mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 06:43:38 +00:00
updates
@ -28,7 +28,7 @@ Devices running previous versions of Windows 11 will have to be reset with a cle
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
- [Smart App Control][LINK-1]
## App Control for Business
@ -42,8 +42,8 @@ Customers can use some built-in options for App Control for Business or upload t
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
- [Application Control for Windows][LINK-2]
- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
## User Account Control
@ -78,3 +78,9 @@ It is a Microsoft fully managed end-to-end signing solution that simplifies the
- [What is Trusted Signing](/azure/trusted-signing/overview)
- [Public Preview Blog](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457)
<!--links-->
[LINK-1]: /windows/apps/develop/smart-app-control/overview
[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
@ -33,7 +33,7 @@ When location services and *Find my device* settings are turned on, basic system
## OneDrive for personal
Microsoft OneDrive for personal<sup>[\[17\]](conclusion.md#footnote17)</sup> offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
Microsoft OneDrive for personal<sup>[\[13\]](conclusion.md#footnote13)</sup> offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
- If a device is lost or stolen, users can quickly recover all their important files from the cloud
- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
@ -23,7 +23,7 @@ Windows 11 works with Microsoft Entra ID to provide secure access, identity mana
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, it receives the following security benefits:
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, it receives the following security benefits:
- Default managed user and device settings and policies
- Single sign-in to all Microsoft Online Services
@ -67,7 +67,7 @@ Both Microsoft Entra Private Access and Microsoft Entra Internet Access use the
### Enterprise State Roaming
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
Available to any organization with a Microsoft Entra ID Premium<sup>[\[7\]](conclusion.md#footnote7)</sup> `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
[!INCLUDE [learn-more](includes/learn-more.md)]
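Review bot: both the old and the new version of the Enterprise State Roaming line keep a stray backtick before `license` (`...footnote7)</sup> `license, Enterprise State Roaming ...`), which renders as an unclosed code span; since the line is being edited anyway, drop it so the sentence reads `Premium<sup>[\[7\]](conclusion.md#footnote7)</sup> license, Enterprise State Roaming provides ...`.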
@ -75,7 +75,7 @@ Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conc
## Microsoft Azure Attestation Service
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> Conditional Access.
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
@ -91,7 +91,7 @@ Once this verification is complete, the attestation service returns a signed rep
## Cloud-native device management
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
Windows 11 built-in management features include:
@ -128,11 +128,11 @@ A security baseline is a group of Microsoft-recommended configuration settings t
## Microsoft Intune
Microsoft Intune<sup>[\[15\]](conclusion.md#footnote15)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[16\]](conclusion.md#footnote16)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[12\]](conclusion.md#footnote12)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
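Review bot: the Microsoft Intune paragraph moves from footnote 15 (`Microsoft 365 E3 or E5 required; sold separately.` in the old conclusion table) to footnote 7 (`Sold separately.`), so the explicit E3/E5 licensing requirement disappears from the book; confirm that this is intended rather than a side effect of consolidating footnotes, or keep the E3/E5 wording in a footnote of its own.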
@ -269,14 +269,14 @@ Unlike traditional print solutions that rely on Windows print servers, Universal
Universal Print supports Zero Trust security by requiring that:
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
@ -59,18 +59,14 @@ Enhanced:
|**<sup><a name="footnote4"></a>4</sup>**| Based on Monthly Active Device data. *Earnings Release FY23 Q3* - Microsoft, April 2023.|
|**<sup><a name="footnote5"></a>5</sup>**| Windows 11 results are in comparison with Windows 10 devices. *Windows 11 Survey Report*, Techaisle, February 2022.|
|**<sup><a name="footnote6"></a>6</sup>**| Requires developer enablement.|
|**<sup><a name="footnote7"></a>7</sup>**| Requires Microsoft Entra ID and Microsoft Intune, or other device management solution product required; sold separately.|
|**<sup><a name="footnote8"></a>8</sup>**| Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
|**<sup><a name="footnote9"></a>9</sup>**| Sold separately.|
|**<sup><a name="footnote7"></a>7</sup>**| Sold separately.|
|**<sup><a name="footnote8"></a>8</sup>**| Commissioned study delivered by Forrester Consulting. *The Total Economic Impact™ of Windows 11 Pro Devices*, December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
|**<sup><a name="footnote9"></a>9</sup>**|Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
|**<sup><a name="footnote10"></a>10</sup>**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
|**<sup><a name="footnote11"></a>11</sup>**| Microsoft internal data.|
|**<sup><a name="footnote12"></a>12</sup>**| Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.|
|**<sup><a name="footnote13"></a>13</sup>**| Requires Microsoft Entra ID Premium; sold separately.|
|**<sup><a name="footnote12"></a>12</sup>**| *The Total Economic Impact™ of Windows Pro Device*, Forrester study commissioned by Microsoft, June 2020.|
|**<sup><a name="footnote13"></a>13</sup>**|All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
|**<sup><a name="footnote14"></a>14</sup>**| Hardware dependent.|
|**<sup><a name="footnote15"></a>15</sup>**| Microsoft 365 E3 or E5 required; sold separately.|
|**<sup><a name="footnote16"></a>16</sup>**| The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
|**<sup><a name="footnote17"></a>17</sup>**|All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
|**<sup><a name="footnote18"></a>17</sup>**|Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
---
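Review bot: anchors `footnote12` and `footnote13` are reused with different text (they change from the Microsoft Entra ID Basic/Premium licensing notes to the June 2020 Forrester study and the OneDrive storage note), and `footnote15` through `footnote18` are removed outright; a stale `[\[12\]]` or `[\[13\]]` reference left anywhere else in the book will now resolve silently to the wrong footnote instead of failing a link check, so grep the chapter files for `#footnote12`, `#footnote13` and `#footnote15` to `#footnote18` before merging. The new `footnote9` row correctly replaces the old row whose anchor was `footnote18` while its visible number was `17`.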
@ -1,6 +1,6 @@
---
title: Identity protection - Advanced credential protection
description: Windows 11 security book -Identity protection chapter.
description: Windows 11 security book - Identity protection chapter.
ms.topic: overview
ms.date: 09/06/2024
---
@ -62,7 +62,7 @@ VBS key protection enables developers to secure cryptographic keys using Virtual
## Token protection
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[9\]](conclusion.md#footnote9)</sup> can be configured to require token protection when using sign-in tokens for specific services.
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[7\]](conclusion.md#footnote7)</sup> can be configured to require token protection when using sign-in tokens for specific services.
[!INCLUDE [learn-more](includes/learn-more.md)]
@ -1,6 +1,6 @@
---
title: Identity protection - Passwordless sign-in
description: Windows 11 security book -Identity protection chapter.
description: Windows 11 security book - Identity protection chapter.
ms.topic: overview
ms.date: 09/06/2024
---
@ -76,7 +76,7 @@ Provisioning methods include:
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust<sup>[\[13\]](conclusion.md#footnote13)</sup>. This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy security keys with minimal extra setup or infrastructure.
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust. This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy security keys with minimal extra setup or infrastructure.
[!INCLUDE [learn-more](includes/learn-more.md)]
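Review bot: removing `<sup>[\[13\]](conclusion.md#footnote13)</sup>` from the cloud Kerberos trust sentence drops the only place this page stated the Microsoft Entra ID Premium requirement (old footnote 13, `Requires Microsoft Entra ID Premium; sold separately.`), and since the new footnote 13 is the OneDrive storage note the reference could not simply be kept; if the licensing caveat still applies, point the sentence at footnote 7 (`Sold separately.`) or reinstate a dedicated footnote.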
@ -107,7 +107,7 @@ Multi-factor unlock is useful for organizations who need to prevent information
**Windows Hello for Business now support a fully passwordless experience.**
IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources<sup>[\[12\]](conclusion.md#footnote12)</sup>. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
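Review bot: dropping `<sup>[\[12\]](conclusion.md#footnote12)</sup>` from the passwordless policy sentence removes the old footnote 12 note (`Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions ...`), and the new footnote 12 is the Forrester study, so confirm that no licensing note is wanted on this paragraph at all. While this region is being edited, the unchanged heading `**Windows Hello for Business now support a fully passwordless experience.**` should read `now supports`.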
@ -139,7 +139,7 @@ Passkeys created and saved with Windows Hello are protected by Windows Hello or
[!INCLUDE [coming-soon](includes/coming-soon.md)]
A plug-in model for 3rd party passkey providers allows users to manage their passkeys with third-party passkey managers. This model is designed to provide a seamless platform experience, whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, passkeys are protected and managed by the third-party.
The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
[!INCLUDE [learn-more](includes/learn-more.md)]
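Review bot: style nit in the rewritten passkey paragraph: `securely protected and managed by the third-party provider` is redundant, since `protected` already carries the meaning; `protected and managed by the third-party provider` reads cleaner. Changing `3rd party` to `third-party` is the right call for consistency with the rest of the chapter.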
@ -152,7 +152,6 @@ The FIDO Alliance, the Fast Identity Online industry standards body, was establi
Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
## Microsoft Authenticator
The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Entra Passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
@ -197,7 +196,7 @@ Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID
When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
[!INCLUDE [learn-more](includes/learn-more.md)]
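Review bot: the inline link `[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)` is dropped from the smart card paragraph; that is fine only if the `[!INCLUDE [learn-more](includes/learn-more.md)]` block that follows already lists the Windows Hello for Business overview, otherwise the paragraph loses its only link to the feature it is recommending customers move to.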
@ -1,6 +1,6 @@
---
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
description: Windows 11 security book - Identity protection chapter.
ms.topic: overview
ms.date: 09/06/2024
---
@ -6,4 +6,4 @@ ms.topic: include
ms.service: windows-client
---
:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon<sup>[\[18\]](..\conclusion.md#footnote18)</sup>:**
:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon<sup>[\[9\]](..\conclusion.md#footnote9)</sup>:**
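Review bot: the footnote link in both the old and the new line uses backslashes in its target (`..\conclusion.md#footnote9`); markdown link paths should use forward slashes (`../conclusion.md#footnote9`), and since the line is being changed anyway this is the moment to fix it.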
@ -13,7 +13,7 @@ When people travel with their PCs, their confidential information travels with t
## BitLocker
BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. BitLocker can save its recovery password to a Microsoft account for retrieval if needed. This happens automatically during the initial setup when BitLocker is enabled in OOE (Out of Box Experience) on modern devices and the user signs into their Microsoft account for the first time. Additionally, users have the option to export the recovery password if they have manually enabled BitLocker. Cloud storage on Microsoft OneDrive or Azure<sup>[\[9\]](conclusion.md#footnote9)</sup> can be used to save recovery key content. BitLocker can be managed by a device management solution like Microsoft Intune<sup>[\[6\]](conclusion.md#footnote6)</sup> using a configuration service provider (CSP)<sup>[\[9\]](conclusion.md#footnote9)</sup>. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. BitLocker can save its recovery password to a Microsoft account for retrieval if needed. This happens automatically during the initial setup when BitLocker is enabled in OOE (Out of Box Experience) on modern devices and the user signs into their Microsoft account for the first time. Additionally, users have the option to export the recovery password if they have manually enabled BitLocker. Cloud storage on Microsoft OneDrive or Azure<sup>[\[7\]](conclusion.md#footnote7)</sup> can be used to save recovery key content. BitLocker can be managed by a device management solution like Microsoft Intune<sup>[\[6\]](conclusion.md#footnote6)</sup> using a configuration service provider (CSP)<sup>[\[7\]](conclusion.md#footnote7)</sup>. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
[!INCLUDE [learn-more](includes/learn-more.md)]
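Review bot: the Intune reference in the BitLocker paragraph still points at footnote 6 (`Microsoft Intune<sup>[\[6\]](conclusion.md#footnote6)</sup>`), which in the conclusion table is `Requires developer enablement.`, while every other Intune mention in this change is mapped to footnote 7 (`Sold separately.`); this looks like it should be `[\[7\]](conclusion.md#footnote7)` as well. In the same sentence, `OOE (Out of Box Experience)` should be `OOBE (Out of Box Experience)`.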
@ -44,7 +44,7 @@ Support for DNS encryption integrates with existing Windows DNS configurations s
The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
[!INCLUDE [learn-more](includes/learn-more.md)]
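Review bot: the edited Bluetooth sentence carries over the pre-existing grammar error `have a number policy settings`; it should be `have a number of policy settings`, and the line is already being touched.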
@ -82,7 +82,7 @@ ports, or program paths. This functionality increases manageability and decrease
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
Admins can now configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, using the platform
Admins can now configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, using the platform
support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
Firewal. rule configuration with Package Family Name (PFN) is a new security feature introduced with the 22H2 release of Windows 11. PFN based rules enforced on an app will include processes request by the app to run on its behalf.
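Review bot: the trailing context line of the firewall hunk has two typos worth fixing in the same change: `Firewal. rule configuration` should be `Firewall rule configuration`, and `processes request by the app` should be `processes requested by the app`.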
@ -100,7 +100,7 @@ consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
The Windows VPN platform connects to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
The Windows VPN platform connects to Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
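Review bot: style only, since the Entra ID footnote renumbering here matches the Intune change in the previous hunk: in the last context line, `the updates are in the control of your IT admins` should read `under the control of your IT admins`; worth folding in while this file is open.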
@ -67,7 +67,7 @@ The digital signature is evaluated across the Windows environment on Windows boo
## Device health attestation
The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> reviews device health and connects this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> for conditional access.
determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> reviews device health and connects this information with Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> for conditional access.
Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
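Review bot: Microsoft Intune and Microsoft Entra ID now both carry footnote 7 in the same sentence; that is fine if footnote 7 is the shared "sold separately" note, but if conclusion.md distinguishes the two products they need different numbers. Separately, in the last context line `reliant parties` should be `relying parties` (the standard attestation term), and `the TPM, that functions as a hardware root-of-trust` should read `the TPM, which functions as a hardware root-of-trust`.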
@ -119,7 +119,7 @@ Visibility and awareness of device security and health are key to any action tak
With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
By contrast, with a device management solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
By contrast, with a device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>, policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
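Review bot: the changed line still carries a broken sentence that should be fixed in the same edit: `But policy settings are migrated from GPO to a device management solution, one remaining gap is ...` is missing a conjunction; suggest `But as policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.` In the same line, `at eight-hours interval` should be `at eight-hour intervals`.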
@ -25,7 +25,7 @@ SmartScreen also determines whether a downloaded app or app installer is potenti
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
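Review bot: minor wording in the changed line: `IT can customize which notifications appear` sits in the same paragraph as `giving IT admins full control`, so `IT admins can customize which notifications appear` keeps the subject consistent. The footnote renumbering itself matches the other files in this change.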
@ -106,13 +106,13 @@ Controlled folder access helps protect user's valuable data from malicious apps
## Microsoft Defender for Endpoint
Microsoft Defender for Endpoint<sup>[\[9\]](conclusion.md#footnote9)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats.
Microsoft Defender for Endpoint<sup>[\[7\]](conclusion.md#footnote7)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats.
Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[9\]](conclusion.md#footnote9)</sup>, and online assets
- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[7\]](conclusion.md#footnote7)</sup>, and online assets
- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
detailed investigation outcomes
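Review bot: the `With Automatic Attack Disruption uses AI, ...` bullet in the unchanged context is ungrammatical and breaks the `Label: description` pattern the surrounding bullets follow; suggest `- Automatic attack disruption: Uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, ...`. The threat-intelligence bullet also quotes `31 billion identity threats and 32 billion email threats` with no time period, unlike the `every 24 hours` figure just before it; stating the period would make the number checkable. The two footnote moves in this hunk (Defender for Endpoint and Microsoft 365) are consistent with the rest of the change.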
@ -127,7 +127,7 @@ platforms, all synthesized into a single dashboard. This solution offers tremend
## Exploit protection
Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint<sup>[\[9\]](conclusion.md#footnote9)</sup>, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to distribute the configuration XML file to multiple devices simultaneously.
Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint<sup>[\[7\]](conclusion.md#footnote7)</sup>, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> to distribute the configuration XML file to multiple devices simultaneously.
When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
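Review bot: wording in the trailing context: `When a mitigation is encountered on the device, a notification will be displayed` is vague about what triggers the notification; `When a mitigation is triggered on the device` says it directly. Both footnote references in the changed line (Defender for Endpoint and Intune) move to 7 together, consistent with the earlier hunks.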