diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 5d117ed99e..7efdfec5ae 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -1684,6 +1684,11 @@ "source_path": "windows/deployment/planning/windows-10-deployment-considerations.md", "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md", + "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview", + "redirect_document_id": false } ] } diff --git a/education/windows/suspcs/index.md b/education/windows/suspcs/index.md index 3e41143df7..34ae3b990a 100644 --- a/education/windows/suspcs/index.md +++ b/education/windows/suspcs/index.md @@ -2,7 +2,7 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. ms.topic: how-to -ms.date: 07/09/2024 +ms.date: 02/25/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/includes/licensing/assigned-access.md b/includes/licensing/assigned-access.md index 3a980896b0..30348f5e9d 100644 --- a/includes/licensing/assigned-access.md +++ b/includes/licensing/assigned-access.md @@ -20,13 +20,3 @@ The following table lists the Windows editions that support Assigned Access: |IoT Enterprise LTSC|✅| |Pro Education|✅| |Pro|✅| - - \ No newline at end of file diff --git a/includes/licensing/shell-launcher.md b/includes/licensing/shell-launcher.md index b44ad3f92b..07418aeb82 100644 --- a/includes/licensing/shell-launcher.md +++ b/includes/licensing/shell-launcher.md 
@@ -20,14 +20,4 @@ The following table lists the Windows editions that support Shell Launcher: |IoT Enterprise LTSC|✅| |Pro Education|❌| |Pro|❌| - - \ No newline at end of file +|Home|❌| diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index c248120cff..6ddf688ccc 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,7 +1,7 @@ --- title: Bulk enrollment description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index 2cea712e44..fb2030f3b1 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 66d42a4d90..8123971c28 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- 
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index 725c23927a..dcc696bef2 100644 --- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md @@ -2,7 +2,7 @@ title: Windows default media removal policy description: Manage default media removal policy in Windows. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage default media removal policy diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index c08492c201..ec535d0f88 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md @@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device. ms.localizationpriority: medium ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier2 diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 052dc9e72a..8c545751a6 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md @@ -2,7 +2,7 @@ title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage Device Installation with Group Policy 
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md index fb091f005b..b96a1bb4ac 100644 --- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md @@ -2,7 +2,7 @@ title: Manage the Settings app with Group Policy description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage the Settings app with Group Policy diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 5e64dd2f66..6313cbca68 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md @@ -2,7 +2,7 @@ title: Create mandatory user profiles description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Create mandatory user profiles diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index 91ab1b998a..2123212ab0 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -2,7 +2,7 @@ title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier1 diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 65a263719f..9efea447c0 100644 
--- a/windows/client-management/client-tools/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md @@ -1,7 +1,7 @@ --- title: Windows Libraries description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/01/2024 --- diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index 2c34266131..579d7155d0 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md @@ -2,7 +2,7 @@ title: What version of Windows am I running? description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # What version of Windows am I running? diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index db0f36a085..39777e659b 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -1,7 +1,7 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium ms.date: 07/08/2024 --- diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 409c283821..ea24cc6e80 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,7 +1,7 @@ --- title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 ms.collection: - highpri diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index f5969415ed..1e0c5d005e 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -1,7 +1,7 @@ --- title: Support for Windows Information Protection (WIP) on Windows description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index 0a3b883dcd..1a1d05ff3c 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -1,7 +1,7 @@ --- title: Collect MDM logs description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 ms.collection: - highpri diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f57170b82c..b8023a8c8f 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
@@ -1,7 +1,7 @@ --- title: MDM enrollment of Windows devices description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources. -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier2 diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index bcb544c636..963ff93ebc 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download: -- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip) +- [DDF v2 Files, February 2025](https://download.microsoft.com/download/a8922fbe-20a9-431d-b24f-9d5344dda25e/DDFv2Feb25.zip) ## DDF v2 schema 
@@ -574,6 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo ## Older DDF files You can download the older DDF files for various CSPs from the links below: +- [Download all the DDF files for Windows 10 and 11 September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip) - [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip) - [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip) - [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index b3beaf7ff2..f03a64a586 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -2926,7 +2926,8 @@ This policy setting controls whether or not exclusions are visible to local admi > [!NOTE] -> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference. +> Applying this setting won't remove exclusions from the device registry. They will be applied and enforced, but they will not be visible via the Defender manageability tools like Get-MpPreference nor by the registry editor to the Defender owned registry hive. + diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 480281a102..756376d2de 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md 
@@ -174,7 +174,7 @@ This policy setting allows you to specify which DNS host names and which DNS suf > [!NOTE] -> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. +> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. For more information, see [Kerberos realm to host mapping policy string-length limitations](https://support.microsoft.com/topic/e86856c2-1e02-43fe-9c58-d7c9d6386f01). diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index e0842698e8..9d21cb1322 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index a1fcf0777c..2079c53f5a 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md @@ -1,7 +1,7 @@ --- title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index f327359fe3..26f9a581c9 100644 --- a/windows/client-management/understanding-admx-backed-policies.md 
+++ b/windows/client-management/understanding-admx-backed-policies.md @@ -1,7 +1,7 @@ --- title: Understanding ADMX policies description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/08/2024 --- diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index 26cb548ff8..d7a0a30536 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md @@ -149,7 +149,7 @@ Example: - + diff --git a/windows/configuration/assigned-access/includes/example-restricted-experience.md b/windows/configuration/assigned-access/includes/example-restricted-experience.md index 7ee28b6761..e8653f5e2f 100644 --- a/windows/configuration/assigned-access/includes/example-restricted-experience.md +++ b/windows/configuration/assigned-access/includes/example-restricted-experience.md @@ -23,7 +23,7 @@ ms.topic: include - + @@ -81,7 +81,7 @@ ms.topic: include - + diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md index 7267d16e53..4238a97dad 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md 
@@ -11,7 +11,7 @@ ms.topic: include POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations Content-Type: application/json -{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ]]>\n \n \n \n \n \n \n \n \n \n \n" } ] } +{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ]]>\n \n \n \n \n \n \n \n \n \n \n" } ] } ``` ::: zone-end 
@@ -22,7 +22,7 @@ Content-Type: application/json POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations Content-Type: application/json -{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] } +{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] } ``` ::: zone-end \ No newline at end of file diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md index 35a15c446f..94bb914c0b 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md 
@@ -22,7 +22,7 @@ $assignedAccessConfiguration = @" - + @@ -88,7 +88,7 @@ $assignedAccessConfiguration = @" - + diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md index 514c6ab44c..52730d3c75 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md @@ -21,7 +21,7 @@ ms.topic: include - + @@ -79,7 +79,7 @@ ms.topic: include - + diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md index 64518f0dca..41072ae848 100644 --- a/windows/configuration/assigned-access/policy-settings.md +++ b/windows/configuration/assigned-access/policy-settings.md @@ -2,7 +2,7 @@ title: Assigned Access policy settings description: Learn about the policy settings enforced on a device configured with Assigned Access. ms.topic: reference -ms.date: 10/31/2024 +ms.date: 02/25/2025 --- # Assigned Access policy settings @@ -20,6 +20,7 @@ The following policy settings are applied at the device level when you deploy a | Type | Path | Name/Description | |---------|----------------------------------------------------------------------------|---------------------------------------------------------------------------| +| **CSP** | `./Vendor/MSFT/Policy/Config/Settings/AllowOnlineTips` | Allow Online Tips | | **CSP** | `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` | Disable Cortana | | **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments` | Disable Start documents icon | | **CSP** | `./Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads` | Disable Start downloads icon | 
@@ -45,8 +46,9 @@ The following policy settings are applied to targeted user accounts when you dep |---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------| | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus` | Disable Context Menu for Start menu apps | | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide People Bar from appearing on taskbar | -| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu | | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jumplists from appearing on the Start menu/taskbar | +| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu | +| **CSP** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot | | **GPO** | User Configuration\Administrative Templates\Desktop | Hide and disable all items on the desktop | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toasts | 
@@ -54,7 +56,7 @@ The following policy settings are applied to targeted user accounts when you dep | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide and disable all items on the desktop | -| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the Task View button | +| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Hide the TaskView button | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock all taskbar settings | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Lock the Taskbar | | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Prevent users from adding or removing toolbars | @@ -81,6 +83,7 @@ The following policy settings are applied to targeted user accounts when you dep | **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* | | **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu | | **GPO** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot | +| **GPO** | User Configuration\Administrative Templates\WindowsComponents\File Explorer | Prevent access to drives from My Computer | The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge: diff --git a/windows/configuration/shell-launcher/wedl-assignedaccess.md b/windows/configuration/shell-launcher/wedl-assignedaccess.md index 6203943578..acdd00a9df 100644 
--- a/windows/configuration/shell-launcher/wedl-assignedaccess.md +++ b/windows/configuration/shell-launcher/wedl-assignedaccess.md @@ -1,14 +1,16 @@ --- -title: WEDL\_AssignedAccess -description: WEDL\_AssignedAccess -ms.date: 05/20/2024 +title: WEDL_AssignedAccess +description: WEDL_AssignedAccess +ms.date: 02/25/2025 ms.topic: reference --- -# WEDL\_AssignedAccess +# WEDL_AssignedAccess This Windows Management Instrumentation (WMI) provider class configures settings for assigned access. +[!INCLUDE [shell-launcher](../../../includes/licensing/assigned-access.md)] + ## Syntax ```powershell @@ -129,13 +131,3 @@ if ($AssignedAccessConfig) { "Could not set up assigned access account." } ``` - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | diff --git a/windows/configuration/shell-launcher/wesl-usersetting.md b/windows/configuration/shell-launcher/wesl-usersetting.md index 3d7851941e..ce3019dbf0 100644 --- a/windows/configuration/shell-launcher/wesl-usersetting.md +++ b/windows/configuration/shell-launcher/wesl-usersetting.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting description: WESL_UserSetting -ms.date: 05/02/2017 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits. +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell 
@@ -158,17 +160,3 @@ $ShellLauncherClass.RemoveCustomShell($Admins_SID) $ShellLauncherClass.RemoveCustomShell($Cashier_SID) ``` - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md index 5633e7df6e..6be4813c8c 100644 --- a/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md +++ b/windows/configuration/shell-launcher/wesl-usersettinggetcustomshell.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.GetCustomShell description: WESL_UserSetting.GetCustomShell -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID). +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell 
@@ -60,18 +62,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application. If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md index 9cabb200ab..c32948ad15 100644 --- a/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md +++ b/windows/configuration/shell-launcher/wesl-usersettinggetdefaultshell.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.GetDefaultShell description: WESL_UserSetting.GetDefaultShell -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method retrieves the default Shell Launcher configuration. +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell 
@@ -40,18 +42,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n ## Remarks Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md index fb4739ce37..1125bb1d92 100644 --- a/windows/configuration/shell-launcher/wesl-usersettingisenabled.md +++ b/windows/configuration/shell-launcher/wesl-usersettingisenabled.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.IsEnabled description: WESL_UserSetting.IsEnabled -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method retrieves a value that indicates if Shell Launcher is enabled or disabled. +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell @@ -24,18 +26,3 @@ This method retrieves a value that indicates if Shell Launcher is enabled or dis ## Return Value Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants). - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) 
diff --git a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md index fb1df0e87f..e5058577a9 100644 --- a/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md +++ b/windows/configuration/shell-launcher/wesl-usersettingremovecustomshell.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.RemoveCustomShell description: WESL_UserSetting.RemoveCustomShell -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID). +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell @@ -28,18 +30,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n ## Remarks You must restart your device for the changes to take effect. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md index a90450063c..5b788c9295 100644 --- a/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md +++ b/windows/configuration/shell-launcher/wesl-usersettingsetcustomshell.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.SetCustomShell description: WESL_UserSetting.SetCustomShell -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- 
@@ -9,6 +9,8 @@ ms.topic: reference This method configures Shell Launcher for a specific user or group, based on the security identifier (SID). +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell @@ -60,18 +62,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application. If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md index ec89600f38..d829d7d717 100644 --- a/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md +++ b/windows/configuration/shell-launcher/wesl-usersettingsetdefaultshell.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.SetDefaultShell description: WESL_UserSetting.SetDefaultShell -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method sets the default Shell Launcher configuration. +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell 
@@ -40,18 +42,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n ## Remarks Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md index 43aff8b5a7..64d952bf88 100644 --- a/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md +++ b/windows/configuration/shell-launcher/wesl-usersettingsetenabled.md @@ -1,7 +1,7 @@ --- title: WESL_UserSetting.SetEnabled description: WESL_UserSetting.SetEnabled -ms.date: 05/20/2024 +ms.date: 02/25/2025 ms.topic: reference --- @@ -9,6 +9,8 @@ ms.topic: reference This method enables or disables Shell Launcher. +[!INCLUDE [shell-launcher](../../../includes/licensing/shell-launcher.md)] + ## Syntax ```powershell 
@@ -30,18 +32,3 @@ Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-n This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher. Enabling or disabling Shell Launcher does not take effect until a user signs in. - -## Requirements - -| Windows Edition | Supported | -|:-----------------------|:---------:| -| Windows Home | No | -| Windows Pro | No | -| Windows Enterprise | Yes | -| Windows Education | Yes | -| Windows IoT Enterprise | Yes | - -## Related topics - -- [WESL_UserSetting](wesl-usersetting.md) -- [Shell Launcher](index.md) diff --git a/windows/configuration/start/includes/hide-recently-added-apps.md b/windows/configuration/start/includes/hide-recently-added-apps.md index 92a4d13c36..8dac911b1b 100644 --- a/windows/configuration/start/includes/hide-recently-added-apps.md +++ b/windows/configuration/start/includes/hide-recently-added-apps.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 04/10/2024 +ms.date: 02/25/2025 ms.topic: include --- 
@@ -9,14 +9,8 @@ ms.topic: include With this policy setting, you can prevent the Start menu from displaying a list of recently installed applications: -- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out). -- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured. - -> [!IMPORTANT] -> Starting in Windows 11, version 22H2 with [KB5048685](https://support.microsoft.com/topic/4602-ea3736d3-6948-4fd7-9faf-8d732ac2ed59), the policy setting behavior changed. -> -> - If **enabled**, the corresponding option in Settings can't be configured (grayed out). The policy setting doesn't affect the display of recently installed applications in the Recommended section of the Start menu. -> - If **disabled** or **not configured**, the corresponding option in Settings can be configured. +- If **enabled**, the Start menu doesn't display the **Recently added** list. The corresponding option in Settings can't be configured (grayed out) +- If **disabled** or **not configured**, the Start menu displays the **Recently added** list. The corresponding option in Settings can be configured | | Path | |--|--| diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index 88ca88a0d4..08a7751472 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -2,7 +2,7 @@ title: Start policy settings description: Learn about the policy settings to configure the Windows Start menu. ms.topic: reference -ms.date: 07/10/2024 +ms.date: 02/25/2025 appliesto: zone_pivot_groups: windows-versions-11-10 --- diff --git a/windows/configuration/taskbar/includes/show-notification-bell-icon.md b/windows/configuration/taskbar/includes/show-notification-bell-icon.md new file mode 100644 index 0000000000..e6b888ea52 --- /dev/null 
+++ b/windows/configuration/taskbar/includes/show-notification-bell-icon.md @@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 02/25/2025 +ms.topic: include +--- + +### Show notification bell icon + +This policy setting allows you to show the notification bell icon in the system tray: + +- If you enable this policy setting, the notification icon is always displayed +- If you disable or don't configure this policy setting, the notification icon is only displayed when there's a special status (for example, when *do not disturb* is turned on) + +> [!NOTE] +> A reboot is required for this policy setting to take effect. + +| | Path | +|--|--| +| **CSP** |- `./User/Vendor/MSFT/Policy/Config/Start/`[AlwaysShowNotificationIcon](/windows/client-management/mdm/policy-csp-start#AlwaysShowNotificationIcon) | +| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** | + + - -[LINK-1]: https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa -[LINK-2]: https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316 -[LINK-3]: https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15 -[LINK-4]: https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4 -[LINK-5]: https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856 -[LINK-6]: https://support.microsoft.com/onedrive -[LINK-7]: /microsoft-365/security/office-365-security/recover-from-ransomware +[!INCLUDE [personal-vault](includes/personal-vault.md)] diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index fee83dbe02..d29800ce98 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -9,375 +9,28 @@ ms.date: 11/04/2024 :::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false"::: -## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID +[!INCLUDE [microsoft-entra-id](includes/microsoft-entra-id.md)] -Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. +[!INCLUDE [azure-attestation-service](includes/azure-attestation-service.md)] -Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID . +[!INCLUDE [microsoft-defender-for-endpoint](includes/microsoft-defender-for-endpoint.md)] -:::row::: - :::column::: - For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification. - :::column-end::: - :::column::: -:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." 
border="false" lightbox="images/device-registration.png"::: - :::column-end::: -:::row-end::: +[!INCLUDE [cloud-native-device-management](includes/cloud-native-device-management.md)] -To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management. +[!INCLUDE [microsoft-intune](includes/microsoft-intune.md)] -Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant. +[!INCLUDE [security-baselines](includes/security-baselines.md)] -:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false"::: +[!INCLUDE [windows-laps](includes/windows-laps.md)] -When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](conclusion.md#footnote4), it receives the following security benefits: +[!INCLUDE [windows-autopilot](includes/windows-autopilot.md)] -- Default managed user and device settings and policies -- Single sign-in to all Microsoft Online Services -- Full suite of authentication management capabilities using Windows Hello for Business -- Single sign-on (SSO) to enterprise and SaaS applications -- No use of consumer Microsoft account identity +[!INCLUDE [windows-update-for-business](includes/windows-update-for-business.md)] -Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. 
In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication. +[!INCLUDE [windows-autopatch](includes/windows-autopatch.md)] -In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions. +[!INCLUDE [windows-hotpatch](includes/windows-hotpatch.md)] -Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. +[!INCLUDE [onedrive-for-work-or-school](includes/onedrive-for-work-or-school.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra ID documentation][LINK-1] -- [Microsoft Entra plans and pricing][LINK-2] - -### Microsoft Entra Private Access - -Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Private Access][LINK-4] - -### Microsoft Entra Internet Access - -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. - -> [!NOTE] -> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Internet Access][LINK-3] -- [Global Secure Access client for Windows][LINK-6] -- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5] - -### Enterprise State Roaming - -Available to any organization with a Microsoft Entra ID Premium[\[4\]](conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enterprise State Roaming in Microsoft Entra ID][LINK-7] - -## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service - -Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access. 
- -**Attestation policies are configured in the Azure Attestation service which can then:** - -- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log -- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM -- Verify that security features are in the expected states - -Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Azure Attestation overview][LINK-8] - -## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint - -Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. 
- -Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: - -- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint -- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks. -- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](conclusion.md#footnote4), and online assets -- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats -- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. 
In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing -detailed investigation outcomes - -Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other -platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) -- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) - -## Cloud-native device management - -Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client. 
- -Windows 11 built-in management features include: - -- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server -- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Mobile device management overview][LINK-9] - -### Remote wipe - -When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user. - -Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations: - -- Reset the device and remove user accounts and data -- Reset the device and clean the drive -- Reset the device but persist user accounts and data - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Remote wipe CSP][LINK-10] - -## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune - -Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. - -Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. - -Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](conclusion.md#footnote11). 
For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. - -Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. - -Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [What is Microsoft Intune][LINK-12] - -### Windows enrollment attestation - -When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies. - -With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows enrollment attestation][LINK-13] - -### Microsoft Cloud PKI - -Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. 
It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. - -Key features include: - -- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune -- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices -- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client -- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting - -With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) - -### Endpoint Privilege Management (EPM) - -Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Endpoint Privilege Management][LINK-14] - -### Mobile application management (MAM) - -With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. 
This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Data protection for Windows MAM][LINK-15] - -## Security baselines - -Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Security baselines][LINK-11] - -### Security baseline for cloud-based device management solutions - -Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools. 
- -The security baseline includes policies for: - -- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall -- Restricting remote access to devices -- Setting credential requirements for passwords and PINs -- Restricting the use of legacy technology - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Intune security baseline overview][LINK-16] -- [List of the settings in the Windows security baseline in Intune][LINK-17] - -## Windows Local Administrator Password Solution (LAPS) - -Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks. - -Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4). - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows LAPS overview][LINK-18] - -## Windows Autopilot - -Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple. - -With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings. - -Windows Autopilot enables you to: - -- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join -- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration) -- Create and autoassignment of devices to configuration groups based on a device's profile -- Customize of the out-of-box experience (OOBE) content specific to your organization - -Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopilot][LINK-19] -- [Windows Autopilot Reset][LINK-20] - -## Windows Update client policies - - -Windows Update client policies empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality. - -Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), to configure Windows Update client policies. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization. - -This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update client policies, organizations can achieve a more secure and efficient operational environment. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Update client policies documentation][LINK-21] - -## Windows Autopatch - -Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks. 
- -There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) -- [Windows updates API overview](/graph/windowsupdates-concept-overview) -- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) -- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch) - -## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch - -Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices. - -By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) - -## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school - -OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. - -When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. - -Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS. - -There are several ways that OneDrive for work or school is protected at rest: - -- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security). -- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations -- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. 
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities -- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) - -## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print - -Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. - -Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. - -Universal Print supports Zero Trust security by requiring that: - -- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](conclusion.md#footnote4). 
A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service -- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data -- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data -- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication -- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant -- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached - -Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices. - -Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products. 
- -More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24]. - -The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25]. - -Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit. - -For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Universal Print][LINK-26] -- [Data handling in Universal Print][LINK-27] -- [Delegate Printer Administration with Administrative Units][LINK-28] -- [Print support app design guide][LINK-29] - - - -[LINK-1]: /entra -[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing -[LINK-3]: /entra/global-secure-access/concept-internet-access -[LINK-4]: /entra/global-secure-access/concept-private-access -[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access -[LINK-6]: /entra/global-secure-access/how-to-install-windows-client -[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable -[LINK-8]: /azure/attestation/overview -[LINK-9]: /windows/client-management/mdm-overview -[LINK-10]: /windows/client-management/mdm/remotewipe-csp -[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines -[LINK-12]: /mem/intune/fundamentals/what-is-intune -[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation -[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3 -[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3 -[LINK-16]: /mem/intune/protect/security-baselines -[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all -[LINK-18]: /windows-server/identity/laps/laps-overview -[LINK-19]: /autopilot/overview -[LINK-20]: /mem/autopilot/windows-autopilot-reset -[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb -[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw -[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations -[LINK-24]: /microsoft-365/enterprise/m365-dr-overview -[LINK-25]: /universal-print/fundamentals/universal-print-qrcode -[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print -[LINK-27]: /universal-print/data-handling -[LINK-28]: /universal-print/portal/delegated-admin -[LINK-29]: 
/windows-hardware/drivers/devapps/print-support-app-design-guide +[!INCLUDE [universal-print](includes/universal-print.md)] diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index 1b2345a22b..e7b5572e7f 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
@@ -9,39 +9,6 @@ ms.date: 11/18/2024 :::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false"::: -## Trusted Platform Module (TPM) +[!INCLUDE [trusted-platform-module](includes/trusted-platform-module.md)] -Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows 11 TPM specifications][LINK-1] -- [Enable TPM 2.0 on your PC][LINK-2] -- [Trusted Platform Module Technology Overview][LINK-3] - -## Microsoft Pluton security processor - -The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. 
Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path. - -Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update. - -As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution. - -Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. 
Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. - -Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats. - -Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem . - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4] -- [Microsoft Pluton security processor][LINK-5] - - - -[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications -[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c -[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview -[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/ -[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor +[!INCLUDE [microsoft-pluton-security-processor](includes/microsoft-pluton-security-processor.md)] \ No newline at end of file 
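Review bot: the new last line `+[!INCLUDE [microsoft-pluton-security-processor](includes/microsoft-pluton-security-processor.md)]` in hardware-security-hardware-root-of-trust.md is committed without a trailing newline (`\ No newline at end of file`); add the final newline so the next edit to this file doesn't show a spurious change on this line. The hunk header context still shows `ms.date: 11/18/2024` although the whole body of the page is replaced, so bump the date along with the content. If the TPM and Pluton paragraphs were moved into the two includes verbatim, carry over two fixes from the removed lines: "existing Windows 10 devices much meet minimum system requirements" should read "must meet", and "incorporate Pluton as their security subsystem ." has a stray space before the period.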
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index da7cf92de1..09f47b09a5 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -11,104 +11,8 @@ ms.date: 11/18/2024 In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more. -## Secured kernel +[!INCLUDE [secured-kernel](includes/secured-kernel.md)] -To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices. +[!INCLUDE [kernel-direct-memory-access-protection](includes/kernel-direct-memory-access-protection.md)] -### Virtualization-based security (VBS) - -:::row::: - :::column::: - Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel. - :::column-end::: - :::column::: -:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." 
lightbox="images/vbs-diagram.png" border="false"::: - :::column-end::: -:::row-end::: - -Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Virtualization-based security (VBS)][LINK-1] - -### Hypervisor-protected code integrity (HVCI) - -Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. - -With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enable virtualization-based protection of code integrity][LINK-2] - -### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT) - -Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures. - -### Hardware-enforced stack protection - -Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. - -Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Understanding Hardware-enforced Stack Protection][LINK-3] -- [Developer Guidance for hardware-enforced stack protection][LINK-4] - -## Kernel direct memory access (DMA) protection - -Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Kernel direct memory access (DMA) protection][LINK-5] - -## Secured-core PC and Edge Secured-Core - -The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. 
For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows. - -Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection. - -Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. 
In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM). - -Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements. - -### Dynamic Root of Trust for Measurement (DRTM) - -In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface. - -System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. 
The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation. - -:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [System Guard Secure Launch][LINK-6] -- [Firmware Attack Surface Reduction][LINK-7] -- [Windows 11 secured-core PCs][LINK-8] -- [Edge Secured-Core][LINK-9] - -### Configuration lock - -In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution. - -Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Secured-core PC configuration lock][LINK-10] - - - -[LINK-1]: /windows-hardware/design/device-experiences/oem-vbs -[LINK-2]: /windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity -[LINK-3]: https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815 -[LINK-4]: https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340 -[LINK-5]: /windows/security/hardware-security/kernel-dma-protection-for-thunderbolt -[LINK-6]: /windows/security/hardware-security/system-guard-secure-launch-and-smm-protection -[LINK-7]: /windows-hardware/drivers/bringup/firmware-attack-surface-reduction -[LINK-8]: /windows-hardware/design/device-experiences/oem-highly-secure-11 -[LINK-9]: /en-us/azure/certification/overview -[LINK-10]: /windows/client-management/mdm/config-lock +[!INCLUDE [secured-core-pc-and-edge-secured-core](includes/secured-core-pc-and-edge-secured-core.md)] diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 0e35e41bc8..0a7d8cad1f 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md 
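Review bot: the `[LINK-1]`…`[LINK-10]` reference definitions deleted at the end of this hunk are the only definitions for the `[LINK-6]`…`[LINK-10]` references used in the text being moved into the include, and link reference definitions in the parent article don't carry across the `[!INCLUDE]` boundary, so they have to be re-declared inside includes/secured-core-pc-and-edge-secured-core.md (or converted to inline links, as the new includes/5g-and-esim.md does). While carrying `[LINK-9]: /en-us/azure/certification/overview` over, drop the hard-coded `/en-us/` locale so the link follows the reader's locale like every other entry in the list, and re-base `images/secure-launch.png` for the include's location; the new include files already turn `includes/learn-more.md` into `learn-more.md` for exactly this reason.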
@@ -11,109 +11,16 @@ ms.date: 11/18/2024 In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard. -## Local Security Authority (LSA) protection +[!INCLUDE [local-security-authority-protection](includes/local-security-authority-protection.md)] -Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account. +[!INCLUDE [credential-guard](includes/credential-guard.md)] -By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions. +[!INCLUDE [remote-credential-guard](includes/remote-credential-guard.md)] -[!INCLUDE [new-24h2](includes/new-24h2.md)] +[!INCLUDE [vbs-key-protection](includes/vbs-key-protection.md)] -To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days. +[!INCLUDE [token-protection](includes/token-protection.md)] -Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**. +[!INCLUDE [account-lockout-policies](includes/account-lockout-policies.md)] -To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Configuring additional LSA protection][LINK-2] - -## Credential Guard - -:::row::: - :::column::: - Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. - -By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. - :::column-end::: - :::column::: -:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="images/credential-guard-architecture.png" border="false"::: - :::column-end::: -:::row-end::: - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Protect derived domain credentials with Credential Guard][LINK-3] - -## Remote Credential Guard - -Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. - -Administrator credentials are highly privileged and must be protected. 
When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Remote Credential Guard][LINK-4] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection - -VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Advancing key protection in Windows using VBS][LINK-8] - -## Token protection (preview) - -Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Token protection in Entra ID Conditional Access][LINK-5] - -### Sign-in session token protection policy - -This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen. - -## Account lockout policies - -New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP). - -The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Account lockout policy][LINK-6] - -## Access management and control - -Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions. - -Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. 
Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. - -IT administrators can refine the application and management of access to: - -- Protect a greater number and variety of network resources from misuse -- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs -- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change -- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones -- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Access control][LINK-7] - - - -[LINK-2]: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection -[LINK-3]: /windows/security/identity-protection/credential-guard -[LINK-4]: /windows/security/identity-protection/remote-credential-guard -[LINK-5]: /azure/active-directory/conditional-access/concept-token-protection -[LINK-6]: /windows/security/threat-protection/security-policy-settings/account-lockout-policy -[LINK-7]: /windows/security/identity-protection/access-control/access-control -[LINK-8]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988 \ No newline at end of file +[!INCLUDE [access-management-and-control](includes/access-management-and-control.md)] 
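Review bot: the moved sections reference resources by paths relative to windows/security/book/ (`images/credential-guard-architecture.png`, `images/new-button-title.svg`, `conclusion.md#footnote4` in Token protection, and the `[LINK-2]`…`[LINK-8]` definitions deleted at the bottom), and none of them resolve unchanged from inside includes/; the new include files already adjust `includes/learn-more.md` to `learn-more.md`, so check that the image, footnote and link references in the seven new includes got the same treatment. The article's own `ms.date: 11/18/2024` in the hunk context is left untouched although its body is replaced entirely; the new include files carry `ms.date: 12/11/2024`, so the parent should be bumped to match the rest of this change.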
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index 5187c49058..8c8b1efb2f 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md 
@@ -11,233 +11,22 @@ ms.date: 11/18/2024 Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services. -## Windows Hello +[!INCLUDE [windows-hello](includes/windows-hello.md)] -Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection. +[!INCLUDE [windows-presence-sensing](includes/windows-presence-sensing.md)] -Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication. +[!INCLUDE [windows-hello-for-business](includes/windows-hello-for-business.md)] -The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy. +[!INCLUDE [enhanced-sign-in-security](includes/enhanced-sign-in-security.md)] -Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. 
Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM. +[!INCLUDE [fido2](includes/fido2.md)] -PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks. +[!INCLUDE [microsoft-authenticator](includes/microsoft-authenticator.md)] -Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards. +[!INCLUDE [web-sign-in](includes/web-sign-in.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [federated-sign-in](includes/federated-sign-in.md)] -- [Configure Windows Hello][LINK-1] +[!INCLUDE [smart-cards](includes/smart-cards.md)] -### Windows Hello PIN - -The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server. - -The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. 
Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors. - -### Windows Hello biometric - -Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in. - -Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment. - -If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Hello biometric requirements][LINK-4] - -## Windows presence sensing - -Windows presence sensing[\[9\]](conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment. - -Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. 
It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor. - -Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup. - -Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Presence sensing][LINK-7] -- [Manage presence sensing settings in Windows 11][LINK-8] - -## Windows Hello for Business - -Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources. - -After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device. 
- -Provisioning methods include: - -- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password -- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID -- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app - -Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account. - -There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Hello for Business overview][LINK-2] -- [Enable passkeys (FIDO2) for your organization][LINK-9] - -### PIN reset - -The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4). - -Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [PIN reset][LINK-15] - -### Multi-factor unlock - -For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. 
Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi. - -Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Multi-factor unlock][LINK-6] - -### Windows passwordless experience - -**Windows Hello for Business now support a fully passwordless experience.** - -IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in. - -Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows passwordless experience][LINK-3] - -## Enhanced Sign-in Security (ESS) - -Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in. - -Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. 
- -These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes. - -Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Hello Enhanced Sign-in Security][LINK-5] - -## FIDO2 - -The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. - -Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. 
As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services. - -### Passkeys - -Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services. - -A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in. - -Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**. - -:::row::: - :::column span="2"::: -[!INCLUDE [coming-soon](includes/coming-soon.md)] - -The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider. - :::column-end::: - :::column span="2"::: -:::image type="content" border="false" source="images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." 
lightbox="images/passkey-save-3p.png"::: - :::column-end::: -:::row-end::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Support for passkeys in Windows][LINK-10] -- [Enable passkeys (FIDO2) for your organization][LINK-9] - -## Microsoft Authenticator - -The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business. - -Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it. - -Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts. - -Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11] - -## Web sign-in - -With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). 
Web sign in also enables federated sign in with a SAML-P identity provider. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Web sign-in for Windows][LINK-13] - -## Federated sign-in - -Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Configure federated sign-in for Windows devices][LINK-14] - -## Smart cards - -Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts. - -Smart cards provide: - -- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation -- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card -- Portability of credentials and other private information between computers at work, home, or on the road - -Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts. - -When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts. - -Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. 
Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Smart Card technical reference][LINK-12] - -## Enhanced phishing protection in Microsoft Defender SmartScreen - -As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business. - -We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16] - - - -[LINK-1]: https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0 -[LINK-2]: /windows/security/identity-protection/hello-for-business -[LINK-3]: /windows/security/identity-protection/passwordless-experience -[LINK-4]: /windows-hardware/design/device-experiences/windows-hello-biometric-requirements -[LINK-5]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security -[LINK-6]: /windows/security/identity-protection/hello-for-business/feature-multifactor-unlock -[LINK-7]: /windows-hardware/design/device-experiences/sensors-presence-sensing -[LINK-8]: https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb -[LINK-9]: /entra/identity/authentication/how-to-enable-passkey-fido2 -[LINK-10]: /windows/security/identity-protection/passkeys -[LINK-11]: /entra/identity/authentication/concept-authentication-authenticator-app -[LINK-12]: /windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference -[LINK-13]: /windows/security/identity-protection/web-sign-in -[LINK-14]: /education/windows/federated-sign-in -[LINK-15]: /windows/security/identity-protection/hello-for-business/pin-reset -[LINK-16]: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection +[!INCLUDE [enhanced-phishing-protection-in-microsoft-defender-smartscreen](includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md)] diff --git a/windows/security/book/includes/5g-and-esim.md b/windows/security/book/includes/5g-and-esim.md new file mode 100644 index 0000000000..5fd47718b9 --- /dev/null +++ b/windows/security/book/includes/5g-and-esim.md 
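Review bot: same path concern as in the credential-protection article: `images/passkey-save-3p.png`, `conclusion.md#footnote9`, `conclusion.md#footnote4` and the `[LINK-1]`…`[LINK-16]` definitions removed at the end of this hunk are all relative to the parent folder and need re-basing (or inline-link conversion) inside the new includes, and `ms.date: 11/18/2024` should be bumped for the same reason. Two wording defects in the removed text are worth fixing on the way into the includes rather than copying verbatim: `**Windows Hello for Business now support a fully passwordless experience.**` should read `now supports`, and `helps keeping Windows 11 users secure and productive` should read `helps keep`; the Web sign-in section also switches between `Web sign-in` and `Web sign in` within two sentences.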
@@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## 5G and eSIM + +5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security. + +[!INCLUDE [learn-more](learn-more.md)] + +- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server) diff --git a/windows/security/book/includes/access-management-and-control.md b/windows/security/book/includes/access-management-and-control.md new file mode 100644 index 0000000000..9558f332b2 --- /dev/null +++ b/windows/security/book/includes/access-management-and-control.md 
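Review bot: in `5g-and-esim.md`, the security claims (stronger encryption, "5G access is always mutually authenticated", an "EAL4-certified eSIM") are stated without qualification, and the only Learn more link is the Intune eSIM download-server configuration page, which does not back them; suggest naming the certification scheme behind "EAL4-certified" (the `common-criteria.md` include in this same change describes Common Criteria) and linking a page that covers the 5G and eSIM security properties. "Unlike Wi-Fi, 5G access is always mutually authenticated" also reads as an absolute comparison; consider softening it to the typical Wi-Fi deployment.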
@@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Access management and control + +Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions. + +Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. + +IT administrators can refine the application and management of access to: + +- Protect a greater number and variety of network resources from misuse +- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. 
Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs +- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change +- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones +- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs + +[!INCLUDE [learn-more](learn-more.md)] + +- [Access control](/windows/security/identity-protection/access-control/access-control) diff --git a/windows/security/book/includes/account-lockout-policies.md b/windows/security/book/includes/account-lockout-policies.md new file mode 100644 index 0000000000..1ba4ef6d8b --- /dev/null +++ b/windows/security/book/includes/account-lockout-policies.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Account lockout policies + +New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP). + +The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy) diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md index e993800f31..94e0654680 100644 
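Review bot: in `access-management-and-control.md`, the second bullet of the "IT administrators can refine" list runs two sentences ("Provision users ... jobs. Organizations can implement the principle of least-privilege access ...") while the sibling bullets are single fragments without terminal punctuation; either make the least-privilege sentence its own bullet or move it to the paragraph above. In the SACL paragraph, "Being able to audit when a resource attempts to read or write part of the operating system" has the actor wrong, since the resource is the audited object rather than the one attempting access; suggest "when a user or process attempts to read or write".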
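Review bot: in `account-lockout-policies.md`, the third policy name is not formatted like the second: "*Allow Administrator account lockout*" is italicised, but "The Reset account lockout counter after is now set to 10 minutes" is not, which makes the sentence hard to parse; suggest "*Reset account lockout counter after* is now set to 10 minutes by default as well". Consider also "New devices with Windows 11 installed have account lockout policies" instead of "will have", matching the present tense used in the other includes.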
--- a/windows/security/book/includes/administrator-protection.md +++ b/windows/security/book/includes/administrator-protection.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md index 32e39cdd35..805fc850e7 100644 --- a/windows/security/book/includes/app-containers.md +++ b/windows/security/book/includes/app-containers.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## App containers diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md index c6b63cb102..7f07d0c010 100644 --- a/windows/security/book/includes/app-control-for-business.md +++ b/windows/security/book/includes/app-control-for-business.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## App Control for Business diff --git a/windows/security/book/includes/attack-surface-reduction-rules.md b/windows/security/book/includes/attack-surface-reduction-rules.md new file mode 100644 index 0000000000..b5afd2b419 --- /dev/null +++ b/windows/security/book/includes/attack-surface-reduction-rules.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Attack surface reduction rules + +Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as: + +- Launching executable files and scripts that attempt to download or run files +- Running obfuscated or otherwise suspicious scripts +- Performing behaviors that apps don't usually initiate during normal day-to-day work + +For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation + +[!INCLUDE [learn-more](learn-more.md)] + +- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction) diff --git a/windows/security/book/includes/azure-attestation-service.md b/windows/security/book/includes/azure-attestation-service.md new file mode 100644 index 0000000000..a25cd36b5e --- /dev/null +++ b/windows/security/book/includes/azure-attestation-service.md 
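Review bot: in `attack-surface-reduction-rules.md`, the closing sentence "For comprehensive protection, follow steps for enabling hardware-based isolation" has no terminal period and points to no steps; either link the hardware-based isolation content or drop the sentence. Also "executables and/or script can run" should read "executables and scripts can run".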
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/azure-attestation.svg" border="false"::: Azure Attestation service + +Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](../conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) Conditional Access. + +**Attestation policies are configured in the Azure Attestation service which can then:** + +- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log +- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM +- Verify that security features are in the expected states + +Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Azure Attestation overview](/azure/attestation/overview) diff --git a/windows/security/book/includes/bitlocker.md b/windows/security/book/includes/bitlocker.md new file mode 100644 index 0000000000..1a4fe7f87e --- /dev/null +++ b/windows/security/book/includes/bitlocker.md 
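Review bot: in `azure-attestation-service.md`, the bullet "Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM" is circular, with the TPM as both holder and issuer; the `device-health-attestation.md` include in this same change says the TPM is verified using keys on the chipset with an Azure Certificate Service, so align the wording and say who issues or certifies the key. The bold line "**Attestation policies are configured in the Azure Attestation service which can then:**" is a lead-in sentence styled as a heading; suggest plain text with a comma before "which".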
@@ -0,0 +1,28 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## BitLocker + +BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](../conclusion.md#footnote4). + +For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](../conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. + +[!INCLUDE [new-24h2](new-24h2.md)] + +The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information. + +[!INCLUDE [learn-more](learn-more.md)] + +- [BitLocker overview](/windows/security/operating-system-security/data-protection/bitlocker/index) + +### BitLocker To Go + +BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [BitLocker FAQ](/windows/security/operating-system-security/data-protection/bitlocker/faq) diff --git a/windows/security/book/includes/bluetooth-protection.md b/windows/security/book/includes/bluetooth-protection.md new file mode 100644 index 0000000000..6ee4c77147 --- /dev/null +++ b/windows/security/book/includes/bluetooth-protection.md 
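Review bot: in `bitlocker.md`, Microsoft Intune carries footnote 3 ("Microsoft Intune[\[3\]](../conclusion.md#footnote3)") while every other include in this change (azure-attestation, bluetooth, cloud-native-device-management, device-health-attestation) uses footnote 4 for Intune; confirm which is intended and make them consistent. "OOBE" is also used here without expansion, whereas `device-encryption.md` writes "out-of-box experience"; spell it out on first use.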
@@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Bluetooth protection + +The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date. + +IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-bluetooth) diff --git a/windows/security/book/includes/certificates.md b/windows/security/book/includes/certificates.md new file mode 100644 index 0000000000..baeffee1ce --- /dev/null +++ b/windows/security/book/includes/certificates.md 
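Review bot: in `bluetooth-protection.md`, "IT-managed environments have a number policy settings available" is missing "of" ("a number of policy settings"). In the first paragraph, "Standard Vulnerability Reports" is capitalised as if it were a named program; either link it or lowercase it.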
@@ -0,0 +1,10 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Certificates + +To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. diff --git a/windows/security/book/includes/cloud-native-device-management.md b/windows/security/book/includes/cloud-native-device-management.md new file mode 100644 index 0000000000..9a41462bfa --- /dev/null +++ b/windows/security/book/includes/cloud-native-device-management.md 
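Review bot: `certificates.md` is the only new include in this change with no `[!INCLUDE [learn-more](learn-more.md)]` section and link; consider adding one. The text calls certmgr.exe "the built-in certificate management command-line utility"; please confirm that is the intended tool, since certmgr.exe ships with the Windows SDK and certutil.exe is the command-line certificate utility shipped with Windows. "all global devices are updated" is also vague; "all devices worldwide receive the update" says the same thing more precisely.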
@@ -0,0 +1,33 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Cloud-native device management + +Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client. + +Windows 11 built-in management features include: + +- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server +- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT + +[!INCLUDE [learn-more](learn-more.md)] + +- [Mobile device management overview](/windows/client-management/mdm-overview) + +### Remote wipe + +When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user. + +Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations: + +- Reset the device and remove user accounts and data +- Reset the device and clean the drive +- Reset the device but persist user accounts and data + +[!INCLUDE [learn-more](learn-more.md)] + +- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp) 
diff --git a/windows/security/book/includes/code-signing-and-integrity.md b/windows/security/book/includes/code-signing-and-integrity.md new file mode 100644 index 0000000000..addb51e857 --- /dev/null +++ b/windows/security/book/includes/code-signing-and-integrity.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Code signing and integrity + +To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with. + +The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)](/windows-hardware/design/compatibility/). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers. diff --git a/windows/security/book/includes/coming-soon.md b/windows/security/book/includes/coming-soon.md index 4122be1932..7a334c6765 100644 --- a/windows/security/book/includes/coming-soon.md 
+++ b/windows/security/book/includes/coming-soon.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 11/18/2024 ms.topic: include -ms.service: windows-client --- :::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon[\[7\]](..\conclusion.md#footnote7)** diff --git a/windows/security/book/includes/common-criteria.md b/windows/security/book/includes/common-criteria.md new file mode 100644 index 0000000000..ce3d43a27b --- /dev/null +++ b/windows/security/book/includes/common-criteria.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Common Criteria (CC) + +Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. + +Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria) diff --git a/windows/security/book/includes/config-refresh.md b/windows/security/book/includes/config-refresh.md new file mode 100644 index 0000000000..0840ffa1ed --- /dev/null +++ b/windows/security/book/includes/config-refresh.md 
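Review bot: in `code-signing-and-integrity.md`, describing signing as "encrypting the hash of the file with the private key" and verification as "decrypting the signature" is an RSA-specific analogy that does not hold for the signature schemes `cryptography.md` lists in this same change (ECDSA, PSS padding); suggest "signs the hash with the private key" and "verifies the signature with the public key of the code-signing certificate". In the second paragraph, "verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted" has a number-agreement problem ("they're trusted").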
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Config Refresh + +With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT. + +By contrast, with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy. + +Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols. + +Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Config Refresh](https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921) diff --git a/windows/security/book/includes/controlled-folder-access.md b/windows/security/book/includes/controlled-folder-access.md new file mode 100644 index 0000000000..ff63f852ba --- /dev/null 
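Review bot: in `config-refresh.md`, the second paragraph is garbled: "at eight-hours interval" should be "at eight-hour intervals", and "But policy settings are migrated from GPO to a device management solution, one remaining gap is ..." is missing its conjunction ("But as policy settings are migrated ..."). "GPO" also appears here unexpanded while the previous sentence says "group policy"; use one term.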
+++ b/windows/security/book/includes/controlled-folder-access.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Controlled folder access + +You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders. + +Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders. + +Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Controlled folder access](/defender-endpoint/controlled-folders) diff --git a/windows/security/book/includes/credential-guard.md b/windows/security/book/includes/credential-guard.md new file mode 100644 index 0000000000..585a959e83 --- /dev/null +++ b/windows/security/book/includes/credential-guard.md 
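Review bot: in `controlled-folder-access.md`, "helps protect user's valuable data" should be "users' valuable data". The first paragraph says protected folders "are specified when controlled folder access is configured" and then that commonly used folders "are included in the list", so it is unclear which folders are protected by default and which the administrator adds; state that explicitly.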
@@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Credential Guard + +:::row::: + :::column::: + Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. + +By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. + :::column-end::: + :::column::: +:::image type="content" source="../images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="../images/credential-guard-architecture.png" border="false"::: + :::column-end::: +:::row-end::: + +[!INCLUDE [new-24h2](new-24h2.md)] + +Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard) diff --git a/windows/security/book/includes/cryptography.md b/windows/security/book/includes/cryptography.md new file mode 100644 index 0000000000..afcd245f7d --- /dev/null +++ b/windows/security/book/includes/cryptography.md 
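Review bot: in `credential-guard.md`, the second paragraph inside the first `:::column:::` ("By protecting the LSA process ...") is not indented like the paragraph before it, so the two paragraphs are formatted differently inside the same column; indent it to match. "hardware-backed, Virtualization-based security (VBS)" capitalises "Virtualization" mid-sentence and has a stray comma; suggest "hardware-backed virtualization-based security (VBS)".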
@@ -0,0 +1,33 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Cryptography + +Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented. + +[!INCLUDE [learn-more](learn-more.md)] + +- FIPS 140 validation + +Windows cryptographic modules provide low-level primitives such as: + +- Random number generators (RNG) +- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521 +- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512) +- Signing and verification (padding support for OAEP, PSS, and PKCS1) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF) + +Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). + +[!INCLUDE [learn-more](learn-more.md)] + +- Cryptography and certificate management + +Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. 
SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available. + +SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information +exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers. diff --git a/windows/security/book/includes/device-encryption.md b/windows/security/book/includes/device-encryption.md new file mode 100644 index 0000000000..90c1598aca --- /dev/null +++ b/windows/security/book/includes/device-encryption.md 
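Review bot: in `cryptography.md`, both Learn more items ("- FIPS 140 validation" and "- Cryptography and certificate management") are plain text, while every other include in this change links its Learn more item; add the links. In the primitives list, the key sizes mix formats ("2048, 3072, and 4,096") and the hash names mix "SHA1" with "SHA-256"; normalise to "2048, 3072, and 4096" and "SHA-1". The last paragraph also has a hard line break inside "threat and vulnerability information exchange".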
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Device encryption + +Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place. + +Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met. + +[!INCLUDE [new-24h2](new-24h2.md)] + +The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Device encryption](/windows/security/operating-system-security/data-protection/bitlocker#device-encryption) diff --git a/windows/security/book/includes/device-health-attestation.md b/windows/security/book/includes/device-health-attestation.md new file mode 100644 index 0000000000..f2e29c7df4 --- /dev/null +++ b/windows/security/book/includes/device-health-attestation.md 
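Review bot: in `device-encryption.md`, the first paragraph states that "devices with externally accessible ports that allow DMA access are not eligible for device encryption", but the 24H2 note three paragraphs later says "The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed", so the include contradicts itself for 24H2 readers. Qualify the first statement (before version 24H2) or drop it and let the 24H2 note carry the change. Also "Unlike standard BitLocker implementation" needs an article ("the standard BitLocker implementation").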
@@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Device Health Attestation + +The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) for conditional access. + +Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. 
Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security. + +A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows: + +- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on +- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service +- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service +- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Control the health of Windows devices](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) diff --git a/windows/security/book/includes/domain-name-system-security.md b/windows/security/book/includes/domain-name-system-security.md new file mode 100644 index 0000000000..aab79775f9 --- /dev/null +++ b/windows/security/book/includes/domain-name-system-security.md 
@@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Domain Name System (DNS) security + +In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their +name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust +model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required. + +Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS. + +Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms. diff --git a/windows/security/book/includes/email-encryption.md b/windows/security/book/includes/email-encryption.md new file mode 100644 index 0000000000..911c19fb82 --- /dev/null +++ b/windows/security/book/includes/email-encryption.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Email encryption + +Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](../conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with. + +The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM). + +When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email. + +[!INCLUDE [learn-more](learn-more.md)] + +- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo) +- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627) +- [Email encryption](/purview/email-encryption) diff --git a/windows/security/book/includes/encrypted-hard-drive.md b/windows/security/book/includes/encrypted-hard-drive.md new file mode 100644 index 0000000000..03fbd3f9c4 --- /dev/null +++ b/windows/security/book/includes/encrypted-hard-drive.md 
@@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Encrypted hard drive + +Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives. + +By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. + +Encrypted hard drives enable: + +- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation +- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks +- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive +- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process + +[!INCLUDE [learn-more](learn-more.md)] + +- [Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive) 
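Review bot: in `encrypted-hard-drive.md` the "Lower cost of ownership" bullet repeats the performance claim already made twice above it (the second paragraph's "reduce CPU usage and power consumption" and the "Smooth performance" bullet); drop "Your device operates more efficiently because processor cycles don't need to be used for the encryption process" so the bullet is only about key management infrastructure. In the first paragraph, "self-encrypted at the hardware level" should be "self-encrypting", which is the term the rest of the include uses ("self-encrypting drives").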
diff --git a/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md new file mode 100644 index 0000000000..28cd032482 --- /dev/null +++ b/windows/security/book/includes/enhanced-phishing-protection-in-microsoft-defender-smartscreen.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Enhanced phishing protection in Microsoft Defender SmartScreen + +As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business. + +We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection) 
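Review bot: the second paragraph of `enhanced-phishing-protection-in-microsoft-defender-smartscreen.md` says Windows "warns if the credentials are at risk" and that "the user is alerted at the moment of potential credential theft", but the sibling `microsoft-defender-smartscreen.md` added in this same change says enhanced phishing protection "runs in audit mode by default", and in audit mode no warning is shown. State here that the warnings appear once the notification settings are enabled through policy (the SmartScreen include already says IT customizes them through Intune), otherwise the two includes contradict each other when rendered on the same page. "A user's Microsoft password" is also ambiguous between a Microsoft account password and a work or school password; name the account types the detection covers.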
diff --git a/windows/security/book/includes/enhanced-sign-in-security.md b/windows/security/book/includes/enhanced-sign-in-security.md new file mode 100644 index 0000000000..09b15d70c5 --- /dev/null +++ b/windows/security/book/includes/enhanced-sign-in-security.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Enhanced Sign-in Security (ESS) + +Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in. + +Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. + +These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes. + +Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) 
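Review bot: the last paragraph of `enhanced-sign-in-security.md` says the same thing twice ("check with the specific device manufacturer" and, two sentences later, "Reach out to specific OEMs for support details"); keep one. "Enhanced Sign-in Security biometrics uses" in the second paragraph should be "Enhanced Sign-in Security uses". The third paragraph states the fingerprint requirement ("must implement Secure Device Connection Protocol") but for facial recognition only names the SDEV table and trustlets as "components"; a sentence stating the camera-side requirement would make the two cases parallel.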
diff --git a/windows/security/book/includes/exploit-protection.md b/windows/security/book/includes/exploit-protection.md new file mode 100644 index 0000000000..aa573e5c43 --- /dev/null +++ b/windows/security/book/includes/exploit-protection.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Exploit Protection + +Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously. + +When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. + +You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP). + +Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection) diff --git a/windows/security/book/includes/federal-information-processing-standard.md b/windows/security/book/includes/federal-information-processing-standard.md new file mode 100644 index 0000000000..3968fa8c02 --- /dev/null +++ b/windows/security/book/includes/federal-information-processing-standard.md 
@@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Federal Information Processing Standard (FIPS) + +The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows FIPS 140 validation](/windows/security/security-foundations/certification/fips-140-validation) diff --git a/windows/security/book/includes/federated-sign-in.md b/windows/security/book/includes/federated-sign-in.md new file mode 100644 index 0000000000..51165aa8a2 --- /dev/null +++ b/windows/security/book/includes/federated-sign-in.md @@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Federated sign-in + +Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) diff --git a/windows/security/book/includes/fido2.md b/windows/security/book/includes/fido2.md new file mode 100644 index 0000000000..24498aad60 --- /dev/null +++ b/windows/security/book/includes/fido2.md 
@@ -0,0 +1,36 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## FIDO2 + +The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. + +Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services. + +### Passkeys + +Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services. + +A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in. + +Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. 
Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**. + +:::row::: + :::column span="2"::: +[!INCLUDE [coming-soon](coming-soon.md)] + +The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider. + :::column-end::: + :::column span="2"::: +:::image type="content" border="false" source="../images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." lightbox="../images/passkey-save-3p.png"::: + :::column-end::: +:::row-end::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Support for passkeys in Windows](/windows/security/identity-protection/passkeys) +- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2) diff --git a/windows/security/book/includes/find-my-device.md b/windows/security/book/includes/find-my-device.md new file mode 100644 index 0000000000..a39d698fa9 --- /dev/null +++ b/windows/security/book/includes/find-my-device.md 
@@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Find my device + +When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access. + +[!INCLUDE [learn-more](learn-more.md)] + +- [How to set up, find, and lock a lost Windows device using a Microsoft account](https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316) \ No newline at end of file diff --git a/windows/security/book/includes/kernel-direct-memory-access-protection.md b/windows/security/book/includes/kernel-direct-memory-access-protection.md new file mode 100644 index 0000000000..de343c3873 --- /dev/null +++ b/windows/security/book/includes/kernel-direct-memory-access-protection.md 
@@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Kernel direct memory access (DMA) protection + +Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Kernel direct memory access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) diff --git a/windows/security/book/includes/kiosk-mode.md b/windows/security/book/includes/kiosk-mode.md new file mode 100644 index 0000000000..cfd97b6215 --- /dev/null +++ b/windows/security/book/includes/kiosk-mode.md 
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Kiosk mode + +:::row::: + :::column span="2"::: + Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](../conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup. + :::column-end::: + :::column span="2"::: +:::image type="content" source="../images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="../images/kiosk.png" ::: + :::column-end::: +:::row-end::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access) diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md index 7ed46da843..22dcad82dc 100644 --- a/windows/security/book/includes/learn-more.md +++ b/windows/security/book/includes/learn-more.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 11/18/2024 ms.topic: include -ms.service: windows-client --- :::image type="icon" source="../images/information.svg" border="false"::: **Learn more** diff --git a/windows/security/book/includes/local-security-authority-protection.md b/windows/security/book/includes/local-security-authority-protection.md new file mode 100644 index 0000000000..fac74d5553 --- /dev/null +++ b/windows/security/book/includes/local-security-authority-protection.md 
@@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Local Security Authority (LSA) protection + +Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account. + +By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions. + +[!INCLUDE [new-24h2](new-24h2.md)] + +To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days. + +Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**. + +To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) \ No newline at end of file diff --git a/windows/security/book/includes/microsoft-account.md b/windows/security/book/includes/microsoft-account.md new file mode 100644 index 0000000000..3d91117714 --- /dev/null +++ b/windows/security/book/includes/microsoft-account.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft account + +Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android. + +You can even go passwordless with your Microsoft account by removing the password from your MSA: + +- Use Windows Hello to eliminate the password sign-in method for an even more secure experience +- Use the Microsoft Authenticator app on your Android or iOS device + +[!INCLUDE [learn-more](learn-more.md)] + +- [What is a Microsoft account?](https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa) +- [Go passwordless with your Microsoft account](https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856) \ No newline at end of file diff --git a/windows/security/book/includes/microsoft-authenticator.md b/windows/security/book/includes/microsoft-authenticator.md new file mode 100644 index 0000000000..3343772fe9 --- /dev/null +++ b/windows/security/book/includes/microsoft-authenticator.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Authenticator + +The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business. + +Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it. + +Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts. + +Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app](/entra/identity/authentication/concept-authentication-authenticator-app) diff --git a/windows/security/book/includes/microsoft-defender-antivirus.md b/windows/security/book/includes/microsoft-defender-antivirus.md new file mode 100644 index 0000000000..838e3f57c6 --- /dev/null +++ b/windows/security/book/includes/microsoft-defender-antivirus.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Defender Antivirus + +Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on. + +Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware. + +Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work. + +:::image type="content" source="../images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false"::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows) 
diff --git a/windows/security/book/includes/microsoft-defender-for-endpoint.md b/windows/security/book/includes/microsoft-defender-for-endpoint.md new file mode 100644 index 0000000000..53de82c725 --- /dev/null +++ b/windows/security/book/includes/microsoft-defender-for-endpoint.md 
@@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint + +Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. + +Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: + +- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint +- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks. +- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](../conclusion.md#footnote4), and online assets +- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. 
The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats +- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing +detailed investigation outcomes + +Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other +platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) +- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) diff --git a/windows/security/book/includes/microsoft-defender-smartscreen.md b/windows/security/book/includes/microsoft-defender-smartscreen.md new file mode 100644 index 0000000000..a0de2dec1e --- /dev/null +++ b/windows/security/book/includes/microsoft-defender-smartscreen.md 
@@ -0,0 +1,28 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Defender SmartScreen + +Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. + +SmartScreen determines whether a site is potentially malicious by: + +- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution +- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious + +SmartScreen also determines whether a downloaded app or app installer is potentially malicious by: + +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious +- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert + +With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](../conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. + +Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/) \ No newline at end of file diff --git a/windows/security/book/includes/microsoft-entra-id.md b/windows/security/book/includes/microsoft-entra-id.md new file mode 100644 index 0000000000..a3be65569d --- /dev/null +++ b/windows/security/book/includes/microsoft-entra-id.md 
@@ -0,0 +1,83 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID + +Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. + +Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID . + +:::row::: + :::column::: + For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification. + :::column-end::: + :::column::: +:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="../images/device-registration.png"::: + :::column-end::: +:::row-end::: + +To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. 
Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management. + +Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant. + +:::image type="content" source="../images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false"::: + +When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](../conclusion.md#footnote4), it receives the following security benefits: + +- Default managed user and device settings and policies +- Single sign-in to all Microsoft Online Services +- Full suite of authentication management capabilities using Windows Hello for Business +- Single sign-on (SSO) to enterprise and SaaS applications +- No use of consumer Microsoft account identity + +Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication. + +In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions. + +Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. 
Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra ID documentation][LINK-1] +- [Microsoft Entra plans and pricing][LINK-2] + +### Microsoft Entra Private Access + +Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra Private Access][LINK-4] + +### Microsoft Entra Internet Access + +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. + +> [!NOTE] +> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra Internet Access][LINK-3] +- [Global Secure Access client for Windows][LINK-6] +- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5] + +### Enterprise State Roaming + +Available to any organization with a Microsoft Entra ID Premium[\[4\]](../conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Enterprise State Roaming in Microsoft Entra ID][LINK-7] + +[LINK-1]: /entra +[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing +[LINK-3]: /entra/global-secure-access/concept-internet-access +[LINK-4]: /entra/global-secure-access/concept-private-access +[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access +[LINK-6]: /entra/global-secure-access/how-to-install-windows-client +[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable diff --git a/windows/security/book/includes/microsoft-intune.md b/windows/security/book/includes/microsoft-intune.md new file mode 100644 index 0000000000..37580c57b1 --- /dev/null +++ b/windows/security/book/includes/microsoft-intune.md 
@@ -0,0 +1,65 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/microsoft-intune.svg" border="false"::: Microsoft Intune + +Microsoft Intune[\[4\]](../conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. + +Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. + +Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](../conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. + +Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. + +Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections. + +[!INCLUDE [learn-more](learn-more.md)] + +- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) + +### Windows enrollment attestation + +When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. 
However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies. + +With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation) + +### Microsoft Cloud PKI + +Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](../conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. + +Key features include: + +- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune +- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices +- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. 
All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client +- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting + +With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) + +### Endpoint Privilege Management (EPM) + +Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3) + +### Mobile application management (MAM) + +With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3) diff --git a/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md new file mode 100644 index 0000000000..75c37b8a7a --- /dev/null +++ b/windows/security/book/includes/microsoft-offensive-research-and-security-engineering.md 
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Offensive Research and Security Engineering + +Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle. + +[!INCLUDE [learn-more](learn-more.md)] + +- [MORSE security team takes proactive approach to finding bugs](https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering) +- [MORSE Blog](https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team) diff --git a/windows/security/book/includes/microsoft-pluton-security-processor.md b/windows/security/book/includes/microsoft-pluton-security-processor.md new file mode 100644 index 0000000000..fe93c04335 --- /dev/null +++ b/windows/security/book/includes/microsoft-pluton-security-processor.md 
@@ -0,0 +1,25 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Pluton security processor + +The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path. + +Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update. + +As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution. + +Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. 
Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. + +Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats. + +Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem . + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/) +- [Microsoft Pluton security processor](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor) 
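Review bot: in the Pluton include (hunk `@@ -0,0 +1,25 @@`), the processor list reads "The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms", which repeats "processor"; drop one of them, and remove the stray space in "security subsystem .". In the firmware-update paragraph, "which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state" is not parallel; suggest "which can make it difficult to get alerts about security updates and can leave systems in a vulnerable state".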
diff --git a/windows/security/book/includes/microsoft-privacy-dashboard.md b/windows/security/book/includes/microsoft-privacy-dashboard.md new file mode 100644 index 0000000000..4046ba5fb2 --- /dev/null +++ b/windows/security/book/includes/microsoft-privacy-dashboard.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Privacy Dashboard + +Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy) +- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) diff --git a/windows/security/book/includes/microsoft-security-development-lifecycle.md b/windows/security/book/includes/microsoft-security-development-lifecycle.md new file mode 100644 index 0000000000..687e9a1b80 --- /dev/null +++ b/windows/security/book/includes/microsoft-security-development-lifecycle.md @@ -0,0 +1,10 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Microsoft Security Development Lifecycle (SDL) + +The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md index 73ddeba96b..dd34d489ee 100644 --- a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md +++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md 
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## Microsoft vulnerable driver blocklist diff --git a/windows/security/book/includes/network-protection.md b/windows/security/book/includes/network-protection.md new file mode 100644 index 0000000000..ce1c9d0173 --- /dev/null +++ b/windows/security/book/includes/network-protection.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Network protection + +While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files. + +When using Network Protection with Microsoft Defender for Endpoint, you can use *Indicators of Compromise* to block specific URLs and/or ip addresses. +Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Network Protection library](/defender-endpoint/network-protection) +- [Web protection library](/defender-endpoint/web-protection-overview) diff --git a/windows/security/book/includes/new-24h2.md b/windows/security/book/includes/new-24h2.md index b90019f189..8d1dcba478 100644 --- a/windows/security/book/includes/new-24h2.md +++ b/windows/security/book/includes/new-24h2.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 11/18/2024 ms.topic: include -ms.service: windows-client --- :::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2** 
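Review bot: in the network-protection include (hunk `@@ -0,0 +1,18 @@`), the sentence "Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization." has no subject and is attached to the previous line with a single line break, so Markdown renders it inside the preceding paragraph; suggest a blank line and "Network Protection also integrates with Microsoft Defender for Cloud Apps to block unsanctioned web apps in your organization." ("unsactioned" is a typo). Same hunk: "ip addresses" should be "IP addresses", and "Microsoft Defender Smartscreen" should be "SmartScreen" to match the product name used in the SmartScreen include.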
diff --git a/windows/security/book/includes/onedrive-for-personal.md b/windows/security/book/includes/onedrive-for-personal.md new file mode 100644 index 0000000000..912f163c57 --- /dev/null +++ b/windows/security/book/includes/onedrive-for-personal.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## OneDrive for personal + +Microsoft OneDrive for personal[\[10\]](../conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that: + +- If a device is lost or stolen, users can quickly recover all their important files from the cloud +- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks + +[!INCLUDE [learn-more](learn-more.md)] + +- [Get started with OneDrive](https://support.microsoft.com/onedrive) +- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware) +- [How to restore from OneDrive](https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15) \ No newline at end of file diff --git a/windows/security/book/includes/onedrive-for-work-or-school.md b/windows/security/book/includes/onedrive-for-work-or-school.md new file mode 100644 index 0000000000..77069d92a2 --- /dev/null +++ b/windows/security/book/includes/onedrive-for-work-or-school.md 
@@ -0,0 +1,25 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/onedrive.svg" border="false"::: OneDrive for work or school + +OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. + +When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. + +Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS. + +There are several ways that OneDrive for work or school is protected at rest: + +- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security). +- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations +- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. 
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities +- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault + +[!INCLUDE [learn-more](learn-more.md)] + +- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) diff --git a/windows/security/book/includes/onefuzz-service.md b/windows/security/book/includes/onefuzz-service.md new file mode 100644 index 0000000000..d8a11df8c5 --- /dev/null +++ b/windows/security/book/includes/onefuzz-service.md @@ -0,0 +1,10 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## OneFuzz service + +A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released. diff --git a/windows/security/book/includes/personal-data-encryption.md b/windows/security/book/includes/personal-data-encryption.md new file mode 100644 index 0000000000..df921aa6a5 --- /dev/null +++ b/windows/security/book/includes/personal-data-encryption.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Personal Data Encryption + +Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content. + +The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content. + +[!INCLUDE [new-24h2](new-24h2.md)] + +Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop. + +:::image type="content" source="../images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false"::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption) diff --git a/windows/security/book/includes/personal-vault.md b/windows/security/book/includes/personal-vault.md new file mode 100644 index 0000000000..2dde8778f3 --- /dev/null +++ b/windows/security/book/includes/personal-vault.md 
@@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Personal Vault + +Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices. + +Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Protect your OneDrive files in Personal Vault](https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4) \ No newline at end of file diff --git a/windows/security/book/includes/privacy-resource-usage.md b/windows/security/book/includes/privacy-resource-usage.md new file mode 100644 index 0000000000..80e2023a9e --- /dev/null +++ b/windows/security/book/includes/privacy-resource-usage.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Privacy resource usage + +Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps. + +This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired. 
diff --git a/windows/security/book/includes/privacy-transparency-and-controls.md b/windows/security/book/includes/privacy-transparency-and-controls.md new file mode 100644 index 0000000000..310dfda7b3 --- /dev/null +++ b/windows/security/book/includes/privacy-transparency-and-controls.md @@ -0,0 +1,10 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Privacy transparency and controls + +Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more. diff --git a/windows/security/book/includes/remote-credential-guard.md b/windows/security/book/includes/remote-credential-guard.md new file mode 100644 index 0000000000..1f3048a2bd --- /dev/null +++ b/windows/security/book/includes/remote-credential-guard.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Remote Credential Guard + +Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. + +Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) 
diff --git a/windows/security/book/includes/rust-for-windows.md b/windows/security/book/includes/rust-for-windows.md new file mode 100644 index 0000000000..85428c1b32 --- /dev/null +++ b/windows/security/book/includes/rust-for-windows.md @@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Rust for Windows + +Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector. +We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Rust for Windows, and the windows crate](/windows/dev-environment/rust/rust-for-windows) diff --git a/windows/security/book/includes/secure-future-initiative.md b/windows/security/book/includes/secure-future-initiative.md new file mode 100644 index 0000000000..cb14affd1d --- /dev/null +++ b/windows/security/book/includes/secure-future-initiative.md 
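Review bot: in rust-for-windows.md the sentence "Rust achieves this through its unique ownership system" attributes the wrong mechanism to the wrong guarantee: ownership and borrowing give memory safety for lifetimes and aliasing, while buffer overflows are stopped by bounds checking and null dereferences by the absence of null in the type system, and all of these hold only in safe Rust (kernel code needs `unsafe` blocks, which the reader should be told). Also, the two body paragraphs run together because there is no blank line between "...garbage collector." and "+We're expanding the integration...", so they render as one paragraph; and the only learn-more link points to the `windows` crate (user-mode bindings), which doesn't support the Windows kernel claim, so either add a reference for the kernel work or soften the sentence.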
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Secure Future Initiative (SFI) + +Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security. + +The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security. + +To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI. + +:::image type="content" source="../images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="../images/sfi.png" border="false"::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Secure Future Initiative](https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/) +- [September 2024 progress update on SFI](https://www.microsoft.com/trust-center/security/secure-future-initiative) diff --git a/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md new file mode 100644 index 0000000000..0255043353 --- /dev/null +++ b/windows/security/book/includes/secured-core-pc-and-edge-secured-core.md 
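Review bot: in secure-future-initiative.md the two learn-more links have their text and URLs swapped: "Microsoft Secure Future Initiative" points at the September 2024 progress-update blog post, and "September 2024 progress update on SFI" points at the trust-center overview page. Swap the URLs (or the link texts) so each label matches its destination.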
@@ -0,0 +1,41 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Secured-core PC and Edge Secured-Core + +The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows. + +Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection. + +Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. 
To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM). + +Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements. + +### Dynamic Root of Trust for Measurement (DRTM) + +In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface. + +System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. 
SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation. + +:::image type="content" source="../images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="../images/secure-launch.png" border="false"::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) +- [Firmware Attack Surface Reduction](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) +- [Windows 11 secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure-11) +- [Edge Secured-Core](/azure/certification/overview) + +### Configuration lock + +In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution. + +Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Secured-core PC configuration lock](/windows/client-management/mdm/config-lock) 
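Review bot: in secured-core-pc-and-edge-secured-core.md the sentence "System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor" defines the wrong thing: SMM is the execution mode; SMM isolation is the policy that constrains it. Suggested: "System Management Mode (SMM) is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM isolation complements the protections provided by DRTM..." (the next sentence should then start with "SMM isolation", not "SMM"). Three smaller fixes in the same hunk: "enabling the system to start with the highest level of privilege" should read "enabling the malware to run with the highest level of privilege"; "HVCI shield system memory" needs "shields"; and "these signatures and measurements are inherently trusted by Secure Boot" conflates the two, since Secure Boot checks signatures while SRTM measurements are recorded in the TPM for attestation and aren't trusted or enforced by Secure Boot.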
diff --git a/windows/security/book/includes/secured-kernel.md b/windows/security/book/includes/secured-kernel.md new file mode 100644 index 0000000000..e375041c7c --- /dev/null +++ b/windows/security/book/includes/secured-kernel.md 
@@ -0,0 +1,52 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Secured kernel + +To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices. + +### Virtualization-based security (VBS) + +:::row::: + :::column::: + Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel. + :::column-end::: + :::column::: +:::image type="content" source="../images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="../images/vbs-diagram.png" border="false"::: + :::column-end::: +:::row-end::: + +Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) + +### Hypervisor-protected code integrity (HVCI) + +Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. + +With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity) + +### :::image type="icon" source="../images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT) + +Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures. 
+ +### Hardware-enforced stack protection + +Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. + +Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815) +- [Developer Guidance for hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340) diff --git a/windows/security/book/includes/security-baselines.md b/windows/security/book/includes/security-baselines.md new file mode 100644 index 0000000000..7b505a86c4 --- /dev/null +++ b/windows/security/book/includes/security-baselines.md 
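Review bot: in secured-kernel.md the opening sentence "come with VBS and HVCI protection turned on by default on most/all devices" hedges with "most/all" and then contradicts the later, precise statement "turned on by default for all devices that meet prerequisites"; use the precise wording in both places and drop "most/all". In the HVPT subsection the last sentence, "HVPT helps to protect page tables that configure critical system data structures", is circular; say directly that the page tables themselves are the protected structure (they define the guest virtual to guest physical translations named in the first sentence), and add a learn-more link, which this subsection is the only one in the file to lack.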
@@ -0,0 +1,32 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Security baselines + +Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. + +A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) + +### Security baseline for cloud-based device management solutions + +Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools. 
+ +The security baseline includes policies for: + +- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting the use of legacy technology + +[!INCLUDE [learn-more](learn-more.md)] + +- [Intune security baseline overview](/mem/intune/protect/security-baselines) +- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all) diff --git a/windows/security/book/includes/server-message-block-file-services.md b/windows/security/book/includes/server-message-block-file-services.md new file mode 100644 index 0000000000..c1786ce7d5 --- /dev/null +++ b/windows/security/book/includes/server-message-block-file-services.md 
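Review bot: in security-baselines.md the example sentence "an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information" drops the verb in the second clause; write "while a hospital might focus on confidential patient information". The sentence "A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications" also reads as if the settings explain themselves; "together with an explanation of their security implications" is what is meant.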
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Server Message Block file services + +Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. + +Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. + +[!INCLUDE [new-24h2](new-24h2.md)] + +New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2](/windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes) +- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview) diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md index 9d3548d40f..b5ac53b02f 100644 --- a/windows/security/book/includes/smart-app-control.md +++ b/windows/security/book/includes/smart-app-control.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## Smart App Control diff --git a/windows/security/book/includes/smart-cards.md b/windows/security/book/includes/smart-cards.md new file mode 100644 index 0000000000..99e1902345 --- /dev/null +++ b/windows/security/book/includes/smart-cards.md 
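Review bot: in server-message-block-file-services.md the expansion "Remote Directory Memory Access (RDMA)" is wrong; RDMA is Remote Direct Memory Access. The 24H2 sentence lists "mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements"; since the linked what's-new page is the source, either name the remaining items or drop "and several other enhancements".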
@@ -0,0 +1,26 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Smart cards + +Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts. + +Smart cards provide: + +- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation +- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card +- Portability of credentials and other private information between computers at work, home, or on the road + +Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts. + +When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts. + +Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference) 
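Review bot: in smart-cards.md the account restriction is stated twice, as "Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts" and again two paragraphs later as "Smart cards can't be used with local accounts"; keep one, preferably next to the Kerberos and Entra certificate-based authentication sentences where the reason is given. "Organizations can also opt for smart cards" starts the include with "also", which has no antecedent when the include is rendered on its own.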
diff --git a/windows/security/book/includes/software-bill-of-materials.md b/windows/security/book/includes/software-bill-of-materials.md new file mode 100644 index 0000000000..2313e00800 --- /dev/null +++ b/windows/security/book/includes/software-bill-of-materials.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Software bill of materials (SBOM) + +In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards. + +The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain. + +By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem. + +[!INCLUDE [learn-more](learn-more.md)] + +- [SBOM tool](https://github.com/microsoft/sbom-tool) +- [Code Sign Tool](https://github.com/microsoft/CoseSignTool) 
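Review bot: in software-bill-of-materials.md the sentence "we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence" is ungrammatical; write "we generate Software Bills of Materials (SBOMs) and COSE-sign (CBOR Object Signing and Encryption) all build evidence". The second learn-more link is labelled "Code Sign Tool" but points to the CoseSignTool repository that the body names; label it "CoseSignTool" so readers can match the link to the text.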
diff --git a/windows/security/book/includes/tamper-protection.md b/windows/security/book/includes/tamper-protection.md new file mode 100644 index 0000000000..86c6148c0b --- /dev/null +++ b/windows/security/book/includes/tamper-protection.md @@ -0,0 +1,26 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Tamper protection + +Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities. + +With tamper protection, malware is prevented from taking actions such as: + +- Disabling real-time protection +- Turning off behavior monitoring +- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV)) +- Disabling cloud-delivered protection +- Removing security intelligence updates +- Disabling automatic actions on detected threats +- Disabling archived files +- Altering exclusions +- Disabling notifications in the Windows Security app + +[!INCLUDE [learn-more](learn-more.md)] + +- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) diff --git a/windows/security/book/includes/token-protection.md b/windows/security/book/includes/token-protection.md new file mode 100644 index 0000000000..17d3df3d13 --- /dev/null +++ b/windows/security/book/includes/token-protection.md 
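Review bot: in tamper-protection.md the list item "Disabling archived files" doesn't name a setting; what tamper protection guards is the scanning of archive files, so write "Disabling scanning of archived files" to match the other items, each of which names a protection that gets turned off. Also "user's data" appears twice in the first paragraph where the plural "users' data" is meant.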
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Token protection (preview) + +Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[4\]](../conclusion.md#footnote4) can be configured to require token protection when using sign-in tokens for specific services. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection) + +### Sign-in session token protection policy + +This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen. diff --git a/windows/security/book/includes/transport-layer-security.md b/windows/security/book/includes/transport-layer-security.md new file mode 100644 index 0000000000..765bf1db96 --- /dev/null +++ b/windows/security/book/includes/transport-layer-security.md 
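Review bot: in token-protection.md the subsection "Sign-in session token protection policy" only restates the opening paragraph (cryptographically binding tokens to the device so a stolen token can't be replayed elsewhere) and adds nothing about the policy itself; either state what the Conditional Access policy controls, which token types it covers, and link it, or fold the sentence into the first paragraph and drop the heading. The learn-more link uses the legacy /azure/active-directory/ path while the text uses the Entra ID name; check that the path still resolves and prefer the current Entra URL.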
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Transport Layer Security (TLS) + +Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications. + +[!INCLUDE [learn-more](learn-more.md)] + +- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview) +- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947) diff --git a/windows/security/book/includes/trusted-boot.md b/windows/security/book/includes/trusted-boot.md new file mode 100644 index 0000000000..275e3da5b3 --- /dev/null +++ b/windows/security/book/includes/trusted-boot.md 
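Review bot: in transport-layer-security.md "Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications" is inaccurate, because DTLS 1.3 (RFC 9147) is the latest version of the protocol; drop "the latest" and state plainly that Windows uses DTLS 1.2 for UDP. In the same paragraph "client authentication for enhanced server security" is backwards (client certificates authenticate the client to the server), and the fallback sentence should say the connection negotiates the highest version both sides enable, since TLS 1.2 is the fallback only where it is still enabled.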
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Trusted Boot (Secure Boot + Measured Boot) + +Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process. + +Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. + +To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy. + +Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Secure the Windows boot process](/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process) +- [Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot) diff --git a/windows/security/book/includes/trusted-platform-module.md b/windows/security/book/includes/trusted-platform-module.md new file mode 100644 index 0000000000..54688ee765 --- /dev/null +++ b/windows/security/book/includes/trusted-platform-module.md 
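Review bot: in trusted-boot.md "Unified Extensible Firmware Interface (UEFI)" is expanded twice within two paragraphs; expand it once at first use. The sentence "the PC verifies the digital signature of the firmware at the start of the boot process" should name the component doing the verifying, since the next sentence attributes the bootloader check to Secure Boot but leaves this one to an unspecified "the PC".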
@@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Trusted Platform Module (TPM) + +Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications) +- [Enable TPM 2.0 on your PC](https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c) +- [Trusted Platform Module Technology Overview](/windows/security/hardware-security/tpm/trusted-platform-module-overview) diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md index 123195a9cc..3d0d8437ed 100644 --- a/windows/security/book/includes/trusted-signing.md +++ b/windows/security/book/includes/trusted-signing.md 
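Review bot: in trusted-platform-module.md "existing Windows 10 devices much meet minimum system requirements" has a typo, "must meet". The section is one unbroken paragraph and repeats itself: "All new Windows 11 devices come with TPM 2.0 built-in" and "With Windows 11, both new and upgraded devices must have TPM 2.0" say the same thing, and "support for newer algorithms, which provides improvements like support for stronger cryptography" is circular; split into a capabilities paragraph and a requirements paragraph and keep one statement of the TPM 2.0 requirement.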
@@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing diff --git a/windows/security/book/includes/universal-print.md b/windows/security/book/includes/universal-print.md new file mode 100644 index 0000000000..e7c33679f1 --- /dev/null +++ b/windows/security/book/includes/universal-print.md 
@@ -0,0 +1,50 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/universal-print.svg" border="false"::: Universal Print + +Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. + +Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. + +Universal Print supports Zero Trust security by requiring that: + +- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](../conclusion.md#footnote4). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service +- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data +- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. 
Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data +- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication +- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant +- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached + +Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](../conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices. + +Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products. + +More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24]. + +The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25]. 
+ +Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit. + +For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Universal Print][LINK-26] +- [Data handling in Universal Print][LINK-27] +- [Delegate Printer Administration with Administrative Units][LINK-28] +- [Print support app design guide][LINK-29] + + + +[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations +[LINK-24]: /microsoft-365/enterprise/m365-dr-overview +[LINK-25]: /universal-print/fundamentals/universal-print-qrcode +[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print +[LINK-27]: /universal-print/data-handling +[LINK-28]: /universal-print/portal/delegated-admin +[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide diff --git a/windows/security/book/includes/vbs-key-protection.md b/windows/security/book/includes/vbs-key-protection.md new file mode 100644 index 0000000000..9e7d9a6b4b --- /dev/null +++ b/windows/security/book/includes/vbs-key-protection.md 
@@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: VBS key protection + +VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Advancing key protection in Windows using VBS](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988) diff --git a/windows/security/book/includes/virtual-private-networks.md b/windows/security/book/includes/virtual-private-networks.md new file mode 100644 index 0000000000..e12da89a32 --- /dev/null +++ b/windows/security/book/includes/virtual-private-networks.md 
@@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Virtual private networks (VPN) + +Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN +protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and +consumer VPNs, including apps for the most popular enterprise VPN gateways. + +In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls. + +The Windows VPN platform connects to Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](../conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites. + +With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins. + +The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. 
Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows VPN technical guide](/windows/security/operating-system-security/network-security/vpn/vpn-guide) diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md index 238c1d1681..ac2c868d50 100644 --- a/windows/security/book/includes/virtualization-based-security-enclaves.md +++ b/windows/security/book/includes/virtualization-based-security-enclaves.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves diff --git a/windows/security/book/includes/web-sign-in.md b/windows/security/book/includes/web-sign-in.md new file mode 100644 index 0000000000..0bdcc9906e --- /dev/null +++ b/windows/security/book/includes/web-sign-in.md @@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Web sign-in + +With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in) diff --git a/windows/security/book/includes/wi-fi-connections.md b/windows/security/book/includes/wi-fi-connections.md new file mode 100644 index 0000000000..3af4c8a6f8 --- /dev/null 
+++ b/windows/security/book/includes/wi-fi-connections.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Wi-Fi connections + +Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication. + +The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B. + +Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication. + +Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included. diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md index 88ab8625b0..cdf174203e 100644 --- a/windows/security/book/includes/win32-app-isolation.md +++ b/windows/security/book/includes/win32-app-isolation.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation diff --git a/windows/security/book/includes/windows-autopatch.md b/windows/security/book/includes/windows-autopatch.md new file mode 100644 index 0000000000..fd24c75902 --- /dev/null +++ b/windows/security/book/includes/windows-autopatch.md 
@@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Autopatch + +Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks. + +There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw) commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) +- [Windows updates API overview](/graph/windowsupdates-concept-overview) +- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) +- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch) diff --git a/windows/security/book/includes/windows-autopilot.md b/windows/security/book/includes/windows-autopilot.md new file mode 100644 index 0000000000..e46a1a1982 --- /dev/null +++ b/windows/security/book/includes/windows-autopilot.md 
@@ -0,0 +1,26 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Autopilot + +Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple. + +With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings. + +Windows Autopilot enables you to: + +- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join +- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration) +- Create and autoassignment of devices to configuration groups based on a device's profile +- Customize of the out-of-box experience (OOBE) content specific to your organization + +Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopilot](/autopilot/overview) +- [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset) 
diff --git a/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md new file mode 100644 index 0000000000..c8dfa0b2d3 --- /dev/null +++ b/windows/security/book/includes/windows-diagnostic-data-processor-configuration.md @@ -0,0 +1,14 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows diagnostic data processor configuration + +The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration) diff --git a/windows/security/book/includes/windows-firewall.md b/windows/security/book/includes/windows-firewall.md new file mode 100644 index 0000000000..6e75d17aae --- /dev/null +++ b/windows/security/book/includes/windows-firewall.md 
@@ -0,0 +1,30 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Firewall + +Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic +filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to. + +Windows Firewall offers the following benefits: + +- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack +- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data +- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API) + +Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools. 
+ +Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](../conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints. + +[!INCLUDE [new-24h2](new-24h2.md)] + +The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Firewall overview](/windows/security/operating-system-security/network-security/windows-firewall) +- [Firewall CSP](/windows/client-management/mdm/firewall-csp) diff --git a/windows/security/book/includes/windows-hello-for-business.md b/windows/security/book/includes/windows-hello-for-business.md new file mode 100644 index 0000000000..fa1f376c9d --- /dev/null +++ b/windows/security/book/includes/windows-hello-for-business.md 
@@ -0,0 +1,59 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Hello for Business + +Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources. + +After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device. + +Provisioning methods include: + +- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password +- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID +- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app + +Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account. + +There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business) +- [Enable passkeys (FIDO2) for your organization](/entra/identity/authentication/how-to-enable-passkey-fido2) + +### PIN reset + +The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4). + +Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN. + +[!INCLUDE [learn-more](learn-more.md)] + +- [PIN reset](/windows/security/identity-protection/hello-for-business/pin-reset) + +### Multi-factor unlock + +For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi. + +Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock) + +### Windows passwordless experience + +**Windows Hello for Business now support a fully passwordless experience.** + +IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. 
Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in. + +Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience) diff --git a/windows/security/book/includes/windows-hello.md b/windows/security/book/includes/windows-hello.md new file mode 100644 index 0000000000..806ed4ee22 --- /dev/null +++ b/windows/security/book/includes/windows-hello.md 
@@ -0,0 +1,46 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Hello + +Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection. + +Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication. + +The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy. + +Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM. + +PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks. + +Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Configure Windows Hello](https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0) + +### Windows Hello PIN + +The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server. + +The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements. + +[!INCLUDE [new-24h2](new-24h2.md)] + +If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors. + +### Windows Hello biometric + +Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in. + +Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment. 
+ +If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) diff --git a/windows/security/book/includes/windows-hotpatch.md b/windows/security/book/includes/windows-hotpatch.md new file mode 100644 index 0000000000..a417cec5fd --- /dev/null +++ b/windows/security/book/includes/windows-hotpatch.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Windows Hotpatch + +Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices. + +By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) 
diff --git a/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md new file mode 100644 index 0000000000..ef4cf44951 --- /dev/null +++ b/windows/security/book/includes/windows-insider-and-microsoft-bug-bounty-programs.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Insider and Microsoft Bug Bounty Programs + +As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. + +The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows. + +Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Insider Program](/windows-insider/get-started) +- [Microsoft Bug Bounty Programs](https://www.microsoft.com/msrc/bounty) diff --git a/windows/security/book/includes/windows-laps.md b/windows/security/book/includes/windows-laps.md new file mode 100644 index 0000000000..9b4d12e98b --- /dev/null +++ b/windows/security/book/includes/windows-laps.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Local Administrator Password Solution (LAPS) + +Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks. + +Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4). + +[!INCLUDE [new-24h2](new-24h2.md)] + +Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows LAPS overview](/windows-server/identity/laps/laps-overview) diff --git a/windows/security/book/includes/windows-presence-sensing.md b/windows/security/book/includes/windows-presence-sensing.md new file mode 100644 index 0000000000..c0a2c00c41 --- /dev/null +++ b/windows/security/book/includes/windows-presence-sensing.md 
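Review bot: in the windows-laps.md hunk, "three separate word source list" should be "lists", and "Microsoft Entra joined and Active Directory-joined" should be hyphenated consistently ("Microsoft Entra-joined"). "lateral-traversal attacks" is non-standard; the term used elsewhere in Microsoft docs is lateral movement.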
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows presence sensing + +Windows presence sensing[\[9\]](../conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment. + +Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor. + +Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup. + +Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing) +- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb) 
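Review bot: in the windows-presence-sensing.md hunk, "to sign the user in hands-free and automatically locks the device" should read "and automatically lock the device". "Privacy is top of mind and more important than ever" and "We're also supporting developers" are marketing and first-person register that the other includes avoid; state the controls plainly: the app privacy settings let users allow or block access to presence sensor data, and third-party apps read presence information through the new APIs on devices with sensors.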
diff --git a/windows/security/book/includes/windows-protected-print.md b/windows/security/book/includes/windows-protected-print.md new file mode 100644 index 0000000000..4dc9cda421 --- /dev/null +++ b/windows/security/book/includes/windows-protected-print.md @@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Windows protected print + +Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack. + +The benefits of Windows protected print include: + +- Increased PC security +- Simplified and consistent printing experience, regardless of PC architecture +- Removes the need to manage print drivers + +Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows protected print](/windows-hardware/drivers/print/modern-print-platform) +- [New, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md index d8d6385b3f..c219cb8339 100644 --- a/windows/security/book/includes/windows-sandbox.md +++ b/windows/security/book/includes/windows-sandbox.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## Windows Sandbox 
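Review bot: in the windows-protected-print.md hunk, "Mopria certified printers" should be "Mopria-certified printers", and the third benefit bullet ("Removes the need to manage print drivers") is a verb phrase while the two above it are noun phrases; "No print drivers to manage" keeps the list parallel.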
diff --git a/windows/security/book/includes/windows-security-policy-settings-and-auditing.md b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md new file mode 100644 index 0000000000..82787e2e83 --- /dev/null +++ b/windows/security/book/includes/windows-security-policy-settings-and-auditing.md 
@@ -0,0 +1,30 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows security policy settings and auditing + +Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control: + +- User authentication to a network or device +- Resources that users are permitted to access +- Whether to record a user or group's actions in the event log +- Membership in a group + +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies. + +All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy: + +1. Identify your most critical resources and activities. +1. Identify the audit settings you need to track them. +1. Assess the advantages and potential costs associated with each resource or setting. +1. Test these settings to validate your choices. +1. Develop plans for deploying and managing your audit policy. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings) +- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) 
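Review bot: in the windows-security-policy-settings-and-auditing.md hunk, "Security policies settings are rules" should be "Security policy settings are rules", and "(CSP)" following the plural "configuration service providers" should be "(CSPs)". The sentence "Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets" repeats "attacks"; drop one or distinguish them (for example "attempts against high-value targets").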
diff --git a/windows/security/book/includes/windows-security.md b/windows/security/book/includes/windows-security.md new file mode 100644 index 0000000000..5372df0ece --- /dev/null +++ b/windows/security/book/includes/windows-security.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Security + +:::row::: + :::column span="2"::: + Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. + :::column-end::: + :::column span="2"::: +:::image type="content" source="../images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="../images/windows-security.png" ::: + :::column-end::: +:::row-end::: + +[!INCLUDE [learn-more](learn-more.md)] + +- [Stay Protected With the Windows Security App](https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963) +- [Windows Security](/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center) diff --git a/windows/security/book/includes/windows-software-development-kit.md b/windows/security/book/includes/windows-software-development-kit.md new file mode 100644 index 0000000000..81a15b2dc8 --- /dev/null +++ b/windows/security/book/includes/windows-software-development-kit.md 
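Review bot: in the windows-security.md hunk, the ":::image type="content" ..." line inside the second column sits at column 0 while the surrounding ":::column" and ":::column-end:::" lines are indented; indent it to match the sibling lines so the row block is consistently nested.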
@@ -0,0 +1,15 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Software Development Kit (SDK) + +Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows application development - best practices](/windows/apps/get-started/best-practices) +- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples) diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md index 957410b0fb..ae408bb558 100644 --- a/windows/security/book/includes/windows-subsystem-for-linux.md +++ b/windows/security/book/includes/windows-subsystem-for-linux.md @@ -3,7 +3,6 @@ author: paolomatarazzo ms.author: paoloma ms.date: 12/11/2024 ms.topic: include -ms.service: windows-client --- ## Windows Subsystem for Linux (WSL) diff --git a/windows/security/book/includes/windows-update-for-business.md b/windows/security/book/includes/windows-update-for-business.md new file mode 100644 index 0000000000..1cf9b9731b --- /dev/null +++ b/windows/security/book/includes/windows-update-for-business.md 
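Review bot: in the windows-software-development-kit.md hunk, the link labelled "Windows SDK samples on GitHub" points to github.com/microsoft/WindowsAppSDK-Samples, which is the Windows App SDK repository, a different product from the Windows SDK the paragraph describes; either relabel the link as Windows App SDK samples or point it at Windows SDK samples. "follows the same security standards, protocols, and compliance as the core Windows operating system" is too vague to act on; say what an app gains (which mitigations or APIs) or cut the sentence.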
@@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +--- + +## Windows Update for Business + +Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality. + +Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization. + +This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Update for Business documentation](/windows/deployment/update/waas-manage-updates-wufb) diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md index d9ab85a02b..045bef6f75 100644 --- a/windows/security/book/operating-system-security-encryption-and-data-protection.md +++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md 
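Review bot: in the windows-update-for-business.md hunk, there is a stray comma in "like Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure". "empowers IT administrators to ensure" and "ensures a seamless and positive update experience" are marketing phrasing; "lets IT administrators keep ... up to date" and "gives users a consistent update experience" say the same thing in the register of the other includes.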
@@ -11,85 +11,12 @@ ms.date: 11/18/2024 When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. -## BitLocker +[!INCLUDE [bitlocker](includes/bitlocker.md)] -BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[4\]](conclusion.md#footnote4). +[!INCLUDE [device-encryption](includes/device-encryption.md)] -For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[3\]](conclusion.md#footnote3). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. +[!INCLUDE [encrypted-hard-drive](includes/encrypted-hard-drive.md)] -[!INCLUDE [new-24h2](includes/new-24h2.md)] +[!INCLUDE [personal-data-encryption](includes/personal-data-encryption.md)] -The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md) - -### BitLocker To Go - -BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml) - -## Device encryption - -Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place. - -Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption) - -## Encrypted hard drive - -Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. 
They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives. - -By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. - -Encrypted hard drives enable: - -- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation -- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks -- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive -- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md) - -## Personal Data Encryption - -Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. 
When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content. - -The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop. - -:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md) - -## Email encryption - -Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them[\[8\]](conclusion.md#footnote8). Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with. - -The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM). - -When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo) -- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627) -- [Email encryption](/purview/email-encryption) +[!INCLUDE [email-encryption](includes/email-encryption.md)] diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md index fff427b5b2..3ef8199a90 100644 --- a/windows/security/book/operating-system-security-network-security.md +++ b/windows/security/book/operating-system-security-network-security.md 
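Review bot: in the operating-system-security-encryption-and-data-protection.md hunk, the removed BitLocker paragraph cites Intune as footnote [\[3\]](conclusion.md#footnote3) and OneDrive/Azure as [\[4\]], while the new include files in this same diff (windows-laps.md, windows-update-for-business.md) cite Intune as footnote [4]; confirm the conclusion.md footnote numbering before the moved text goes into includes/bitlocker.md. The removed bullets used paths relative to this file ("../operating-system-security/data-protection/bitlocker/index.md"); the new includes resolve relative to includes/ (they use "../conclusion.md"), so the moved links need one more "../". The five includes referenced here (bitlocker.md, device-encryption.md, encrypted-hard-drive.md, personal-data-encryption.md, email-encryption.md) are not visible in this part of the diff; confirm they are added.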
@@ -19,121 +19,20 @@ In enterprise environments, network protection works best with Microsoft Defende [!INCLUDE [learn-more](includes/learn-more.md)] -- [How to protect your network][LINK-1] +- [How to protect your network](/defender-endpoint/network-protection) -## Transport Layer Security (TLS) +[!INCLUDE [transport-layer-security](includes/transport-layer-security.md)] -Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications. 
+[!INCLUDE [domain-name-system-security](includes/domain-name-system-security.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [bluetooth-protection](includes/bluetooth-protection.md)] -- [TLS/SSL overview (Schannel SSP)][LINK-2] -- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows][LINK-3] +[!INCLUDE [wi-fi-connections](includes/wi-fi-connections.md)] -## Domain Name System (DNS) security +[!INCLUDE [5g-and-esim](includes/5g-and-esim.md)] -In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their -name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust -model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required. +[!INCLUDE [windows-firewall](includes/windows-firewall.md)] -Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS. +[!INCLUDE [virtual-private-networks](includes/virtual-private-networks.md)] -Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. 
The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms. - -## Bluetooth protection - -The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date. - -IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Policy CSP - Bluetooth][LINK-4] - -## Wi-Fi connections - -Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication. 
- -The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B. - -Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication. - -Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included. - -## 5G and eSIM - -5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [eSIM configuration of a download server][LINK-5] - -## Windows Firewall - -Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic -filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to. - -Windows Firewall offers the following benefits: - -- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. 
This functionality increases manageability and decreases the likelihood of a successful attack -- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data -- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API) - -Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools. - -Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[4\]](conclusion.md#footnote4), using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. 
Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Firewall overview][LINK-6] -- [Firewall CSP][LINK-7] - -## Virtual private networks (VPN) - -Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN -protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and -consumer VPNs, including apps for the most popular enterprise VPN gateways. - -In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls. - -The Windows VPN platform connects to Microsoft Entra ID[\[4\]](conclusion.md#footnote4) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune[\[4\]](conclusion.md#footnote4) and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites. 
- -With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins. - -The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows VPN technical guide][LINK-8] - -## Server Message Block file services - -Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. - -Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2][LINK-9] -- [File sharing using the SMB 3 protocol][LINK-10] - - - -[LINK-1]: /defender-endpoint/network-protection -[LINK-2]: /windows-server/security/tls/tls-ssl-schannel-ssp-overview -[LINK-3]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947 -[LINK-4]: /windows/client-management/mdm/policy-csp-bluetooth -[LINK-5]: /mem/intune/configuration/esim-device-configuration-download-server -[LINK-6]: /windows/security/operating-system-security/network-security/windows-firewall -[LINK-7]: /windows/client-management/mdm/firewall-csp -[LINK-8]: /windows/security/operating-system-security/network-security/vpn/vpn-guide -[LINK-9]: /windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes -[LINK-10]: /windows-server/storage/file-server/file-server-smb-overview \ No newline at end of file +[!INCLUDE [server-message-block-file-services](includes/server-message-block-file-services.md)] diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md index dd056f219e..6d8c6adc24 100644 --- a/windows/security/book/operating-system-security-system-security.md +++ b/windows/security/book/operating-system-security-system-security.md 
@@ -9,181 +9,24 @@ ms.date: 11/18/2024 :::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false"::: -## Trusted Boot (Secure Boot + Measured Boot) +[!INCLUDE [trusted-boot](includes/trusted-boot.md)] -Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process. +[!INCLUDE [cryptography](includes/cryptography.md)] -Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. +[!INCLUDE [certificates](includes/certificates.md)] -To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy. +[!INCLUDE [code-signing-and-integrity](includes/code-signing-and-integrity.md)] -Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. 
If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. +[!INCLUDE [device-health-attestation](includes/device-health-attestation.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [windows-security-policy-settings-and-auditing](includes/windows-security-policy-settings-and-auditing.md)] -- [Secure the Windows boot process][LINK-1] -- [Secure Boot and Trusted Boot][LINK-2] +[!INCLUDE [windows-security](includes/windows-security.md)] -## Cryptography +[!INCLUDE [config-refresh](includes/config-refresh.md)] -Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented. 
+[!INCLUDE [kiosk-mode](includes/kiosk-mode.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [windows-protected-print](includes/windows-protected-print.md)] -- FIPS 140 validation - -Windows cryptographic modules provide low-level primitives such as: - -- Random number generators (RNG) -- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521 -- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512) -- Signing and verification (padding support for OAEP, PSS, and PKCS1) -- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF) - -Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- Cryptography and certificate management - -Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available. - -SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information -exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers. 
- -## Certificates - -To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. - -## Code signing and integrity - -To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with. 
- -The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)][LINK-3]. This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers. - -## Device Health Attestation - -The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) reviews device health and connects this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) for conditional access. - -Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. 
From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security. - -A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows: - -- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on -- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service -- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service -- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Control the health of Windows devices][LINK-4] - -## Windows security policy settings and auditing - -Security policy settings are a critical part of your overall security strategy. 
Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control: - -- User authentication to a network or device -- Resources that users are permitted to access -- Whether to record a user or group's actions in the event log -- Membership in a group - -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies. - -All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy: - -1. Identify your most critical resources and activities. -1. Identify the audit settings you need to track them. -1. Assess the advantages and potential costs associated with each resource or setting. -1. Test these settings to validate your choices. -1. Develop plans for deploying and managing your audit policy. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Security policy settings][LINK-5] -- [Security auditing][LINK-6] - -## Windows Security - -:::row::: - :::column span="2"::: - Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. 
- :::column-end::: - :::column span="2"::: -:::image type="content" source="images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/windows-security.png" ::: - :::column-end::: -:::row-end::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Stay protected with Windows Security][LINK-7] -- [Windows Security][LINK-8] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Config Refresh - -With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT. - -By contrast, with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy. - -Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols. - -Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Config Refresh][LINK-9] - -## Kiosk mode - -:::row::: - :::column span="2"::: - Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup. - :::column-end::: - :::column span="2"::: -:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" ::: - :::column-end::: -:::row-end::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access) - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Windows protected print - -Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack. - -The benefits of Windows protected print include: - -- Increased PC security -- Simplified and consistent printing experience, regardless of PC architecture -- Removes the need to manage print drivers - -Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows protected print][LINK-10] -- [New, modern, and secure print experience from Windows][LINK-11] - -## :::image type="icon" source="images/new-button-title.svg" border="false"::: Rust for Windows - -Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector. -We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Rust for Windows, and the windows crate][LINK-12] - - - -[LINK-1]: /windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process -[LINK-2]: /windows/security/operating-system-security/system-security/trusted-boot -[LINK-3]: /windows-hardware/design/compatibility/ -[LINK-4]: /windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices -[LINK-5]: /windows/security/threat-protection/security-policy-settings/security-policy-settings -[LINK-6]: /windows/security/threat-protection/auditing/security-auditing-overview -[LINK-7]: https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963 -[LINK-8]: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center -[LINK-9]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921 -[LINK-10]: 
/windows-hardware/drivers/print/modern-print-platform -[LINK-11]: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645 -[LINK-12]: /windows/dev-environment/rust/rust-for-windows +[!INCLUDE [rust-for-windows](includes/rust-for-windows.md)] diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md index cb69b30617..fcc31121e8 100644 --- a/windows/security/book/operating-system-security-virus-and-threat-protection.md +++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md 
@@ -11,109 +11,16 @@ ms.date: 11/18/2024 Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats. -## Microsoft Defender SmartScreen +[!INCLUDE [microsoft-defender-smartscreen](includes/microsoft-defender-smartscreen.md)] -Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. +[!INCLUDE [network-protection](includes/network-protection.md)] -SmartScreen determines whether a site is potentially malicious by: +[!INCLUDE [tamper-protection](includes/tamper-protection.md)] -- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution -- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious +[!INCLUDE [microsoft-defender-antivirus](includes/microsoft-defender-antivirus.md)] -SmartScreen also determines whether a downloaded app or app installer is potentially malicious by: +[!INCLUDE [attack-surface-reduction-rules](includes/attack-surface-reduction-rules.md)] -- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious -- Checking downloaded files against a list of well-known files. 
If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert +[!INCLUDE [controlled-folder-access](includes/controlled-folder-access.md)] -With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[4\]](conclusion.md#footnote4). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. - -Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device. - -The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/). - -## Network protection - -While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files. - -When using Network Protection with Microsoft Defender for Endpoint, you'll be able to use Indicators of Compromise to block specific URL's and/or ip addresses. -Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization. Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering. 
- -[Network Protection library](/defender-endpoint/network-protection) -[Web protection library](/defender-endpoint/web-protection-overview) - -## Tamper protection - -Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities. - -With tamper protection, malware is prevented from taking actions such as: - -- Disabling real-time protection -- Turning off behavior monitoring -- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV)) -- Disabling cloud-delivered protection -- Removing security intelligence updates -- Disabling automatic actions on detected threats -- Disabling archived files -- Altering exclusions -- Disabling notifications in the Windows Security app - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) - -## Microsoft Defender Antivirus - -Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on. - -Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. 
This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware. - -Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work. - -:::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows). - -## Attack surface reduction rules - -Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as: - -- Launching executable files and scripts that attempt to download or run files -- Running obfuscated or otherwise suspicious scripts -- Performing behaviors that apps don't usually initiate during normal day-to-day work - -For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. 
Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation - -For Microsoft Edge and reducing the attack surface across applications, folders, device, -network, and firewall. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction) - -## Controlled folder access - -You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders. - -Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders. - -Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Controlled folder access](/defender-endpoint/controlled-folders) - -## Exploit Protection - -Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4), which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously. - -When a mitigation is encountered on the device, a notification will be displayed from the Action Center. 
You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. - -You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP). - -Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection) \ No newline at end of file +[!INCLUDE [exploit-protection](includes/exploit-protection.md)] diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md index 9aa5d2bd86..217043c134 100644 --- a/windows/security/book/privacy-controls.md +++ b/windows/security/book/privacy-controls.md 
@@ -7,29 +7,10 @@ ms.date: 11/18/2024 # Privacy controls -## Microsoft Privacy Dashboard +[!INCLUDE [microsoft-privacy-dashboard](includes/microsoft-privacy-dashboard.md)] -Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency. +[!INCLUDE [privacy-transparency-and-controls](includes/privacy-transparency-and-controls.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] +[!INCLUDE [privacy-resource-usage](includes/privacy-resource-usage.md)] -- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy) -- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) - -## Privacy transparency and controls - -Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more. - -## Privacy resource usage - -Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps. - -This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired. 
- -## Windows diagnostic data processor configuration - -The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration) +[!INCLUDE [windows-diagnostic-data-processor-configuration](includes/windows-diagnostic-data-processor-configuration.md)] diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md index 1f8c8c878d..2cc0aad27e 100644 --- a/windows/security/book/security-foundation-certification.md +++ b/windows/security/book/security-foundation-certification.md 
@@ -11,25 +11,6 @@ ms.date: 11/18/2024 Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance. -## Federal Information Processing Standard (FIPS) +[!INCLUDE [federal-information-processing-standard](includes/federal-information-processing-standard.md)] -The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows FIPS 140 validation][LINK-1] - -## Common Criteria (CC) - -Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. - -Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Common Criteria certifications][LINK-2] - - - -[LINK-1]: /windows/security/security-foundations/certification/fips-140-validation -[LINK-2]: /windows/security/threat-protection/windows-platform-common-criteria \ No newline at end of file +[!INCLUDE [common-criteria](includes/common-criteria.md)] 
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md index f40f549653..ce6cfae794 100644 --- a/windows/security/book/security-foundation-offensive-research.md +++ b/windows/security/book/security-foundation-offensive-research.md 
@@ -9,56 +9,12 @@ ms.date: 11/18/2024 :::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false"::: -## Secure Future Initiative (SFI) +[!INCLUDE [secure-future-initiative](includes/secure-future-initiative.md)] -Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security. +[!INCLUDE [microsoft-security-development-lifecycle](includes/microsoft-security-development-lifecycle.md)] -The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security. +[!INCLUDE [onefuzz-service](includes/onefuzz-service.md)] -To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI. +[!INCLUDE [microsoft-offensive-research-and-security-engineering](includes/microsoft-offensive-research-and-security-engineering.md)] -:::image type="content" source="images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="images/sfi.png" border="false"::: - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Secure Future Initiative][LINK-6] -- [September 2024 progress update on SFI][LINK-5] - -## Microsoft Security Development Lifecycle (SDL) - -The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. 
- -## OneFuzz service - -A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released. - -## Microsoft Offensive Research and Security Engineering - -Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [MORSE security team takes proactive approach to finding bugs][LINK-1] -- [MORSE Blog][LINK-2] - -## Windows Insider and Microsoft Bug Bounty Programs - -As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. - -The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows. - -Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Insider Program][LINK-3] -- [Microsoft Bug Bounty Programs][LINK-4] - - - -[LINK-1]: https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering -[LINK-2]: https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team -[LINK-3]: /windows-insider/get-started -[LINK-4]: https://www.microsoft.com/msrc/bounty -[LINK-5]: https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/ -[LINK-6]: https://www.microsoft.com/trust-center/security/secure-future-initiative +[!INCLUDE [windows-insider-and-microsoft-bug-bounty-programs](includes/windows-insider-and-microsoft-bug-bounty-programs.md)] diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md index 9e638bfbc5..aff2c2efad 100644 --- a/windows/security/book/security-foundation-secure-supply-chain.md +++ b/windows/security/book/security-foundation-secure-supply-chain.md 
@@ -51,24 +51,6 @@ Microsoft requires the Windows 11 supply chain to comply with controls including - Warehouse & storage - Logistics management -## Software bill of materials (SBOM) +[!INCLUDE [software-bill-of-materials](includes/software-bill-of-materials.md)] -In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards. - -The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain. - -By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [SBOM tool](https://github.com/microsoft/sbom-tool) -- [Code Sign Tool](https://github.com/microsoft/CoseSignTool) - -## Windows Software Development Kit (SDK) - -Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. 
To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows application development - best practices](/windows/apps/get-started/best-practices) -- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples) \ No newline at end of file +[!INCLUDE [windows-software-development-kit](includes/windows-software-development-kit.md)] diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index f89ec506b2..928f69bd65 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md @@ -1,7 +1,7 @@ --- title: Enable memory integrity description: This article explains the steps to opt in to using memory integrity on Windows devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 appliesto: - "✅ Windows 11" diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md index fc2bcfb404..f65591233c 100644 --- a/windows/security/hardware-security/tpm/manage-tpm-commands.md +++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md @@ -1,7 +1,7 @@ --- title: Manage TPM commands description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 --- diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md index 7dfa150354..070cfc617b 100644 
--- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md +++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md @@ -1,7 +1,7 @@ --- title: Manage TPM lockout description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 --- diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index c3cd7b4d47..d33b3d16c9 100644 --- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,7 +1,7 @@ --- title: Understand PCR banks on TPM 2.0 devices description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/10/2024 --- diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md index 372d8ad9ee..65628f0704 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md @@ -1,7 +1,7 @@ --- title: Trusted Platform Module Technology Overview description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/10/2024 ms.collection: - tier1 diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index dde02e443a..72b234fa55 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md 
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,5 +1,5 @@ --- -ms.date: 06/20/2024 +ms.date: 02/25/2025 title: Additional mitigations description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code. ms.topic: reference diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 192b60aca0..84a8a1ab89 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -1,5 +1,5 @@ --- -ms.date: 06/20/2024 +ms.date: 02/25/2025 title: Configure Credential Guard description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry. ms.topic: how-to diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index e4531d1f84..61c3a2f4ad 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md @@ -1,5 +1,5 @@ --- -ms.date: 06/20/2024 +ms.date: 02/25/2025 title: Considerations and known issues when using Credential Guard description: Considerations, recommendations, and known issues when using Credential Guard. ms.topic: troubleshooting diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index beedce6046..57b7f1812e 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -1,5 +1,5 @@ --- -ms.date: 06/20/2024 +ms.date: 02/25/2025 title: How Credential Guard works description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.topic: concept-article diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 386e6883e1..ed560fd572 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -1,5 +1,5 @@ --- -ms.date: 06/20/2024 +ms.date: 02/25/2025 title: Credential Guard overview description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them. ms.topic: overview diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index f2c4e29919..3d39fd5952 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud-only deployment guide description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md index d17d8078a4..3e243e7804 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md 
@@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in a hybrid certificate trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model. -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index 436f28fe2d..62058ca259 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md @@ -1,7 +1,7 @@ --- title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 09/26/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md index ff9434bc73..201dcb360e 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md @@ -1,7 +1,7 @@ --- title: Configure and validate the PKI in a hybrid certificate trust model description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index 8b2347f411..ae5c58048b 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid certificate trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index e4312d8684..c5415b75d6 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment guide description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- 
@@ -45,7 +45,7 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur - Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain > [!NOTE] - > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust. + > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of privileged built-in security groups won't be able to use cloud Kerberos trust. :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server." lightbox="images/azuread-kerberos-object.png"::: diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index 742939bf9d..fb1fca3ac8 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -1,7 +1,7 @@ --- title: Configure and enroll in Windows Hello for Business in a hybrid key trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index ce6526f4a7..6c4e14aced 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md 
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid key trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index fb262a5ee4..22fb26e965 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md @@ -1,7 +1,7 @@ --- title: Plan a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.date: 10/30/2024 +ms.date: 02/25/2025 ms.topic: concept-article --- @@ -251,7 +251,7 @@ Here are some considerations regarding licensing requirements for cloud services ### Windows requirements -All supported Windows versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions: +All supported Windows (client) versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions: || Deployment model | Trust type | Windows version| |--|--|--|--| diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 73dd0d6cbf..2c00e42350 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md 
@@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in an on-premises certificate trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model. -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md index 3a9200db54..d718cd9fc4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md @@ -1,5 +1,5 @@ --- -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 0240088385..7967a0cd35 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business on-premises certificate trust deployment guide description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario. -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md index 123d35b434..32a928a19c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md @@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in an on-premises key trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md index 41cea6946f..c8081dd141 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md @@ -1,5 +1,5 @@ --- -ms.date: 06/23/2024 +ms.date: 02/25/2025 ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md index 347471eeef..3fb4866bff 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md 
@@ -1,7 +1,7 @@ --- title: Windows Hello for Business on-premises key trust deployment guide description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario. -ms.date: 06/24/2024 +ms.date: 02/25/2025 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md index efbea47423..8bdef8c5ea 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md +++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md @@ -1,7 +1,7 @@ --- title: Prepare users to provision and use Windows Hello for Business description: Learn how to prepare users to enroll and to use Windows Hello for Business. -ms.date: 11/22/2024 +ms.date: 02/25/2025 ms.topic: end-user-help --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index 2b1e13953b..c6807e111b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md @@ -146,4 +146,4 @@ For more information about device encryption, see [BitLocker device encryption h [WIN-1]: /windows/deployment/mbr-to-gpt [WIN-2]: /windows-server/administration/windows-commands/bdehdcfg [WIN-3]: /windows-hardware/design/device-experiences/modern-standby -[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption \ No newline at end of file +[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md index ef44453923..8005268fd0 100644 
--- a/windows/security/operating-system-security/data-protection/configure-s-mime.md +++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md @@ -2,7 +2,7 @@ title: Configure S/MIME For Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows. ms.topic: how-to -ms.date: 12/02/2024 +ms.date: 02/25/2025 --- diff --git a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md index 61a6b9a820..625c644314 100644 --- a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md +++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md @@ -1,7 +1,7 @@ --- title: Encrypted hard drives description: Learn how encrypted hard drives use the rapid encryption that is provided by BitLocker to enhance data security and management. -ms.date: 07/22/2024 +ms.date: 02/25/2025 ms.topic: concept-article --- diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md index 08bb94eda4..1d9af2fdd1 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md 
@@ -3,7 +3,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. ms.localizationpriority: medium ms.date: 07/10/2024 -ms.topic: conceptual +ms.topic: concept-article --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index 3556919a26..704206929a 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -1,7 +1,7 @@ --- title: Microsoft Security Compliance Toolkit Guide description: This article describes how to use Security Compliance Toolkit in your organization. -ms.topic: conceptual +ms.topic: concept-article ms.date: 10/01/2024 --- diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 1c997805c4..f25f5692a9 100644 --- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -2,7 +2,7 @@ title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices. ms.date: 07/10/2024 -ms.topic: conceptual +ms.topic: how-to --- # Control the health of Windows devices diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index c931ca2dcb..39e6da5648 100644 --- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- title: Secure the Windows boot process description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 ms.collection: - tier1 diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md index 392c293fd2..d41e015648 100644 --- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md +++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md @@ -1,7 +1,7 @@ --- title: Common Criteria certifications for previous Windows Server releases description: Learn about the completed Common Criteria certifications for previous Windows Server releases. -ms.date: 2/1/2024 +ms.date: 2/24/2025 ms.topic: reference --- 
@@ -28,16 +28,16 @@ The following tables list the completed Common Criteria certifications for Windo |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] | +|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] | |Server Core 2008 R2: Hyper-V Server Role|July 24, 2009 |(Hyper-V certification.) Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3. It is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3. |[Security Target][security-target-july-2009]; [Administrative Guide][admin-guide-july-2009]; [Certification Report][certification-report-july-2009] | ## Windows Server 2008 |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] | +|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. 
|[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] | |Microsoft Windows Server Core 2008: Hyper-V Server Role. |July 24, 2009 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-july-2009-hyperv]; [Administrative Guide][admin-guide-july-2009-hyperv]; [Certification Report][certification-report-july-2009-hyperv] | -|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] | +|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] | ## Windows Server 2003 Certificate Server 
@@ -77,11 +77,8 @@ The following tables list the completed Common Criteria certifications for Windo [admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx [admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx -[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00 [admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308 [admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252 -[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 -[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows10.md b/windows/security/security-foundations/certification/validations/fips-140-windows10.md index 9bf64e0084..e7cecf69e6 100644 --- a/windows/security/security-foundations/certification/validations/fips-140-windows10.md +++ b/windows/security/security-foundations/certification/validations/fips-140-windows10.md @@ -1,7 +1,7 @@ --- title: FIPS 140 validated modules for Windows 10 description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10. -ms.date: 11/13/2024 +ms.date: 2/24/2025 ms.topic: reference --- 
@@ -339,6 +339,6 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M [sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf [sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf [sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf -[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf +[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4538.pdf [sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf [sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md index e5f8535abe..0a74721232 100644 --- a/windows/whats-new/extended-security-updates.md +++ b/windows/whats-new/extended-security-updates.md @@ -7,7 +7,7 @@ ms.author: mstewart author: mestew manager: aaroncz ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.date: 02/19/2025 ms.collection: - highpri diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md index 991c787969..0c7e01a1bf 100644 --- a/windows/whats-new/removed-features.md +++ b/windows/whats-new/removed-features.md @@ -8,7 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: reference ms.subservice: itpro-fundamentals -ms.date: 12/09/2024 +ms.date: 02/25/2025 ms.collection: - highpri - tier1 
@@ -38,6 +38,7 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| Data Encryption Standard (DES) | DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and [Windows Server 2025](/windows-server/get-started/removed-deprecated-features-windows-server-2025) and later.| September 2025 | | NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 | | Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 | | Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 | diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index a348f85ad3..909814ca56 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -6,7 +6,7 @@ author: mestew ms.author: mstewart ms.service: windows-client ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.collection: - highpri - tier1
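Review bot: the ms.topic values in this batch are not applied consistently. secure-the-windows-10-boot-process.md and protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md move from `conceptual` to `how-to`, yet their own descriptions ("This article describes how Windows security features help protect your PC from malware" and "This article details an end-to-end solution") read as explanatory rather than procedural, while mbsa-removal-and-guidance.md and security-compliance-toolkit-10.md get `concept-article` in the same change. Unless the boot-process and device-health articles have been restructured into numbered steps, `concept-article` looks like the better fit for them too; worth a second look before merging.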
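Review bot: the cc-windows-server-previous.md hunks drop the Administrative Guide link from three rows (March 24, 2011; August 15, 2009; September 17, 2008) and delete the matching `[admin-guide-march-2011]`, `[admin-guide-august-2009]` and `[admin-guide-september-2008]` reference definitions, which keeps the reference links consistent, but the two Hyper-V rows keep their Administrative Guide links, so the Documents column now varies row by row with nothing to explain why. If the guides were pulled because the `familyid=` download URLs no longer resolve (the August 2009 and September 2008 definitions pointed at the same familyid, which already looked suspect), a short note in the table or the commit message saying that the administrative guidance for those certifications is no longer published would save readers from assuming it never existed.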
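Review bot: the `[sp-4538]` fix in fips-140-windows10.md is correct: the old definition pointed at `140sp4537.pdf`, so the Security Policy link for module 4538 served the 4537 document, a copy-paste slip that is easy to repeat in a list this long. Since every definition here follows the pattern `[sp-NNNN]` → `.../140spNNNN.pdf`, a one-line scripted check that the number in each key matches the number in its URL across the whole file would confirm there are no other mismatches before this merges.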
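Review bot: the new DES row in removed-features.md is inconsistent with the rest of the table. The Support removed column gives a date, `September 2025`, where every neighbouring row gives a release (`24H2`), and the Details text says DES "is removed from Windows 11, version 24H2 and later", so a reader cannot tell whether the removal took effect in 24H2 or in September 2025; pick one convention and make the two columns agree, or state explicitly that 24H2 removed it and September 2025 is when support ends. The sentence is also missing a verb: `is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms` should read `and has been replaced by`.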