diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 21f0dab85e..d3a6d97411 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
    • | -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] > [!TIP] > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index d7dd5daa95..408976797e 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps: ### Configure Take a Test with a custom policy -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index 39decf882d..0f8053524d 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -23,14 +23,14 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
    • | -[!INCLUDE [intune-custom-settings-2](includes/configure/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/configure/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 510772b7a1..915affe187 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -79,7 +79,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -121,7 +121,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/configure/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md deleted file mode 100644 index d911751e75..0000000000 --- a/education/windows/includes/intune-custom-settings-1.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -ms.date: 02/22/2022 -ms.topic: include ---- - -To configure devices with Microsoft Intune, use a custom policy: - -1. Go to the Microsoft Intune admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description > Next** -6. Add the following settings: \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-2.md b/education/windows/includes/intune-custom-settings-2.md deleted file mode 100644 index 1a601acaa7..0000000000 --- a/education/windows/includes/intune-custom-settings-2.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -7. Select **Next** -8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -9. Under **Applicability Rules**, select **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-info.md b/education/windows/includes/intune-custom-settings-info.md deleted file mode 100644 index 8ff9da4294..0000000000 --- a/education/windows/includes/intune-custom-settings-info.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/education/windows/index.old.yml b/education/windows/index.old.yml deleted file mode 100644 index 849e1d3e1d..0000000000 --- a/education/windows/index.old.yml +++ /dev/null @@ -1,73 +0,0 @@ - - title: Get started - linkLists: - - linkListType: tutorial - links: - - text: Deploy and manage Windows devices in a school - url: tutorial-school-deployment/index.md - - text: Prepare your tenant - url: tutorial-school-deployment/set-up-azure-ad.md - - text: Configure settings and applications with Microsoft Intune - url: tutorial-school-deployment/configure-devices-overview.md - - text: Manage devices with Microsoft Intune - url: tutorial-school-deployment/manage-overview.md - - text: Management functionalities for Surface devices - url: tutorial-school-deployment/manage-surface-devices.md - - - title: Learn about Windows 11 SE - linkLists: - - linkListType: concept - links: - - text: What is Windows 11 SE? - url: windows-11-se-overview.md - - text: Windows 11 SE settings - url: windows-11-se-settings-list.md - - linkListType: whats-new - links: - - text: Configure federated sign-in - url: federated-sign-in.md - - text: Configure education themes - url: edu-themes.md - - text: Configure Stickers - url: edu-stickers.md - - linkListType: video - links: - - text: Deploy Windows 11 SE using Set up School PCs - url: https://www.youtube.com/watch?v=Ql2fbiOop7c - - - title: Deploy devices with Set up School PCs - linkLists: - - linkListType: concept - links: - - text: What is Set up School PCs? - url: set-up-school-pcs-technical.md - - linkListType: how-to-guide - links: - - text: Use the Set up School PCs app - url: use-set-up-school-pcs-app.md - - linkListType: reference - links: - - text: Provisioning package settings - url: set-up-school-pcs-provisioning-package.md - - linkListType: video - links: - - text: Use the Set up School PCs App - url: https://www.youtube.com/watch?v=2ZLup_-PhkA - - - title: Configure devices - linkLists: - - linkListType: concept - links: - - text: Take tests and assessments in Windows - url: take-tests-in-windows.md - - text: Considerations for shared and guest devices - url: /windows/configuration/shared-devices-concepts?context=/education/context/context - - text: Change Windows editions - url: change-home-to-edu.md - - linkListType: how-to-guide - links: - - text: Configure Take a Test in kiosk mode - url: edu-take-a-test-kiosk-mode.md - - text: Configure Shared PC - url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: Get and deploy Minecraft Education - url: get-minecraft-for-education.md \ No newline at end of file diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md index 15c8a64f62..35ef8a1826 100644 --- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md @@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). > [!NOTE] > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 77709daeae..d91542146f 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -398,7 +398,7 @@ bcdedit /set vsmlaunchtype off ## Next steps - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index 9a745822c0..dd259d1d2e 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -57,4 +57,4 @@ don't qualify as credentials because they can't be presented to another computer - Learn [how to configure Windows Defender Credential Guard](configure.md) - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 88e91291df..6ae7c634da 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -98,4 +98,4 @@ Services or protocols that rely on Kerberos, such as file shares or remote deskt - Learn [how Windows Defender Credential Guard works](how-it-works.md) - Learn [how to configure Windows Defender Credential Guard](configure.md) - Review the advices and sample code for making your environment more secure and robust with Windows Defender Credential Guard in the [Additional mitigations](additional-mitigations.md) article -- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues) \ No newline at end of file +- Review [considerations and known issues when using Windows Defender Credential Guard](considerations-known-issues.md) \ No newline at end of file diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index 891ad65444..9defb85584 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md @@ -24,5 +24,5 @@ ms.topic: include | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

    Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | -| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | +| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

    By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | | **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

    Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | diff --git a/windows/security/introduction.md b/windows/security/introduction.md index a87668dc0e..3de33d18b7 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. ### Connecting to cloud services