mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Updates
@ -36,7 +36,7 @@ Your organization is only as secure as the applications that run on your devices
|
|||||||
|
|
||||||
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
|
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
|
||||||
|
|
||||||
Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
|
Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
|
||||||
|
|
||||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||||
|
|
||||||
|
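Review bot: The new link target on the Intune line, `conclusion.md#footnote4`, points at an anchor this diff does not show. Confirm that conclusion.md defines `footnote4` and that its text still applies to Intune. The same substitution repeats in every hunk, and the commit message "Updates" does not say why the footnote number changed, so a sentence in the message explaining the renumbering would help.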
@ -23,7 +23,7 @@ Windows 11 works with Microsoft Entra ID to provide secure access, identity mana
|
|||||||
|
|
||||||
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
|
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
|
||||||
|
|
||||||
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, it receives the following security benefits:
|
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, it receives the following security benefits:
|
||||||
|
|
||||||
- Default managed user and device settings and policies
|
- Default managed user and device settings and policies
|
||||||
- Single sign-in to all Microsoft Online Services
|
- Single sign-in to all Microsoft Online Services
|
||||||
@ -67,7 +67,7 @@ Both Microsoft Entra Private Access and Microsoft Entra Internet Access use the
|
|||||||
|
|
||||||
### Enterprise State Roaming
|
### Enterprise State Roaming
|
||||||
|
|
||||||
Available to any organization with a Microsoft Entra ID Premium<sup>[\[7\]](conclusion.md#footnote7)</sup> `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
|
Available to any organization with a Microsoft Entra ID Premium<sup>[\[4\]](conclusion.md#footnote4)</sup> `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
|
||||||
|
|
||||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||||
|
|
||||||
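Review bot: A stray backtick before "license" in the Enterprise State Roaming sentence survives on the new line (`</sup> `license, Enterprise State Roaming ...`). Since this line is being edited anyway, drop the backtick so the sentence reads "Microsoft Entra ID Premium license".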
@ -75,7 +75,7 @@ Available to any organization with a Microsoft Entra ID Premium<sup>[\[7\]](conc
|
|||||||
|
|
||||||
## Microsoft Azure Attestation Service
|
## Microsoft Azure Attestation Service
|
||||||
|
|
||||||
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> integrates with Microsoft Azure Attestation Service to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> Conditional Access.
|
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> integrates with Microsoft Azure Attestation Service to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> Conditional Access.
|
||||||
|
|
||||||
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
|
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
|
||||||
|
|
||||||
@ -91,7 +91,7 @@ Once this verification is complete, the attestation service returns a signed rep
|
|||||||
|
|
||||||
## Cloud-native device management
|
## Cloud-native device management
|
||||||
|
|
||||||
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
|
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
|
||||||
|
|
||||||
Windows 11 built-in management features include:
|
Windows 11 built-in management features include:
|
||||||
|
|
||||||
@ -196,7 +196,7 @@ The security baseline has been enhanced with over 70 new settings, enabling loca
|
|||||||
|
|
||||||
Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
|
Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
|
||||||
|
|
||||||
Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>.
|
Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.
|
||||||
|
|
||||||
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
||||||
|
|
||||||
@ -215,7 +215,7 @@ With Windows Autopilot, there's no need to reimage or manually set-up devices be
|
|||||||
Windows Autopilot enables you to:
|
Windows Autopilot enables you to:
|
||||||
|
|
||||||
- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
|
- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
|
||||||
- Autoenroll devices into a device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> (requires a Microsoft Entra ID Premium subscription for configuration)
|
- Autoenroll devices into a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> (requires a Microsoft Entra ID Premium subscription for configuration)
|
||||||
- Create and autoassignment of devices to configuration groups based on a device's profile
|
- Create and autoassignment of devices to configuration groups based on a device's profile
|
||||||
- Customize of the out-of-box experience (OOBE) content specific to your organization
|
- Customize of the out-of-box experience (OOBE) content specific to your organization
|
||||||
|
|
||||||
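Review bot: Two bullets next to the changed Autoenroll line are ungrammatical: "Create and autoassignment of devices to configuration groups" and "Customize of the out-of-box experience (OOBE) content". Suggest "Create and autoassign devices to configuration groups based on a device's profile" and "Customize the out-of-box experience (OOBE) content specific to your organization" in the same change.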
@ -230,7 +230,7 @@ Existing devices can also be quickly prepared for a new user with Windows Autopi
|
|||||||
|
|
||||||
Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
|
Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
|
||||||
|
|
||||||
Administrators can utilize group policy or a device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
|
Administrators can utilize group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
|
||||||
|
|
||||||
This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
|
This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
|
||||||
|
|
||||||
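Review bot: The comma after the footnote on the changed line ("like Microsoft Intune<sup>...</sup>, to configure Windows Update for Business settings") separates "utilize ..." from "to configure" and should be removed.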
@ -278,14 +278,14 @@ Unlike traditional print solutions that rely on Windows print servers, Universal
|
|||||||
|
|
||||||
Universal Print supports Zero Trust security by requiring that:
|
Universal Print supports Zero Trust security by requiring that:
|
||||||
|
|
||||||
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
|
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
|
||||||
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
|
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
|
||||||
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
|
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
|
||||||
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
|
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
|
||||||
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
|
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
|
||||||
- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
|
- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
|
||||||
|
|
||||||
Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, admins can now configure policy settings to provision specific printers onto the user's Windows devices.
|
Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, admins can now configure policy settings to provision specific printers onto the user's Windows devices.
|
||||||
|
|
||||||
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
|
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
|
||||||
|
|
||||||
|
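Review bot: The bullet after the changed authentication line says connections use "SSL with TLS 1.2 protection", which names two different protocols as one. State the protocol and version actually required, for example "uses TLS 1.2". In the same bullet, "This protects network snooping of traffic" should read "This protects against network snooping". In the changed bullet itself, "A hacker would have to have knowledge of the right credentials" could be tightened to "An attacker would need valid credentials".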
@ -70,7 +70,7 @@ VBS key protection enables developers to secure cryptographic keys using Virtual
|
|||||||
|
|
||||||
## Token protection (preview)
|
## Token protection (preview)
|
||||||
|
|
||||||
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[7\]](conclusion.md#footnote7)</sup> can be configured to require token protection when using sign-in tokens for specific services.
|
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[4\]](conclusion.md#footnote4)</sup> can be configured to require token protection when using sign-in tokens for specific services.
|
||||||
|
|
||||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ Organizations with hybrid scenarios can eliminate the need for on-premises domai
|
|||||||
|
|
||||||
### PIN reset
|
### PIN reset
|
||||||
|
|
||||||
The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windwos devices using group policy or a device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>.
|
The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windwos devices using group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.
|
||||||
|
|
||||||
Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
|
Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
|
||||||
|
|
||||||
|
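Review bot: The typo "Windwos" in the PIN reset paragraph ("must be enabled on the Windwos devices") is carried over unchanged onto the new line. Fix it to "Windows" while the line is being touched.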
@ -44,7 +44,7 @@ Support for DNS encryption integrates with existing Windows DNS configurations s
|
|||||||
|
|
||||||
The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
|
The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
|
||||||
|
|
||||||
IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
|
IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
|
||||||
|
|
||||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||||
|
|
||||||
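Review bot: The changed paragraph opens with "IT-managed environments have a number policy settings available", which is missing "of". Suggest "have a number of policy settings available".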
@ -81,7 +81,7 @@ Windows Firewall offers the following benefits:
|
|||||||
|
|
||||||
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
|
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
|
||||||
|
|
||||||
Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
|
Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
|
||||||
|
|
||||||
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
||||||
|
|
||||||
@ -100,7 +100,7 @@ consumer VPNs, including apps for the most popular enterprise VPN gateways.
|
|||||||
|
|
||||||
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
|
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
|
||||||
|
|
||||||
The Windows VPN platform connects to Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
|
The Windows VPN platform connects to Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
|
||||||
|
|
||||||
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
|
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ SmartScreen also determines whether a downloaded app or app installer is potenti
|
|||||||
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
|
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
|
||||||
- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
|
- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
|
||||||
|
|
||||||
With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
|
With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
|
||||||
|
|
||||||
Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
|
Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
|
||||||
|
|
||||||
@ -106,13 +106,13 @@ Controlled folder access helps protect user's valuable data from malicious apps
|
|||||||
|
|
||||||
## Microsoft Defender for Endpoint
|
## Microsoft Defender for Endpoint
|
||||||
|
|
||||||
Microsoft Defender for Endpoint<sup>[\[7\]](conclusion.md#footnote7)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats.
|
Microsoft Defender for Endpoint<sup>[\[4\]](conclusion.md#footnote4)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats.
|
||||||
|
|
||||||
Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
|
Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
|
||||||
|
|
||||||
- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
|
- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
|
||||||
- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
|
- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
|
||||||
- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[7\]](conclusion.md#footnote7)</sup>, and online assets
|
- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[4\]](conclusion.md#footnote4)</sup>, and online assets
|
||||||
- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
|
- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
|
||||||
- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
|
- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
|
||||||
detailed investigation outcomes
|
detailed investigation outcomes
|
||||||
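Review bot: The changed "Cloud security analytics" bullet says "big data, device learning", which looks like a slip for "machine learning", the term the neighbouring bullets use. Two other bullets in this list also need attention: "With Automatic Attack Disruption uses AI ..." has no label and does not parse (suggest "Automatic Attack Disruption: Uses AI, machine learning, ..."), and the "Rich response capabilities" bullet breaks onto a separate line at "providing / detailed investigation outcomes", which will render as a detached paragraph.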
@ -127,7 +127,7 @@ platforms, all synthesized into a single dashboard. This solution offers tremend
|
|||||||
|
|
||||||
## Exploit protection
|
## Exploit protection
|
||||||
|
|
||||||
Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint<sup>[\[7\]](conclusion.md#footnote7)</sup>, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> to distribute the configuration XML file to multiple devices simultaneously.
|
Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint<sup>[\[4\]](conclusion.md#footnote4)</sup>, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> to distribute the configuration XML file to multiple devices simultaneously.
|
||||||
|
|
||||||
When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
|
When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
|
||||||
|
|
||||||
|