mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
updates
@ -29,7 +29,7 @@ Your organization is only as secure as the applications that run on your devices
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
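Review bot: the change here correctly drops the stray `>` that followed `</sup>` in the Intune sentence (`...conclusion.md#footnote9)</sup>> to manage their devices...`), which would otherwise render as a literal greater-than sign. The same `</sup>>` typo also sits in the UAC paragraph of this file and in the second copy of this chapter further down in this patch, so a repository-wide search for `</sup>>` before merging would confirm that no other occurrences remain.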
@ -41,7 +41,7 @@ Customers can use some built-in options for App Control for Business or upload t
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to remotely configure UAC settings. Organizations without MDM can change settings directly
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
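Review bot: same `</sup>>` fix as in the App Control paragraph, and it looks right. One style point while this sentence is being edited: `Organizations without MDM can change settings directly` and `on the device.` are hard-wrapped mid-sentence onto two source lines; joining them onto one line keeps the paragraph easier to review in future diffs.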
@ -48,4 +48,4 @@ Processes that run in app containers operate at a low integrity level, meaning t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows and app container](https://learn.microsoft.com/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
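Review bot: the relative link keeps the `?source=recommendations` query string, which is a site-analytics parameter rather than part of the page identity; drop it so the bullet reads `- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table)`. It is also worth confirming the target is intended: the path points at the Windows App SDK migration feature-mapping table, which the link text "Windows and app container" does not suggest.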
@ -46,7 +46,7 @@ Your organization is only as secure as the applications that run on your devices
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
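Review bot: this hunk applies the identical `</sup>>` fix to a second copy of the App Control paragraph (the first copy is in the hunk at `@ -29,7 +29,7 @@` above), so this chapter text is maintained in two files. That duplication is how the typo ended up in both places; if the docs platform allows it, a shared include for the duplicated paragraphs would stop the two copies from drifting apart again.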
@ -58,7 +58,7 @@ Customers can use some built-in options for App Control for Business or upload t
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to remotely configure UAC settings. Organizations without MDM can change settings directly
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
@ -131,7 +131,7 @@ Processes that run in app containers operate at a low integrity level, meaning t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows and app container](https://learn.microsoft.com/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
> [!div class="nextstepaction"]
> [Chapter 4: Identity protection >](identity-protection.md)
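Review bot: as with the earlier copy of this link, the `?source=recommendations` tracking parameter survives the move to a relative path; drop it from `/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations` so the two copies of the bullet end up identical. The `nextstepaction` block below it is unchanged context and fine.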
@ -17,7 +17,7 @@ From identity and device management to Office apps and data storage, Windows 11
## Microsoft Entra ID
[Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1)[<sup>9</sup>](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) [(formerly Azure Active Directory)](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
[Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1)[<sup>[\[9\]](conclusion.md#footnote9)</sup>](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) [(formerly Azure Active Directory)](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID—also called Workplace joined—IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
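Review bot: the new footnote marker is nested inside another link: `[<sup>[\[9\]](conclusion.md#footnote9)</sup>](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1)`. Markdown does not permit a link inside link text (the inner link wins and the outer brackets degrade to literal text), so this will not render like the other footnotes in this patch. Drop the outer link so the marker stands alone: `[Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1)<sup>[\[9\]](conclusion.md#footnote9)</sup> (formerly Azure Active Directory)`. Linking `(formerly Azure Active Directory)` a third time to the same URL is redundant and can go as well.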
@ -25,7 +25,7 @@ To provide more security and control for IT and a seamless experience for end us
Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>9</sup>, it receives the following security benefits:
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, it receives the following security benefits:
- Default managed user and device settings and policies
@ -53,7 +53,7 @@ Every Windows device has a built-in local administrator account that must be sec
## Modern device management through (MDM)
Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>9</sup>, IT can manage Windows 11 using industrystandard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industrystandard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 built-in management features include:
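Review bot: `industrystandard` (missing hyphen) is carried over unchanged in the line being rewritten; since the whole line is already touched, fix it to `industry-standard` here. The heading above it, `## Modern device management through (MDM)`, also reads as if a word was lost before `(MDM)`; `## Modern device management (MDM)` would match how the paragraph itself introduces the abbreviation.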
@ -63,7 +63,7 @@ Windows 11 built-in management features include:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Mobile device management overview](https://learn.microsoft.com/windows/client-management/mdm-overview)[](https://learn.microsoft.com/windows/client-management/mdm-overview)
- [Mobile device management overview](/windows/client-management/mdm-overview)[](/windows/client-management/mdm-overview)
## Microsoft security baselines
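Review bot: the converted bullet still carries an empty link directly after the real one: `[Mobile device management overview](/windows/client-management/mdm-overview)[](/windows/client-management/mdm-overview)`. The `[](...)` is a converter leftover that renders nothing useful; remove it and keep only the first link.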
@ -75,7 +75,7 @@ A security baseline is a group of Microsoft-recommended configuration settings t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security baselines you can deploy with Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/security-baselines)
- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
## MDM security baseline
@ -93,7 +93,7 @@ The security baseline includes policies for:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [MDM security baseline](https://learn.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
## Microsoft Intune
@ -119,7 +119,7 @@ Finally, Config Refresh helps organizations move to cloud from on-premises by pr
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows LAPS overview](https://learn.microsoft.com/windows-server/identity/laps/laps-overview)
- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
@ -127,13 +127,13 @@ With Intune, organizations can also extend MAM App Config, MAM App Protection, a
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is Microsoft Intune](https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
## Remote Wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>9</sup> can remotely initiate any of the following operations:
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data.
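Review bot: the footnote 9 marker is attached here to the generic term `MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup>` rather than to a product name; everywhere else in this patch footnote 9 follows Microsoft Intune, Microsoft Entra ID, Active Directory or EMS. Please check against conclusion.md whether the footnote applies to third-party MDM solutions at all, and lower-case `Solutions` while the line is being edited.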
@ -141,11 +141,11 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that
- Reset the device but persist user accounts and data.
Learn More: [Remote Wipe CSP](https://learn.microsoft.com/windows/client-management/mdm/remotewipe-csp)
Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
## Microsoft Azure Attestation Service
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>9</sup> integrates with [Microsoft Azure Attestation Service](https://docs.microsoft.com/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>9</sup> Conditional Access.
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
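Review bot: `Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)` is written as a plain line, whereas every other section in this patch uses the `:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**` callout followed by a bullet list. Since the line is being changed anyway, convert it to the same callout-plus-bullet form so the Remote Wipe section renders consistently with its neighbours.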
@ -159,25 +159,25 @@ Once this verification is complete, the attestation service returns a signed rep
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Azure Attestation overview](https://learn.microsoft.com/azure/attestation/overview)
- [Azure Attestation overview](/azure/attestation/overview)
## Windows Update for Business deployment service
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](https://learn.microsoft.com/windows/deployment/update/wufb-reports-overview)[,](https://learn.microsoft.com/windows/deployment/update/wufb-reports-overview) the service provides control over the approval, scheduling, and safeguarding of updates—delivered straight from Windows Update to managed devices.
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)[,](/windows/deployment/update/wufb-reports-overview) the service provides control over the approval, scheduling, and safeguarding of updates—delivered straight from Windows Update to managed devices.
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>9</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](https://learn.microsoft.com/graph/windowsupdates-manage-driver-update)[,](https://learn.microsoft.com/graph/windowsupdates-manage-driver-update) expedited [quality updates](https://learn.microsoft.com/graph/windowsupdates-deploy-expedited-update) [](https://learn.microsoft.com/graph/windowsupdates-deploy-expedited-update)and [feature updates](https://learn.microsoft.com/graph/windowsupdates-deploy-update)[.](https://learn.microsoft.com/graph/windowsupdates-deploy-update)
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update)[,](/graph/windowsupdates-manage-driver-update) expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) [](/graph/windowsupdates-deploy-expedited-update)and [feature updates](/graph/windowsupdates-deploy-update)[.](/graph/windowsupdates-deploy-update)
For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)[.](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb)
For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Update for Business - Windows Deployment](https://learn.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) **Windows Autopatch**
- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb) **Windows Autopatch**
Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>9</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
There's a lot more to learn about Windows Autopatch: this [Forrester study commissioned by](https://aka.ms/AutopatchProductivity) [Microsoft](https://aka.ms/AutopatchProductivity) analyzes the impact of Windows Autopatch on real customers, [regular IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service, and the [community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team.
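Review bot: the rewritten lines keep punctuation wrapped in links, which looks like converter output: `[,](/windows/deployment/update/wufb-reports-overview)`, `[.](/graph/windowsupdates-deploy-update)` and an empty `[](/graph/windowsupdates-deploy-expedited-update)` before `and`. Move the comma and period outside the links and delete the empty one while these lines are being touched. Further points in the same hunk: `The deployment services currently allows` should be `The deployment service currently allows`; `read [here](/windows/deployment/update/waas-manage-updates-wufb)` is non-descriptive link text and points at the same page as the Learn more bullet two lines below, so one of the two is redundant; the bold `**Windows Autopatch**` at the end of the `- [Windows Update for Business - Windows Deployment](...)` bullet is evidently a section heading fused into the list item, since every following paragraph describes Autopatch, and it should become its own `## Windows Autopatch` heading; and in `all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup>` the footnote marker should come before the period as it does elsewhere in the book.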
@ -195,7 +195,7 @@ Traditionally, IT professionals spend significant time building and customizing
Windows Autopilot enables you to:
- Automatically join devices to Microsoft Entra ID<sup>9</sup> or Active Directory<sup>9</sup> via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/device-management-introduction)[.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory<sup>[\[9\]](conclusion.md#footnote9)</sup> via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction)[.](/azure/active-directory/device-management-introduction)
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration).
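Review bot: `[.](/azure/active-directory/device-management-introduction)` at the end of the first bullet is a period wrapped in a second link to the same page, the same converter leftover seen in the deployment-service section; move the period outside the link. In the unchanged bullet below, `requires an Microsoft Entra ID Premium subscription` should read `requires a Microsoft Entra ID Premium subscription`.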
@ -207,7 +207,7 @@ Windows Autopilot enables you to:
- Customize Out of Box Experience (OOBE) content specific to the organization.
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](https://docs.microsoft.com/mem/autopilot/windows-autopilot-reset)[.](https://docs.microsoft.com/mem/autopilot/windows-autopilot-reset) The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset)[.](/mem/autopilot/windows-autopilot-reset) The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
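Review bot: same pattern in `[Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset)[.](/mem/autopilot/windows-autopilot-reset)`: the trailing period should not be a second link to the same page. Keep the first link and end the sentence with a plain period.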
@ -215,23 +215,23 @@ Existing devices can also be quickly prepared for a new user with [Windows Autop
## Enterprise State Roaming with Azure
Available to any organization with a Microsoft Entra ID Premium<sup>9</sup> or Enterprise Mobility +
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility +
Security (EMS)<sup>9</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enterprise State Roaming FAQ](https://learn.microsoft.com/azure/active-directory/devices/enterprise-state-roaming-faqs)
- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
## Universal Print
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](https://learn.microsoft.com/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
Universal Print supports Zero Trust security by requiring that:
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>9</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service.
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service.
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data.
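Review bot: the two changed lines `Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility +` and `Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides ...` are separated by a blank line in the source, so the product name "Enterprise Mobility + Security (EMS)" is split across two rendered paragraphs and the first one ends on a dangling `+`. Join them into one paragraph while both lines are being edited. Lower in the same hunk, `uses SSL with TLS 1.2 protection` should simply say TLS 1.2 (SSL is the deprecated predecessor, not an additional layer), `This protects network snooping of traffic` should be `This protects against network snooping of traffic`, and `vulnerabilities in driver model` wants an article: `in the driver model`.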
@ -243,13 +243,13 @@ Universal Print supports Zero Trust security by requiring that:
- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached.
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>9</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products. More information about Universal Print data residency and encryption can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Funiversal-print%2Ffundamentals%2Funiversal-print-encryption&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NHB%2FCEOs%2B%2F3kamLH631Too9zlItJBcLlAKVAtRkDnGc%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Funiversal-print%2Ffundamentals%2Funiversal-print-encryption&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NHB%2FCEOs%2B%2F3kamLH631Too9zlItJBcLlAKVAtRkDnGc%3D&reserved=0)
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fm365-dr-overview%3Fview%3Do365-worldwide&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1iz%2BPywZ6mynk5ywld7sUdgeRFhWArmis9JYuMOZSNQ%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fm365-dr-overview%3Fview%3Do365-worldwide&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1iz%2BPywZ6mynk5ywld7sUdgeRFhWArmis9JYuMOZSNQ%3D&reserved=0)
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](https://learn.microsoft.com/universal-print/fundamentals/universal-print-qrcode)[.](https://learn.microsoft.com/universal-print/fundamentals/universal-print-qrcode)
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode)[.](/universal-print/fundamentals/universal-print-qrcode)
Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit. Detailed configuration information can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Funiversal-print%2Fportal%2Fdelegated-admin&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9wg1Ju2YMKS1IwkZr8ms2X6%2B7mPC4%2FFpZBEzAumJCvs%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Funiversal-print%2Fportal%2Fdelegated-admin&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9wg1Ju2YMKS1IwkZr8ms2X6%2B7mPC4%2FFpZBEzAumJCvs%3D&reserved=0)
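Review bot: three links in this section are Outlook Safe Links redirector URLs (`https://nam06.safelinks.protection.outlook.com/?url=...`) that embed an individual Microsoft employee's mailbox address, a tenant GUID and a signed `sdata` token; they should not be in a public repository, and this patch is the natural place to fix them because it is already converting absolute learn.microsoft.com links to relative ones. Percent-decoding the `url=` parameter gives the real targets: `/universal-print/fundamentals/universal-print-encryption`, `/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide` and `/universal-print/portal/delegated-admin` (dropping the `en-us` locale segment, which none of the other relative links in this patch carry). Each of the three also ends in a `[.](...)` period-link that should become a plain period, as should `[here](/universal-print/fundamentals/universal-print-qrcode)[.](/universal-print/fundamentals/universal-print-qrcode)` on the changed secure-release line.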
@ -261,7 +261,7 @@ For customers who want to stay on Print Servers, we recommend using the Microsof
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Print support app design guide](https://learn.microsoft.com/windows-hardware/drivers/devapps/print-support-app-design-guide)
- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
## OneDrive for work or school
@ -273,7 +273,7 @@ Authenticated connections are not allowed over HTTP and instead redirect to HTTP
There are several ways that OneDrive for work or school is protected at rest:
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](https://learn.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)[.](https://learn.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)[.](/compliance/assurance/assurance-datacenter-physical-access-security)
- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations.
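Review bot: the rewritten Physical protection bullet keeps the `[here](/compliance/assurance/...)[.](/compliance/assurance/...)` pattern, so the full stop is still a separate link to the same target after the URL change; merge the period into the `here` link while the line is being touched.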
@ -291,7 +291,7 @@ When a device is enrolled into device management, the administrator assumes that
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configuration Service Provider - Windows Client Management](https://learn.microsoft.com/windows/client-management/mdm/)
- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
# Protecting your personal information
@ -325,13 +325,13 @@ Microsoft OneDrive17 for personal provides additional security, backup, and rest
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [OneDrive](https://docs.microsoft.com/onedrive/plan-onedrive-enterprise)
- [OneDrive](/onedrive/plan-onedrive-enterprise)
In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to recover from a ransomware attack using Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide)
- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
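Review bot: the hunk header's context line shows `Microsoft OneDrive17`, a footnote number fused into the product name; since this commit corrects footnote markup elsewhere to the `<sup>[\[9\]](conclusion.md#footnote9)</sup>` form, the same form should be applied here, assuming a `footnote17` anchor exists in conclusion.md. Separately, two `Learn more:` blocks follow each other after the ransomware paragraph and the second one's list falls outside the hunk, so verify it is not empty or a duplicate of the first.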
@ -339,7 +339,7 @@ In the event of a ransomware attack, OneDrive can enable recovery. And if backup
## OneDrive Personal Vault
OneDrive Personal Vault<sup>9</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
OneDrive Personal Vault<sup>[\[9\]](conclusion.md#footnote9)</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
@ -0,0 +1,94 @@
---
title: Identity protection - Advanced credential protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Advanced credential protection
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard. **Enhanced phishing protection with Microsoft Defender SmartScreen**
As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
## Local Security Authority (LSA) protection
Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single signon to a Microsoft account and Azure services.<sup>[\[9\]](conclusion.md#footnote9)</sup>
To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
## Credential Guard
Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
## Remote Credential Guard
Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials are not exposed.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
The following diagram shows how a standard Remote Desktop session to a server without Remote Credential Guard works:
The following diagrams help demonstrate how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) [mode option](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx):
Token protection attempts to reduce attacks using Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policy can be configured to require token protection when using sign-in tokens for specific services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
## Sign-in session token protection policy
At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
## Account lockout policies
New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
## Access management and control
Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Access control](/windows/security/identity-protection/access-control/access-control)
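Review bot: the SmartScreen section heading is glued onto the end of the intro paragraph as bold run-in text (`...Credential Guard and Remote Credential Guard. **Enhanced phishing protection with Microsoft Defender SmartScreen**`); make it its own `## Enhanced phishing protection with Microsoft Defender SmartScreen` line like the other sections in this file. Further down, "The following diagram shows how a standard Remote Desktop session to a server without Remote Credential Guard works:" and "The following diagrams help demonstrate how Windows Defender Remote Credential Guard works..." both promise images but no `:::image:::` follows either; the second also uses the "Windows Defender" name the heading dropped, and the Restricted Admin reference is split into two adjacent links (`[Restricted Admin](...) [mode option](...)`) to the same social.technet.microsoft.com page. The Token protection paragraph then appears under no heading and is repeated under `## Sign-in session token protection policy`, with both Learn more lists linking the same concept-token-protection article; merge them into one section. Minor: `single signon` should be `single sign-on`, and the Remote Credential Guard link text carries the site suffix `- Windows Security | Microsoft Learn` that no other link in the file uses.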
@ -0,0 +1,176 @@
---
title: Identity protection - Passwordless sign-in
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Passwordless sign-in
Passwords are inconvenient to use and prime targets for cybercriminals—and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
## Windows Hello
Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
## Windows Hello for Business
Windows Hello for Business extends Windows Hello to work with an organization's Active Directory<sup>[\[9\]](conclusion.md#footnote9)</sup> and Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
## Windows Hello for Business Passwordless
Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
IT can now set a policy for Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Provisioning methods include:
- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>
- Existing multifactor authentication with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>, including authentication methods like the Microsoft Authenticator app
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
Users will authenticate directly with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>, helping speed access to on- premises applications and other resources.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
## Windows Hello PIN
The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
## Windows Hello biometric sign-in
Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
## Windows Hello Enhanced Sign-in Security
Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations—please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
## Windows Hello for Business multi-factor unlock
For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
## Windows presence sensing
Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
## Developer APIs and app privacy support for presence sensing
Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
- [Managing presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
## FIDO support
The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
## Passkeys
Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
A passkey is a unique, unguessable cryptographic secret that is securely stored on the device.
Instead of using a username and password to sign in to a website or application, Windows
11 users will be able to create and use a passkey from Windows Hello, an external security provider, or their mobile device.
Passkeys on Windows 11 will be protected by Windows Hello or Windows Hello for Business.
This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users will be able to manage passkeys on their device on Windows 11 account settings.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
## Microsoft Authenticator
The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to setup the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
## Smart cards for Windows service
Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
**Smart cards provide:**
- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
## Federated sign-in
Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
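Review bot: the Microsoft Authenticator paragraph is split mid-sentence: "helps keep" ends one paragraph and "Windows 11 users secure and productive." starts the next, so the rendered page shows a broken sentence; merge the two lines into one paragraph. The same break is present in the deleted source further down, so it is carried over from the original file rather than introduced here. Also, the "Smart cards provide:" bullets are inconsistent: in the deleted version the first two end with a period and the third does not, and here all three periods are gone; pick one style for the list.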
14
windows/security/book/identity-protection-root.md
Normal file
@ -0,0 +1,14 @@
---
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Identity protection
:::image type="content" source="images\identity-protection-on.png" alt-text="Diagram of containng a list of security features." lightbox="images\identity-protection.png" border="false":::
Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
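Review bot: the alt text on the `:::image:::` line has a typo and reads as a fragment ("Diagram of containng a list of security features."); suggest "Diagram containing a list of security features." The two image paths on the same line use backslashes (`images\identity-protection-on.png`, `images\identity-protection.png`) while the other includes in this commit use forward slashes (`images/learn-more.svg`); use forward slashes so the paths resolve on a separator-sensitive build. In the following paragraph the footnote marker in "per second.11" is plain text and reads as part of the number; render it as a superscript footnote the way the rest of this chapter does (the deleted file uses `<sup>9</sup>` for its markers).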
@ -1,283 +0,0 @@
---
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Identity protection
:::image type="content" source="images\identity-protection-on.png" alt-text="Diagram of containng a list of security features." lightbox="images\identity-protection.png" border="false":::
Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, "Hackers don't break in, they log in."
Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
# Enabling passwordless sign-in
Passwords are inconvenient to use and prime targets for cybercriminals—and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
## Windows Hello
Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
[Windows Hello](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) [](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy)can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
## Windows Hello for Business
Windows Hello for Business extends Windows Hello to work with an organization's Active Directory<sup>9</sup> and Microsoft Entra ID<sup>9</sup> accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
## Windows Hello for Business Passwordless
Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
IT can now set a policy for Microsoft Entra ID<sup>9</sup> joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Provisioning methods include:
- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID<sup>9</sup>.
- Existing multifactor authentication with Microsoft Entra ID<sup>9</sup>, including authentication methods like the Microsoft Authenticator app.
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers
with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
Users will authenticate directly with Microsoft Entra ID<sup>9</sup>, helping speed access to on- premises applications and other resources.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello for Business overview](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/)
## Windows Hello PIN
The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
## Windows Hello biometric sign-in
Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements)[.](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
## Windows Hello Enhanced Sign-in Security
Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations—please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello Enhanced Sign-in Security](https://learn.microsoft.com/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
## Windows Hello for Business multi-factor unlock
For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Multi-factor unlock](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
## Windows presence sensing
Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
## Developer APIs and app privacy support for presence sensing
Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Presence sensing](https://learn.microsoft.com/windows-hardware/design/device-experiences/sensors-presence-sensing)
- [Managing presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
### FIDO support
The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passwordless security key sign-in](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
### Passkeys
Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
A passkey is a unique, unguessable cryptographic secret that is securely stored on the device.
Instead of using a username and password to sign in to a website or application, Windows
11 users will be able to create and use a passkey from Windows Hello, an external security provider, or their mobile device.
Passkeys on Windows 11 will be protected by Windows Hello or Windows Hello for Business.
This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users will be able to manage passkeys on their device on Windows 11 account settings.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
### Microsoft Authenticator
The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to setup the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Microsoft Authenticator](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-authenticator-app)
### Smart cards for Windows service
Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
**Smart cards provide:**
- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation.
- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
When a password is used to sign in to a domain account, Windows uses the Kerberos
Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Smart Card technical reference](https://learn.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
### Federated sign-in
Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configure federated sign-in for Windows devices](https://learn.microsoft.com/education/windows/federated-sign-in?tabs=intune)
# Advanced credential protection
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard. **Enhanced phishing protection with Microsoft Defender SmartScreen**
As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enhanced phishing protection in Microsoft Defender SmartScreen](https://learn.microsoft.com/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune)
## Local Security Authority (LSA) protection
Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single signon to a Microsoft account and Azure services.<sup>9</sup>
To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configuring additional LSA protection](https://learn.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
## Credential Guard
Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Protect derived domain credentials with Credential Guard](https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard)
## Remote Credential Guard
Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials are not exposed.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Remote Credential Guard - Windows Security | Microsoft Learn](https://learn.microsoft.com/windows/security/identity-protection/remote-credential-guard?tabs=intune)
The following diagram shows how a standard Remote Desktop session to a server without Remote Credential Guard works:
The following diagrams help demonstrate how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) [mode option](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx):
Token protection attempts to reduce attacks using Microsoft Entra ID<sup>9</sup> token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policy can be configured to require token protection when using sign-in tokens for specific services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Token protection in Entra ID Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-token-protection)
## Sign-in session token protection policy
At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Conditional Access: Token protection (preview)](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-token-protection)
### Account lockout policies
New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Account lockout policy](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
### Access management and control
Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse.
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs.
- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change.
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones.
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Access control](https://docs.microsoft.com/windows/security/identity-protection/access-control/access-control)
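Review bot: the token protection material in this hunk is stated twice: the opening paragraph and the `## Sign-in session token protection policy` section both describe cryptographically binding a sign-in token to the device, and both "Learn more" lists point at the same concept-token-protection page, once without and once with a "(preview)" label; keep a single section with a single link and make the preview status consistent. Three smaller points in the same hunk: `Microsoft Entra ID<sup>9</sup>` drops the footnote-link form `<sup>[\[9\]](conclusion.md#footnote9)</sup>` that the other footnote 9 references in this change use; `### Account lockout policies` and `### Access management and control` are nested as H3 under the token protection H2 although neither is about token protection, so promote them to `##`; and the final "Access control" link is the only one in this hunk still on `https://docs.microsoft.com/...` rather than the site-relative `/windows/security/...` form the rest of the change adopts.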
@ -52,5 +52,5 @@ In Windows 11, hardware and software work together to protect sensitive data fro
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security features licensing and edition requirements](https://learn.microsoft.com/windows/security/licensing-and-edition-requirements?tabs=edition)
- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
@ -33,5 +33,5 @@ The Windows diagnostic data processor configuration enables the user to be the c
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows diagnostic data processor configuration](https://learn.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
@ -29,7 +29,7 @@ Microsoft is dedicated to working with the community and our customers to contin
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Project OneFuzz framework, an open source developer tool to find and fix bugs](https://www.microsoft.com/en-us/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/) [at scale](https://www.microsoft.com/en-us/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
- [Project OneFuzz framework, an open source developer tool to find and fix bugs](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/) [at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
## Microsoft Offensive Research and Security Engineering
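Review bot: the OneFuzz bullet keeps its link text split into two adjacent anchors with the same target ("...find and fix bugs" and "at scale"), and the rewrite of the URL from `/en-us/security/blog/...` to `/security/blog/...` carries that split through unchanged; collapse it into one link, `[Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)`, so the rendered sentence reads as a single reference.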
@ -46,8 +46,8 @@ Through this collaboration with researchers across the globe, our teams identify
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Insider Program](https://learn.microsoft.com/en-us/windows-insider/get-started)
- [Microsoft bounty programs](https://www.microsoft.com/en-us/msrc/bounty)
- [Windows Insider Program](/windows-insider/get-started)
- [Microsoft bounty programs](https://www.microsoft.com/msrc/bounty)
# Certification
@ -63,7 +63,7 @@ Common Criteria (CC) is an international standard currently maintained by nation
Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-platform-common-criteria)
Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](/windows/security/threat-protection/windows-platform-common-criteria)
# Secure supply chain
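Review bot: the FIPS sentence in this hunk is fragmented into `[Federal](...)` and `[Information Processing Standard (FIPS)](...)` with "140 Validation" left outside any link, and the Common Criteria link swallows the trailing period; the host rewrite keeps all of that. Suggest `[Federal Information Processing Standard (FIPS) 140 Validation](/windows/security/security-foundations/certification/fips-140-validation) and [Common Criteria Certifications](/windows/security/threat-protection/windows-platform-common-criteria).` While touching it, check the Common Criteria target: it sits under `/threat-protection/` whereas the FIPS page has already moved to `/security-foundations/certification/`, which suggests the first path may be a stale location that only works through a redirect.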
@ -121,4 +121,4 @@ Traditionally, code signing has been a difficult undertaking due to the complexi
Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
If you are a developer, you can find security best practices and information at [Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy) [application development—best practices](https://docs.microsoft.com/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) [](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[Samples on GitHub](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[.](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
If you are a developer, you can find security best practices and information at [Windows](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy) [application development—best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) [](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[Samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[.](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
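Review bot: the link targets in the developer paragraph do not match their text and the hunk only changes the host, so the mismatch ships: "Windows application development—best practices" resolves to the Common Criteria page's `#security-and-privacy` anchor, and "Windows App SDK Samples on GitHub" resolves to the FIPS 140 validation page's `#windows-app-sdk-samples` anchor rather than any GitHub repository. The text is also fragmented into four adjacent anchors, including an empty `[](...)` and a linked period. Either point these at the actual best-practices page and the samples repository, or drop the sentence; in both cases collapse each reference to a single link.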
@ -32,7 +32,13 @@ items:
- name: Application isolation
href: application-security-application-isolation.md
- name: 4. Identity protection
href: identity-protection.md
items:
- name: Overview
href: identity-protection-root.md
- name: Passwordless sign-in
href: identity-protection-passwordless-sign-in.md
- name: Advanced credential protection
href: identity-protection-advanced-credential-protection.md
- name: 5. Privacy
href: privacy.md
- name: 6. Cloud services
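Review bot: this hunk adds three child entries under "4. Identity protection" (`identity-protection-root.md`, `identity-protection-passwordless-sign-in.md`, `identity-protection-advanced-credential-protection.md`), but the parent keeps its own `href: identity-protection.md` while the "Overview" child points at a different file; confirm that both pages exist and are meant to differ, otherwise make the Overview entry reuse `identity-protection.md`. Also confirm all three child files are part of this change, since a TOC entry whose file is missing breaks the build.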
@ -55,9 +61,9 @@ items:
href: identity-protection.md
- name: 5. Privacy
href: privacy.md
- name: 6. Cloud security
href: cloud-security.md
- name: 6. Cloud services
href: cloud-services.md
- name: 7. Security foundations
href: security-foundations.md
href: security-foundation.md
- name: Conclusion
href: conclusion.md
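Review bot: this hunk retargets two entries, `cloud-security.md` to `cloud-services.md` and `security-foundations.md` to `security-foundation.md`, but the visible title for the second stays "7. Security foundations" (plural) while the file becomes singular, so double-check that the singular filename is the one actually present in the repo and not a typo. Renamed pages also need redirect entries for the old paths so existing deep links do not 404; none are visible in this change. Finally, the earlier TOC block in this same file already lists "6. Cloud services", so both blocks should end up pointing at the same two files.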