of URIs to show or hide, separated by semicolons.
Or
- **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList`
- **Data type:** string
- **Value:** List of URIs to show or hide, separated by semicolons.|
+
+#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
+[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
+
+| Group policy path | Group policy setting | Value |
+| - | - | - |
+| **Computer Configuration\Administrative Templates\Control Panel**
Or
**User Configuration\Administrative Templates\Control Panel** | Settings Page Visibility | List of URIs to show or hide, separated by semicolons.|
+
+[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
+
+---
+
+## User Experience
+
+By controlling the visibility of Settings pages, you can create a customized user experience tailored to your organization's specific needs. Once the policy is applied, users have access only to the Settings pages you explicitly allow, ensuring a focused and streamlined interface.
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-settings#pagevisibilitylist
+[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide
+[INT-1]: /mem/intune/configuration/settings-catalog
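Review bot: The introduction presents the page visibility list as a way to "prevent unauthorized changes", but the article only describes hiding and blocking navigation to Settings pages; it does not say whether the underlying settings remain changeable through other interfaces (Control Panel, PowerShell, registry), so readers may treat this as a hardening control rather than a UI restriction. Suggest a hedged note after the policy description, for example `> [!NOTE] Hiding a Settings page restricts the Settings app only. To prevent users from changing the underlying setting through other means, configure the corresponding policy for that setting as well.` Also, the `[M365-1]` link reference at the bottom is never used in this article and appears copied from the personalization topic; drop it or use it.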
diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/shell-launcher/wedl-assignedaccess.md
index 6203943578..acdd00a9df 100644
--- a/windows/configuration/shell-launcher/wedl-assignedaccess.md
+++ b/windows/configuration/shell-launcher/wedl-assignedaccess.md
@@ -1,14 +1,16 @@
---
-title: WEDL\_AssignedAccess
-description: WEDL\_AssignedAccess
-ms.date: 05/20/2024
+title: WEDL_AssignedAccess
+description: WEDL_AssignedAccess
+ms.date: 02/25/2025
ms.topic: reference
---
-# WEDL\_AssignedAccess
+# WEDL_AssignedAccess
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
+[!INCLUDE [shell-launcher](../../../includes/licensing/assigned-access.md)]
+
## Syntax
```powershell
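Review bot: The include is labeled `shell-launcher` but points at `includes/licensing/assigned-access.md`, so the label is misleading for anyone maintaining the page; `[!INCLUDE [assigned-access](../../../includes/licensing/assigned-access.md)]` would match the file. More importantly, the removed Requirements table on this page stated Windows Pro is not supported, so the edition list in the shared include should be checked against that before the table is dropped, otherwise the page silently changes its supported-edition claim for a feature used to lock down kiosk accounts.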
@@ -129,13 +131,3 @@ if ($AssignedAccessConfig) {
"Could not set up assigned access account."
}
```
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md
index 3d7851941e..ce3019dbf0 100644
--- a/windows/configuration/shell-launcher/wesl-usersetting.md
+++ b/windows/configuration/shell-launcher/wesl-usersetting.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting
description: WESL_UserSetting
-ms.date: 05/02/2017
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -158,17 +160,3 @@ $ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
```
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
index 5633e7df6e..6be4813c8c 100644
--- a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetCustomShell
description: WESL_UserSetting.GetCustomShell
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -60,18 +62,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
index 9cabb200ab..c32948ad15 100644
--- a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.GetDefaultShell
description: WESL_UserSetting.GetDefaultShell
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method retrieves the default Shell Launcher configuration.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -40,18 +42,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
index fb4739ce37..1125bb1d92 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.IsEnabled
description: WESL_UserSetting.IsEnabled
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method retrieves a value that indicates if Shell Launcher is enabled or disabled.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -24,18 +26,3 @@ This method retrieves a value that indicates if Shell Launcher is enabled or dis
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
index fb1df0e87f..e5058577a9 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.RemoveCustomShell
description: WESL_UserSetting.RemoveCustomShell
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -28,18 +30,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
## Remarks
You must restart your device for the changes to take effect.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
index a90450063c..5b788c9295 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetCustomShell
description: WESL_UserSetting.SetCustomShell
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method configures Shell Launcher for a specific user or group, based on the security identifier (SID).
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -60,18 +62,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
index ec89600f38..d829d7d717 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetDefaultShell
description: WESL_UserSetting.SetDefaultShell
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method sets the default Shell Launcher configuration.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -40,18 +42,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
index 43aff8b5a7..64d952bf88 100644
--- a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
+++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md
@@ -1,7 +1,7 @@
---
title: WESL_UserSetting.SetEnabled
description: WESL_UserSetting.SetEnabled
-ms.date: 05/20/2024
+ms.date: 02/25/2025
ms.topic: reference
---
@@ -9,6 +9,8 @@ ms.topic: reference
This method enables or disables Shell Launcher.
+[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)]
+
## Syntax
```powershell
@@ -30,18 +32,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n
This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher.
Enabling or disabling Shell Launcher does not take effect until a user signs in.
-
-## Requirements
-
-| Windows Edition | Supported |
-|:-----------------------|:---------:|
-| Windows Home | No |
-| Windows Pro | No |
-| Windows Enterprise | Yes |
-| Windows Education | Yes |
-| Windows IoT Enterprise | Yes |
-
-## Related topics
-
-- [WESL_UserSetting](wesl-usersetting.md)
-- [Shell Launcher](index.md)
diff --git a/windows/configuration/start/includes/hide-recently-added-apps.md b/windows/configuration/start/includes/hide-recently-added-apps.md
index 92a4d13c36..8dac911b1b 100644
--- a/windows/configuration/start/includes/hide-recently-added-apps.md
+++ b/windows/configuration/start/includes/hide-recently-added-apps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 04/10/2024
+ms.date: 02/25/2025
ms.topic: include
---
@@ -9,14 +9,8 @@ ms.topic: include
With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications:
-- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out).
-- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured.
-
-> [!IMPORTANT]
-> Starting in Windows 11, version 22H2 with [KB5048685](https://support.microsoft.com/topic/4602-ea3736d3-6948-4fd7-9faf-8d732ac2ed59), the policy setting behavior changed.
->
-> - If **enabled**, the corresponding option in Settings can't be configured (grayed out). The policy setting doesn't affect the display of recently installed applications in the Recommended section of the Start menu.
-> - If **disabled** or **not configured**, the corresponding option in Settings can be configured.
+- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out)
+- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured
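Review bot: The rewritten bullets state unconditionally that enabling the policy removes the Recently added list, while the deleted `[!IMPORTANT]` note said that starting with Windows 11 22H2 and a specific update the policy no longer affects recently installed apps in the Recommended section. If that behavior change still holds, the new text is now wrong for updated devices; if it was reverted, the include should say so, since administrators rely on this policy to keep newly installed apps from being surfaced to users. Suggest either restoring a short version of the note or adding `Starting in Windows 11, version 22H2, this policy doesn't affect the Recommended section of the Start menu` (verify against the current behavior before publishing).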
| | Path |
|--|--|
diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md
index 88ca88a0d4..08a7751472 100644
--- a/windows/configuration/start/policy-settings.md
+++ b/windows/configuration/start/policy-settings.md
@@ -2,7 +2,7 @@
title: Start policy settings
description: Learn about the policy settings to configure the Windows Start menu.
ms.topic: reference
-ms.date: 07/10/2024
+ms.date: 02/25/2025
appliesto:
zone_pivot_groups: windows-versions-11-10
---
diff --git a/windows/configuration/taskbar/includes/show-notification-bell-icon.md b/windows/configuration/taskbar/includes/show-notification-bell-icon.md
new file mode 100644
index 0000000000..e6b888ea52
--- /dev/null
+++ b/windows/configuration/taskbar/includes/show-notification-bell-icon.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 02/25/2025
+ms.topic: include
+---
+
+### Show notification bell icon
+
+This policy setting allows you to show the notification bell icon in the system tray:
+
+- If you enable this policy setting, the notification icon is always displayed
+- If you disable or don't configure this policy setting, the notification icon is only displayed when there's a special status (for example, when *do not disturb* is turned on)
+
+> [!NOTE]
+> A reboot is required for this policy setting to take effect.
+
+| | Path |
+|--|--|
+| **CSP** |- `./User/Vendor/MSFT/Policy/Config/Start/`[AlwaysShowNotificationIcon](/windows/client-management/mdm/policy-csp-start#AlwaysShowNotificationIcon) |
+| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
+
+
[CSP-1]: /windows/client-management/mdm/policy-csp-experience
-[CSP-2]: /windows/client-management/mdm/personalization-csp
[INT-1]: /mem/intune/remote-actions/organizational-messages-overview
[M365-1]: /microsoft-365/admin/misc/organizational-messages-microsoft-365?view=o365-worldwide
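Review bot: The GPO row in the new include gives only the folder path `User Configuration > Administrative Templates > Start Menu and Taskbar` with no policy name, so a reader cannot find the setting, whereas the CSP row names `AlwaysShowNotificationIcon`; add the Group Policy setting name to that cell, for example `**Start Menu and Taskbar** > **Always show notification icon on the taskbar**` if that is the published name (verify against the ADMX). The trailing `[CSP-1]`/`[INT-1]`/`[M365-1]` reference lines and the `-[CSP-2]` deletion at the end of this hunk do not belong to a freshly created include file and look like lines from a different file merged into this hunk; worth checking the patch.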
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index 4b8d904b2e..0cd29c4772 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 11/23/2022
ms.subservice: itpro-deploy
---
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index 858a5e63bf..0d282bce4e 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 08/16/2024
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index d125b76faf..ea37b8ed81 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -6,8 +6,8 @@ description: Learn about deploying Windows with Microsoft 365 and how to use a f
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
-ms.topic: conceptual
-ms.date: 02/13/2024
+ms.topic: install-set-up-deploy
+ms.date: 02/27/2025
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/do/delivery-optimization-configure.md b/windows/deployment/do/delivery-optimization-configure.md
index 7722670c70..ac3bf9f54d 100644
--- a/windows/deployment/do/delivery-optimization-configure.md
+++ b/windows/deployment/do/delivery-optimization-configure.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Delivery Optimization
-ms.date: 07/23/2024
+ms.date: 02/27/2025
---
# Configure Delivery Optimization (DO) for Windows
@@ -232,7 +232,12 @@ Delivery Optimization is integrated with both Microsoft Endpoint Manager and Con
## Monitor Delivery Optimization
-Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. [Learn more](waas-delivery-optimization-monitor.md) about the monitoring options for Delivery Optimization.
+Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. The following options are available to monitor Delivery Optimization:
+
+- On clients, review the activity monitor, which displays a breakdown of downloads by source, average speed, and upload stats for the current month
+ - **Windows 11**: Settings > Windows Update > Advanced Options > Delivery Optimization > Activity Monitor
+ - **Windows 10**: Settings > Update & Security > Delivery Optimization > Activity Monitor
+- Windows Update for Business reports offers a Delivery Optimization report. For more information, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
## Troubleshoot Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index 3449e9f030..c0f4cd232b 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -3,7 +3,7 @@ title: Using a proxy with Delivery Optimization
description: Settings to use with various proxy configurations to allow Delivery Optimization to work in your environment.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: cmknox
ms.author: carmenf
manager: aaroncz
@@ -66,7 +66,7 @@ You can set a device-wide proxy that will apply to all users including an intera
Or, if you use Group Policy, you can apply proxy settings to all users of the same device by enabling the **Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Make proxy settings per-machine (rather than per-user)** policy.
-This policy is meant to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user, so if you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
+This policy is meant to ensure that proxy settings apply uniformly to the same computer and don't vary from user to user, so if you enable this policy, users can't set user-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or don't configure it, users of the same computer can establish their own proxy settings.
## Using a proxy with Microsoft Connected Cache
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index 1f89eca0a6..8683d2cbfc 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -3,7 +3,7 @@ title: Delivery Optimization workflow, privacy, security, and endpoints
description: Details of how Delivery Optimization communicates with the server when content is requested to download including privacy, security, and endpoints.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: cmknox
ms.author: carmenf
manager: aaroncz
diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
index 4bf73fa9c9..b4a7bad230 100644
--- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
+++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
@@ -5,7 +5,7 @@ description: Elixir images read me file
ms.service: windows-client
author: nidos
ms.author: nidos
-ms.topic: conceptual
+ms.topic: article
ms.date: 12/31/2017
ms.subservice: itpro-updates
robots: noindex
diff --git a/windows/deployment/do/mcc-ent-early-preview.md b/windows/deployment/do/mcc-ent-early-preview.md
index 1e1922f15a..eb1e76aeb7 100644
--- a/windows/deployment/do/mcc-ent-early-preview.md
+++ b/windows/deployment/do/mcc-ent-early-preview.md
@@ -3,7 +3,7 @@ title: Microsoft Connected Cache for Enterprise and Education early preview
description: Details on Microsoft Connected Cache for Enterprise early preview
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
manager: naengler
ms.author: lichris
author: chrisjlin
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index a09f4f9a76..c730c9e094 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -3,7 +3,7 @@ title: Microsoft Connected Cache for Enterprise and Education Overview
description: Overview, supported scenarios, and content types for Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
ms.author: andyriv
author: chrisjlin
manager: naengler
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 10/30/2024
+ms.date: 02/28/2025
---
# Microsoft Connected Cache for Enterprise and Education Overview
@@ -57,7 +57,7 @@ Customers may have office spaces, data centers, or Azure deployments that meet s
- Have Azure VMs and/or Azure Virtual Desktop deployed
- Have limited internet bandwidth (T1 or T3 lines)
-To support the large enterprise scenario, customers can deploy a Connected Cache node to a server running Windows Server 2022 or Ubuntu 22.04.
+To support the large enterprise scenario, customers can deploy a Connected Cache node to a server running Windows Server 2022 (or later) or Ubuntu 24.04.
See [Connected Cache node host machine requirements](mcc-ent-prerequisites.md) for recommended host machine specifications in each configuration.
diff --git a/windows/deployment/do/mcc-ent-prerequisites.md b/windows/deployment/do/mcc-ent-prerequisites.md
index f8ddaef129..d40301587e 100644
--- a/windows/deployment/do/mcc-ent-prerequisites.md
+++ b/windows/deployment/do/mcc-ent-prerequisites.md
@@ -3,14 +3,14 @@ title: Microsoft Connected Cache for Enterprise and Education prerequisites
description: Details of prerequisites and recommendations for using Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
ms.author: lichris
author: chrisjlin
manager: naengler
appliesto:
- ✅ Windows 11
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 10/30/2024
+ms.date: 02/28/2025
---
# Microsoft Connected Cache for Enterprise and Education Requirements
@@ -43,7 +43,7 @@ This article details the requirements and recommended specifications for using M
### Additional requirements for Windows host machines
-- The Windows host machine must be using Windows 11 or Windows Server 2022 with the latest cumulative update applied.
+- The Windows host machine must be using Windows 11 or Windows Server 2022 (or later) with the latest cumulative update applied.
- Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later
- Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later
- The Windows host machine must support nested virtualization. Ensure that any security settings that may restrict nested virtualization are not enabled, such as ["Trusted launch" in Azure VMs](/azure/virtual-machines/trusted-launch-portal).
@@ -52,7 +52,7 @@ This article details the requirements and recommended specifications for using M
### Additional requirements for Linux host machines
- The Linux host machine must be using one of the following operating systems:
- - Ubuntu 22.04
+ - Ubuntu 24.04
- Red Hat Enterprise Linux (RHEL) 8.* or 9.*
- If using RHEL, the default container engine (Podman) must be replaced with [Moby](https://github.com/moby/moby#readme)
diff --git a/windows/deployment/do/mcc-ent-release-notes.md b/windows/deployment/do/mcc-ent-release-notes.md
index 7a69747aff..9b566f4e6c 100644
--- a/windows/deployment/do/mcc-ent-release-notes.md
+++ b/windows/deployment/do/mcc-ent-release-notes.md
@@ -3,7 +3,7 @@ title: Microsoft Connected Cache Release Notes
description: Release Notes for Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: release-notes
ms.author: lichris
author: chrisjlin
manager: naengler
@@ -11,18 +11,49 @@ appliesto:
- ✅ Windows 11
- ✅ Supported Linux distributions
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 10/30/2024
+ms.date: 02/28/2025
---
# Release Notes for Microsoft Connected Cache for Enterprise and Education
This article contains details about the latest releases of Connected Cache. Since Connected Cache is a preview service, some releases may contain breaking changes.
-## Install script v2.0.0.2
+## February 2025 Release
+
+Released on **3/03/2025**
+
+This release contains improvements that can only be applied by redeploying your cache nodes using the updated installation script.
+
+### New Connected Cache container version
+
+- v1.2.1.2083_E
+
+### New Linux-hosted installation script version
+
+- v1.08
+
+### New Windows-hosted installation script version
+
+- v2.0.0.3
+
+### Improvements to Windows-hosted cache nodes
+
+- **Connected Cache WSL distribution now uses Ubuntu 24.04**: The Windows Subsystem for Linux (WSL) distribution used by Connected Cache has been updated to Ubuntu 24.04 (was 22.04). This change ensures that the WSL distribution is up-to-date with the latest security patches and features.
+- **Connected Cache container now uses Ubuntu 24.04 Docker environment**: The Connected Cache container now runs using an Ubuntu 24.04 Docker environment (was 22.04). This change ensures that the container environment is up-to-date with the latest security patches and features.
+- **TLS-inspecting proxies no longer cause IoT Edge error during Connected Cache installation**: Fixed a bug that was causing proxy certificate path string to be improperly handled, leading to IoT Edge errors during Connected Cache installation.
+- **Security improvements**: Kept intentionally vague to protect previous versions of Connected Cache.
+
+### Improvements to Linux-hosted cache nodes
+
+- **Connected Cache container now uses Ubuntu 24.04 Docker environment**: The Connected Cache container now runs using an Ubuntu 24.04 Docker environment (was 22.04). This change ensures that the container environment is up-to-date with the latest security patches and features.
+- **TLS-inspecting proxies no longer cause IoT Edge error during Connected Cache installation**: Fixed a bug that was causing proxy certificate path string to be improperly handled, leading to IoT Edge errors during Connected Cache installation.
+- **Security improvements**: Kept intentionally vague to protect previous versions of Connected Cache.
+
+## Windows-hosted install script v2.0.0.2
Released on **2/7/2025**
-These changes only affect the installation scripts for Connected Cache. To take advantage of these changes, you'll need to redeploy your existing cache nodes using the updated installation script.
+This release only contains changes to the Windows-hosted installation scripts for Connected Cache. To take advantage of these changes, you need to redeploy your existing cache nodes using the updated installation script.
### Improvements
@@ -31,11 +62,15 @@ These changes only affect the installation scripts for Connected Cache. To take
- **Changes install error codes from decimal to hex code**: Install error codes for Windows-hosted cache nodes are now displayed in hex code format, improving error code readability.
- **Uses configured proxy to perform install**: If a proxy was configured for the Windows-hosted cache node in Azure portal, the cache node uses the specified proxy during installation.
-## Release v1.2.1.2076_E (public preview launch)
+## Public Preview Release
-The public preview released on **10/30/2024**
+Released on **10/30/2024**
-For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. See the [early preview documentation page](mcc-ent-early-preview.md) for more details.
+For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux-hosted and Windows-hosted cache nodes. See the [early preview documentation page](mcc-ent-early-preview.md) for more details.
+
+### New Connected Cache container version
+
+- v1.2.1.2076_E
### Feature updates
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index fd4a693300..60f3a726f3 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -11,7 +11,7 @@ appliesto:
- ✅ Windows 11
- ✅ Supported Linux distributions
- ✅ Microsoft Connected Cache for Enterprise
-ms.date: 01/15/2025
+ms.date: 02/28/2025
---
@@ -97,7 +97,7 @@ If the Connected Cache installation is failing due to WSL-related issues, try ru
Once the Connected Cache software has been successfully deployed to the Windows host machine, you can check if the cache node is running properly by doing the following on the Windows host machine:
1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install
-1. Run `wsl -d Ubuntu-22.04-Mcc-Base` to access the Linux distribution that hosts the Connected Cache container
+1. Run `wsl -d Ubuntu-24.04-Mcc-Base` to access the Linux distribution that hosts the Connected Cache container
1. Run `sudo iotedge list` to show which containers are running within the IoT Edge runtime
If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC**, you can view the status of the IoT Edge security manager using `sudo iotedge system logs -- -f`.
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index fbe4478bf8..daa7a581db 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -7,7 +7,7 @@ manager: aaroncz
author: nidos
ms.author: nidos
ms.reviewer: mstewart
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.collection: tier3
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index 34e5020572..8b0fb66a41 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -17,7 +17,7 @@ metadata:
- ✅ Windows 10
- ✅ Windows Server 2019, and later
- ✅ Delivery Optimization
- ms.date: 10/15/2024
+ ms.date: 02/27/2025
title: Frequently Asked Questions about Delivery Optimization
summary: |
This article answers frequently asked questions about Delivery Optimization.
@@ -50,7 +50,7 @@ summary: |
**Device resources questions**:
- [Delivery Optimization is using device resources and I can't tell why?](#delivery-optimization-is-using-device-resources-and-i-can-t-tell-why)
-
+ - [How do I clear the Delivery Optimization cache?](#how-do-i-clear-the-delivery-optimization-cache)
sections:
- name: General questions
questions:
@@ -179,3 +179,10 @@ sections:
- question: Delivery Optimization is using device resources and I can't tell why?
answer: |
Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
+ - question: How do I clear the Delivery Optimization cache?
+ answer: |
+ Delivery Optimization in Windows clears its cache automatically. Files are removed from the cache after a short time period or when its contents take up too much disk space. However, if you need more disk space on your PC, you can manually clear the cache.
+ 1. In the search box on the taskbar, type **Disk Cleanup**, and then select it from the list of results.
+ 1. On the **Disk Cleanup** tab, select the **Delivery Optimization Files** check box.
+ 1. Select **OK**. On the dialog that appears, select **Delete Files**.
+
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 4d8f36f526..7a51eabbf8 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -47,6 +47,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Client
+> [!NOTE]
+> Starting March 4, 2025, Edge Browser updates will temporarily not utilize Delivery Optimization for downloads. We are actively working to resolve this issue.
+
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@@ -55,7 +58,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Edge Browser Updates | Windows 10 1809, Windows 11 | | | |
| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| MDM Agent | Windows 11 | :heavy_check_mark: | | |
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index 330f5c1225..b03d0b328e 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -2,7 +2,7 @@
title: Optimize Windows update delivery
description: Learn about the two methods of peer-to-peer content distribution that are available, Delivery Optimization and BranchCache.
ms.service: windows-client
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-updates
ms.author: carmenf
author: cmknox
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 607817cbf7..1e39fdbb8d 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -3,7 +3,7 @@ title: What's new in Delivery Optimization
description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: whats-new
author: cmknox
ms.author: carmenf
manager: aaroncz
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index ce4b36fd45..c2b9c9452a 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -3,7 +3,7 @@ title: Checkpoint cumulative updates and the Microsoft Update Catalog
description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
ms.author: mstewart
author: mestew
manager: aaroncz
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index bb837de075..66190ba643 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -3,7 +3,7 @@ title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
ms.author: mstewart
author: mestew
manager: aaroncz
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index d1b6ebd87e..12be8abe43 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -3,7 +3,7 @@ title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 920952b771..d12a78f404 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -3,7 +3,7 @@ title: Evaluate infrastructure and tools
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 46dca308f1..f05a593282 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -3,7 +3,7 @@ title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 70f2c18280..b8165cc86a 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -3,7 +3,7 @@ title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 33f43d08f6..736b716433 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -3,7 +3,7 @@ title: Update Windows installation media with Dynamic Update
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index d91a00bbc2..430ed73a59 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -3,7 +3,7 @@ title: Migrating and acquiring optional Windows content
description: How to keep language resources and Features on Demand during operating system updates for your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index dcc9544f7e..47a408ee3e 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -3,7 +3,7 @@ title: Define readiness criteria
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index e2175c7b40..37900735dd 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -3,7 +3,7 @@ title: Define update strategy
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index ef01bc96d7..5e08f00c11 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -3,7 +3,7 @@ title: Update release cycle for Windows clients
description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 3472db7106..69db899de5 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -3,7 +3,7 @@ title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index 0e0a112ae1..0855d446f3 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -3,7 +3,7 @@ title: Opt out of safeguard holds
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index f8476b518e..392ee59e6e 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -3,7 +3,7 @@ title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 28b05bb90e..e625088cb2 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -3,7 +3,7 @@ title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index 0e1a4c7d47..8f10fce044 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -3,7 +3,7 @@ title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -94,7 +94,7 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
-- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
+- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following policies to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
@@ -183,7 +183,7 @@ As administrators, you have set up and expect certain behaviors, so we expressly
> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar
> policy is set in Group Policy with a differing value.
> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be
-> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices.
+> time to clear all policies and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended policies.
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 11732bc1ca..8bae58b073 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -3,7 +3,7 @@ title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index cf98c00264..a3325adef6 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -6,7 +6,7 @@ ms.service: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-updates
ms.collection:
- tier1
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 892daae8af..24d404f377 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -3,7 +3,7 @@ title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: integration
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index bc88925736..44a8b3df30 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -3,7 +3,7 @@ title: Quick guide to Windows as a service
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 78cf2b2e50..03cdf677fb 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -3,7 +3,7 @@ title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 2e0aea738c..994bb5ef07 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -3,7 +3,7 @@ title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 0ab9c7324e..372c9e38c8 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -3,7 +3,7 @@ title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index f78cd0d3e4..52a546dcf2 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -4,7 +4,7 @@ description: Walk through of how to configure Windows Update for Business settin
ms.service: windows-client
ms.subservice: itpro-updates
manager: aaroncz
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index c81a8e7319..55cf4cf9e5 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -3,7 +3,7 @@ title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: get-started
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index 013dcffe27..7ae6ec0103 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -4,7 +4,7 @@ manager: aaroncz
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
appliesto:
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index e574086aa8..a348c98869 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 37d01729ad..ee1df9351e 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -5,7 +5,7 @@ manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md
index 94e36fa723..555bab68e4 100644
--- a/windows/deployment/update/wufb-reports-configuration-intune.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 2d3b3f14b0..8452c0087f 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index 04291e8ef2..cef5beedc7 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: This article provides information about Delivery Optimization data in Windows Update for Business reports.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index 157adbc776..0deac75ed2 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 4561a0045f..868d704195 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: Windows Update for Business reports support, feedback, and troubleshooting information.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: troubleshooting-general
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index 8bd8aec2da..5878b42548 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: List of prerequisites for enabling and using Windows Update for Business reports in your organization.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 7fb8613fcf..4f96164a1b 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index faa2671fbe..ba85a80f98 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to use the Windows Update for Business reports workbook from the Azure portal.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 2cb3016af2..0d9b10ba84 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -3,7 +3,7 @@ title: Use Windows Update for Business and Windows Server Update Services (WSUS)
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -23,7 +23,7 @@ The Windows update scan source policy enables you to choose what types of update
We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
> [!IMPORTANT]
-> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it is replaced by the new Windows scan source policy and is not recommended for use. If you configure both on Windows 10, you will not get updates from Windows Update.
+> The policy **Do not allow update deferral policies to cause scans against Windows Update**, also known as Dual Scan, is no longer supported on Windows 11 and on Windows 10 it's replaced by the new Windows scan source policy and isn't recommended for use. If you configure both on Windows 10, you won't get updates from Windows Update.
## About the scan source policy
@@ -53,7 +53,7 @@ To help you better understand the scan source policy, see the default scan behav
> The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.
> [!NOTE]
-> If you have devices configured for WSUS and do not configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.
+> If you have devices configured for WSUS and don't configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.
## Configure the scan sources
@@ -68,7 +68,7 @@ The policy can be configured using the following two methods:
2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor<Update Type>**:
> [!NOTE]
-> - You should configure **all** of these policies if you are using CSPs.
+> - You should configure **all** of these policies if you're using CSPs.
> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered.
> - If you're also using the **Specify settings for optional component installation and component repair** policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md) to verify your policy configuration.
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
index 444ff9cf37..9ab18bdcfd 100644
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -5,7 +5,7 @@ ms.author: frankroj
description: Resolve Windows upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
author: frankroj
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.service: windows-client
ms.subservice: itpro-deploy
ms.date: 01/29/2025
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 5caad8feef..fd90fdc246 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -6,7 +6,7 @@ description: Download the Feedback Hub app, and then submit Windows upgrade erro
ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
index b1fc50c67b..eea591bb03 100644
--- a/windows/deployment/upgrade/windows-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -6,7 +6,7 @@ ms.author: frankroj
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
-ms.topic: conceptual
+ms.topic: upgrade-and-migration-article
ms.collection:
- highpri
- tier2
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 34c5e47773..958dbd15ef 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -6,7 +6,7 @@ description: Learn how to review the events generated by Windows Error Reporting
ms.service: windows-client
author: frankroj
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 125f0fd64a..ca0f26473f 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -5,7 +5,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.topic: conceptual
+ms.topic: upgrade-and-migration-article
ms.subservice: itpro-deploy
ms.date: 08/30/2024
---
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index 4d1dcd205e..f6a5c42c55 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
-ms.topic: conceptual
+ms.topic: upgrade-and-migration-article
ms.collection:
- highpri
- tier2
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 3a2a091e06..d1313e2a39 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.topic: conceptual
+ms.topic: get-started
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 563fffa13b..c6c0627a49 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index e69fa2a0eb..a8473748b7 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: overview
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 631c7b6aa6..e60272da5f 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: reference
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 2994c4a929..fab9e7724b 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index fe77583153..34fb82aa18 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: best-practice
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index e8a0d69a2f..46f76521b8 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: overview
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 71da51bdda..cac5f93581 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: overview
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index d618b669c3..b81d59505e 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index f77777e41f..b0444cb0cd 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index c2a0454e4b..c514ca0de2 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index c398822c63..ea5761cc5e 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 00a902de28..1c80db779b 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index 098c1a8a45..afad7e7d3d 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index ae5b4e142e..0ebc0fc1de 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 72388d511e..52a44c5d33 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 9fefd6f0b4..8f2d1c1196 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 950371b73e..146ed9bd56 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 7c21f7e783..75a8d9fb1d 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 0da69dfec4..49a7170f0c 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
ms.date: 01/29/2025
appliesto:
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index 72231c5f35..29114c8d6e 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: overview
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 41d2a4f881..644d0c72b2 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index e46ff9f218..217fc28b31 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index 941df2cced..b37083ce78 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 314590b2b7..e72d3bab25 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.subservice: itpro-deploy
ms.date: 01/29/2025
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 6ff87626e6..aa3a9e2593 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 30667f7873..cb3ee8ef8b 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 27e897b01d..e015af4036 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 8d146557a2..9f896b125f 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index 2e82b3db4e..ba220bc251 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 2084dbdd22..0af8864e20 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 6fbc90a488..a75bc7ea90 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 74170fceed..c626ac56fe 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.collection:
- highpri
- tier2
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index adeaf3c10e..a5e4eea126 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: reference
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 438b71d40b..fb0d5ddf48 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index e7a5305f00..8cbda2d6c9 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 6e81c92b9a..cf9749d531 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index a25a4bde8e..04fee70623 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index d269cd7597..4e15899fb3 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: reference
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 4b1d005a41..08bbb67f9d 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 56ee8a1868..98ddecb7ae 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 3ca79322a4..98b2ed5c0e 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: troubleshooting-general
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index bef1f41088..29f40c6108 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index 56cee12f98..a60ce0dd07 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: concept-article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index fc41899980..edf9b0b470 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index 21d2195393..551883b1ab 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: reference
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index f611d55175..0f537173ad 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: how-to
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 8b1d97b433..d26d21f084 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -7,7 +7,7 @@ ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 01/29/2025
-ms.topic: conceptual
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 182f55c874..35a89089d3 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/19/2024
ms.subservice: itpro-deploy
appliesto:
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index cf038aa4a9..b6a137b5f0 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -6,8 +6,8 @@ ms.author: frankroj
manager: aaroncz
ms.service: windows-client
ms.localizationpriority: medium
-ms.date: 02/13/2024
-ms.topic: conceptual
+ms.date: 02/27/2025
+ms.topic: article
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index a011e4c21c..3a10604086 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -116,8 +116,6 @@
href: monitor/windows-autopatch-windows-quality-update-status-report.md
- name: Quality update trending report
href: monitor/windows-autopatch-windows-quality-update-trending-report.md
- - name: Reliability report
- href: monitor/windows-autopatch-reliability-report.md
- name: Hotpatch quality update report
href: monitor/windows-autopatch-hotpatch-quality-update-report.md
- name: Windows feature and quality update device alerts
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
index 90528e17a2..6e8b915912 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -4,7 +4,7 @@ description: This article explains the Windows quality update end user experienc
ms.date: 11/04/2024
ms.service: windows-client
ms.subservice: autopatch
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
index ed17d7438c..31a02381ec 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
@@ -4,7 +4,7 @@ description: This article explains how Windows quality updates are managed
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md
deleted file mode 100644
index c483164956..0000000000
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: Reliability report
-description: This article describes the reliability score for each Windows quality update cycle based on stop error codes detected on managed devices.
-ms.date: 04/09/2024
-ms.service: windows-client
-ms.subservice: autopatch
-ms.topic: how-to
-ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
-manager: aaroncz
-ms.reviewer: hathind
-ms.collection:
- - highpri
- - tier1
----
-
-# Reliability report (public preview)
-
-[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-
-> [!IMPORTANT]
-> This feature is in **public preview**. It's being actively developed, and might not be complete.
-
-The Reliability report provides a reliability score for each Windows quality update cycle based on [stop error codes](/troubleshoot/windows-client/performance/stop-error-or-blue-screen-error-troubleshooting) detected on managed devices. Scores are determined at both the service and tenant level. Details on modules associated with stop error codes at the tenant level are provided to better understand how devices are affected.
-
-> [!NOTE]
-> **The Reliability report applies to quality updates only**. The Reliability report doesn't currently support Windows feature updates.
A score is generated when:
Windows Autopatch data collection must be enabled according to the [configuration policies](../references/windows-autopatch-changes-to-tenant.md#device-configuration-policies) set during tenant onboarding. For more information about data collection, see [Privacy](../overview/windows-autopatch-privacy.md)
- -## Report information - -The following information is available as default columns in the Reliability report: - -> [!NOTE] -> The report is refreshed no more than once every 24 hours with data received from your Windows Autopatch managed devices. Manual data refresh is not supported. The last refreshed date and time can be found at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). - -### Score details - -| Column | Description | -| ----- | ----- | -| Module name | Name of module associated with stop error code detection. | -| Version | Version of module associated with stop error code detection. | -| Unique devices | Number of unique devices seeing a stop error code occurrence associated with a specific module name and version. This information is hyperlinked to the **Devices affected** flyout. | -| Total events | Total number of stop error codes detected associated with a specific module name and version. | -| Module score impact | **Your score** associated with specific module name and version. | -| Timeline | This information is hyperlinked to **Module details** flyout. 
| - -### Export file - -| Column | Description | -| ----- | ----- | -| DeviceName | Device name | -| MicrosoftEntraDeviceId | Microsoft Entra device ID | -| Model | Device model | -| Manufacturer | Device manufacturer | -| AutopatchGroup | Autopatch group assignment for the affected device | -| LatestOccurrence | Time of the most recent reported failure | -| WindowsVersion | Windows version (Windows 10 or Windows 11) | -| OSVersion | OS version | -| ModuleName | Name of the module associated with stop error code detection | -| Version | Version of the module associated with stop error code detection | -| BugCheckCode | Bug check code associated with stop error code | -| TenantId | Your Microsoft Entra tenant ID | - -### Devices affected - -| Column | Description | -| ----- | ----- | -| Device name | Device name | -| Microsoft Entra device ID | Microsoft Entra device ID | -| Model | Device model | -| Manufacturer | Device manufacturer | -| Autopatch group | Autopatch group assignment for the affected device | -| Latest occurrence | Time of the most recent reported failure | - -### Module details - -| Display selection | Description | -| ----- | ----- | -| Unique devices | Number of unique devices affected by module failure and the associated version | -| Total events | Number of occurrences by module failure and the associated version | -| Module impact | Score impact by module and version representing the relative importance of module failure. Higher positive values describe module failures that have a greater impact on the tenant and should be addressed with higher priority. Negative values describe module failures that have a lower-than-average impact on the tenant and thus can be treated with lower priority. Values around `0` describe module failures with average impact on the tenant. | - -## Known limitations - -The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. 
A full 12 months of score data are available to select from the menu dropdowns in September 2024. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index 4b2f2596df..c678156938 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 11/20/2024 +ms.date: 03/03/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview 
@@ -19,6 +19,15 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] +## Prerequisites + +Windows Autopatch requires, and uses Windows diagnostic data to display device update statuses in Autopatch reports. + +- Service state and substate data are included for all devices configured for Windows quality and feature updates. No data collection configuration is required. +- Client and substate data are collected from devices only if Windows data collection data is properly configured. + +This data collection configuration method using Windows diagnostic data in Intune is shared across Autopatch reports. To support Autopatch reporting, you must configure the [Enable Windows diagnostic data collection settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) from devices at the **Required** or higher level. + ## Windows quality update reports The Windows quality reports provide you with information about: @@ -35,7 +44,6 @@ The Windows quality report types are organized into the following focus areas: | ----- | ----- | | Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. | | Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. | -| [Reliability report](../operate/windows-autopatch-reliability-report.md) | The Reliability report provides a reliability score for each Windows quality update cycle based on stop error codes detected on managed devices. | ## Windows feature update reports 
@@ -58,6 +66,9 @@ Users with the following permissions can access the reports: - Intune Service Administrator - Global Reader - Services Support Administrator +- Policy and Profile Manager +- Read Only Operator +- Help Desk Operator ## About data latency @@ -84,7 +95,7 @@ Up to date devices are devices that meet all of the following prerequisites: - Applied the current monthly cumulative updates > [!NOTE] -> Device that are [Up to Date](#up-to-date-devices) will remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices). +> Devices that are [Up to Date](#up-to-date-devices) remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status changes to [Not up to Date](#not-up-to-date-devices). #### Up to Date sub statuses diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 97d26c798d..78bb2e7125 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md 
@@ -18,7 +18,7 @@ ms.reviewer: hathind # What is Windows Autopatch? > [!IMPORTANT] -> In September, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement. +> In September 2024, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5e7b3411e6..e66fe153ac 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md 
@@ -174,15 +174,18 @@ You can add the *Device configurations* permission with one or more rights to yo ### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-intune-permissions) +Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions: + +- **Device configurations**: + - Assign + - Create + - Delete + - View Reports + - Update +- Read + After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md#activate-windows-autopatch-features), use the Intune Service Administrator role to register devices, manage your update deployments, and reporting tasks. -If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Microsoft Entra groups created during the [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md) process: - -| Microsoft Entra group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | -| --- | --- | --- | --- | --- | --- | -| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | -| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | Yes | - For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). > [!TIP] diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md index a39b3238a9..432b2cc9ba 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md 
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md @@ -1,7 +1,7 @@ --- title: Changes made at feature activation description: This reference article details the changes made to your tenant when you activate Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/03/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -49,14 +49,6 @@ The following groups target Windows Autopatch configurations to devices and mana | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | | Modern Workplace Devices-WindowsAutopatch-Broad | Final deployment ring for broad rollout into the organization | -## Device configuration policies - -- Windows Autopatch - Data Collection - -| Policy name | Policy description | Properties | Value | -| ----- | ----- | ----- | ----- | -| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.
Assigned to:
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
- Windows Autopatch - Office Configuration - Windows Autopatch - Office Update Configuration [Test] @@ -87,7 +79,7 @@ The following groups target Windows Autopatch configurations to devices and mana ## Microsoft Edge update policies > [!IMPORTANT] -> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
- Windows Autopatch - Edge Update Channel Stable - Windows Autopatch - Edge Update Channel Beta @@ -100,7 +92,7 @@ The following groups target Windows Autopatch configurations to devices and mana ## Driver updates for Windows 10 and later > [!IMPORTANT] -> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
- Windows Autopatch - Driver Update Policy [Test] - Windows Autopatch - Driver Update Policy [First] diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index c4cac7212b..285c7754e4 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -70,7 +70,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | ----- | ----- | | [MC678305](https://admin.microsoft.com/adminportal/home#/MessageCenter) | September 2023 Windows Autopatch baseline configuration update | | [MC678303](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch availability within Microsoft Intune Admin Center | -| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report | | [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update | ## August 2023 diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md index 815d13a816..f9d30352a5 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md @@ -1,7 +1,7 @@ --- title: What's new 2024 description: This article lists the 2024 feature releases and any corresponding Message center post numbers. -ms.date: 11/19/2024 +ms.date: 02/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: whats-new 
@@ -37,14 +37,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| All articles | Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) to understand licensing and feature entitlement.|
-## March 2024
-
-### March feature releases or updates
-
-| Article | Description |
-| ----- | ----- |
-| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the [Reliability report](../operate/windows-autopatch-reliability-report.md) feature |
-
## February 2024
## February service releases
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 4794ab6ddf..22734dbc08 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -5,7 +5,7 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.service: windows-client
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 08/30/2024
ms.subservice: itpro-deploy
---
diff --git a/windows/deployment/windows-deployment-scenarios.md b/windows/deployment/windows-deployment-scenarios.md
index 857188ae38..faec964678 100644
--- a/windows/deployment/windows-deployment-scenarios.md
+++ b/windows/deployment/windows-deployment-scenarios.md
@@ -6,8 +6,8 @@ ms.author: frankroj
author: frankroj
ms.service: windows-client
ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 02/13/2024
+ms.topic: install-set-up-deploy
+ms.date: 02/27/2025
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
diff --git a/windows/deployment/windows-missing-fonts.md b/windows/deployment/windows-missing-fonts.md
index eabee6f44f..11091fa358 100644
--- a/windows/deployment/windows-missing-fonts.md
+++ b/windows/deployment/windows-missing-fonts.md
@@ -6,8 +6,8 @@ ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/28/2024
+ms.topic: how-to
+ms.date: 02/27/2025
ms.subservice: itpro-deploy
zone_pivot_groups: windows-versions-11-10
appliesto:
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 6fa1d2a9e2..6239e43f99 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -9,7 +9,7 @@ ms.author: danbrown
manager: laurawi
ms.date: 03/11/2016
ms.collection: highpri
-ms.topic: conceptual
+ms.topic: how-to
---
# Configure Windows diagnostic data in your organization
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index bfb651939e..9e89ce6f88 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1866,20 +1866,37 @@ You can turn off Windows Update by setting the following registry entries:
-OR-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
+This is applicable to Windows 10.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**.
-and-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**.
-and-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure the settings under **Options** (intranet update service, intranet statistics server, and alternate download server) are set to **" "**.
-and-
-- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
+- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Configure notifications** to **0 - Do not show any notifications**.
+This is applicable to Windows 11.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Do not connect to any Windows Update Internet locations** to **Enabled**.
+
+ -and-
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Specify intranet Microsoft update service location** to **Enabled** and ensure the settings under **Options** (intranet update service, intranet statistics server, and alternate download server) are set to **" "**.
+
+ -and-
+
+- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Remove access to use all Windows Update features** to **Enabled** and then set **Configure notifications** to **0 - Do not show any notifications**.
+
+ -and-
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication settings** > **Turn off access to all Windows Update features** to **Enabled**.
You can turn off automatic updates by doing the following. This isn't recommended.
diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md
index fb9459ba79..2cb7a70074 100644
--- a/windows/privacy/windows-privacy-compliance-guide.md
+++ b/windows/privacy/windows-privacy-compliance-guide.md
@@ -8,7 +8,7 @@ author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 05/20/2019
-ms.topic: conceptual
+ms.topic: article
ms.collection: essentials-compliance
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
index 8ea04f6820..d6095213cd 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md
@@ -3,7 +3,7 @@ title: Designing, creating, managing, and troubleshooting App Control for Busine
description: How to design, create, manage, and troubleshoot your App Control AppId Tagging policies
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
---
# App Control Application ID (AppId) Tagging guide
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
index 82fbcd6156..3ab782c3a7 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/deploy-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Deploying App Control for Business AppId tagging policies
description: How to deploy your App Control AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium
ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
---
# Deploying App Control for Business AppId tagging policies
diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
index 363d4b5dd8..a56bbb1694 100644
--- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Create your App Control for Business AppId Tagging Policies
description: Create your App Control for Business AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 09/23/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Creating your App Control AppId Tagging Policies
@@ -21,7 +21,7 @@ You can use the App Control for Business Wizard and the PowerShell commands to c
:::image type="content" alt-text="Configuring the policy base and template." source="../images/appid-appcontrol-wizard-1.png" lightbox="../images/appid-appcontrol-wizard-1.png":::
> [!NOTE]
- > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
+ > If your AppId Tagging Policy does not build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates. For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
index 1d72571a26..348c5b73e5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
+++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md
@@ -3,7 +3,7 @@ title: App Control and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 03/09/2025
-ms.topic: conceptual
+ms.topic: concept-article
---
# App Control for Business and AppLocker Overview
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index 64ec3acfbf..19aa013427 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -2,7 +2,7 @@ title: Add rules for packaged apps to existing AppLocker rule-set
description: This article for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
index d2e0c1da1e..f4251d5025 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md
@@ -2,7 +2,7 @@ title: Administer AppLocker
description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
index 7314cce2f9..b23c2bbb56 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components.md
@@ -2,7 +2,7 @@ title: AppLocker architecture and components
description: This article for IT professional describes AppLocker’s basic architecture and its major components.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
index 2ce3ad5532..cd332a947e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-functions.md
@@ -2,7 +2,7 @@ title: AppLocker functions
description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
index 1af7a371bb..0123fba7fe 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview.md
@@ -4,7 +4,7 @@ description: This article provides a description of AppLocker and can help you d
ms.collection:
- tier3
- must-keep
-ms.topic: conceptual
+ms.topic: article
ms.localizationpriority: medium
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
index 8520621d36..2708051c46 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-deployment-guide.md
@@ -2,7 +2,7 @@ title: AppLocker deployment guide
description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
index 174ed4907c..af106d2482 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policies-design-guide.md
@@ -2,7 +2,7 @@ title: AppLocker design guide
description: This article for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
index 0d11e182ca..0b9425c2ca 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-policy-use-scenarios.md
@@ -2,7 +2,7 @@ title: AppLocker policy use scenarios
description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
index 4bc0bd0949..b28e45f232 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-processes-and-interactions.md
@@ -2,7 +2,7 @@ title: AppLocker processes and interactions
description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
index 5dd3820526..057585ea54 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-technical-reference.md
@@ -2,7 +2,7 @@ title: AppLocker technical reference
description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
index 422f3a9acd..3d09c7ce9a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -2,7 +2,7 @@ title: Configure an AppLocker policy for audit only
description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 07c51af5bb..8055479a03 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -2,7 +2,7 @@ title: Configure an AppLocker policy for enforce rules
description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
index 11900e02c0..8e24b48f1d 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -2,7 +2,7 @@ title: Add exceptions for an AppLocker rule
description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
index f6acca16ba..95d762964d 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md
@@ -2,7 +2,7 @@ title: Configure the AppLocker reference device
description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
index c4156e9b57..b9668e661e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md
@@ -2,7 +2,7 @@ title: Configure the Application Identity service
description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
index 07fd6f2866..2122d84f16 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md
@@ -2,7 +2,7 @@ title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index b764bb0493..e0c5ec4e77 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -2,7 +2,7 @@ title: Create a rule that uses a file hash condition
description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
index fe26c1ee6a..97e052584c 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -2,7 +2,7 @@ title: Create a rule that uses a path condition
description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 9b07438ec7..bebb1b7c3e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -2,7 +2,7 @@ title: Create a rule that uses a publisher condition
description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
index fd2aa8e292..fa3029ebd9 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md
@@ -2,7 +2,7 @@ title: Create AppLocker default rules
description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
index f015e79882..a573b63891 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -2,7 +2,7 @@ title: Create a list of apps deployed to each business group
description: This article describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
index 69119137f4..0b361247b2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md
@@ -2,7 +2,7 @@ title: Create Your AppLocker policies
description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 09/11/2024
---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
index 415e9582f8..be793460ce 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md
@@ -2,7 +2,7 @@
 title: Create Your AppLocker rules
 description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
index 95836e5b28..24a0f10b39 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md
@@ -2,7 +2,7 @@
 title: Delete an AppLocker rule
 description: This article for IT professionals describes the steps to delete an AppLocker rule.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 83e603b364..50bc9f1a76 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -2,7 +2,7 @@
 title: Deploy AppLocker policies by using the enforce rules setting
 description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
index 941a047e99..37ffcce44c 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/deploy-the-applocker-policy-into-production.md
@@ -2,7 +2,7 @@
 title: Deploy the AppLocker policy into production
 description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 29380fe1e1..64a91162b6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -2,7 +2,7 @@
 title: Determine the Group Policy structure and rule enforcement
 description: This overview article describes the process to follow when you're planning to deploy AppLocker rules.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index e1c6c88c0a..232f42ee6b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -2,7 +2,7 @@
 title: Find digitally signed apps on a reference device
 description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index bf1a962a76..e3764dc3cf 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -2,7 +2,7 @@
 title: Display a custom URL message when users try to run a blocked app
 description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
index 054c18fb61..c26bd8e92a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/dll-rules-in-applocker.md
@@ -2,7 +2,7 @@
 title: DLL rules in AppLocker
 description: This article describes the file formats and available default rules for the DLL rule collection.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index b440a69b68..4493170c14 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -2,7 +2,7 @@
 title: Document Group Policy structure & AppLocker rule enforcement
 description: This planning article describes what you need to include in your plan when you use AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
index 00e357875d..49bcd565c3 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-application-list.md
@@ -2,7 +2,7 @@
 title: Document your app list
 description: This planning article describes the app information that you should document when you create a list of apps for AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
index efd0c0211f..1748c76b96 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md
@@ -2,7 +2,7 @@
 title: Document your AppLocker rules
 description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
index 3ebf404dc6..0b3a920b1e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md
@@ -2,7 +2,7 @@
 title: Edit an AppLocker policy
 description: This article for IT professionals describes the steps required to modify an AppLocker policy.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
index 7ae6e91083..ca8f3762b4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md
@@ -2,7 +2,7 @@
 title: Edit AppLocker rules
 description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
index c2569a0918..4cfe8b0a77 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md
@@ -2,7 +2,7 @@
 title: Enable the DLL rule collection
 description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
index 2abb621ddc..ac0281aec5 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/enforce-applocker-rules.md
@@ -2,7 +2,7 @@
 title: Enforce AppLocker rules
 description: This article for IT professionals describes how to enforce application control rules by using AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
index 99ffe04a6d..650edc17f1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/executable-rules-in-applocker.md
@@ -2,7 +2,7 @@
 title: Executable rules in AppLocker
 description: This article describes the file formats and available default rules for the executable rule collection.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
index c9fe560838..29c9cb278a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -2,7 +2,7 @@
 title: Export an AppLocker policy from a GPO
 description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
index 106a4d836e..26be647e22 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -2,7 +2,7 @@
 title: Export an AppLocker policy to an XML file
 description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md b/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
index c704a9e977..b9871903f4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/how-applocker-works-techref.md
@@ -2,7 +2,7 @@
 title: How AppLocker works
 description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
index 2472b7892c..65c625d6c9 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md
@@ -2,7 +2,7 @@
 title: Import an AppLocker policy from another computer
 description: This article for IT professionals describes how to import an AppLocker policy.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
index 039d978649..787dd87c42 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -2,7 +2,7 @@
 title: Import an AppLocker policy into a GPO
 description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
index a4926c5f73..52f968351b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md
@@ -2,7 +2,7 @@
 title: Maintain AppLocker policies
 description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
index b3e041a0f1..a8a538ae01 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md
@@ -2,7 +2,7 @@
 title: Manage packaged apps with AppLocker
 description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 4df24222a0..cb352b0eaa 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -2,7 +2,7 @@
 title: Merge AppLocker policies by using Set-ApplockerPolicy
 description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
index 324bef3248..c28de87a29 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md
@@ -2,7 +2,7 @@
 title: Merge AppLocker policies manually
 description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
index 14b704afe3..a77f07e9a4 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md
@@ -2,7 +2,7 @@
 title: Monitor app usage with AppLocker
 description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
index f160bda367..e19aced7fc 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/optimize-applocker-performance.md
@@ -2,7 +2,7 @@
 title: Optimize AppLocker performance
 description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 7085567383..edae5b70c8 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -2,7 +2,7 @@
 title: Packaged apps and packaged app installer rules in AppLocker
 description: This article explains the AppLocker rule collection for packaged app installers and packaged apps.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
index 51f30ea841..369cd12de6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md
@@ -2,7 +2,7 @@
 title: Plan for AppLocker policy management
 description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
index 5d2df1f250..78ddebd7b1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md
@@ -2,7 +2,7 @@
 title: Refresh an AppLocker policy
 description: This article for IT professionals describes the steps to force an update for an AppLocker policy.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
index 2caf917483..ca1dd0b0c7 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-for-deploying-applocker-policies.md
@@ -2,7 +2,7 @@
 title: Requirements for deploying AppLocker policies
 description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: install-set-up-deploy
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
index 7bb94f1197..1cdee958cf 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/requirements-to-use-applocker.md
@@ -2,7 +2,7 @@
 title: Requirements to use AppLocker
 description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
index e4481ab2c7..deab94e661 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/rule-collection-extensions.md
@@ -4,7 +4,7 @@ description: This article describes the RuleCollectionExtensions added in Window
 ms.collection:
 - tier3
 - must-keep
-ms.topic: conceptual
+ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
index 3108458c0f..d503b89562 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md
@@ -2,7 +2,7 @@
 title: Run the Automatically Generate Rules wizard
 description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
index bc342eba8b..a9f2b80103 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/script-rules-in-applocker.md
@@ -2,7 +2,7 @@
 title: Script rules in AppLocker
 description: This article describes the file formats and available default rules for the script rule collection.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
@@ -26,7 +26,7 @@ The following table lists the default rules that are available for the script ru
 | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder | Everyone | Path: `%programfiles%\*`|
 > [!NOTE]
-> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
+> When a script runs that isn't allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
 ## Related articles
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
index 6a11796ca7..894f2f14ac 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/security-considerations-for-applocker.md
@@ -2,7 +2,7 @@
 title: Security considerations for AppLocker
 description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
index 8000ce41d4..b6385e0a25 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/select-types-of-rules-to-create.md
@@ -2,7 +2,7 @@
 title: Select the types of rules to create
 description: This article lists resources you can use when selecting your application control policy rules by using AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index c7042db13e..88e65e3da6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -2,7 +2,7 @@
 title: Test an AppLocker policy by using Test-AppLockerPolicy
 description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
index 00e03f5081..4b23691309 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md
@@ -2,7 +2,7 @@
 title: Test and update an AppLocker policy
 description: This article discusses the steps required to test an AppLocker policy prior to deployment.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
index 5b1ed0083d..f595601d15 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/tools-to-use-with-applocker.md
@@ -2,7 +2,7 @@
 title: Tools to use with AppLocker
 description: This article for the IT professional describes the tools available to create and administer AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
index 3cc00fdf6e..4cca71d421 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md
@@ -2,7 +2,7 @@
 title: Understand AppLocker policy design decisions
 description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 89f62e0cb9..28f45a1745 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -2,7 +2,7 @@
 title: Understand AppLocker rules and enforcement setting inheritance in Group Policy
 description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
index 43e63220e5..74fde9a437 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md
@@ -2,7 +2,7 @@
 title: Understand the AppLocker policy deployment process
 description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index 86c795601f..042da1bb93 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker allow and deny actions on rules
 description: This article explains the differences between allow and deny actions on AppLocker rules.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
index 67b52608e3..d1ebca2a82 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker default rules
 description: This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
index 0d9b08e51c..bb26a44584 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker rule behavior
 description: This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
index 8ee9ed92d5..16d2b01891 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker rule collections
 description: This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
@@ -19,11 +19,11 @@ An AppLocker rule collection is a set of rules that apply to one of five types:
 - Packaged apps and packaged app installers: .appx
 > [!IMPORTANT]
-> Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems.
+> Each app can load several DLLs, and AppLocker must check each DLL before it's allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems.
 >
 > DLL rules might cause performance problems on some computers which are already resource constrained.
 >
-> As a result, the DLL rule collection is not enabled by default.
+> As a result, the DLL rule collection isn't enabled by default.
 For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
index 1bbbc6329c..fcdb46f43a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-condition-types.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker rule condition types
 description: This article for the IT professional describes the three types of AppLocker rule conditions.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
index b95fadae6e..1b3ef8493e 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md
@@ -2,7 +2,7 @@
 title: Understanding AppLocker rule exceptions
 description: This article describes the result of applying AppLocker rule exceptions to rule collections.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index b9460ff54a..690672cd30 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
 title: Understanding the file hash rule condition in AppLocker
 description: This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
index 4175eba0ef..608669ebc2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
 title: Understanding the path rule condition in AppLocker
 description: This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index be3c3767d4..4250c2c57b 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -2,7 +2,7 @@
 title: Understanding the publisher rule condition in AppLocker
 description: This article explains how to apply the AppLocker publisher rule condition and what controls are available.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 8bc76ea93a..d9101a04ea 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -2,7 +2,7 @@
 title: Use a reference device to create and maintain AppLocker policies
 description: This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 574c33a03b..8bf591dcbe 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -2,7 +2,7 @@
 title: Use the AppLocker Windows PowerShell cmdlets
 description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
index 65fa1be015..e73c36db1f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker.md
@@ -2,7 +2,7 @@
 title: Using Event Viewer with AppLocker
 description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
index 9fa362969d..9ea3549d83 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md
@@ -2,7 +2,7 @@
 title: What Is AppLocker
 description: This article for the IT professional describes what AppLocker is.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
index cfc1ce02c6..bbf33108ab 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/windows-installer-rules-in-applocker.md
@@ -2,7 +2,7 @@
 title: Windows Installer rules in AppLocker
 description: This article describes the file formats and available default rules for the Windows Installer rule collection.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
index 2a7f5153ec..24899eecfc 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-policies.md
@@ -2,7 +2,7 @@
 title: Working with AppLocker policies
 description: This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
index c827358a61..74f328bc4a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules.md
@@ -4,7 +4,7 @@ description: This article for IT professionals describes AppLocker rule types an
 ms.localizationpriority: medium
 msauthor: jsuther
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
 ---
 # Working with AppLocker rules
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
index 6f8919e77d..5689af4c35 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md
@@ -3,7 +3,7 @@ title: Use audit events to create App Control policy rules
 description: Audits allow admins to discover apps, binaries, and scripts that should be added to the App Control policy.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: how-to
 ---
 # Use audit events to create App Control policy rules
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
index 773daf6a82..3629311b66 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md
@@ -2,7 +2,7 @@
 title: Create a code signing cert for App Control for Business
 description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or App Control policies internally.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md b/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
index 69735b11bd..3710567ff2 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection.md
@@ -2,7 +2,7 @@
 title: Use code signing for added control and protection with App Control
 description: Code signing can be used to better control Win32 app authorization and add protection for your App Control for Business policies.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
index 6aa667b28a..af4b9ec7a8 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md
@@ -2,7 +2,7 @@
 title: Use signed policies to protect App Control for Business against tampering
 description: Signed App Control for Business policies give organizations the highest level of malware protection available in Windows 10 and Windows 11.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
index be104082d9..6c3a409ac1 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-and-dotnet.md
@@ -3,7 +3,7 @@ title: App Control for Business and .NET
 description: Understand how App Control and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
 ms.localizationpriority: medium
 ms.date: 02/13/2025
-ms.topic: conceptual
+ms.topic: article
 ---
 # App Control for Business and .NET
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
index 73bbde562c..74cccbdaad 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide.md
@@ -2,7 +2,7 @@
 title: App Control for Business design guide
 description: Microsoft App Control for Business allows organizations to control what apps and drivers will run on their managed Windows devices.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
index 5de28ef21c..02e0814f1f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-base-policy.md
@@ -2,7 +2,7 @@
 title: App Control for Business Wizard Base Policy Creation
 description: Creating new base App Control policies with the App Control Wizard.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
index 3cd72d3fcd..e0bb02d843 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-create-supplemental-policy.md
@@ -2,7 +2,7 @@
 title: App Control for Business Wizard Supplemental Policy Creation
 description: Creating supplemental App Control policies with the App Control Wizard.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
index 8818dc5ae7..832e5b3936 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md
@@ -2,7 +2,7 @@
 title: Editing App Control for Business Policies with the Wizard
 description: Editing existing base and supplemental policies with the Microsoft App Control Wizard.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/11/2024
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
index a0c8c1e69a..ad430e20d0 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-merging-policies.md
@@ -2,7 +2,7 @@ title: App Control for Business Wizard Policy Merging Operation description: Merging multiple policies into a single App Control policy with the App Control Wizard. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md index 5e2b4e4017..4cd50e9bd2 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md @@ -2,7 +2,7 @@ title: App Control for Business Wizard App Control Event Parsing description: Creating App Control policy rules from the App Control event logs and the MDE Advanced Hunting App Control events. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md index 5fab393481..5cd068e7b1 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard.md @@ -2,7 +2,7 @@ title: App Control for Business Wizard description: The App Control for Business policy wizard tool allows you to create, edit, and merge App Control policies in a simple to use Windows application. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md index 0d5feeb80f..d09c9fa379 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/common-appcontrol-use-cases.md @@ -3,7 +3,7 @@ title: Policy creation for common App Control usage scenarios description: Develop a plan for deploying App Control for Business in your organization based on these common scenarios. ms.localizationpriority: medium ms.date: 01/31/2025 -ms.topic: conceptual +ms.topic: install-set-up-deploy --- # App Control for Business deployment in different scenarios: types of devices diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md index 1563a69a95..97c05323c3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md @@ -1,7 +1,7 @@ --- title: Create an App Control policy for fully managed devices description: App Control for Business restricts which applications users are allowed to run and the code that runs in system core. -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium ms.date: 09/11/2024 --- 
@@ -10,12 +10,12 @@ ms.date: 09/11/2024
 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
-This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software that's deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
 > [!NOTE]
 > Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
+As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices.
 **Alice Pena** is the IT team lead tasked with the rollout of App Control.
@@ -55,7 +55,7 @@ Having defined the "circle-of-trust", Alice is ready to generate the initial pol
 Alice follows these steps to complete this task:
 > [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
+> If you don't use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
 1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
index 4238536c5a..d3c6c9b9e3 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Use the Smart App Control policy to build your starter base policy
 description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core.
-ms.topic: conceptual
+ms.topic: how-to
 ms.localizationpriority: medium
 ms.date: 03/09/2025
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
index ff41a98da8..90bef6240f 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md
@@ -3,7 +3,7 @@ title: Plan for App Control policy management
 description: Learn about the decisions you need to make to establish the processes for managing and maintaining App Control for Business policies.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: how-to
 ---
 # Plan for App Control for Business lifecycle policy management
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
index 16b4739600..48193d95b6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md
@@ -3,7 +3,7 @@ title: Understand App Control script enforcement
 description: App Control script enforcement
 ms.manager: jsuther
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
 ms.localizationpriority: medium
 ---
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)]
 > [!IMPORTANT]
-> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors.
+> Option **11 Disabled:Script Enforcement** isn't supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and shouldn't be used on those platforms. Doing so will result in unexpected script enforcement behaviors.
 ## Script enforcement overview
@@ -23,7 +23,7 @@ Validation for signed scripts is done using the [WinVerifyTrust API](/windows/wi
 App Control shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks App Control if a script should be allowed, an event is logged with the answer App Control returned to the script host. For more information on App Control script enforcement events, see [Understanding App Control events](../operations/event-id-explanations.md#app-control-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects).
 > [!NOTE]
-> When a script runs that is not allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
+> When a script runs that isn't allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
 >
 > Also be aware that some script hosts may change how they behave even if an App Control policy is in audit mode only. You should review the script host specific information in this article and test thoroughly within your environment to ensure the scripts you need to run are working properly.
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
index 0c9fb3469f..c35d1b5431 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md
@@ -3,7 +3,7 @@ title: Understand App Control for Business policy rules and file rules
 description: Learn how App Control policy rules and file rules can control your Windows 10 and Windows 11 computers.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
 ---
 # Understand App Control for Business policy rules and file rules
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
index f808763724..6bbb22ad79 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md
@@ -3,7 +3,7 @@ title: Understand App Control for Business policy design decisions
 description: Understand App Control for Business policy design decisions.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
 ---
 # Understand App Control for Business policy design decisions
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
index 995deda446..f4cb6a9205 100644
--- a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
+++ b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md
@@ -3,7 +3,7 @@ title: Understanding App Control for Business secure settings
 description: Learn about secure settings in App Control for Business.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: concept-article
 ---
 # Understanding App Control Policy Settings
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
index f2db0b2d7a..eb8c5af737 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
@@ -3,7 +3,7 @@ title: Understanding App Control event tags
 description: Learn what different App Control for Business event tags signify.
 ms.localizationpriority: medium
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
 ---
 # Understanding App Control event tags
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
index f62b037cb4..6520b17bbb 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/inbox-appcontrol-policies.md
@@ -3,7 +3,7 @@ title: Inbox App Control policies
 description: This article describes the inbox App Control policies that may be active on a device.
 ms.manager: jsuther
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
 ms.localizationpriority: medium
 ---
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md
index 4baf2a1a12..eae2463669 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md
@@ -62,7 +62,7 @@ Although App Control audit mode is designed to avoid any effect on apps, some fe
 ### .NET native images may generate false positive block events
-In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window.
+In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. To prevent that, consider compiling your .NET application ahead of time using the [Native AOT](/dotnet/core/deploying/native-aot) feature.
 ### .NET doesn't load Component Object Model (COM) objects with mismatched GUIDs
diff --git a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
index ce8d6225a0..9f6ad2b2dc 100644
--- a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
+++ b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
@@ -6,7 +6,7 @@ author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.date: 09/11/2024
-ms.topic: conceptual
+ms.topic: article
 appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index cc5f471678..436c24ff57 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -2,7 +2,7 @@
 title: Microsoft Defender Application Guard
 description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
 ms.date: 07/11/2024
-ms.topic: conceptual
+ms.topic: overview
 ---
 # Microsoft Defender Application Guard overview
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 275a28dd9e..9fdffea69e 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -3,7 +3,7 @@ title: Testing scenarios with Microsoft Defender Application Guard
 description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
 ms.localizationpriority: medium
 ms.date: 07/11/2024
-ms.topic: conceptual
+ms.topic: article
 ---
 # Application Guard testing scenarios
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index fcb9b56ddc..671352b771 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Sandbox architecture
 description: Windows Sandbox architecture
-ms.topic: conceptual
+ms.topic: article
 ms.date: 09/09/2024
 ---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
index 42ffe331cc..aa15412076 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Sandbox versions
 description: Windows Sandbox versions
-ms.topic: conceptual
+ms.topic: article
 ms.date: 10/22/2024
 ---
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 36707a697b..085aecff6a 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -9,57 +9,10 @@ ms.date: 11/18/2024 :::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false"::: -## Microsoft account +[!INCLUDE [microsoft-account](includes/microsoft-account.md)] -Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android. +[!INCLUDE [find-my-device](includes/find-my-device.md)] -You can even go passwordless with your Microsoft account by removing the password from your MSA: +[!INCLUDE [onedrive-for-personal](includes/onedrive-for-personal.md)] -- Use Windows Hello to eliminate the password sign-in method for an even more secure experience -- Use the Microsoft Authenticator app on your Android or iOS device - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [What is a Microsoft account?][LINK-1] -- [Go passwordless with your Microsoft account][LINK-5] - -## Find my device - -When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [How to set up, find, and lock a lost Windows device using a Microsoft account][LINK-2] - -## OneDrive for personal - -Microsoft OneDrive for personal[\[10\]](conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. 
Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that: - -- If a device is lost or stolen, users can quickly recover all their important files from the cloud -- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Get started with OneDrive][LINK-6] -- [How to recover from a ransomware attack using Microsoft 365][LINK-7] -- [How to restore from OneDrive][LINK-3] - -## Personal Vault - -Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices. - -Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Protect your OneDrive files in Personal Vault][LINK-4] - - - -[LINK-1]: https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa -[LINK-2]: https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316 -[LINK-3]: https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15 -[LINK-4]: https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4 -[LINK-5]: https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856 -[LINK-6]: https://support.microsoft.com/onedrive -[LINK-7]: /microsoft-365/security/office-365-security/recover-from-ransomware +[!INCLUDE [personal-vault](includes/personal-vault.md)] 
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 033200a8f1..d29800ce98 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -9,374 +9,28 @@ ms.date: 11/04/2024
 :::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
+[!INCLUDE [microsoft-entra-id](includes/microsoft-entra-id.md)]
-Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+[!INCLUDE [azure-attestation-service](includes/azure-attestation-service.md)]
-Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
+[!INCLUDE [microsoft-defender-for-endpoint](includes/microsoft-defender-for-endpoint.md)]
-:::row:::
- :::column:::
- For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
- :::column-end:::
- :::column:::
-:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." 
border="false" lightbox="images/device-registration.png"::: - :::column-end::: -:::row-end::: +[!INCLUDE [cloud-native-device-management](includes/cloud-native-device-management.md)] -To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management. +[!INCLUDE [microsoft-intune](includes/microsoft-intune.md)] -Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant. +[!INCLUDE [security-baselines](includes/security-baselines.md)] -:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false"::: +[!INCLUDE [windows-laps](includes/windows-laps.md)] -When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](conclusion.md#footnote4), it receives the following security benefits: +[!INCLUDE [windows-autopilot](includes/windows-autopilot.md)] -- Default managed user and device settings and policies -- Single sign-in to all Microsoft Online Services -- Full suite of authentication management capabilities using Windows Hello for Business -- Single sign-on (SSO) to enterprise and SaaS applications -- No use of consumer Microsoft account identity +[!INCLUDE [windows-update-for-business](includes/windows-update-for-business.md)] -Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. 
In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication. +[!INCLUDE [windows-autopatch](includes/windows-autopatch.md)] -In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions. +[!INCLUDE [windows-hotpatch](includes/windows-hotpatch.md)] -Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. +[!INCLUDE [onedrive-for-work-or-school](includes/onedrive-for-work-or-school.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra ID documentation][LINK-1] -- [Microsoft Entra plans and pricing][LINK-2] - -### Microsoft Entra Private Access - -Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Private Access][LINK-4] - -### Microsoft Entra Internet Access - -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. - -> [!NOTE] -> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Internet Access][LINK-3] -- [Global Secure Access client for Windows][LINK-6] -- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5] - -### Enterprise State Roaming - -Available to any organization with a Microsoft Entra ID Premium[\[4\]](conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enterprise State Roaming in Microsoft Entra ID][LINK-7] - -## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service - -Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access. 
- -**Attestation policies are configured in the Azure Attestation service which can then:** - -- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log -- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM -- Verify that security features are in the expected states - -Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Azure Attestation overview][LINK-8] - -## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint - -Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. 
- -Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: - -- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint -- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks. -- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](conclusion.md#footnote4), and online assets -- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats -- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. 
In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing -detailed investigation outcomes - -Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other -platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) -- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) - -## Cloud-native device management - -Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client. 
- -Windows 11 built-in management features include: - -- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server -- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Mobile device management overview][LINK-9] - -### Remote wipe - -When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user. - -Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations: - -- Reset the device and remove user accounts and data -- Reset the device and clean the drive -- Reset the device but persist user accounts and data - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Remote wipe CSP][LINK-10] - -## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune - -Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. - -Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. - -Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](conclusion.md#footnote11). 
For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. - -Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. - -Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [What is Microsoft Intune][LINK-12] - -### Windows enrollment attestation - -When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies. - -With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows enrollment attestation][LINK-13] - -### Microsoft Cloud PKI - -Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. 
It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. - -Key features include: - -- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune -- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices -- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client -- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting - -With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) - -### Endpoint Privilege Management (EPM) - -Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Endpoint Privilege Management][LINK-14] - -### Mobile application management (MAM) - -With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. 
This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Data protection for Windows MAM][LINK-15] - -## Security baselines - -Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Security baselines][LINK-11] - -### Security baseline for cloud-based device management solutions - -Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools. 
- -The security baseline includes policies for: - -- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall -- Restricting remote access to devices -- Setting credential requirements for passwords and PINs -- Restricting the use of legacy technology - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Intune security baseline overview][LINK-16] -- [List of the settings in the Windows security baseline in Intune][LINK-17] - -## Windows Local Administrator Password Solution (LAPS) - -Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks. - -Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4). - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows LAPS overview][LINK-18] - -## Windows Autopilot - -Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple. - -With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings. - -Windows Autopilot enables you to: - -- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join -- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration) -- Create and autoassignment of devices to configuration groups based on a device's profile -- Customize of the out-of-box experience (OOBE) content specific to your organization - -Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopilot][LINK-19] -- [Windows Autopilot Reset][LINK-20] - -## Windows Update for Business - -Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality. - -Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization. - -This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Update for Business documentation][LINK-21] - -## Windows Autopatch - -Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks. 
- -There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) -- [Windows updates API overview](/graph/windowsupdates-concept-overview) -- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) -- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch) - -## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch - -Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices. - -By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) - -## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school - -OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. - -When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. - -Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS. - -There are several ways that OneDrive for work or school is protected at rest: - -- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security). -- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations -- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. 
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities -- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) - -## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print - -Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. - -Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. - -Universal Print supports Zero Trust security by requiring that: - -- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](conclusion.md#footnote4). 
A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service -- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data -- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data -- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication -- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant -- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached - -Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices. - -Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products. 
- -More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24]. - -The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25]. - -Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit. - -For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Universal Print][LINK-26] -- [Data handling in Universal Print][LINK-27] -- [Delegate Printer Administration with Administrative Units][LINK-28] -- [Print support app design guide][LINK-29] - - - -[LINK-1]: /entra -[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing -[LINK-3]: /entra/global-secure-access/concept-internet-access -[LINK-4]: /entra/global-secure-access/concept-private-access -[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access -[LINK-6]: /entra/global-secure-access/how-to-install-windows-client -[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable -[LINK-8]: /azure/attestation/overview -[LINK-9]: /windows/client-management/mdm-overview -[LINK-10]: /windows/client-management/mdm/remotewipe-csp -[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines -[LINK-12]: /mem/intune/fundamentals/what-is-intune -[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation -[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3 -[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3 -[LINK-16]: /mem/intune/protect/security-baselines -[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all -[LINK-18]: /windows-server/identity/laps/laps-overview -[LINK-19]: /autopilot/overview -[LINK-20]: /mem/autopilot/windows-autopilot-reset -[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb -[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw -[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations -[LINK-24]: /microsoft-365/enterprise/m365-dr-overview -[LINK-25]: /universal-print/fundamentals/universal-print-qrcode -[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print -[LINK-27]: /universal-print/data-handling -[LINK-28]: /universal-print/portal/delegated-admin -[LINK-29]: 
/windows-hardware/drivers/devapps/print-support-app-design-guide +[!INCLUDE [universal-print](includes/universal-print.md)] diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index 1b2345a22b..e7b5572e7f 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
@@ -9,39 +9,6 @@ ms.date: 11/18/2024 :::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false"::: -## Trusted Platform Module (TPM) +[!INCLUDE [trusted-platform-module](includes/trusted-platform-module.md)] -Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows 11 TPM specifications][LINK-1] -- [Enable TPM 2.0 on your PC][LINK-2] -- [Trusted Platform Module Technology Overview][LINK-3] - -## Microsoft Pluton security processor - -The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. 
Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path. - -Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update. - -As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution. - -Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. 
Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. - -Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats. - -Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem . - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4] -- [Microsoft Pluton security processor][LINK-5] - - - -[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications -[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c -[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview -[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/ -[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor +[!INCLUDE [microsoft-pluton-security-processor](includes/microsoft-pluton-security-processor.md)] \ No newline at end of file 
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index da7cf92de1..09f47b09a5 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -11,104 +11,8 @@ ms.date: 11/18/2024 In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more. -## Secured kernel +[!INCLUDE [secured-kernel](includes/secured-kernel.md)] -To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices. +[!INCLUDE [kernel-direct-memory-access-protection](includes/kernel-direct-memory-access-protection.md)] -### Virtualization-based security (VBS) - -:::row::: - :::column::: - Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel. - :::column-end::: - :::column::: -:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." 
lightbox="images/vbs-diagram.png" border="false"::: - :::column-end::: -:::row-end::: - -Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Virtualization-based security (VBS)][LINK-1] - -### Hypervisor-protected code integrity (HVCI) - -Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. - -With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enable virtualization-based protection of code integrity][LINK-2] - -### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT) - -Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures. - -### Hardware-enforced stack protection - -Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. - -Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Understanding Hardware-enforced Stack Protection][LINK-3] -- [Developer Guidance for hardware-enforced stack protection][LINK-4] - -## Kernel direct memory access (DMA) protection - -Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Kernel direct memory access (DMA) protection][LINK-5] - -## Secured-core PC and Edge Secured-Core - -The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. 
For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows. - -Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection. - -Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. 
In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM). - -Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements. - -### Dynamic Root of Trust for Measurement (DRTM) - -In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface. - -System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. 
The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation. - -:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [System Guard Secure Launch][LINK-6] -- [Firmware Attack Surface Reduction][LINK-7] -- [Windows 11 secured-core PCs][LINK-8] -- [Edge Secured-Core][LINK-9] - -### Configuration lock - -In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution. - -Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Secured-core PC configuration lock][LINK-10] - - - -[LINK-1]: /windows-hardware/design/device-experiences/oem-vbs -[LINK-2]: /windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity -[LINK-3]: https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815 -[LINK-4]: https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340 -[LINK-5]: /windows/security/hardware-security/kernel-dma-protection-for-thunderbolt -[LINK-6]: /windows/security/hardware-security/system-guard-secure-launch-and-smm-protection -[LINK-7]: /windows-hardware/drivers/bringup/firmware-attack-surface-reduction -[LINK-8]: /windows-hardware/design/device-experiences/oem-highly-secure-11 -[LINK-9]: /en-us/azure/certification/overview -[LINK-10]: /windows/client-management/mdm/config-lock +[!INCLUDE [secured-core-pc-and-edge-secured-core](includes/secured-core-pc-and-edge-secured-core.md)] diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 0e35e41bc8..0a7d8cad1f 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md 
@@ -11,109 +11,16 @@ ms.date: 11/18/2024 In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard. -## Local Security Authority (LSA) protection +[!INCLUDE [local-security-authority-protection](includes/local-security-authority-protection.md)] -Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account. +[!INCLUDE [credential-guard](includes/credential-guard.md)] -By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions. +[!INCLUDE [remote-credential-guard](includes/remote-credential-guard.md)] -[!INCLUDE [new-24h2](includes/new-24h2.md)] +[!INCLUDE [vbs-key-protection](includes/vbs-key-protection.md)] -To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days. +[!INCLUDE [token-protection](includes/token-protection.md)] -Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**. +[!INCLUDE [account-lockout-policies](includes/account-lockout-policies.md)] -To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Configuring additional LSA protection][LINK-2] - -## Credential Guard - -:::row::: - :::column::: - Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. - -By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. - :::column-end::: - :::column::: -:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="images/credential-guard-architecture.png" border="false"::: - :::column-end::: -:::row-end::: - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Protect derived domain credentials with Credential Guard][LINK-3] - -## Remote Credential Guard - -Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. - -Administrator credentials are highly privileged and must be protected. 
When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Remote Credential Guard][LINK-4] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection - -VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Advancing key protection in Windows using VBS][LINK-8] - -## Token protection (preview) - -Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Token protection in Entra ID Conditional Access][LINK-5] - -### Sign-in session token protection policy - -This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen. - -## Account lockout policies - -New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP). - -The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Account lockout policy][LINK-6] - -## Access management and control - -Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions. - -Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. 
Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. - -IT administrators can refine the application and management of access to: - -- Protect a greater number and variety of network resources from misuse -- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs -- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change -- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones -- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Access control][LINK-7] - - - -[LINK-2]: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection -[LINK-3]: /windows/security/identity-protection/credential-guard -[LINK-4]: /windows/security/identity-protection/remote-credential-guard -[LINK-5]: /azure/active-directory/conditional-access/concept-token-protection -[LINK-6]: /windows/security/threat-protection/security-policy-settings/account-lockout-policy -[LINK-7]: /windows/security/identity-protection/access-control/access-control -[LINK-8]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988 \ No newline at end of file +[!INCLUDE [access-management-and-control](includes/access-management-and-control.md)] 
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index 5187c49058..8c8b1efb2f 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md 
@@ -11,233 +11,22 @@ ms.date: 11/18/2024
 Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services.
-## Windows Hello
+[!INCLUDE [windows-hello](includes/windows-hello.md)]
-Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+[!INCLUDE [windows-presence-sensing](includes/windows-presence-sensing.md)]
-Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+[!INCLUDE [windows-hello-for-business](includes/windows-hello-for-business.md)]
-The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
+[!INCLUDE [enhanced-sign-in-security](includes/enhanced-sign-in-security.md)]
-Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device.
Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
+[!INCLUDE [fido2](includes/fido2.md)]
-PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+[!INCLUDE [microsoft-authenticator](includes/microsoft-authenticator.md)]
-Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
+[!INCLUDE [web-sign-in](includes/web-sign-in.md)]
-[!INCLUDE [learn-more](includes/learn-more.md)]
+[!INCLUDE [federated-sign-in](includes/federated-sign-in.md)]
-- [Configure Windows Hello][LINK-1]
+[!INCLUDE [smart-cards](includes/smart-cards.md)]
-### Windows Hello PIN
-
-The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
-
-The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
-
-[!INCLUDE [new-24h2](includes/new-24h2.md)]
-
-If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks.
Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.
-
-### Windows Hello biometric
-
-Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in.
-
-Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.
-
-If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows Hello biometric requirements][LINK-4]
-
-## Windows presence sensing
-
-Windows presence sensing[\[9\]](conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
-
-Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors.
It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
-
-Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
-
-Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Presence sensing][LINK-7]
-- [Manage presence sensing settings in Windows 11][LINK-8]
-
-## Windows Hello for Business
-
-Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
-
-After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.
-
-Provisioning methods include:
-
-- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
-- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
-- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app
-
-Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.
-
-There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows Hello for Business overview][LINK-2]
-- [Enable passkeys (FIDO2) for your organization][LINK-9]
-
-### PIN reset
-
-The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4).
-
-Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [PIN reset][LINK-15]
-
-### Multi-factor unlock
-
-For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in.
Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
-
-Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Multi-factor unlock][LINK-6]
-
-### Windows passwordless experience
-
-**Windows Hello for Business now support a fully passwordless experience.**
-
-IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
-
-Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows passwordless experience][LINK-3]
-
-## Enhanced Sign-in Security (ESS)
-
-Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
-
-Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
-
-These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.
-
-Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows Hello Enhanced Sign-in Security][LINK-5]
-
-## FIDO2
-
-The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
-
-Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution.
As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
-
-### Passkeys
-
-Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
-
-A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in.
-
-Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
-
-:::row:::
- :::column span="2":::
-[!INCLUDE [coming-soon](includes/coming-soon.md)]
-
-The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
- :::column-end:::
- :::column span="2":::
-:::image type="content" border="false" source="images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers."
lightbox="images/passkey-save-3p.png":::
- :::column-end:::
-:::row-end:::
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Support for passkeys in Windows][LINK-10]
-- [Enable passkeys (FIDO2) for your organization][LINK-9]
-
-## Microsoft Authenticator
-
-The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
-
-Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.
-
-Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
-
-Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11]
-
-## Web sign-in
-
-With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP).
Web sign in also enables federated sign in with a SAML-P identity provider.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Web sign-in for Windows][LINK-13]
-
-## Federated sign-in
-
-Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Configure federated sign-in for Windows devices][LINK-14]
-
-## Smart cards
-
-Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.
-
-Smart cards provide:
-
-- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
-- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
-- Portability of credentials and other private information between computers at work, home, or on the road
-
-Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
-
-When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
-
-Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows.
Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Smart Card technical reference][LINK-12]
-
-## Enhanced phishing protection in Microsoft Defender SmartScreen
-
-As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
-
-We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16]
-
-
-
-[LINK-1]: https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0
-[LINK-2]: /windows/security/identity-protection/hello-for-business
-[LINK-3]: /windows/security/identity-protection/passwordless-experience
-[LINK-4]: /windows-hardware/design/device-experiences/windows-hello-biometric-requirements
-[LINK-5]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
-[LINK-6]: /windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
-[LINK-7]: /windows-hardware/design/device-experiences/sensors-presence-sensing
-[LINK-8]: https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb
-[LINK-9]: /entra/identity/authentication/how-to-enable-passkey-fido2
-[LINK-10]: /windows/security/identity-protection/passkeys
-[LINK-11]: /entra/identity/authentication/concept-authentication-authenticator-app
-[LINK-12]: /windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference
-[LINK-13]: /windows/security/identity-protection/web-sign-in
-[LINK-14]: /education/windows/federated-sign-in
-[LINK-15]: /windows/security/identity-protection/hello-for-business/pin-reset
-[LINK-16]: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
+[!INCLUDE [enhanced-phishing-protection-in-microsoft-defender-smartscreen](includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md)]
diff --git a/windows/security/book/includes/5g-and-esim.md b/windows/security/book/includes/5g-and-esim.md
new file mode 100644
index 0000000000..5fd47718b9
--- /dev/null
+++ b/windows/security/book/includes/5g-and-esim.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## 5G and eSIM
+
+5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
diff --git a/windows/security/book/includes/access-management-and-control.md b/windows/security/book/includes/access-management-and-control.md
new file mode 100644
index 0000000000..9558f332b2
--- /dev/null
+++ b/windows/security/book/includes/access-management-and-control.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Access management and control
+
+Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions.
+
+Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
+
+IT administrators can refine the application and management of access to:
+
+- Protect a greater number and variety of network resources from misuse
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
+- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
+- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Access control](/windows/security/identity-protection/access-control/access-control)
diff --git a/windows/security/book/includes/account-lockout-policies.md b/windows/security/book/includes/account-lockout-policies.md
new file mode 100644
index 0000000000..1ba4ef6d8b
--- /dev/null
+++ b/windows/security/book/includes/account-lockout-policies.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Account lockout policies
+
+New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
+
+The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md
index e993800f31..94e0654680 100644
--- a/windows/security/book/includes/administrator-protection.md
+++ b/windows/security/book/includes/administrator-protection.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 12/11/2024
 ms.topic: include
-ms.service: windows-client
 ---
 ## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection
diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md
index 32e39cdd35..805fc850e7 100644
--- a/windows/security/book/includes/app-containers.md
+++ b/windows/security/book/includes/app-containers.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 12/11/2024
 ms.topic: include
-ms.service: windows-client
 ---
 ## App containers
diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md
index c6b63cb102..7f07d0c010 100644
--- a/windows/security/book/includes/app-control-for-business.md
+++ b/windows/security/book/includes/app-control-for-business.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 12/11/2024
 ms.topic: include
-ms.service: windows-client
 ---
 ## App Control for Business
diff --git a/windows/security/book/includes/attack-surface-reduction-rules.md b/windows/security/book/includes/attack-surface-reduction-rules.md
new file mode 100644
index 0000000000..b5afd2b419
--- /dev/null
+++ b/windows/security/book/includes/attack-surface-reduction-rules.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Attack surface reduction rules
+
+Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
+
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
+
+For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
diff --git a/windows/security/book/includes/azure-attestation-service.md b/windows/security/book/includes/azure-attestation-service.md
new file mode 100644
index 0000000000..a25cd36b5e
--- /dev/null
+++ b/windows/security/book/includes/azure-attestation-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/azure-attestation.svg" border="false"::: Azure Attestation service
+
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](../conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) Conditional Access.
+
+**Attestation policies are configured in the Azure Attestation service which can then:**
+
+- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
+- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
+- Verify that security features are in the expected states
+
+Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Azure Attestation overview](/azure/attestation/overview)
diff --git a/windows/security/book/includes/bitlocker.md b/windows/security/book/includes/bitlocker.md
new file mode 100644
index 0000000000..1a4fe7f87e
--- /dev/null
+++ b/windows/security/book/includes/bitlocker.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## BitLocker
+
+BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](../conclusion.md#footnote4).
+
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](../conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [BitLocker overview](/windows/security/operating-system-security/data-protection/bitlocker/index)
+
+### BitLocker To Go
+
+BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [BitLocker FAQ](/windows/security/operating-system-security/data-protection/bitlocker/faq)
diff --git a/windows/security/book/includes/bluetooth-protection.md b/windows/security/book/includes/bluetooth-protection.md
new file mode 100644
index 0000000000..6ee4c77147
--- /dev/null
+++ b/windows/security/book/includes/bluetooth-protection.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Bluetooth protection
+
+The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
+
+IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-bluetooth)
diff --git a/windows/security/book/includes/certificates.md b/windows/security/book/includes/certificates.md
new file mode 100644
index 0000000000..baeffee1ce
--- /dev/null
+++ b/windows/security/book/includes/certificates.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Certificates
+
+To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
diff --git a/windows/security/book/includes/cloud-native-device-management.md b/windows/security/book/includes/cloud-native-device-management.md
new file mode 100644
index 0000000000..9a41462bfa
--- /dev/null
+++ b/windows/security/book/includes/cloud-native-device-management.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Cloud-native device management
+
+Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
+
+Windows 11 built-in management features include:
+
+- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Mobile device management overview](/windows/client-management/mdm-overview)
+
+### Remote wipe
+
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
+
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
+
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp)
diff --git a/windows/security/book/includes/code-signing-and-integrity.md b/windows/security/book/includes/code-signing-and-integrity.md
new file mode 100644
index 0000000000..addb51e857
--- /dev/null
+++ b/windows/security/book/includes/code-signing-and-integrity.md
@@ -0,0 +1,12 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Code signing and integrity
+
+To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
+
+The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)](/windows-hardware/design/compatibility/). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
diff --git a/windows/security/book/includes/coming-soon.md b/windows/security/book/includes/coming-soon.md
index 4122be1932..7a334c6765 100644
--- a/windows/security/book/includes/coming-soon.md
+++ b/windows/security/book/includes/coming-soon.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 11/18/2024
 ms.topic: include
-ms.service: windows-client
 ---
 
 :::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon[\[7\]](..\conclusion.md#footnote7)**
diff --git a/windows/security/book/includes/common-criteria.md b/windows/security/book/includes/common-criteria.md
new file mode 100644
index 0000000000..ce3d43a27b
--- /dev/null
+++ b/windows/security/book/includes/common-criteria.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Common Criteria (CC)
+
+Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements.
+
+Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/windows/security/book/includes/config-refresh.md b/windows/security/book/includes/config-refresh.md
new file mode 100644
index 0000000000..0840ffa1ed
--- /dev/null
+++ b/windows/security/book/includes/config-refresh.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Config Refresh
+
+With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
+
+By contrast, with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
+
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
+
+Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Config Refresh](https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921)
diff --git a/windows/security/book/includes/controlled-folder-access.md b/windows/security/book/includes/controlled-folder-access.md
new file mode 100644
index 0000000000..ff63f852ba
--- /dev/null
+++ b/windows/security/book/includes/controlled-folder-access.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Controlled folder access
+
+You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
+
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
+
+Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Controlled folder access](/defender-endpoint/controlled-folders)
diff --git a/windows/security/book/includes/credential-guard.md b/windows/security/book/includes/credential-guard.md
new file mode 100644
index 0000000000..585a959e83
--- /dev/null
+++ b/windows/security/book/includes/credential-guard.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Credential Guard
+
+:::row:::
+ :::column:::
+ Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="../images/credential-guard-architecture.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard)
diff --git a/windows/security/book/includes/cryptography.md b/windows/security/book/includes/cryptography.md
new file mode 100644
index 0000000000..afcd245f7d
--- /dev/null
+++ b/windows/security/book/includes/cryptography.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Cryptography
+
+Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- FIPS 140 validation
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521
+- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, and PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF)
+
+Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- Cryptography and certificate management
+
+Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
+
+SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information
+exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers.
diff --git a/windows/security/book/includes/device-encryption.md b/windows/security/book/includes/device-encryption.md
new file mode 100644
index 0000000000..90c1598aca
--- /dev/null
+++ b/windows/security/book/includes/device-encryption.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Device encryption
+
+Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
+
+Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Device encryption](/windows/security/operating-system-security/data-protection/bitlocker#device-encryption)
diff --git a/windows/security/book/includes/device-health-attestation.md b/windows/security/book/includes/device-health-attestation.md
new file mode 100644
index 0000000000..f2e29c7df4
--- /dev/null
+++ b/windows/security/book/includes/device-health-attestation.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Device Health Attestation
+
+The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) for conditional access.
+
+Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
+
+A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
+
+- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
+- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service
+- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
+- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Control the health of Windows devices](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
diff --git a/windows/security/book/includes/domain-name-system-security.md b/windows/security/book/includes/domain-name-system-security.md
new file mode 100644
index 0000000000..aab79775f9
--- /dev/null
+++ b/windows/security/book/includes/domain-name-system-security.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Domain Name System (DNS) security
+
+In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
+name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
+model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
+
+Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
+
+Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
diff --git a/windows/security/book/includes/email-encryption.md b/windows/security/book/includes/email-encryption.md
new file mode 100644
index 0000000000..911c19fb82
--- /dev/null
+++ b/windows/security/book/includes/email-encryption.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Email encryption
+
+Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](../conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
+
+The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
+
+When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
+- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
+- [Email encryption](/purview/email-encryption)
diff --git a/windows/security/book/includes/encrypted-hard-drive.md b/windows/security/book/includes/encrypted-hard-drive.md
new file mode 100644
index 0000000000..03fbd3f9c4
--- /dev/null
+++ b/windows/security/book/includes/encrypted-hard-drive.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Encrypted hard drive
+
+Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives.
+
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
+
+Encrypted hard drives enable:
+
+- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
+- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
+- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive
+- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)
diff --git a/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..28cd032482
--- /dev/null
+++ b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Enhanced phishing protection in Microsoft Defender SmartScreen
+
+As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
+
+We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
diff --git a/windows/security/book/includes/enhanced-sign-in-security.md b/windows/security/book/includes/enhanced-sign-in-security.md
new file mode 100644
index 0000000000..09b15d70c5
--- /dev/null
+++ b/windows/security/book/includes/enhanced-sign-in-security.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Enhanced Sign-in Security (ESS)
+
+Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+
+Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+
+These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.
+
+Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
diff --git a/windows/security/book/includes/exploit-protection.md b/windows/security/book/includes/exploit-protection.md
new file mode 100644
index 0000000000..aa573e5c43
--- /dev/null
+++ b/windows/security/book/includes/exploit-protection.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Exploit Protection
+
+Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously.
+
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
+
+You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
+
+Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection)
diff --git a/windows/security/book/includes/federal-information-processing-standard.md b/windows/security/book/includes/federal-information-processing-standard.md
new file mode 100644
index 0000000000..3968fa8c02
--- /dev/null
+++ b/windows/security/book/includes/federal-information-processing-standard.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Federal Information Processing Standard (FIPS)
+
+The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows FIPS 140 validation](/windows/security/security-foundations/certification/fips-140-validation)
diff --git a/windows/security/book/includes/federated-sign-in.md b/windows/security/book/includes/federated-sign-in.md
new file mode 100644
index 0000000000..51165aa8a2
--- /dev/null
+++ b/windows/security/book/includes/federated-sign-in.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Federated sign-in
+
+Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
diff --git a/windows/security/book/includes/fido2.md b/windows/security/book/includes/fido2.md
new file mode 100644
index 0000000000..24498aad60
--- /dev/null
+++ b/windows/security/book/includes/fido2.md
@@ -0,0 +1,36 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## FIDO2
+
+The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+
+Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+
+### Passkeys
+
+Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+
+A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in.
+
+Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
+
+:::row:::
+ :::column span="2":::
+[!INCLUDE [coming-soon](coming-soon.md)]
+
+The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" border="false" source="../images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." lightbox="../images/passkey-save-3p.png":::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Support for passkeys in Windows](/windows/security/identity-protection/passkeys)
+- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2)
diff --git a/windows/security/book/includes/find-my-device.md b/windows/security/book/includes/find-my-device.md
new file mode 100644
index 0000000000..a39d698fa9
--- /dev/null
+++ b/windows/security/book/includes/find-my-device.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Find my device
+
+When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [How to set up, find, and lock a lost Windows device using a Microsoft account](https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316)
\ No newline at end of file
diff --git a/windows/security/book/includes/kernel-direct-memory-access-protection.md b/windows/security/book/includes/kernel-direct-memory-access-protection.md
new file mode 100644
index 0000000000..de343c3873
--- /dev/null
+++ b/windows/security/book/includes/kernel-direct-memory-access-protection.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Kernel direct memory access (DMA) protection
+
+Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Kernel direct memory access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
diff --git a/windows/security/book/includes/kiosk-mode.md b/windows/security/book/includes/kiosk-mode.md
new file mode 100644
index 0000000000..cfd97b6215
--- /dev/null
+++ b/windows/security/book/includes/kiosk-mode.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Kiosk mode
+
+:::row:::
+ :::column span="2":::
+ Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](../conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="../images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="../images/kiosk.png" :::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md
index 7ed46da843..22dcad82dc 100644
--- a/windows/security/book/includes/learn-more.md
+++ b/windows/security/book/includes/learn-more.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 11/18/2024
 ms.topic: include
-ms.service: windows-client
 ---
 
 :::image type="icon" source="../images/information.svg" border="false"::: **Learn more**
diff --git a/windows/security/book/includes/local-security-authority-protection.md b/windows/security/book/includes/local-security-authority-protection.md
new file mode 100644
index 0000000000..9e924356bb
--- /dev/null
+++ b/windows/security/book/includes/local-security-authority-protection.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Local Security Authority (LSA) protection
+
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
+
+By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it's enabled immediately. For upgrades, it's enabled after rebooting after an evaluation period of five days.
+
+Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
+
+To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-account.md b/windows/security/book/includes/microsoft-account.md
new file mode 100644
index 0000000000..3d91117714
--- /dev/null
+++ b/windows/security/book/includes/microsoft-account.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft account
+
+Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android.
+
+You can even go passwordless with your Microsoft account by removing the password from your MSA:
+
+- Use Windows Hello to eliminate the password sign-in method for an even more secure experience
+- Use the Microsoft Authenticator app on your Android or iOS device
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is a Microsoft account?](https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
+- [Go passwordless with your Microsoft account](https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-authenticator.md b/windows/security/book/includes/microsoft-authenticator.md
new file mode 100644
index 0000000000..3343772fe9
--- /dev/null
+++ b/windows/security/book/includes/microsoft-authenticator.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Authenticator
+
+The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
+
+Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.
+
+Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
+
+Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app](/entra/identity/authentication/concept-authentication-authenticator-app)
diff --git a/windows/security/book/includes/microsoft-defender-antivirus.md b/windows/security/book/includes/microsoft-defender-antivirus.md
new file mode 100644
index 0000000000..838e3f57c6
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-antivirus.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on.
+
+Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware.
+
+Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work.
+
+:::image type="content" source="../images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows)
diff --git a/windows/security/book/includes/microsoft-defender-for-endpoint.md b/windows/security/book/includes/microsoft-defender-for-endpoint.md
new file mode 100644
index 0000000000..53de82c725
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-for-endpoint.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
+
+Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
+
+Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](../conclusion.md#footnote4), and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
+
+Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender)
diff --git a/windows/security/book/includes/microsoft-defender-smartscreen.md b/windows/security/book/includes/microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..a0de2dec1e
--- /dev/null
+++ b/windows/security/book/includes/microsoft-defender-smartscreen.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Defender SmartScreen
+
+Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
+
+SmartScreen determines whether a site is potentially malicious by:
+
+- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious
+
+SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
+- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
+
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](../conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+
+Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)
\ No newline at end of file
diff --git a/windows/security/book/includes/microsoft-entra-id.md b/windows/security/book/includes/microsoft-entra-id.md
new file mode 100644
index 0000000000..a3be65569d
--- /dev/null
+++ b/windows/security/book/includes/microsoft-entra-id.md
@@ -0,0 +1,83 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
+
+Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+
+Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
+
+:::row:::
+ :::column:::
+ For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="../images/device-registration.png":::
+ :::column-end:::
+:::row-end:::
+
+To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+
+Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
+
+:::image type="content" source="../images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
+
+When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](../conclusion.md#footnote4), it receives the following security benefits:
+
+- Default managed user and device settings and policies
+- Single sign-in to all Microsoft Online Services
+- Full suite of authentication management capabilities using Windows Hello for Business
+- Single sign-on (SSO) to enterprise and SaaS applications
+- No use of consumer Microsoft account identity
+
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+
+In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
+
+Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra ID documentation][LINK-1]
+- [Microsoft Entra plans and pricing][LINK-2]
+
+### Microsoft Entra Private Access
+
+Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra Private Access][LINK-4]
+
+### Microsoft Entra Internet Access
+
+Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
+
+> [!NOTE]
+> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Entra Internet Access][LINK-3]
+- [Global Secure Access client for Windows][LINK-6]
+- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5]
+
+### Enterprise State Roaming
+
+Available to any organization with a Microsoft Entra ID Premium[\[4\]](../conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
+
+[LINK-1]: /entra
+[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing
+[LINK-3]: /entra/global-secure-access/concept-internet-access
+[LINK-4]: /entra/global-secure-access/concept-private-access
+[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access
+[LINK-6]: /entra/global-secure-access/how-to-install-windows-client
+[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable
diff --git a/windows/security/book/includes/microsoft-intune.md b/windows/security/book/includes/microsoft-intune.md
new file mode 100644
index 0000000000..37580c57b1
--- /dev/null
+++ b/windows/security/book/includes/microsoft-intune.md
@@ -0,0 +1,65 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/microsoft-intune.svg" border="false"::: Microsoft Intune
+
+Microsoft Intune[\[4\]](../conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
+
+Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
+
+Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](../conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
+
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+
+Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
+
+### Windows enrollment attestation
+
+When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC.
However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
+
+With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
+
+### Microsoft Cloud PKI
+
+Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](../conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
+
+Key features include:
+
+- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune
+- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices
+- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods.
All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client
+- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting
+
+With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)
+
+### Endpoint Privilege Management (EPM)
+
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3)
+
+### Mobile application management (MAM)
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
diff --git a/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md
new file mode 100644
index 0000000000..75c37b8a7a
--- /dev/null
+++ b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Offensive Research and Security Engineering
+
+Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [MORSE security team takes proactive approach to finding bugs](https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering)
+- [MORSE Blog](https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team)
diff --git a/windows/security/book/includes/microsoft-pluton-security-processor.md b/windows/security/book/includes/microsoft-pluton-security-processor.md
new file mode 100644
index 0000000000..fe93c04335
--- /dev/null
+++ b/windows/security/book/includes/microsoft-pluton-security-processor.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Pluton security processor
+
+The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
+
+Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update.
+
+As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution.
+
+Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem.
Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
+
+Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.
+
+Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
+- [Microsoft Pluton security processor](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)
diff --git a/windows/security/book/includes/microsoft-privacy-dashboard.md b/windows/security/book/includes/microsoft-privacy-dashboard.md
new file mode 100644
index 0000000000..4046ba5fb2
--- /dev/null
+++ b/windows/security/book/includes/microsoft-privacy-dashboard.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Privacy Dashboard
+
+Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy)
+- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report)
diff --git a/windows/security/book/includes/microsoft-security-development-lifecycle.md b/windows/security/book/includes/microsoft-security-development-lifecycle.md
new file mode 100644
index 0000000000..687e9a1b80
--- /dev/null
+++ b/windows/security/book/includes/microsoft-security-development-lifecycle.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Microsoft Security Development Lifecycle (SDL)
+
+The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development.
diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
index 73ddeba96b..dd34d489ee 100644
--- a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
+++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 12/11/2024
 ms.topic: include
-ms.service: windows-client
 ---
 
 ## Microsoft vulnerable driver blocklist
diff --git a/windows/security/book/includes/network-protection.md b/windows/security/book/includes/network-protection.md
new file mode 100644
index 0000000000..ce1c9d0173
--- /dev/null
+++ b/windows/security/book/includes/network-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Network protection
+
+While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files.
+
+When using Network Protection with Microsoft Defender for Endpoint, you can use *Indicators of Compromise* to block specific URLs and/or ip addresses.
+Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Network Protection library](/defender-endpoint/network-protection)
+- [Web protection library](/defender-endpoint/web-protection-overview)
diff --git a/windows/security/book/includes/new-24h2.md b/windows/security/book/includes/new-24h2.md
index b90019f189..8d1dcba478 100644
--- a/windows/security/book/includes/new-24h2.md
+++ b/windows/security/book/includes/new-24h2.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.date: 11/18/2024
 ms.topic: include
-ms.service: windows-client
 ---
 
 :::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2**
diff --git a/windows/security/book/includes/onedrive-for-personal.md b/windows/security/book/includes/onedrive-for-personal.md
new file mode 100644
index 0000000000..912f163c57
--- /dev/null
+++ b/windows/security/book/includes/onedrive-for-personal.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## OneDrive for personal
+
+Microsoft OneDrive for personal[\[10\]](../conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
+
+- If a device is lost or stolen, users can quickly recover all their important files from the cloud
+- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Get started with OneDrive](https://support.microsoft.com/onedrive)
+- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
+- [How to restore from OneDrive](https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15)
\ No newline at end of file
diff --git a/windows/security/book/includes/onedrive-for-work-or-school.md b/windows/security/book/includes/onedrive-for-work-or-school.md
new file mode 100644
index 0000000000..77069d92a2
--- /dev/null
+++ b/windows/security/book/includes/onedrive-for-work-or-school.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/onedrive.svg" border="false"::: OneDrive for work or school
+
+OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
+
+When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
+
+Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
+
+There are several ways that OneDrive for work or school is protected at rest:
+
+- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
+- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
+- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations.
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
+- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
diff --git a/windows/security/book/includes/onefuzz-service.md b/windows/security/book/includes/onefuzz-service.md
new file mode 100644
index 0000000000..d8a11df8c5
--- /dev/null
+++ b/windows/security/book/includes/onefuzz-service.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## OneFuzz service
+
+A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released.
diff --git a/windows/security/book/includes/personal-data-encryption.md b/windows/security/book/includes/personal-data-encryption.md
new file mode 100644
index 0000000000..df921aa6a5
--- /dev/null
+++ b/windows/security/book/includes/personal-data-encryption.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Personal Data Encryption
+
+Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
+
+The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
+
+:::image type="content" source="../images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption)
diff --git a/windows/security/book/includes/personal-vault.md b/windows/security/book/includes/personal-vault.md
new file mode 100644
index 0000000000..2dde8778f3
--- /dev/null
+++ b/windows/security/book/includes/personal-vault.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Personal Vault
+
+Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices.
+
+Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Protect your OneDrive files in Personal Vault](https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4)
\ No newline at end of file
diff --git a/windows/security/book/includes/privacy-resource-usage.md b/windows/security/book/includes/privacy-resource-usage.md
new file mode 100644
index 0000000000..80e2023a9e
--- /dev/null
+++ b/windows/security/book/includes/privacy-resource-usage.md
@@ -0,0 +1,12 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Privacy resource usage
+
+Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
+
+This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired.
diff --git a/windows/security/book/includes/privacy-transparency-and-controls.md b/windows/security/book/includes/privacy-transparency-and-controls.md
new file mode 100644
index 0000000000..310dfda7b3
--- /dev/null
+++ b/windows/security/book/includes/privacy-transparency-and-controls.md
@@ -0,0 +1,10 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Privacy transparency and controls
+
+Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more.
diff --git a/windows/security/book/includes/remote-credential-guard.md b/windows/security/book/includes/remote-credential-guard.md
new file mode 100644
index 0000000000..1f3048a2bd
--- /dev/null
+++ b/windows/security/book/includes/remote-credential-guard.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Remote Credential Guard
+
+Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+
+Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)
diff --git a/windows/security/book/includes/rust-for-windows.md b/windows/security/book/includes/rust-for-windows.md
new file mode 100644
index 0000000000..85428c1b32
--- /dev/null
+++ b/windows/security/book/includes/rust-for-windows.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Rust for Windows
+
+Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
+We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Rust for Windows, and the windows crate](/windows/dev-environment/rust/rust-for-windows)
diff --git a/windows/security/book/includes/secure-future-initiative.md b/windows/security/book/includes/secure-future-initiative.md
new file mode 100644
index 0000000000..cb14affd1d
--- /dev/null
+++ b/windows/security/book/includes/secure-future-initiative.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secure Future Initiative (SFI)
+
+Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security.
+
+The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security.
+
+To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI.
+
+:::image type="content" source="../images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="../images/sfi.png" border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft Secure Future Initiative](https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/)
+- [September 2024 progress update on SFI](https://www.microsoft.com/trust-center/security/secure-future-initiative)
diff --git a/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md
new file mode 100644
index 0000000000..0255043353
--- /dev/null
+++ b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md
@@ -0,0 +1,41 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secured-core PC and Edge Secured-Core
+
+The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows.
+
+Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection.
+
+Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important.
To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+
+Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+
+### Dynamic Root of Trust for Measurement (DRTM)
+
+In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface.
+
+System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor.
SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
+
+:::image type="content" source="../images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="../images/secure-launch.png" border="false":::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection)
+- [Firmware Attack Surface Reduction](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction)
+- [Windows 11 secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- [Edge Secured-Core](/azure/certification/overview)
+
+### Configuration lock
+
+In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
+
+Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Secured-core PC configuration lock](/windows/client-management/mdm/config-lock)
diff --git a/windows/security/book/includes/secured-kernel.md b/windows/security/book/includes/secured-kernel.md
new file mode 100644
index 0000000000..e375041c7c
--- /dev/null
+++ b/windows/security/book/includes/secured-kernel.md
@@ -0,0 +1,52 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Secured kernel
+
+To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
+
+### Virtualization-based security (VBS)
+
+:::row:::
+ :::column:::
+ Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="../images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="../images/vbs-diagram.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
+
+### Hypervisor-protected code integrity (HVCI)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+
+With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
+
+### :::image type="icon" source="../images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
+
+Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
+
+### Hardware-enforced stack protection
+
+Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
+
+Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)
+- [Developer Guidance for hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340)
diff --git a/windows/security/book/includes/security-baselines.md b/windows/security/book/includes/security-baselines.md
new file mode 100644
index 0000000000..7b505a86c4
--- /dev/null
+++ b/windows/security/book/includes/security-baselines.md
@@ -0,0 +1,32 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Security baselines
+
+Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)
+
+### Security baseline for cloud-based device management solutions
+
+Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
+
+The security baseline includes policies for:
+
+- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting the use of legacy technology
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Intune security baseline overview](/mem/intune/protect/security-baselines)
+- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
diff --git a/windows/security/book/includes/server-message-block-file-services.md b/windows/security/book/includes/server-message-block-file-services.md
new file mode 100644
index 0000000000..c1786ce7d5
--- /dev/null
+++ b/windows/security/book/includes/server-message-block-file-services.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Server Message Block file services
+
+Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes.
+
+Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2](/windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes)
+- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md
index 9d3548d40f..b5ac53b02f 100644
--- a/windows/security/book/includes/smart-app-control.md
+++ b/windows/security/book/includes/smart-app-control.md
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## Smart App Control
diff --git a/windows/security/book/includes/smart-cards.md b/windows/security/book/includes/smart-cards.md
new file mode 100644
index 0000000000..99e1902345
--- /dev/null
+++ b/windows/security/book/includes/smart-cards.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Smart cards
+
+Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.
+
+Smart cards provide:
+
+- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
+- Portability of credentials and other private information between computers at work, home, or on the road
+
+Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
+
+When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
+
+Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
diff --git a/windows/security/book/includes/software-bill-of-materials.md b/windows/security/book/includes/software-bill-of-materials.md
new file mode 100644
index 0000000000..2313e00800
--- /dev/null
+++ b/windows/security/book/includes/software-bill-of-materials.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Software bill of materials (SBOM)
+
+In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards.
+
+The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain.
+
+By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [SBOM tool](https://github.com/microsoft/sbom-tool)
+- [Code Sign Tool](https://github.com/microsoft/CoseSignTool)
diff --git a/windows/security/book/includes/tamper-protection.md b/windows/security/book/includes/tamper-protection.md
new file mode 100644
index 0000000000..86c6148c0b
--- /dev/null
+++ b/windows/security/book/includes/tamper-protection.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Tamper protection
+
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
+With tamper protection, malware is prevented from taking actions such as:
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+- Disabling automatic actions on detected threats
+- Disabling archived files
+- Altering exclusions
+- Disabling notifications in the Windows Security app
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
diff --git a/windows/security/book/includes/token-protection.md b/windows/security/book/includes/token-protection.md
new file mode 100644
index 0000000000..17d3df3d13
--- /dev/null
+++ b/windows/security/book/includes/token-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Token protection (preview)
+
+Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](../conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
+
+### Sign-in session token protection policy
+
+This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
diff --git a/windows/security/book/includes/transport-layer-security.md b/windows/security/book/includes/transport-layer-security.md
new file mode 100644
index 0000000000..765bf1db96
--- /dev/null
+++ b/windows/security/book/includes/transport-layer-security.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Transport Layer Security (TLS)
+
+Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
+- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947)
diff --git a/windows/security/book/includes/trusted-boot.md b/windows/security/book/includes/trusted-boot.md
new file mode 100644
index 0000000000..275e3da5b3
--- /dev/null
+++ b/windows/security/book/includes/trusted-boot.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Trusted Boot (Secure Boot + Measured Boot)
+
+Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process.
+
+Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy.
+
+Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Secure the Windows boot process](/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process)
+- [Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)
diff --git a/windows/security/book/includes/trusted-platform-module.md b/windows/security/book/includes/trusted-platform-module.md
new file mode 100644
index 0000000000..54688ee765
--- /dev/null
+++ b/windows/security/book/includes/trusted-platform-module.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Trusted Platform Module (TPM)
+
+Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
+- [Enable TPM 2.0 on your PC](https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
+- [Trusted Platform Module Technology Overview](/windows/security/hardware-security/tpm/trusted-platform-module-overview)
diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md
index 123195a9cc..3d0d8437ed 100644
--- a/windows/security/book/includes/trusted-signing.md
+++ b/windows/security/book/includes/trusted-signing.md
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing
diff --git a/windows/security/book/includes/universal-print.md b/windows/security/book/includes/universal-print.md
new file mode 100644
index 0000000000..e7c33679f1
--- /dev/null
+++ b/windows/security/book/includes/universal-print.md
@@ -0,0 +1,50 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/universal-print.svg" border="false"::: Universal Print
+
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
+
+Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
+
+Universal Print supports Zero Trust security by requiring that:
+
+- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](../conclusion.md#footnote4). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
+- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
+- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate.
Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
+- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
+- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
+- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+
+Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](../conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices.
+
+Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
+
+More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
+
+The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
+
+Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
+
+For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Universal Print][LINK-26]
+- [Data handling in Universal Print][LINK-27]
+- [Delegate Printer Administration with Administrative Units][LINK-28]
+- [Print support app design guide][LINK-29]
+
+
+
+[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
+[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
+[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
+[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
+[LINK-27]: /universal-print/data-handling
+[LINK-28]: /universal-print/portal/delegated-admin
+[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide
diff --git a/windows/security/book/includes/vbs-key-protection.md b/windows/security/book/includes/vbs-key-protection.md
new file mode 100644
index 0000000000..9e7d9a6b4b
--- /dev/null
+++ b/windows/security/book/includes/vbs-key-protection.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: VBS key protection
+
+VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Advancing key protection in Windows using VBS](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988)
diff --git a/windows/security/book/includes/virtual-private-networks.md b/windows/security/book/includes/virtual-private-networks.md
new file mode 100644
index 0000000000..e12da89a32
--- /dev/null
+++ b/windows/security/book/includes/virtual-private-networks.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Virtual private networks (VPN)
+
+Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN
+protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
+consumer VPNs, including apps for the most popular enterprise VPN gateways.
+
+In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
+
+The Windows VPN platform connects to Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](../conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+
+With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
+
+The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN.
Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows VPN technical guide](/windows/security/operating-system-security/network-security/vpn/vpn-guide)
diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md
index 238c1d1681..ac2c868d50 100644
--- a/windows/security/book/includes/virtualization-based-security-enclaves.md
+++ b/windows/security/book/includes/virtualization-based-security-enclaves.md
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
diff --git a/windows/security/book/includes/web-sign-in.md b/windows/security/book/includes/web-sign-in.md
new file mode 100644
index 0000000000..0bdcc9906e
--- /dev/null
+++ b/windows/security/book/includes/web-sign-in.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Web sign-in
+
+With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in)
diff --git a/windows/security/book/includes/wi-fi-connections.md b/windows/security/book/includes/wi-fi-connections.md
new file mode 100644
index 0000000000..3af4c8a6f8
--- /dev/null
+++ b/windows/security/book/includes/wi-fi-connections.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Wi-Fi connections
+
+Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
+
+The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
+
+Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
+
+Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included.
diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md
index 88ab8625b0..cdf174203e 100644
--- a/windows/security/book/includes/win32-app-isolation.md
+++ b/windows/security/book/includes/win32-app-isolation.md
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation
diff --git a/windows/security/book/includes/windows-autopatch.md b/windows/security/book/includes/windows-autopatch.md
new file mode 100644
index 0000000000..fd24c75902
--- /dev/null
+++ b/windows/security/book/includes/windows-autopatch.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Autopatch
+
+Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks.
+
+There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw) commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
+- [Windows updates API overview](/graph/windowsupdates-concept-overview)
+- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
+- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
diff --git a/windows/security/book/includes/windows-autopilot.md b/windows/security/book/includes/windows-autopilot.md
new file mode 100644
index 0000000000..e46a1a1982
--- /dev/null
+++ b/windows/security/book/includes/windows-autopilot.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Autopilot
+
+Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
+
+With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings.
+
+Windows Autopilot enables you to:
+
+- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
+- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration)
+- Create and autoassignment of devices to configuration groups based on a device's profile
+- Customize of the out-of-box experience (OOBE) content specific to your organization
+
+Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopilot](/autopilot/overview)
+- [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset)
diff --git a/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md
new file mode 100644
index 0000000000..c8dfa0b2d3
--- /dev/null
+++ b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md
@@ -0,0 +1,14 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows diagnostic data processor configuration
+
+The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
diff --git a/windows/security/book/includes/windows-firewall.md b/windows/security/book/includes/windows-firewall.md
new file mode 100644
index 0000000000..6e75d17aae
--- /dev/null
+++ b/windows/security/book/includes/windows-firewall.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Firewall
+
+Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic
+filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
+
+Windows Firewall offers the following benefits:
+
+- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
+- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
+- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
+
+Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
+
+Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](../conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Firewall overview](/windows/security/operating-system-security/network-security/windows-firewall)
+- [Firewall CSP](/windows/client-management/mdm/firewall-csp)
diff --git a/windows/security/book/includes/windows-hello-for-business.md b/windows/security/book/includes/windows-hello-for-business.md
new file mode 100644
index 0000000000..fa1f376c9d
--- /dev/null
+++ b/windows/security/book/includes/windows-hello-for-business.md
@@ -0,0 +1,59 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Hello for Business
+
+Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+
+After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.
+
+Provisioning methods include:
+
+- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
+- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
+- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app
+
+Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.
+
+There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business)
+- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2)
+
+### PIN reset
+
+The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4).
+
+Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [PIN reset](/windows/security/identity-protection/hello-for-business/pin-reset)
+
+### Multi-factor unlock
+
+For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
+
+Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
+
+### Windows passwordless experience
+
+**Windows Hello for Business now support a fully passwordless experience.**
+
+IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
+
+Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)
diff --git a/windows/security/book/includes/windows-hello.md b/windows/security/book/includes/windows-hello.md
new file mode 100644
index 0000000000..806ed4ee22
--- /dev/null
+++ b/windows/security/book/includes/windows-hello.md
@@ -0,0 +1,46 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Hello
+
+Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+
+Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+
+The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
+
+Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
+
+PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+
+Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Configure Windows Hello](https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0)
+
+### Windows Hello PIN
+
+The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
+
+The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.
+
+### Windows Hello biometric
+
+Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in.
+
+Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.
+
+If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)
diff --git a/windows/security/book/includes/windows-hotpatch.md b/windows/security/book/includes/windows-hotpatch.md
new file mode 100644
index 0000000000..a417cec5fd
--- /dev/null
+++ b/windows/security/book/includes/windows-hotpatch.md
@@ -0,0 +1,16 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Windows Hotpatch
+
+Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices.
+
+By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
diff --git a/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md
new file mode 100644
index 0000000000..ef4cf44951
--- /dev/null
+++ b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md
@@ -0,0 +1,19 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Insider and Microsoft Bug Bounty Programs
+
+As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
+
+The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
+
+Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Insider Program](/windows-insider/get-started)
+- [Microsoft Bug Bounty Programs](https://www.microsoft.com/msrc/bounty)
diff --git a/windows/security/book/includes/windows-laps.md b/windows/security/book/includes/windows-laps.md
new file mode 100644
index 0000000000..9b4d12e98b
--- /dev/null
+++ b/windows/security/book/includes/windows-laps.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Local Administrator Password Solution (LAPS)
+
+Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
+
+Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4).
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
diff --git a/windows/security/book/includes/windows-presence-sensing.md b/windows/security/book/includes/windows-presence-sensing.md
new file mode 100644
index 0000000000..c0a2c00c41
--- /dev/null
+++ b/windows/security/book/includes/windows-presence-sensing.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows presence sensing
+
+Windows presence sensing[\[9\]](../conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+
+Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
+
+Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
+
+Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
+- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb)
diff --git a/windows/security/book/includes/windows-protected-print.md b/windows/security/book/includes/windows-protected-print.md
new file mode 100644
index 0000000000..4dc9cda421
--- /dev/null
+++ b/windows/security/book/includes/windows-protected-print.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Windows protected print
+
+Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
+
+The benefits of Windows protected print include:
+
+- Increased PC security
+- Simplified and consistent printing experience, regardless of PC architecture
+- Removes the need to manage print drivers
+
+Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows protected print](/windows-hardware/drivers/print/modern-print-platform)
+- [New, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645)
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
index d8d6385b3f..c219cb8339 100644
--- a/windows/security/book/includes/windows-sandbox.md
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
-ms.service: windows-client
---
## Windows Sandbox
diff --git a/windows/security/book/includes/windows-security-policy-settings-and-auditing.md b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md
new file mode 100644
index 0000000000..82787e2e83
--- /dev/null
+++ b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows security policy settings and auditing
+
+Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control:
+
+- User authentication to a network or device
+- Resources that users are permitted to access
+- Whether to record a user or group's actions in the event log
+- Membership in a group
+
+Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies.
+
+All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
+
+1. Identify your most critical resources and activities.
+1. Identify the audit settings you need to track them.
+1. Assess the advantages and potential costs associated with each resource or setting.
+1. Test these settings to validate your choices.
+1. Develop plans for deploying and managing your audit policy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
+- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
diff --git a/windows/security/book/includes/windows-security.md b/windows/security/book/includes/windows-security.md
new file mode 100644
index 0000000000..5372df0ece
--- /dev/null
+++ b/windows/security/book/includes/windows-security.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Security
+
+:::row:::
+ :::column span="2":::
+ Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+ :::column-end:::
+ :::column span="2":::
+:::image type="content" source="../images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="../images/windows-security.png" :::
+ :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Stay Protected With the Windows Security App](https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963)
+- [Windows Security](/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center)
diff --git a/windows/security/book/includes/windows-software-development-kit.md b/windows/security/book/includes/windows-software-development-kit.md
new file mode 100644
index 0000000000..81a15b2dc8
--- /dev/null
+++ b/windows/security/book/includes/windows-software-development-kit.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Software Development Kit (SDK)
+
+Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows application development - best practices](/windows/apps/get-started/best-practices)
+- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples)
diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md
index 957410b0fb..ae408bb558 100644
--- a/windows/security/book/includes/windows-subsystem-for-linux.md
+++ b/windows/security/book/includes/windows-subsystem-for-linux.md
@@ -3,7 +3,6 @@ author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
-ms.service: windows-client
---
## Windows Subsystem for Linux (WSL)
diff --git a/windows/security/book/includes/windows-update-for-business.md b/windows/security/book/includes/windows-update-for-business.md
new file mode 100644
index 0000000000..1cf9b9731b
--- /dev/null
+++ b/windows/security/book/includes/windows-update-for-business.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+---
+
+## Windows Update for Business
+
+Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
+
+Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
+
+This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Update for Business documentation](/windows/deployment/update/waas-manage-updates-wufb)
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index d9ab85a02b..045bef6f75 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -11,85 +11,12 @@ ms.date: 11/18/2024 When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. -## BitLocker +[!INCLUDE [bitlocker](includes/bitlocker.md)] -BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](conclusion.md#footnote4). +[!INCLUDE [device-encryption](includes/device-encryption.md)] -For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. +[!INCLUDE [encrypted-hard-drive](includes/encrypted-hard-drive.md)] -[!INCLUDE [new-24h2](includes/new-24h2.md)] +[!INCLUDE [personal-data-encryption](includes/personal-data-encryption.md)] -The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md) - -### BitLocker To Go - -BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml) - -## Device encryption - -Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place. - -Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption) - -## Encrypted hard drive - -Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. 
They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives. - -By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. - -Encrypted hard drives enable: - -- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation -- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks -- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive -- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md) - -## Personal Data Encryption - -Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. 
When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content. - -The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop. - -:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md) - -## Email encryption - -Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with. - -The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM). - -When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo) -- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627) -- [Email encryption](/purview/email-encryption) +[!INCLUDE [email-encryption](includes/email-encryption.md)] diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md index fff427b5b2..3ef8199a90 100644 --- a/windows/security/book/operating-system-security-network-security.md +++ b/windows/security/book/operating-system-security-network-security.md 
@@ -19,121 +19,20 @@ In enterprise environments, network protection works best with Microsoft Defende [!INCLUDE [learn-more](includes/learn-more.md)] -- [How to protect your network][LINK-1] +- [How to protect your network](/defender-endpoint/network-protection) -## Transport Layer Security (TLS) +[!INCLUDE [transport-layer-security](includes/transport-layer-security.md)] -Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications. 
+[!INCLUDE [domain-name-system-security](includes/domain-name-system-security.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [bluetooth-protection](includes/bluetooth-protection.md)] -- [TLS/SSL overview (Schannel SSP)][LINK-2] -- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows][LINK-3] +[!INCLUDE [wi-fi-connections](includes/wi-fi-connections.md)] -## Domain Name System (DNS) security +[!INCLUDE [5g-and-esim](includes/5g-and-esim.md)] -In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their -name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust -model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required. +[!INCLUDE [windows-firewall](includes/windows-firewall.md)] -Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS. +[!INCLUDE [virtual-private-networks](includes/virtual-private-networks.md)] -Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. 
The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms. - -## Bluetooth protection - -The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date. - -IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Policy CSP - Bluetooth][LINK-4] - -## Wi-Fi connections - -Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication. 
- -The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B. - -Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication. - -Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included. - -## 5G and eSIM - -5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [eSIM configuration of a download server][LINK-5] - -## Windows Firewall - -Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic -filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to. - -Windows Firewall offers the following benefits: - -- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. 
This functionality increases manageability and decreases the likelihood of a successful attack -- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data -- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API) - -Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools. - -Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. 
Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Firewall overview][LINK-6] -- [Firewall CSP][LINK-7] - -## Virtual private networks (VPN) - -Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN -protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and -consumer VPNs, including apps for the most popular enterprise VPN gateways. - -In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls. - -The Windows VPN platform connects to Microsoft Entra ID[\[4\]](conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites. 
- -With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins. - -The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows VPN technical guide][LINK-8] - -## Server Message Block file services - -Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. - -Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2][LINK-9] -- [File sharing using the SMB 3 protocol][LINK-10] - - - -[LINK-1]: /defender-endpoint/network-protection -[LINK-2]: /windows-server/security/tls/tls-ssl-schannel-ssp-overview -[LINK-3]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947 -[LINK-4]: /windows/client-management/mdm/policy-csp-bluetooth -[LINK-5]: /mem/intune/configuration/esim-device-configuration-download-server -[LINK-6]: /windows/security/operating-system-security/network-security/windows-firewall -[LINK-7]: /windows/client-management/mdm/firewall-csp -[LINK-8]: /windows/security/operating-system-security/network-security/vpn/vpn-guide -[LINK-9]: /windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes -[LINK-10]: /windows-server/storage/file-server/file-server-smb-overview \ No newline at end of file +[!INCLUDE [server-message-block-file-services](includes/server-message-block-file-services.md)] diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md index dd056f219e..6d8c6adc24 100644 --- a/windows/security/book/operating-system-security-system-security.md +++ b/windows/security/book/operating-system-security-system-security.md 
@@ -9,181 +9,24 @@ ms.date: 11/18/2024 :::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false"::: -## Trusted Boot (Secure Boot + Measured Boot) +[!INCLUDE [trusted-boot](includes/trusted-boot.md)] -Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process. +[!INCLUDE [cryptography](includes/cryptography.md)] -Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. +[!INCLUDE [certificates](includes/certificates.md)] -To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy. +[!INCLUDE [code-signing-and-integrity](includes/code-signing-and-integrity.md)] -Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. 
If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. +[!INCLUDE [device-health-attestation](includes/device-health-attestation.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [windows-security-policy-settings-and-auditing](includes/windows-security-policy-settings-and-auditing.md)] -- [Secure the Windows boot process][LINK-1] -- [Secure Boot and Trusted Boot][LINK-2] +[!INCLUDE [windows-security](includes/windows-security.md)] -## Cryptography +[!INCLUDE [config-refresh](includes/config-refresh.md)] -Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented. 
+[!INCLUDE [kiosk-mode](includes/kiosk-mode.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [windows-protected-print](includes/windows-protected-print.md)] -- FIPS 140 validation - -Windows cryptographic modules provide low-level primitives such as: - -- Random number generators (RNG) -- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521 -- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512) -- Signing and verification (padding support for OAEP, PSS, and PKCS1) -- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF) - -Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- Cryptography and certificate management - -Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available. - -SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information -exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers. 
- -## Certificates - -To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. - -## Code signing and integrity - -To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with. 
- -The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)][LINK-3]. This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers. - -## Device Health Attestation - -The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) for conditional access. - -Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. 
From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security. - -A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows: - -- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on -- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service -- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service -- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Control the health of Windows devices][LINK-4] - -## Windows security policy settings and auditing - -Security policy settings are a critical part of your overall security strategy. 
Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control:
-
-- User authentication to a network or device
-- Resources that users are permitted to access
-- Whether to record a user or group's actions in the event log
-- Membership in a group
-
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies.
-
-All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
-
-1. Identify your most critical resources and activities.
-1. Identify the audit settings you need to track them.
-1. Assess the advantages and potential costs associated with each resource or setting.
-1. Test these settings to validate your choices.
-1. Develop plans for deploying and managing your audit policy.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Security policy settings][LINK-5]
-- [Security auditing][LINK-6]
-
-## Windows Security
-
-:::row:::
- :::column span="2":::
- Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. 
- :::column-end:::
- :::column span="2":::
-:::image type="content" source="images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/windows-security.png" :::
- :::column-end:::
-:::row-end:::
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Stay protected with Windows Security][LINK-7]
-- [Windows Security][LINK-8]
-
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Config Refresh
-
-With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
-
-By contrast, with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
-
-Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
-
-Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator. 
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Config Refresh][LINK-9]
-
-## Kiosk mode
-
-:::row:::
- :::column span="2":::
- Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
- :::column-end:::
- :::column span="2":::
-:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" :::
- :::column-end:::
-:::row-end:::
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
-
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Windows protected print
-
-Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
-
-The benefits of Windows protected print include:
-
-- Increased PC security
-- Simplified and consistent printing experience, regardless of PC architecture
-- Removes the need to manage print drivers
-
-Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible. 
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows protected print][LINK-10]
-- [New, modern, and secure print experience from Windows][LINK-11]
-
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Rust for Windows
-
-Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
-We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Rust for Windows, and the windows crate][LINK-12]
-
-
-
-[LINK-1]: /windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process
-[LINK-2]: /windows/security/operating-system-security/system-security/trusted-boot
-[LINK-3]: /windows-hardware/design/compatibility/
-[LINK-4]: /windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
-[LINK-5]: /windows/security/threat-protection/security-policy-settings/security-policy-settings
-[LINK-6]: /windows/security/threat-protection/auditing/security-auditing-overview
-[LINK-7]: https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963
-[LINK-8]: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
-[LINK-9]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921
-[LINK-10]: 
/windows-hardware/drivers/print/modern-print-platform
-[LINK-11]: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645
-[LINK-12]: /windows/dev-environment/rust/rust-for-windows
+[!INCLUDE [rust-for-windows](includes/rust-for-windows.md)]
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index cb69b30617..fcc31121e8 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -11,109 +11,16 @@ ms.date: 11/18/2024
 Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats.
-## Microsoft Defender SmartScreen
+[!INCLUDE [microsoft-defender-smartscreen](includes/microsoft-defender-smartscreen.md)]
-Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
+[!INCLUDE [network-protection](includes/network-protection.md)]
-SmartScreen determines whether a site is potentially malicious by:
+[!INCLUDE [tamper-protection](includes/tamper-protection.md)]
-- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious
+[!INCLUDE [microsoft-defender-antivirus](includes/microsoft-defender-antivirus.md)]
-SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
+[!INCLUDE [attack-surface-reduction-rules](includes/attack-surface-reduction-rules.md)]
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
-- Checking downloaded files against a list of well-known files. 
If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
+[!INCLUDE [controlled-folder-access](includes/controlled-folder-access.md)]
-With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
-
-Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
-
-The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/).
-
-## Network protection
-
-While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files.
-
-When using Network Protection with Microsoft Defender for Endpoint, you'll be able to use Indicators of Compromise to block specific URL's and/or ip addresses.
-Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering. 
-
-[Network Protection library](/defender-endpoint/network-protection)
-[Web protection library](/defender-endpoint/web-protection-overview)
-
-## Tamper protection
-
-Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
-
-With tamper protection, malware is prevented from taking actions such as:
-
-- Disabling real-time protection
-- Turning off behavior monitoring
-- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV))
-- Disabling cloud-delivered protection
-- Removing security intelligence updates
-- Disabling automatic actions on detected threats
-- Disabling archived files
-- Altering exclusions
-- Disabling notifications in the Windows Security app
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
-
-## Microsoft Defender Antivirus
-
-Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on.
-
-Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. 
This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware.
-
-Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work.
-
-:::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows).
-
-## Attack surface reduction rules
-
-Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
-
-- Launching executable files and scripts that attempt to download or run files
-- Running obfuscated or otherwise suspicious scripts
-- Performing behaviors that apps don't usually initiate during normal day-to-day work
-
-For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. 
Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation
-
-For Microsoft Edge and reducing the attack surface across applications, folders, device,
-network, and firewall.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
-
-## Controlled folder access
-
-You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
-
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
-
-Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Controlled folder access](/defender-endpoint/controlled-folders)
-
-## Exploit Protection
-
-Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously.
-
-When a mitigation is encountered on the device, a notification will be displayed from the Action Center. 
You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
-
-You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
-
-Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection)
\ No newline at end of file
+[!INCLUDE [exploit-protection](includes/exploit-protection.md)]
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 9aa5d2bd86..217043c134 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -7,29 +7,10 @@ ms.date: 11/18/2024
 # Privacy controls
-## Microsoft Privacy Dashboard
+[!INCLUDE [microsoft-privacy-dashboard](includes/microsoft-privacy-dashboard.md)]
-Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency.
+[!INCLUDE [privacy-transparency-and-controls](includes/privacy-transparency-and-controls.md)]
-[!INCLUDE [learn-more](includes/learn-more.md)]
+[!INCLUDE [privacy-resource-usage](includes/privacy-resource-usage.md)]
-- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy)
-- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report)
-
-## Privacy transparency and controls
-
-Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more.
-
-## Privacy resource usage
-
-Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
-
-This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired. 
-
-## Windows diagnostic data processor configuration
-
-The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
+[!INCLUDE [windows-diagnostic-data-processor-configuration](includes/windows-diagnostic-data-processor-configuration.md)]
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index 1f8c8c878d..2cc0aad27e 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -11,25 +11,6 @@ ms.date: 11/18/2024
 Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance.
-## Federal Information Processing Standard (FIPS)
+[!INCLUDE [federal-information-processing-standard](includes/federal-information-processing-standard.md)]
-The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows FIPS 140 validation][LINK-1]
-
-## Common Criteria (CC)
-
-Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements.
-
-Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Common Criteria certifications][LINK-2]
-
-
-
-[LINK-1]: /windows/security/security-foundations/certification/fips-140-validation
-[LINK-2]: /windows/security/threat-protection/windows-platform-common-criteria
\ No newline at end of file
+[!INCLUDE [common-criteria](includes/common-criteria.md)]
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index f40f549653..ce6cfae794 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -9,56 +9,12 @@ ms.date: 11/18/2024
 :::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
-## Secure Future Initiative (SFI)
+[!INCLUDE [secure-future-initiative](includes/secure-future-initiative.md)]
-Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security.
+[!INCLUDE [microsoft-security-development-lifecycle](includes/microsoft-security-development-lifecycle.md)]
-The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security.
+[!INCLUDE [onefuzz-service](includes/onefuzz-service.md)]
-To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI.
+[!INCLUDE [microsoft-offensive-research-and-security-engineering](includes/microsoft-offensive-research-and-security-engineering.md)]
-:::image type="content" source="images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="images/sfi.png" border="false":::
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Microsoft Secure Future Initiative][LINK-6]
-- [September 2024 progress update on SFI][LINK-5]
-
-## Microsoft Security Development Lifecycle (SDL)
-
-The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. 
-
-## OneFuzz service
-
-A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released.
-
-## Microsoft Offensive Research and Security Engineering
-
-Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [MORSE security team takes proactive approach to finding bugs][LINK-1]
-- [MORSE Blog][LINK-2]
-
-## Windows Insider and Microsoft Bug Bounty Programs
-
-As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
-
-The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
-
-Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows. 
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows Insider Program][LINK-3]
-- [Microsoft Bug Bounty Programs][LINK-4]
-
-
-
-[LINK-1]: https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering
-[LINK-2]: https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team
-[LINK-3]: /windows-insider/get-started
-[LINK-4]: https://www.microsoft.com/msrc/bounty
-[LINK-5]: https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/
-[LINK-6]: https://www.microsoft.com/trust-center/security/secure-future-initiative
+[!INCLUDE [windows-insider-and-microsoft-bug-bounty-programs](includes/windows-insider-and-microsoft-bug-bounty-programs.md)]
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index 9e638bfbc5..aff2c2efad 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -51,24 +51,6 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
 - Warehouse & storage
 - Logistics management
-## Software bill of materials (SBOM)
+[!INCLUDE [software-bill-of-materials](includes/software-bill-of-materials.md)]
-In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards.
-
-The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain.
-
-By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [SBOM tool](https://github.com/microsoft/sbom-tool)
-- [Code Sign Tool](https://github.com/microsoft/CoseSignTool)
-
-## Windows Software Development Kit (SDK)
-
-Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10.
To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows application development - best practices](/windows/apps/get-started/best-practices)
-- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples)
\ No newline at end of file
+[!INCLUDE [windows-software-development-kit](includes/windows-software-development-kit.md)]
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index f89ec506b2..928f69bd65 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,7 +1,7 @@
 ---
 title: Enable memory integrity
 description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 07/10/2024
 appliesto:
 - "✅ Windows 11"
diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
index 54f9cc0237..6e2dcf5d19 100644
--- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -3,7 +3,7 @@ title: How System Guard helps protect Windows
 description: Learn how System Guard reorganizes the existing Windows system integrity features under one roof.
 ms.localizationpriority: medium
 ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
 ---
 # System Guard: How a hardware-based root of trust helps protect Windows
diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
index d010c70d1c..71947fb098 100644
--- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
@@ -3,7 +3,7 @@ title: Kernel DMA Protection
 description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
 ms.collection:
 - tier1
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
index dfdb572272..0e940b9215 100644
--- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/pluton/pluton-as-tpm.md b/windows/security/hardware-security/pluton/pluton-as-tpm.md
index 2946f43e11..c73773ce96 100644
--- a/windows/security/hardware-security/pluton/pluton-as-tpm.md
+++ b/windows/security/hardware-security/pluton/pluton-as-tpm.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
index af01702227..d088aaf278 100644
--- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
@@ -2,7 +2,7 @@
 title: System Guard Secure Launch and SMM protection
 description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows devices.
 ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
 ---
 # System Guard Secure Launch and SMM protection
diff --git a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 7a1c590a9a..c6bbdddee7 100644
--- a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,7 +1,7 @@
 ---
 title: Back up TPM recovery information to Active Directory
 description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
index 37025f1eca..12ec2add28 100644
--- a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
@@ -1,7 +1,7 @@
 ---
 title: Change the TPM owner password
 description: This article for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index a4d314ad3f..fc8234350c 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows uses the TPM
 description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
index bede99fdbe..4534e82e7a 100644
--- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot the TPM
 description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
-ms.topic: conceptual
+ms.topic: troubleshooting-general
 ms.date: 07/10/2024
 ms.collection:
 - tier1
diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md
index fc2bcfb404..f65591233c 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-commands.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md
@@ -1,7 +1,7 @@
 ---
 title: Manage TPM commands
 description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
index 7dfa150354..070cfc617b 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
@@ -1,7 +1,7 @@
 ---
 title: Manage TPM lockout
 description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index c3cd7b4d47..d33b3d16c9 100644
--- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Understand PCR banks on TPM 2.0 devices
 description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/tpm-fundamentals.md b/windows/security/hardware-security/tpm/tpm-fundamentals.md
index a6b202ab80..973ba406fe 100644
--- a/windows/security/hardware-security/tpm/tpm-fundamentals.md
+++ b/windows/security/hardware-security/tpm/tpm-fundamentals.md
@@ -1,7 +1,7 @@
 ---
 title: Trusted Platform Module (TPM) fundamentals
 description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index ff2f368320..5d8894c0dd 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -1,7 +1,7 @@
 ---
 title: TPM recommendations
 description: This article provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ms.collection:
 - tier1
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
index 372d8ad9ee..65628f0704 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Trusted Platform Module Technology Overview
 description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 07/10/2024
 ms.collection:
 - tier1
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
index fdc858bcd3..11597ee071 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,7 +1,7 @@
 ---
 title: TPM Group Policy settings
 description: This article describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.topic: conceptual
+ms.topic: article
 ms.date: 07/10/2024
 ---
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index dde02e443a..72b234fa55 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
 title: Additional mitigations
 description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
 ms.topic: reference
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 192b60aca0..84a8a1ab89 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
 title: Configure Credential Guard
 description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
 ms.topic: how-to
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index e4531d1f84..61c3a2f4ad 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
 title: Considerations and known issues when using Credential Guard
 description: Considerations, recommendations, and known issues when using Credential Guard.
 ms.topic: troubleshooting
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index beedce6046..57b7f1812e 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
 title: How Credential Guard works
 description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
 ms.topic: concept-article
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 386e6883e1..ed560fd572 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/20/2024
+ms.date: 02/25/2025
 title: Credential Guard overview
 description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
 ms.topic: overview
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index f2c4e29919..3d39fd5952 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud-only deployment guide
 description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
index d17d8078a4..3e243e7804 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in a hybrid certificate trust model
 description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
index 436f28fe2d..62058ca259 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 09/26/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
index ff9434bc73..201dcb360e 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and validate the PKI in a hybrid certificate trust model
 description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
index 8b2347f411..ae5c58048b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid certificate trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index e4312d8684..c5415b75d6 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud Kerberos trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
@@ -45,7 +45,7 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur
 - Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
 > [!NOTE]
- > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
+ > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of privileged built-in security groups won't be able to use cloud Kerberos trust.
 :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server." lightbox="images/azuread-kerberos-object.png":::
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index 742939bf9d..fb1fca3ac8 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index ce6526f4a7..6c4e14aced 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid key trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index fb262a5ee4..22fb26e965 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,7 +1,7 @@
 ---
 title: Plan a Windows Hello for Business Deployment
 description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 10/30/2024
+ms.date: 02/25/2025
 ms.topic: concept-article
 ---
@@ -251,7 +251,7 @@ Here are some considerations regarding licensing requirements for cloud services
 ### Windows requirements
-All supported Windows versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
+All supported Windows (client) versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions:
 || Deployment model | Trust type | Windows version|
 |--|--|--|--|
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 73dd0d6cbf..2c00e42350 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in an on-premises certificate trust model
 description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
index 3a9200db54..d718cd9fc4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
index 0240088385..7967a0cd35 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business on-premises certificate trust deployment guide
 description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index 123d35b434..32a928a19c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in an on-premises key trust model
 description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
index 41cea6946f..c8081dd141 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/23/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 title: Configure Windows Hello for Business Policy settings in an on-premises key trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
index 347471eeef..3fb4866bff 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business on-premises key trust deployment guide
 description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
-ms.date: 06/24/2024
+ms.date: 02/25/2025
 ms.topic: tutorial
 ---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
index efbea47423..8bdef8c5ea 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -1,7 +1,7 @@
 ---
 title: Prepare users to provision and use Windows Hello for Business
 description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 11/22/2024
+ms.date: 02/25/2025
 ms.topic: end-user-help
 ---
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 2b1e13953b..c6807e111b 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -146,4 +146,4 @@ For more information about device encryption, see [BitLocker device encryption h
 [WIN-1]: /windows/deployment/mbr-to-gpt
 [WIN-2]: /windows-server/administration/windows-commands/bdehdcfg
 [WIN-3]: /windows-hardware/design/device-experiences/modern-standby
-[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
\ No newline at end of file
+[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md
index ef44453923..8005268fd0 100644
--- a/windows/security/operating-system-security/data-protection/configure-s-mime.md
+++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md
@@ -2,7 +2,7 @@
 title: Configure S/MIME For Windows
 description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
 ms.topic: how-to
-ms.date: 12/02/2024
+ms.date: 02/25/2025
 ---
diff --git a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
index 61a6b9a820..625c644314 100644
--- a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
+++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
 ---
 title: Encrypted hard drives
 description: Learn how encrypted hard drives use the rapid encryption that is provided by BitLocker to enhance data security and management.
-ms.date: 07/22/2024
+ms.date: 02/25/2025
 ms.topic: concept-article
 ---
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 75939e36c9..e4e9708f86 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -2,7 +2,7 @@
 title: Get support for security baselines
 description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
 ms.date: 10/01/2024
 ---
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
index 08bb94eda4..1d9af2fdd1 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
@@ -3,7 +3,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
 description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
 ms.localizationpriority: medium
 ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: concept-article
 ---
 # What is Microsoft Baseline Security Analyzer and its uses?
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 3556919a26..704206929a 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,7 +1,7 @@
---
title: Microsoft Security Compliance Toolkit Guide
description: This article describes how to use Security Compliance Toolkit in your organization.
-ms.topic: conceptual
+ms.topic: concept-article
ms.date: 10/01/2024
---
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
index 436a88a7a3..50bf145b5d 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
@@ -1,7 +1,7 @@
---
title: Security baselines guide
description: Learn how to use security baselines in your organization.
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
---
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index 85561cf109..b332d7b87d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -74,6 +74,10 @@ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+``` cmd
+netsh.exe advfirewall set allprofiles state off
+```
+
---
## Deploy basic firewall rules
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
index 0d9d62c33e..0cc64c4d6f 100644
--- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@@ -1,7 +1,7 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
ms.reviewer: skhadeer, aathipsa
---
diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 1c997805c4..f25f5692a9 100644
--- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -2,7 +2,7 @@
title: Control the health of Windows devices
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: how-to
---
# Control the health of Windows devices
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index c931ca2dcb..39e6da5648 100644
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -1,7 +1,7 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.topic: conceptual
+ms.topic: how-to
ms.date: 07/10/2024
ms.collection:
- tier1
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
index 4da0621dc6..8265bf9725 100644
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -1,7 +1,7 @@
---
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-ms.topic: conceptual
+ms.topic: article
ms.date: 07/10/2024
ms.reviewer: jsuther
appliesto:
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 2a65943ed8..0fdbcab450 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -2,7 +2,7 @@
title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 06/27/2024
-ms.topic: conceptual
+ms.topic: article
---
# Windows Security
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index ee7a31a01b..595cb143ba 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -2,7 +2,7 @@
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: article
appliesto:
- ✅ Windows 11, version 22H2
---
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 56fc48b2bf..909ccb5dd2 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -2,7 +2,7 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.date: 07/10/2024
-ms.topic: conceptual
+ms.topic: overview
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
index 392c293fd2..d41e015648 100644
--- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
+++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
@@ -1,7 +1,7 @@
---
title: Common Criteria certifications for previous Windows Server releases
description: Learn about the completed Common Criteria certifications for previous Windows Server releases.
-ms.date: 2/1/2024
+ms.date: 2/24/2025
ms.topic: reference
---
@@ -28,16 +28,16 @@ The following tables list the completed Common Criteria certifications for Windo
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
+|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] |
|Server Core 2008 R2: Hyper-V Server Role|July 24, 2009 |(Hyper-V certification.) Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3. It is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3. |[Security Target][security-target-july-2009]; [Administrative Guide][admin-guide-july-2009]; [Certification Report][certification-report-july-2009] |
## Windows Server 2008
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
-|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
+|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] |
|Microsoft Windows Server Core 2008: Hyper-V Server Role. |July 24, 2009 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-july-2009-hyperv]; [Administrative Guide][admin-guide-july-2009-hyperv]; [Certification Report][certification-report-july-2009-hyperv] |
-|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
+|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] |
## Windows Server 2003 Certificate Server
@@ -77,11 +77,8 @@ The following tables list the completed Common Criteria certifications for Windo
[admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
-[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
[admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308
[admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252
-[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
-[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows10.md b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
index 9bf64e0084..e7cecf69e6 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows10.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows 10
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10.
-ms.date: 11/13/2024
+ms.date: 2/24/2025
ms.topic: reference
---
@@ -339,6 +339,6 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M
[sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
-[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
+[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4538.pdf
[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 0409ddfbb3..a7938a1a29 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -4,7 +4,7 @@ description: Describes the security capabilities in Windows client focused on th
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.topic: conceptual
+ms.topic: article
ms.date: 12/31/2017
---
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 327b1336ab..abb60675b1 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -6,7 +6,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/31/2017
-ms.topic: conceptual
+ms.topic: how-to
---
# Mitigate threats by using Windows 10 security features
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
index e5f8535abe..0a74721232 100644
--- a/windows/whats-new/extended-security-updates.md
+++ b/windows/whats-new/extended-security-updates.md
@@ -7,7 +7,7 @@ ms.author: mstewart
author: mestew
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.date: 02/19/2025
ms.collection:
- highpri
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 991c787969..0c7e01a1bf 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: reference
ms.subservice: itpro-fundamentals
-ms.date: 12/09/2024
+ms.date: 02/25/2025
ms.collection:
- highpri
- tier1
@@ -38,6 +38,7 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
+| Data Encryption Standard (DES) | DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and [Windows Server 2025](/windows-server/get-started/removed-deprecated-features-windows-server-2025) and later.| September 2025 |
| NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 |
| Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 |
| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 |
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index a348f85ad3..909814ca56 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -6,7 +6,7 @@ author: mestew
ms.author: mstewart
ms.service: windows-client
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: article
ms.collection:
- highpri
- tier1