Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into security-book-24

Paolo Matarazzo 2024-07-24 06:56:55 -04:00
commit 800060c773
12 changed files with 100 additions and 41 deletions

View File

@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
ms.date: 11/06/2023
ms.date: 07/22/2024
productDirectory:
title: For IT admins

View File

@ -12,16 +12,16 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 10/30/2023
ms.date: 07/22/2024
highlightedContent:
items:
- title: Get started with Windows 11 SE
itemType: get-started
url: windows-11-se-overview.md
- title: Windows 11, version 22H2
- title: Windows 11, version 23H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
url: /windows/whats-new/whats-new-windows-11-version-23h2
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator

View File

@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 07/11/2024
ms.topic: include
---
### Hide entry points for Fast User Switching
With this policy setting you can prevent multiple users to sign in at the same time, using the Fast User Switching feature.
- If enabled, only one user can sign in at a time. The Fast User Switching entry points are hidden from the sign-in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first
- If disabled or not configured, multiple users can sign in at the same time. The Fast User Switching entry points are available from the sign-in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Hide entry points for Fast User Switching** |
To learn more, see [Fast User Switching](/windows/win32/shell/fast-user-switching).
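Review bot: the intro sentence of the new include is ungrammatical: "prevent multiple users to sign in at the same time" should be "prevent multiple users from signing in at the same time". The two bullets end without a period, which matches the sibling Start includes, so that is fine as is.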

View File

@ -9,5 +9,5 @@ ms.topic: include
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideSignOut](/windows/client-management/mdm/policy-csp-start#hidelock) |
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideLock](/windows/client-management/mdm/policy-csp-start#hidelock) |
| **GPO** | Not available. |
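Review bot: the removed row already linked to the `#hidelock` anchor while naming `HideSignOut`, and the replacement keeps that anchor with `HideLock`; that is the right fix only if this include is the Hide Lock one. If this is the Sign out include, the correction should instead be `HideSignOut` pointing at `#hidesignout`. Worth confirming which file the hunk belongs to before merging, since the diff header does not show it.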

View File

@ -5,7 +5,12 @@ ms.date: 04/10/2024
ms.topic: include
---
### Hide Switch account
### Hide Switch user
With this policy setting you can hide the **Switch user** option from the user tile in the start menu:
- If enabled, the **Switch user** option is hidden
- If disabled or not configured, the **Switch user** option is available
| | Path |
|--|--|
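Review bot: renaming the heading from "Hide Switch account" to "Hide Switch user" changes the generated anchor from `#hide-switch-account` to `#hide-switch-user`, so every link to the old anchor must be updated in the same change. Also, "start menu" in the new description should be "Start menu" to match the product name and the Fast User Switching include added in this commit.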

View File

@ -2,7 +2,7 @@
title: Start policy settings
description: Learn about the policy settings to configure the Windows Start menu.
ms.topic: reference
ms.date: 04/10/2024
ms.date: 07/10/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
@ -132,19 +132,37 @@ Select one of the tabs to see the list of available settings:
#### [:::image type="icon" source="../images/icons/user.svg"::: **Account options**](#tab/user)
::: zone pivot="windows-11"
|Policy name| CSP | GPO |
|-|-|-|
|[Hide **Change account settings**](#hide-change-account-settings)|✅|❌|
|[Hide **Sign out**](#hide-sign-out)|✅|✅|
|[Hide **Switch user**](#hide-switch-user)|✅|❌|
|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅|
|[Hide user tile](#hide-user-tile)|✅|❌|
::: zone-end
::: zone pivot="windows-10"
|Policy name| CSP | GPO |
|-|-|-|
|[Hide **Change account settings**](#hide-change-account-settings)|✅|❌|
|[Hide **Lock**](#hide-lock)|✅|❌|
|[Hide **Sign out**](#hide-sign-out)|✅|✅|
|[Hide **Switch account**](#hide-switch-account)|✅|❌|
|[Hide **Switch user**](#hide-switch-user)|✅|❌|
|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅|
|[Hide user tile](#hide-user-tile)|✅|❌|
::: zone-end
[!INCLUDE [hide-change-account-settings](includes/hide-change-account-settings.md)]
::: zone pivot="windows-10"
[!INCLUDE [hide-lock](includes/hide-lock.md)]
::: zone-end
[!INCLUDE [hide-signout](includes/hide-signout.md)]
[!INCLUDE [hide-switch-user](includes/hide-switch-account.md)]
[!INCLUDE [hide-switch-user](includes/hide-user-tile.md)]
[!INCLUDE [hide-switch-user](includes/hide-switch-user.md)]
[!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)]
[!INCLUDE [hide-user-tile](includes/hide-user-tile.md)]
#### [:::image type="icon" source="../images/icons/folder.svg"::: **Pinned folders**](#tab/folders)
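Review bot: the include label on the new Fast User Switching line does not match its file: `[!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)]` should be `[!INCLUDE [hide-entry-points-for-fast-user-switching](includes/hide-entry-points-for-fast-user-switching.md)]`. The label is cosmetic for the build, but the removed lines show how misleading a wrong one gets (`hide-switch-user` labelling `hide-user-tile.md`), so this is the moment to clean it up.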
@ -174,6 +192,21 @@ Select one of the tabs to see the list of available settings:
#### [:::image type="icon" source="../images/icons/power.svg"::: **Power options**](#tab/power)
::: zone pivot="windows-11"
|Policy name| CSP | GPO |
|-|-|-|
|[Hide **Hibernate** ](#hide-hibernate)|✅|❌|
|[Hide **Lock**](#hide-lock)|✅|❌|
|[Hide **Power** button](#hide-power-button)|✅|❌|
|[Hide **Restart**](#hide-restart)|✅|❌|
|[Hide **Shut down**](#hide-shut-down)|✅|❌|
|[Hide **Sleep**](#hide-sleep)|✅|❌|
|[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅|
::: zone-end
::: zone pivot="windows-10"
|Policy name| CSP | GPO |
|-|-|-|
|[Hide **Hibernate** ](#hide-hibernate)|✅|❌|
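Review bot: the new Windows 11 row `[Hide **Hibernate** ](#hide-hibernate)` carries a stray space before the closing bracket, copied from the Windows 10 row below it; drop it in both tables while the file is open. Moving Hide Lock from Account options to Power options for Windows 11 is consistent with the zone-gated include change further down in this file.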
@ -183,7 +216,12 @@ Select one of the tabs to see the list of available settings:
|[Hide **Sleep**](#hide-sleep)|✅|❌|
|[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅|
::: zone-end
[!INCLUDE [hide-hibernate](includes/hide-hibernate.md)]
::: zone pivot="windows-11"
[!INCLUDE [hide-lock](includes/hide-lock.md)]
::: zone-end
[!INCLUDE [hide-power-button](includes/hide-power-button.md)]
[!INCLUDE [hide-restart](includes/hide-restart.md)]
[!INCLUDE [hide-shut-down](includes/hide-shut-down.md)]

View File

@ -425,7 +425,7 @@ To turn off Insider Preview builds for Windows 10 and Windows 11:
### <a href="" id="bkmk-ie"></a>8. Internet Explorer
> [!NOTE]
> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](/troubleshoot/browsers/enhanced-security-configuration-faq). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](/previous-versions/troubleshoot/browsers/security-privacy/enhanced-security-configuration-faq). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|

View File

@ -26,8 +26,8 @@ You can see how an employee would use standalone mode with Application Guard.
3. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
> [!NOTE]
> Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
@ -47,19 +47,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
1. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
1. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
1. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png)
![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png)
d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
1. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
1. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png)
![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png)
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
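Review bot: switching the sub-steps from a./b./c./d./e. to repeated `1.` relies on Markdown auto-numbering, which restarts at 1 if the image lines between steps c and d and after step e are not indented under the preceding list item; the rendered diff hides indentation, so check the source. The explicit letters were immune to that problem.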
@ -67,8 +67,8 @@ Before you can use Application Guard in managed mode, you must install Windows 1
![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png)
>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
> [!NOTE]
> Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
6. Start Microsoft Edge and type `https://www.microsoft.com`.
@ -230,10 +230,13 @@ Once a user has the extension and its companion app installed on their enterpris
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png)
3. Navigate to a nonenterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png)
4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**
4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**.
![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)
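Review bot: while adding the missing period to step 4, also fix the duplicated word in step 3 two lines up: "a nonenterprise, external website site" should be "a nonenterprise, external website".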

View File

@ -252,7 +252,7 @@ Universal Print has integrated with Administrative Units in Microsoft Entra ID t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption)
- [Data handling in Universal Print](/universal-print/data-handling)
- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.

View File

@ -1,24 +1,17 @@
---
title: Introduction to Windows security
description: System security book.
ms.date: 09/01/2023
ms.topic: tutorial
ms.date: 07/22/2024
ms.topic: overview
ms.author: paoloma
ms.collection:
- essentials-security
content_well_notification:
- AI-contribution
author: paolomatarazzo
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ai-usage: ai-assisted
---
# Introduction to Windows security
The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the security baselines with new requirements for advanced hardware and software protection that extends from chip to cloud.
## How Windows 11 enables Zero Trust protection
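Review bot: the only change to the Zero Trust paragraph is dropping the link to `windows-security-baselines.md`, which leaves "security baselines" as plain text; if the relative path was broken, repoint it rather than removing the cross-reference, since the baselines page is the natural next read from an introduction. Separately, "until safety and integrity is proven" should be "are proven" (compound subject); that wording is carried over unchanged.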
@ -44,11 +37,11 @@ In Windows 11, hardware and software work together to protect the operating syst
To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/device-experiences/oem-app-guard) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
In Windows 11, [Microsoft Defender Application Guard](application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
### Secured identities
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) and [passkeys](identity-protection/passkeys/index.md) for passwordless authentication.
### Connecting to cloud services
@ -58,4 +51,4 @@ Microsoft offers comprehensive cloud services for identity, storage, and access
To learn more about the security features included in Windows 11, read the [Windows 11 Security Book](book/index.md).
<!--(https://aka.ms/Windows11SecurityBook).-->
<!--(https://aka.ms/Windows11SecurityBook) PDF version-->

View File

@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
ms.date: 07/08/2024
ms.date: 07/18/2024
---
# BitLocker recovery process
@ -72,7 +72,7 @@ The following list can be used as a template for creating a recovery process for
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
> [!NOTE]
> When devices including [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
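Review bot: "devices that utilize Windows Autopilot" reads better as "devices that use Windows Autopilot"; the Microsoft style guide prefers "use" over "utilize". The rest of the note is carried over unchanged, including "will lose access" and "will need to contact", which could become present tense ("lose access", "need to contact") in the same edit.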

View File

@ -1,7 +1,7 @@
---
title: Encrypted hard drives
description: Learn how encrypted hard drives use the rapid encryption that is provided by BitLocker to enhance data security and management.
ms.date: 10/18/2023
ms.date: 07/22/2024
ms.topic: concept-article
---
@ -75,7 +75,7 @@ To configure encrypted hard drives as startup drives, use the same methods as st
There are three policy settings to manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/configure.md?tabs=fixed#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/configure.md?tabs=fixed#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
- [Configure use of hardware-based encryption for removable data drives](bitlocker/configure.md?tabs=removable#configure-use-of-hardware-based-encryption-for-removable-data-drives)
- [Configure use of hardware-based encryption for operating system drives](bitlocker/configure.md?tabs=os#configure-use-of-hardware-based-encryption-for-operating-system-drives)