Merge branch 'public' into patch-1

This commit is contained in:
Blake Drumm
2024-12-13 11:14:10 -05:00
committed by GitHub
15 changed files with 325 additions and 164 deletions


@ -3,7 +3,7 @@ title: Updated Windows and Microsoft Copilot experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
ms.date: 09/18/2024
ms.date: 12/12/2024
ms.author: mstewart
author: mestew
ms.collection:
@ -34,7 +34,7 @@ If your organization hasn't enabled Copilot in Windows (preview), your existing
## Copilot in Windows (preview) is enabled
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
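Review bot: changing "we'll ensure that you have control" to "we ensure that you have control" turns a commitment about the upcoming change into a present-tense statement, while the same sentence still says "moving forward" and the next paragraph still describes the taskbar icon being removed in the future; keep the future tense or state what already holds today. The unchanged sentence that follows is also missing an article: "as the Copilot in Windows (preview) icon will be removed from the taskbar".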
@ -43,32 +43,32 @@ If you have already activated Copilot in Windows (preview) - and want your users
For users signing in to new PCs with work or school accounts, the following experience occurs:
- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app.
- Users that have the Microsoft 365 Copilot license have Microsoft Copilot pinned by default inside the Microsoft 365 app.
- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button.
- Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot.
- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
- If admins elect not to pin Microsoft Copilot and indicate that users can't be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users have access to Microsoft Copilot from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access.
## When will this happen?
The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
> [!IMPORTANT]
> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning.
The shift to the Microsoft 365 app as the entry point for Microsoft Copilot with enterprise data protection (EDP) is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The Microsoft Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
Note that the Microsoft Copilot app doesn't support Microsoft Entra authentication and users trying to sing in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 app to enable easy access.
## Policy information
## Policy information for previous Copilot in Windows (preview) experience
Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center.
The following policy to manage Copilot in Windows (preview) will be removed in the future:
The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy:
| &nbsp; | Setting |
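Review bot: typo in the new paragraph about Entra authentication: "users trying to sing in to the app" should be "sign in". The bullets were moved to present tense ("Users have access", "can be asked", "can't be asked") but the last one, "If the admins make no selection, users will be asked to pin Microsoft Copilot", was left in future tense; align it. The autolink `<www.microsoft.com/copilot>` has no scheme, so standard Markdown autolink rules don't apply to it; write `<https://www.microsoft.com/copilot>` or a bracketed link. Finally, "after you install the Windows updates listed above" and "before installing these Windows updates mentioned above" in the same paragraph say the same thing twice; one reference is enough.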
@ -76,3 +76,83 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
## Remove or prevent installation of the Copilot app
You can remove or uninstall the Copilot app from your device by using one of the following methods:
1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
1. Prevent installation of the Copilot app:
- Configure [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows update. AppLocker helps you control which apps and files users can run. Note: AppLocker policy should be used instead of the [Turn Off Windows Copilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) legacy policy setting and its MDM equivalent, [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot). The policy is subject to near-term deprecation.
- The Applocker policy can be configured by following one of the methods listed in [Edit an AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy) and adding the below text to the policy:
</br>**Publisher**: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
</br> **Package name**: MICROSOFT.COPILOT
</br> **Package version**: * (and above)
1. Remove the Copilot app using PowerShell script:
1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results.
1. Once the PowerShell window is open, enter the following commands:
```powershell
# Get the package full name of the Microsoft Copilot app
$packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName
# Remove the Microsoft Copilot app
Remove-AppxPackage -Package $packageFullName
```
## Implications for the Copilot hardware key
<!--9598546-->
The Microsoft Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft Copilot with enterprise data protection (https://copilot.cloud.microsoft).
For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 app so that users can access Copilot within the Microsoft 365 app. End users can also configure this from the **Settings** page.
The Microsoft 365 app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 app. We also suggest you [Pin Microsoft Copilot](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 app.
To avoid confusion for users as to which entry point for Microsoft Copilot to use, we recommend you uninstall the Copilot app.
Use the table below to help determine the experience for your managed organization:
| Configuration | Copilot experience | Copilot key invokes |
| ---| --- | --- |
| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft Copilot app are present. | Windows Search |
| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft Copilot app |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft Copilot is accessed through the Microsoft 365 app (after post-setup update). | Microsoft Copilot within the Microsoft 365 app (after post-setup update). |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 app, or prompt users to choose. |
## Policies to manage the Copilot key
Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md).
To configure the Copilot key, use the following policy:
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetCopilotHardwareKey](mdm/policy-csp-windowsai.md#setcopilothardwarekey) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** |
## End user settings for the Copilot key
If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs:
`ms-settings:personalization-textinput-copilot-hardwarekey`
:::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png":::
If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
To map the key to the Microsoft 365 app, the user should select **Custom** and then choose the Microsoft 365 app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 app, they should reinstall it from the Microsoft Store.
Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements.
## Copilot installation with Windows updates and controls
If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will:
- Prevent the app from being installed if it isn't already on the device.
- Block the app from being launched if it's already installed.
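Review bot: the PowerShell removal script doesn't handle the case where the package isn't installed: `Get-AppxPackage -Name "Microsoft.Copilot"` returns nothing, `$packageFullName` is `$null`, and `Remove-AppxPackage -Package $packageFullName` then fails with a parameter-binding error instead of a clear message; guard it with `if ($packageFullName) { Remove-AppxPackage -Package $packageFullName }`. As written it also removes the package only for the current user, which is at odds with this being the IT-administrator branch of the list; `Get-AppxPackage -AllUsers` paired with `Remove-AppxPackage -AllUsers` covers the other profiles on the device. The AppLocker rule block uses `</br>`, which isn't a valid tag (use `<br>` or `<br />`), and "**Apps** >**Installed Apps**" is missing a space. Further down, "a protocol to launch the **Settings** app remap the Copilot key is available" is missing "to" before "remap", and the first table row "Neither Copilot in Windows (preview) nor the Microsoft Copilot app are present" should read "is present".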

@ -1,77 +1,20 @@
---
title: Windows 11 security book - Application and driver control
title: Windows 11 Security Book - Application And Driver Control
description: Application and driver control.
ms.topic: overview
ms.date: 11/18/2024
ms.date: 12/11/2024
---
# Application and driver control
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
capabilities to build in security from the ground up to protect against breaches and malware.
[!INCLUDE [smart-app-control](includes/smart-app-control.md)]
## Smart App Control
[!INCLUDE [app-control-for-business](includes/app-control-for-business.md)]
Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
[!INCLUDE [administrator-protection](includes/administrator-protection.md)]
Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
[!INCLUDE [microsoft-vulnerable-driver-blocklist](includes/microsoft-vulnerable-driver-blocklist.md)]
We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Smart App Control][LINK-1]
## App Control for Business
Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Application Control for Windows][LINK-2]
- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection
When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
> [!NOTE]
> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5].
## Microsoft vulnerable driver blocklist
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Microsoft recommended driver block rules][LINK-4]
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [What is Trusted Signing](/azure/trusted-signing/overview)
<!--links-->
[LINK-1]: /windows/apps/develop/smart-app-control/overview
[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works
[!INCLUDE [trusted-signing](includes/trusted-signing.md)]
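Review bot: moving each section into `includes/*.md` deletes the `[LINK-n]` reference definitions together with the `<!--links-->` block, so every include must carry its links inline (as `includes/app-containers.md` in this same commit does); in particular the App Control paragraph's footnote `[\[4\]](conclusion.md#footnote4)` will no longer resolve once it lives under `includes/` unless it becomes `../conclusion.md#footnote4`, the same way the new include headings already use `../images/soon-button-title.svg`. Also, the new front-matter title "Windows 11 Security Book - Application And Driver Control" capitalizes "And"; in title case conjunctions stay lowercase, and the `description` line still uses sentence case, so settle on one convention across the book.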

@ -1,100 +1,20 @@
---
title: Windows 11 security book - Application isolation
title: Windows 11 Security Book - Application Isolation
description: Application isolation.
ms.topic: overview
ms.date: 11/18/2024
ms.date: 12/11/2024
---
# Application isolation
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Win32 app isolation
[!INCLUDE [win32-app-isolation](includes/win32-app-isolation.md)]
Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
[!INCLUDE [app-containers](includes/app-containers.md)]
Win32 app isolation follows a two-step process:
[!INCLUDE [windows-sandbox](includes/windows-sandbox.md)]
- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
[!INCLUDE [windows-subsystem-for-linux](includes/windows-subsystem-for-linux.md)]
To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
- Approaches for accessing data and privacy information
- Integrating Win32 apps for compatibility with other Windows interfaces
The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Win32 app isolation overview][LINK-4]
- [Application Capability Profiler (ACP)][LINK-5]
- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
- [Sandboxing Python with Win32 app isolation][LINK-7]
## App containers
In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows and app container][LINK-8]
## Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows Sandbox][LINK-9]
## Windows Subsystem for Linux (WSL)
With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
[!INCLUDE [new-24h2](includes/new-24h2.md)]
- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
These features can be set up using a device management solution such as Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Hyper-V Firewall][LINK-10]
- [DNS Tunneling][LINK-11]
- [Auto proxy][LINK-12]
- [Intune setting for WSL][LINK-13]
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Virtualization-based security enclave][LINK-15]
<!--links-->
[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
[LINK-2]: /windows/win32/secauthz/access-control-lists
[LINK-4]: /windows/win32/secauthz/app-isolation-overview
[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations
[LINK-9]: /windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
[LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
[LINK-11]: /windows/wsl/networking#dns-tunneling
[LINK-12]: /windows/wsl/networking#auto-proxy
[LINK-13]: /windows/wsl/intune
[LINK-14]: /defender-endpoint/mde-plugin-wsl
[LINK-15]: /windows/win32/trusted-execution/vbs-enclaves
[!INCLUDE [virtualization-based-security-enclaves](includes/virtualization-based-security-enclaves.md)]
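Review bot: same concern as on the application-control page: the `[LINK-1]`..`[LINK-15]` definitions are deleted, so each include needs inline links, and the WSL paragraph's footnote `[\[7\]](conclusion.md#footnote7)` needs `../conclusion.md#footnote7` once it is served from `includes/`. Since the text is moving verbatim, this is also the moment to fix what it carries along: "To help ensuring that isolated applications run smoothly" should be "To help ensure", "enable the implantation of a Discretionary Access Control List" looks like it should be "implementation", and the two Win32 app isolation bullets lack terminal punctuation while the rest of the page has it.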

@ -1,5 +1,5 @@
---
title: Windows 11 security book - Application security
title: Windows 11 Security Book - Application Security
description: Application security chapter.
ms.topic: overview
ms.date: 11/18/2024
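Review bot: only the title casing changes here, yet `ms.date` stays at 11/18/2024 while the sibling pages in this commit bump theirs to 12/11/2024; either bump it as well or leave the title untouched so the metadata stays consistent across the book.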

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection
When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
> [!NOTE]
> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/how-user-account-control-works).
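Review bot: this include has no `[!INCLUDE [learn-more](learn-more.md)]` list, unlike every other include in this commit; add one pointing at the administrator protection documentation so the only outbound link isn't the UAC page in the note. The sentence "When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests" reads as if Windows Hello is required for the prompt; state whether the approval falls back to a password when Windows Hello isn't configured, or say that Windows Hello must be set up.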

View File

@ -0,0 +1,17 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## App containers
In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
[!INCLUDE [learn-more](learn-more.md)]
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
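Review bot: the opening "In addition to Windows Sandbox for Win32 apps" assumes the Windows Sandbox include is rendered before this one; either link to that section or drop the cross-reference so the text survives reordering of the includes. Wording in the second paragraph: "access to a local host isn't allowed" should be "access to localhost (loopback) isn't allowed", and "have limited footprint for escape" should be "have a limited footprint". The learn-more entry titled "Windows and app container" points at the Windows App SDK feature mapping table rather than an app container page; confirm that is the intended target or relabel the link.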

View File

@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## App Control for Business
Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Microsoft Intune<sup>[\[4\]](..\conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
[!INCLUDE [learn-more](learn-more.md)]
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
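Review bot: the footnote link `..\conclusion.md#footnote4` uses backslashes, while the WSL include in this same commit writes `../conclusion.md#footnote7`; use forward slashes here so the relative link resolves on every build host, and verify the Intune footnote number against conclusion.md, since Microsoft Intune is footnote 4 here and footnote 7 in the WSL include. Minor: drop the comma in "Organizations that were using AppLocker on previous versions of Windows, can continue".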

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## Microsoft vulnerable driver blocklist
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
[!INCLUDE [learn-more](learn-more.md)]
- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
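Review bot: the learn-more link still uses the legacy `/windows/security/threat-protection/windows-defender-application-control/...` path, whereas the App Control for Business include in this commit links under `/windows/security/application-security/application-control/...`; point this at the current location (or confirm a redirect exists) so the rename to App Control for Business is applied consistently. The paragraph says the block policy is "turned on by default" without saying on which Windows versions or under which configuration; state that so readers can tell whether their devices are covered.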

View File

@ -0,0 +1,23 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## Smart App Control
Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
[!INCLUDE [learn-more](learn-more.md)]
- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
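Review bot: in "Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers", write the file types as extensions (`.exe`, `.dll`) or as words ("executables, DLLs, temporary installer files, and uninstallers"). The last sentence of that paragraph describes Trusted Signing, which has its own include in this commit; link to that section (or to /azure/trusted-signing/overview) instead of restating it here. "goes beyond previous built-in browser protections" is vague about which protection is meant; name it or drop the comparison.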

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
[!INCLUDE [learn-more](learn-more.md)]
- [What is Trusted Signing](/azure/trusted-signing/overview)
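Review bot: this include only says that Trusted Signing simplifies signing; it should say why it belongs in a security chapter. The Smart App Control include in this commit already states that Smart App Control expects apps signed with a certificate from the Microsoft Trusted Root Program and that Trusted Signing supplies that; one sentence making the same connection here would turn this from a product blurb into a security statement, and it should cross-link the Smart App Control section.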

View File

@ -0,0 +1,17 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks.
VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64.
[!INCLUDE [learn-more](learn-more.md)]
- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves)
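Review bot: "VBS" is used in the second sentence without being introduced; write "Virtualization-based security (VBS) enclave" at the first mention. The first sentence also calls the enclave a "software-based" TEE while the heading says virtualization-based and the next paragraph restricts availability to Windows 11, version 24H2 and Windows Server 2025; say that the isolation is provided by VBS so "software-based" isn't read as "works without platform support".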

View File

@ -0,0 +1,41 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation
Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
Win32 app isolation follows a two-step process:
- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
- Approaches for accessing data and privacy information
- Integrating Win32 apps for compatibility with other Windows interfaces
The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
[!INCLUDE [learn-more](learn-more.md)]
- [Win32 app isolation overview][LINK-4]
- [Application Capability Profiler (ACP)][LINK-5]
- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
- [Sandboxing Python with Win32 app isolation][LINK-7]
<!--links-->
[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
[LINK-2]: /windows/win32/secauthz/access-control-lists
[LINK-4]: /windows/win32/secauthz/app-isolation-overview
[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
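Review bot: "These capabilities enable the implantation of a [Discretionary Access Control List]" should read "implementation", and "To help ensuring that isolated applications run smoothly" should be "To help ensure". The two bullets describing the two-step process lack terminal periods while the surrounding prose and the other includes use them; same for the two "key factors" bullets. The link definitions skip `[LINK-3]` (LINK-1, LINK-2, then LINK-4 through LINK-7); renumber them or confirm nothing references LINK-3.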

View File

@ -0,0 +1,17 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
[!INCLUDE [learn-more](learn-more.md)]
- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
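Review bot: the two sentences of the second paragraph say the same thing ("nothing persists on the device" and "permanently deleted after the untrusted Win32 application is closed"); keep one. "stays only in the sandbox and can't affect the host" is stated unconditionally; since the app containers include in this commit points readers here for Win32 isolation, say whether that holds regardless of configuration or only with the defaults the learn-more page documents.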

View File

@ -0,0 +1,35 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/11/2024
ms.topic: include
ms.service: windows-client
---
## Windows Subsystem for Linux (WSL)
With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
[!INCLUDE [new-24h2](new-24h2.md)]
- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
These features can be set up using a device management solution such as Microsoft Intune<sup>[\[7\]](../conclusion.md#footnote7)</sup>. Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
[!INCLUDE [learn-more](learn-more.md)]
- [Hyper-V Firewall][LINK-1]
- [DNS Tunneling][LINK-2]
- [Auto proxy][LINK-3]
- [Intune setting for WSL][LINK-4]
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-5]
<!--links-->
[LINK-1]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
[LINK-2]: /windows/wsl/networking#dns-tunneling
[LINK-3]: /windows/wsl/networking#auto-proxy
[LINK-4]: /windows/wsl/intune
[LINK-5]: /defender-endpoint/mde-plugin-wsl
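Review bot: the auto proxy bullet has two wording problems: "enforces WSL to use" should be "forces WSL to use", and "Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions" is a fragment; suggest "Auto proxy forces WSL to use the Windows HTTP proxy settings; turn it on when Windows uses a proxy so the same proxy applies to WSL distributions." In the DNS tunneling bullet, "rather than a networking packet" should say what the packet is, for example "rather than sending DNS queries over the virtual network". The three `new-24h2` bullets lack terminal periods. Microsoft Intune is footnote `[7]` here but `[4]` in the App Control for Business include in the same commit; verify both against conclusion.md.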