Merge branch 'main' into v-smandalika-8858073-windows

Siddarth Mandalika
2024-05-10 16:12:33 +05:30
committed by GitHub
149 changed files with 2225 additions and 1472 deletions

View File

@ -234,6 +234,78 @@
"source_path": "education/windows/configure-windows-for-education.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/configure-device-apps.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-apps",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/configure-device-settings.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/configure-devices-overview.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-devices-overview",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-autopilot.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-autopilot",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-entra-join.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-entra-join",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-overview.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-overview",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-package.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-package",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/index.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/introduction",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/manage-overview.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-overview",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/manage-surface-devices.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-surface-devices",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/reset-wipe.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/reset-wipe",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-intune.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/troubleshoot-overview.md",
"redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/troubleshoot-overview",
"redirect_document_id": false
}
]
}
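Review bot: the index.md entry (source_path education/windows/tutorial-school-deployment/index.md) is the only one in this block whose target changes the file stem, to .../tutorial-school-deployment/introduction, while every other entry keeps the stem of its source file; confirm that introduction is the actual landing page in the /mem/intune/industry/education docset and not a slip for index, because a wrong target here silently sends every inbound link to the old tutorial home to a missing page.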

View File

@ -347,7 +347,12 @@
},
{
"source_path": "windows/configuration/kiosk-prepare.md",
"redirect_url": "/windows/configuration/kiosk/recommendations",
"redirect_url": "/windows/configuration/assigned-access/recommendations",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk/recommendations.md",
"redirect_url": "/windows/configuration/assigned-access/recommendations",
"redirect_document_id": false
},
{
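Review bot: repointing kiosk-prepare.md straight at /windows/configuration/assigned-access/recommendations is the right call, since its previous target /windows/configuration/kiosk/recommendations is itself redirected by the new entry directly below and would otherwise form a redirect chain; check the rest of this file for any other entries whose redirect_url still ends in kiosk/recommendations and update them the same way.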

View File

@ -9169,6 +9169,16 @@
"source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud-security/index.md",
"redirect_url": "/windows/security/cloud-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
"redirect_document_id": false
}
]
}
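Review bot: both new entries set redirect_document_id to false; for hello-feature-dual-enrollment.md -> .../hello-for-business/dual-enrollment, which reads as a plain rename within the same folder, true would carry the existing document id over to the new page, so confirm that false is intended rather than copied from the neighbouring entry. The cloud-security/index.md -> /windows/security/cloud-services entry also needs the target to exist in this branch, which the redirection file alone does not guarantee.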

View File

@ -215,14 +215,6 @@ A multiple activation key activates either individual computers or a group of co
| Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
|-|-|:-:|:-:|:-:|:-:|
| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
| **Microsoft Entra join** | Organization | X | X | | X |
| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
## Related links
- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades)
- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation)
- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/)
- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education)
| **Workplace join (add work or school account)** | Personal (or student-owned) | | | | |
| **Microsoft Entra join** | Organization | | | | |
| **Microsoft Entra hybrid join** | Organization | | | | |
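Review bot: as rendered in this hunk, the three replacement rows (Workplace join, Microsoft Entra join, Microsoft Entra hybrid join) have every MAK/KMS/AD based activation/Subscription Activation cell empty, whereas the rows they replace carried X marks; if the X was swapped for a check symbol, verify that it survives the build, because a table with no marks reads as no activation method applying to any scenario. Removing the Related links section also drops the pointers to Subscription Activation and edition upgrades that the table's last column depends on; if they are still relevant, keep them or move them into the text above the table.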

View File

@ -63,10 +63,8 @@ productDirectory:
- title: Learn how to manage Windows devices
imageSrc: /media/common/i_management.svg
links:
- url: tutorial-school-deployment/manage-overview.md
- url: /mem/intune/industry/education/tutorial-school-deployment/manage-overview
text: Manage devices with Microsoft Intune
- url: tutorial-school-deployment/manage-surface-devices.md
text: Management functionalities for Surface devices
- url: /education/windows/get-minecraft-for-education
text: Get and deploy Minecraft Education
- url: /windows/client-management
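Review bot: the 'Management functionalities for Surface devices' link is removed outright rather than repointed, although the redirection hunk in this same commit maps tutorial-school-deployment/manage-surface-devices.md to /mem/intune/industry/education/tutorial-school-deployment/manage-surface-devices; if that page still exists in the new docset, replacing the url with the new absolute path, as done for manage-overview on the line above, keeps the Surface guidance discoverable from this landing page.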

View File

@ -4,8 +4,6 @@ items:
- name: Tutorials
expanded: true
items:
- name: Deploy and manage Windows devices in a school
href: tutorial-school-deployment/toc.yml
- name: Deploy applications to Windows 11 SE
href: tutorial-deploy-apps-winse/toc.yml
- name: Concepts
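Review bot: dropping the 'Deploy and manage Windows devices in a school' node removes the tutorial from this TOC entirely; since its pages now live under /mem/intune/industry/education/tutorial-school-deployment/ according to the redirection entries in this commit, consider keeping a node with an absolute href to that location so readers browsing the education TOC still find it next to 'Deploy applications to Windows 11 SE', which stays.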

View File

@ -1,77 +0,0 @@
---
title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
ms.date: 01/16/2024
ms.topic: tutorial
---
# Configure applications with Microsoft Intune
With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
Applications can be assigned to groups:
- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
> [!div class="checklist"]
>In this section you will:
>
> - Add apps to Intune for Education
> - Assign apps to groups
> - Review some considerations for Windows 11 SE devices
## Add apps to Intune for Education
Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
### Desktop apps
The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
### Web apps
To create web applications in Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Apps**
1. Select **New app** > **New web app**
1. Provide a URL for the web app, a name and, optionally, an icon and description
1. Select **Save**
For more information, see [Add web apps][INT-2].
## Assign apps to groups
To assign applications to a group of users or devices:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to manage
1. Select **Apps**
1. Select either **Web apps** or **Windows apps**
1. Select the apps you want to assign to the group > Save
## Considerations for Windows 11 SE
Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC).
WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.
To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1].
## Next steps
With the applications configured, you can now deploy students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Deploy devices >](enroll-overview.md)
<!-- Reference links in article -->
[EDU-1]: ../tutorial-deploy-apps-winse/index.md
[MEM-1]: /mem/intune/apps/apps-win32-add
[INT-1]: /intune-education/express-configuration-intune-edu
[INT-2]: /intune-education/add-web-apps-edu
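Review bot: the deleted page cross-links to ../tutorial-deploy-apps-winse/index.md ([EDU-1]), and the toc.yml hunk shows that tutorial-deploy-apps-winse stays in this repo; check that pages in that surviving folder do not link back into tutorial-school-deployment with relative paths (the enroll-autopilot hunk shows such links exist in the reverse direction via ../tutorial-deploy-apps-winse/considerations.md), because a relative link to a deleted file is not rescued by the redirection entries and will break.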

View File

@ -1,133 +0,0 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
ms.date: 01/16/2024
ms.topic: tutorial
ms.collection: essentials-manage
---
# Configure and secure devices with Microsoft Intune
With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
Settings can be assigned to groups:
- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
There are two ways to manage settings in Intune for Education:
- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
- **Group settings.** This option is used to configure all settings that are offered by Intune for Education
> [!NOTE]
> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
> [!div class="checklist"]
>In this section you will:
>
> - Configure settings with Express Configuration
> - Configure group settings
> - Create Windows Update policies
> - Configure security policies
## Configure settings with Express Configuration
With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
> [!TIP]
> To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
## Configure group settings
Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the different categories and review information about individual settings
Settings that are commonly configured for student devices include:
- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
For more information, see [Windows device settings in Intune for Education][INT-3].
## Create Windows Update policies
It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
To create a Windows Update policy:
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the category **Update and upgrade**
1. Configure the required settings as needed
For more information, see [Updates and upgrade][INT-6].
> [!NOTE]
> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information:
> - [<u>What is Windows Update for Business?</u>][WIN-1]
> - [<u>Manage Windows software updates in Intune</u>][MEM-1]
## Configure security policies
It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
Intune for Education provides different settings to secure devices.
To create a security policy:
1. Select **Groups** > Pick a group to manage
1. Select **Windows device settings**
1. Expand the category **Security**
1. Configure the required settings as needed, including
- Windows Defender
- Windows Encryption
- Windows SmartScreen
For more information, see [Security][INT-4].
> [!NOTE]
> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [<u>Antivirus</u>][MEM-2]
> - [<u>Disk encryption</u>][MEM-3]
> - [<u>Firewall</u>][MEM-4]
> - [<u>Endpoint detection and response</u>][MEM-5]
> - [<u>Attack surface reduction</u>][MEM-6]
> - [<u>Account protection</u>][MEM-7]
---
## Next steps
With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Configure applications >](configure-device-apps.md)
<!-- Reference links in article -->
[EDU-1]: /education/windows/windows-11-se-overview
[INT-2]: /intune-education/express-configuration-intune-edu
[INT-3]: /intune-education/all-edu-settings-windows
[INT-4]: /intune-education/all-edu-settings-windows#security
[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
[INT-8]: /intune-education/add-wi-fi-profile
[INT-9]: /intune-education/take-a-test-profiles
[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
[MEM-1]: /mem/intune/protect/windows-update-for-business-configure
[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
[MEM-3]: /mem/intune/protect/encrypt-devices
[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy
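Review bot: if this content was migrated rather than dropped, carry two fixes into the new copy: the Next steps paragraph ('With the Intune service configured, you can configure policies and applications to deploy...') is the wording of the configure-devices-overview page and does not describe this page, whose next step is 'Configure applications', and the [EDU-1] and [INT-2] reference definitions are never used in the body.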

View File

@ -1,61 +0,0 @@
---
title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 11/09/2023
ms.topic: tutorial
ms.collection: essentials-manage
---
# Configure settings and applications with Microsoft Intune
Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices.
With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
> [!div class="checklist"]
>In this section you will:
>
> - Create groups
> - Create and assign policies to groups
> - Create and assign applications to groups
## Create groups
By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
By default, Intune for Education creates two default groups: *All devices* and *All users*.
Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
Two group types can be created:
- **Assigned groups** are used when you want to manually add users or devices to a group
- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
> [!TIP]
> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
For more information, see:
- [Create groups in Intune for Education][EDU-1]
- [Manually add or remove users and devices to an existing assigned group][EDU-2]
- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
________________________________________________________
## Next steps
With the groups created, you can configure policies and applications to deploy to your groups.
> [!div class="nextstepaction"]
> [Next: Configure policies >](configure-device-settings.md)
<!-- Reference links in article -->
[EDU-1]: /intune-education/create-groups
[EDU-2]: /intune-education/edit-groups-intune-for-edu
[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
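Review bot: two small defects worth fixing in the migrated copy if one exists: the front-matter title ('Configure devices with Microsoft Intune') does not match the H1 ('Configure settings and applications with Microsoft Intune'), and the TIP reads 'before users signs in' where it should be 'before users sign in'.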

View File

@ -1,148 +0,0 @@
---
title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot.
ms.date: 01/16/2024
ms.topic: tutorial
---
# Windows Autopilot
Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
## Prerequisites
Before setting up Windows Autopilot, consider these prerequisites:
- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
> [!NOTE]
> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
## Register devices to Windows Autopilot
Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
> [!NOTE]
> For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
> [!TIP]
> Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
> [!IMPORTANT]
> **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
## Create groups for Autopilot devices
**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
For this task, it's recommended to create dynamic device groups using Autopilot attributes.
Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > **Create group**
1. Specify a **Group name** and select **Dynamic**
1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
1. Select **Create group**
:::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
> [!TIP]
> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
## Create Autopilot deployment profiles
For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE
1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode
To create an Autopilot deployment profile:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Select a group from the list
1. Select **Windows device settings**
1. Expand the **Enrolment** category
1. From **Configure Autopilot deployment profile for device** select **User-driven**
1. Ensure that **User account type** is configured as **Standard**
1. Select **Save**
While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
### Configure an Enrollment Status Page
An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false":::
> [!NOTE]
> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune.
> [!TIP]
> While testing the deployment process, you can configure the ESP to:
> - allow the reset of the devices in case the installation fails
> - allow the use of the device if installation error occurs
>
> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
For more information, see [Set up the Enrollment Status Page][MEM-3].
> [!CAUTION]
> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3].
### Autopilot end-user experience
Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
1. Identify the language and region
1. Select the keyboard layout and decide on the option for a second keyboard layout
1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
1. Apply updates: the device will look for and apply required updates
1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
1. The user authenticates to Microsoft Entra ID, using the school account
1. The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured
> [!NOTE]
> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
________________________________________________________
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/intune-endpoints
[MEM-2]: /mem/autopilot/oem-registration
[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
[MEM-4]: /mem/autopilot/profiles
[MEM-5]: /mem/autopilot/partner-registration
[MEM-6]: /mem/autopilot/add-devices
[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
[MSFT-1]: https://partner.microsoft.com/
[INT-1]: /intune/network-bandwidth-use
[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
[SURF-1]: /surface/surface-autopilot-registration-support
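Review bot: the reference [MEM-3] is used twice with different meanings, once for 'Create an Autopilot device group using Intune' and once for 'Set up the Enrollment Status Page', but its definition points at the device-group anchor (/mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune), so the ESP link sends readers to the wrong section; if this page is migrated, give the ESP link its own reference. Also the category name 'Enrolment' in the deployment-profile steps is spelled differently from 'Enrollment' everywhere else on the page.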

View File

@ -1,32 +0,0 @@
---
title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Automatic Intune enrollment via Microsoft Entra join
If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
With this process, no advance preparation is needed:
1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
1. Wait for updates. If any updates are available, they'll be installed at this time
:::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account
:::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device
> [!IMPORTANT]
> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)
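Review bot: the steps never mention that the user who completes the Microsoft Entra join from OOBE becomes a local administrator of the device, which the enroll-overview.md hunk below states and gives as the reason this method is not ideal for education devices; if the page is carried over to the new location, the IMPORTANT box is the natural place for that caveat, alongside the existing one about enrollment restrictions blocking personal devices.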

View File

@ -1,31 +0,0 @@
---
title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
ms.date: 11/09/2023
ms.topic: overview
---
# Device enrollment overview
There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune:
- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
## Choose the enrollment method
**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
> - [Bulk enrollment with provisioning packages](enroll-package.md)
> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
<!-- Reference links in article -->
[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot
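Review bot: The `op_single_selector` block in this deleted overview links three sibling pages by relative path (`enroll-entra-join.md`, `enroll-package.md`, `enroll-autopilot.md`); with the whole folder being removed, the redirect for this page should land on a destination that offers the same selector, otherwise readers following the overview lose the branch to the three methods. The `[INT-1]` reference relies on the anchor `#when-to-use-set-up-school-pcs-vs-windows-autopilot` on a page outside this docset; anchors are not covered by the redirection map, so verify it still resolves after the move.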

View File

@ -1,65 +0,0 @@
---
title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Enrollment with provisioning packages
Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
- There are no particular hardware dependencies on the devices to complete the enrollment process
- Devices don't need to be registered in advance
- Enrollment is a simple task: just open a provisioning package and the process is automated
You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
## Set up School PCs
With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process.
### Create a provisioning package
The Set Up School PCs app guides you through configuration choices for school-owned devices.
:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
> [!CAUTION]
> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
> [!TIP]
> To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
## Windows Configuration Designer
Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
## Enroll devices with the provisioning package
To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune.
All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
> [!div class="nextstepaction"]
> [Next: Manage devices >](manage-overview.md)
<!-- Reference links in article -->
[EDU-1]: /education/windows/use-set-up-school-pcs-app
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
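Review bot: Two wording defects in this deleted page should not be carried into the destination verbatim: `bring-you-own devices` in the Windows Configuration Designer section should read `bring-your-own devices`, and `ensure to select the correct *OS version*` reads better as `make sure you select the correct *OS version*`. The `[EDU-1]: /education/windows/use-set-up-school-pcs-app` reference points back into this docset, so check that the target page is not also being removed or redirected in this batch, and that the `.gif` and `.png` images referenced here are not still referenced by any page that survives.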

Binary file not shown.

Before

Width:  |  Height:  |  Size: 122 KiB


View File

@ -1,81 +0,0 @@
---
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 11/09/2023
ms.topic: tutorial
ms.collection: essentials-get-started
---
# Tutorial: deploy and manage Windows devices in a school
This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
## Audience and user requirements
This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:
- School leaders
- IT administrators
- Teachers
- Microsoft partners
This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
> [!NOTE]
> Depending on your school setup scenario, you may not need to implement all steps.
## Device lifecycle management
Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
Microsoft Intune services include:
- [Microsoft Intune][MEM-1]
- [Microsoft Intune for Education][INT-1]
- [Configuration Manager][MEM-2]
- [Desktop Analytics][MEM-3]
- [Windows Autopilot][MEM-4]
- [Surface Management Portal][MEM-5]
These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
## Why Intune for Education?
Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
## Four pillars of modern device management
In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication
- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence
- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
- **Device reset:** Resetting managed devices with Intune for Education
---
## Next steps
Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/what-is-intune
[MEM-2]: /mem/configmgr/core/understand/introduction
[MEM-3]: /mem/configmgr/desktop-analytics/overview
[MEM-4]: /mem/autopilot/windows-autopilot
[MEM-5]: /mem/autopilot/dfci-management
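Review bot: The `[MEM-5]` reference is labelled **Surface Management Portal** in the services list but resolves to `/mem/autopilot/dfci-management`, which is the DFCI page also used as `[MEM-1]` in the Surface hunk below; link text and target disagree, so fix the target when this list is recreated at the destination. The `ms.collection: essentials-get-started` front matter also needs to travel with the page, or its place in the get-started collection is lost.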
[INT-1]: /intune-education/what-is-intune-for-education

View File

@ -1,59 +0,0 @@
---
title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Manage devices with Microsoft Intune
Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
## Remote device management
With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
### Remote actions
Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
With bulk actions, remote actions can be performed on multiple devices at once.
To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
## Remote assistance
With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
## Device inventory and reporting
With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
Here are the steps for generating reports in Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Reports**
1. Select between one of the report types:
- Device inventory
- Device actions
- Application inventory
- Settings errors
- Windows Defender
- Autopilot deployment
1. If needed, use the search box to find specific devices, applications, and settings
1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
:::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
<!-- Reference links in article -->
[EDU-1]: /intune-education/edu-device-remote-actions
[EDU-2]: /intune-education/remote-assist-mobile-devices
[EDU-3]: /intune-education/what-are-reports
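Review bot: Two typos in this deleted page should be corrected if the text is migrated: `Intune fo Education` under Remote actions should be `Intune for Education`, and `it's possible view and report` under Device inventory and reporting is missing `to`. The reports list (including **Windows Defender** and **Settings errors**) and the remote actions (restart, power off, locate) are the operational surfaces a school admin relies on for device health and security, so the destination page should keep the portal link and the report names intact rather than summarising them.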

View File

@ -1,44 +0,0 @@
---
title: Management functionalities for Surface devices
description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
-<b>Surface devices</b>
---
# Management functionalities for Surface devices
Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
## Manage device firmware for Surface devices
Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true":::
## Microsoft Surface Management Portal
Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
To access and use the Surface Management Portal:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **All services** > **Surface Management Portal**
:::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
1. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
1. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
1. To obtain the device's warranty information, select **Device warranty and coverage**
1. To review a list of support requests and their status, select **Support requests**
<!-- Reference links in article -->
[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
[MEM-1]: /mem/autopilot/dfci-management
[SURF-1]: /surface/surface-manage-dfci-guide
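Review bot: The `appliesto` front matter is malformed: `-<b>Surface devices</b>` lacks the space after the dash that YAML list syntax requires, so the applies-to banner may not render; fix it as `- <b>Surface devices</b>` wherever this page is recreated. The `[INT-1]` path `/intune/configuration/device-firmware-configuration-interface-windows` lacks the `/mem` prefix that `[MEM-1]` uses, so verify it resolves. On the content, the DFCI section states that DFCI eliminates BIOS passwords and controls boot options, cameras and microphones; the precondition stated in the reset hunk below, that DFCI-managed devices must be registered by a partner or OEM, is worth restating here when the page lands at its destination.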

View File

@ -1,111 +0,0 @@
---
title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Device reset options
There are different scenarios that require a device to be reset, for example:
- The device isn't responding to commands
- The device is lost or stolen
- It's the end of the life of the device
- It's the end of the school year and you want to prepare the device for a new school year
- The device has hardware problems and you want to send it to the service center
:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
## Factory reset (wipe)
A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
Once the wipe is completed, the device will be in out-of-box experience.
Here are the steps to perform a factory reset from Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Devices**
1. Select the device you want to reset > **Factory reset**
1. Select **Factory reset** to confirm the action
:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
Consider using factory reset in the following example scenarios:
- The device isn't working properly, and you want to reset it without reimaging it
- It's the end of school year and you want to prepare the device for a new school year
- You need to reassign the device to a different student, and you want to reset the device to its original settings
- You're returning a device to the service center, and you want to remove all data and settings from the device
> [!TIP]
> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
## Autopilot Reset
Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
Here are the steps to perform an Autopilot reset from Intune for Education:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Devices**
1. Select the device you want to reset > **Autopilot reset**
1. Select **Autopilot reset** to confirm the action
:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
Consider using Autopilot reset in the following example scenarios:
- The device isn't working properly, and you want to reset it without reimaging it
- It's the end of school year and you want to prepare the device for a new school year
- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
> [!TIP]
> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
## Wiping and deleting a device
There are scenarios that require a device to be deleted from your tenant, for example:
- The device is lost or stolen
- It's the end of the life of the device
- The device has been replaced with a new device or has its motherboard replaced
> [!IMPORTANT]
> The following actions should only be performed for devices that are no longer going to be used in your tenant.
To completely remove a device, you need to perform the following actions:
1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
1. Delete the device from Microsoft Entra ID using [these steps][MEM-3]
## Autopilot considerations for a motherboard replacement scenario
Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
1. Deregister the device from Autopilot
1. Replace the motherboard
1. Capture a new device ID (4K HH)
1. Re-register the device with Autopilot
> [!IMPORTANT]
> For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
1. Reset the device
1. Return the device
For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
<!-- Reference links in article -->
[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
[MEM-4]: /mem/autopilot/autopilot-mbr
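Review bot: `[MEM-2]` is cited at step 2 of the removal procedure for deleting the Autopilot object, but its target is identical to `[MEM-1]` (`/mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal`), which is the Intune-portal deletion anchor, so the Autopilot-deregistration step points readers at the wrong instructions; correct the target when this procedure is recreated, since it is the procedure recommended for lost or stolen devices. The IMPORTANT callout placed between step 4 and `Reset the device` splits the numbered list, so the last two steps will renumber from 1 in most Markdown renderers. Minor typos to fix in the destination: `ask to chose region` should be `ask to choose region`, `reset the device to without requiring` has a stray `to`, and `it's suggested the following process` should read `the following process is suggested`.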

View File

@ -1,173 +0,0 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
# Set up Microsoft Entra ID
The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
> [!div class="checklist"]
>In this section you will:
>
> - Set up a Microsoft 365 Education tenant
> - Add users, create groups, and assign licenses
> - Configure school branding
> - Enable bulk enrollment
## Create a Microsoft 365 tenant
If you don't already have a Microsoft 365 tenant, you'll need to create one.
For more information, see [Create your Office 365 tenant account][M365-1]
> [!TIP]
> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/set-up-Microsoft-365" target="_blank"><u>this interactive demo</u></a>.
### Explore the Microsoft 365 admin center
The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others:
:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
For more information, see [Overview of the Microsoft 365 admin center][M365-2].
> [!NOTE]
> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
## Add users, create groups, and assign licenses
With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
> [!NOTE]
> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below.
### School Data Sync
School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
For more information, see [Overview of School Data Sync][SDS-1].
> [!TIP]
> To learn more and practice with School Data Sync, follow the <a href="https://interactiveguides-schooldatasync.azurewebsites.net/" target="_blank"><u>Microsoft School Data Sync demo</u></a>, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
> [!NOTE]
> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [<u>O365-EDU-Tools GitHub site</u>](https://github.com/OfficeDev/O365-EDU-Tools).
>
> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
### Microsoft Entra Connect Sync
To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including:
- [Password hash synchronization][AAD-1]
- [Pass-through authentication][AAD-2]
- [Federated authentication][AAD-3]
For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
### Create users manually
In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
There are two options for adding users manually, either individually or in bulk:
1. To add students and teachers as users in Microsoft 365 Education *individually*:
- Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
- Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user**
For more information, see [Add users and assign licenses at the same time][M365-3].
1. To add *multiple* users to Microsoft 365 Education:
- Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
- Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
### Create groups
Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group**
1. On the **New group** page, select **Group type** > **Security**
1. Provide a group name and add members, as needed
1. Select **Next**
For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
### Assign licenses
The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
To assign a license to a group:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses**
1. Select the required products that you want to assign licenses for > **Assign**
1. Add the groups to which the licenses should be assigned
:::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4].
## Configure school branding
Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
To configure your school's branding:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding**
1. You can specify brand settings like background image, logo, username hint and a sign-in page text
:::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties**
1. In the **Name** field, enter the school district or organization's name > **Save**
:::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
For more information, see [Add branding to your directory][AAD-5].
## Enable bulk enrollment
If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant.
To allow provisioning packages to complete the Microsoft Entra join process:
1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
1. Select **Microsoft Entra ID** > **Devices** > **Device Settings**
1. Under **Users may join devices to Microsoft Entra ID**, select **All**
> [!NOTE]
> If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
1. Select Save
:::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
---
## Next steps
With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
<!-- Reference links in article -->
[AAD-1]: /azure/active-directory/hybrid/whatis-phs
[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
[AAD-5]: /azure/active-directory/fundamentals/customize-branding
[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
[M365-3]: /microsoft-365/admin/add-users/add-users
[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
[M365-5]: /microsoft-365/admin/create-groups/create-groups
[O365-1]: /office365/enterprise/set-up-directory-synchronization
[SDS-1]: /schooldatasync/overview-of-school-data-sync
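Review bot: this hunk deletes the page outright, and its Next steps link still points at set-up-microsoft-intune.md, which the `@ -1,97 +0,0 @@` hunk right after this one also deletes; both source paths therefore need redirect entries to their new home, otherwise the old URL and the in-article link both end in a 404. Nothing else to raise on removed text, but note for whoever owns the new location that the "Users may join devices to Microsoft Entra ID: All" step in the bulk enrollment section is the broad setting and the accompanying NOTE about "Selected" is the least-privilege one; that nuance should survive the move.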

View File

@ -1,97 +0,0 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
ms.date: 01/16/2024
ms.topic: tutorial
appliesto:
---
# Set up Microsoft Intune
Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.
The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
For more information, see [Intune for Education documentation][INT-1].
> [!div class="checklist"]
>In this section you will:
>
> - Review Intune's licensing prerequisites
> - Configure the Intune service for education devices
## Prerequisites
Before configuring settings with Intune for Education, consider the following prerequisites:
- **Intune subscription.** Microsoft Intune is licensed in three ways:
- As a standalone service
- As part of [Enterprise Mobility + Security][MSFT-1]
- As part of a [Microsoft 365 Education subscription][MSFT-2]
- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
## Configure the Intune service for education devices
The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
### Configure enrollment restrictions
With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
To block personally owned Windows devices from enrolling:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
1. Select the **Windows restrictions** tab
1. Select **Create restriction**
1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
:::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png":::
1. Optionally, on the **Scope tags** page, add scope tags > **Next**
1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
1. On the **Review + create** page, select **Create** to save the restriction
For more information, see [Create a device platform restriction][MEM-2].
### Disable Windows Hello for Business
Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
To disable Windows Hello for Business at the tenant level:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Windows Enrollment**
1. Select **Windows Hello for Business**
1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
1. Select **Save**
:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="./images/whfb-disable.png":::
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
---
## Next steps
With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
> [!div class="nextstepaction"]
> [Next: Configure devices >](configure-devices-overview.md)
<!-- Reference links in article -->
[MEM-1]: /mem/intune/fundamentals/licenses
[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
[INT-1]: /intune-education/what-is-intune-for-education
[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf

View File

@ -1,38 +0,0 @@
items:
- name: Introduction
href: index.md
- name: 1. Prepare your tenant
items:
- name: Set up Microsoft Entra ID
href: set-up-microsoft-entra-id.md
- name: Set up Microsoft Intune
href: set-up-microsoft-intune.md
- name: 2. Configure settings and applications
items:
- name: Overview
href: configure-devices-overview.md
- name: Configure policies
href: configure-device-settings.md
- name: Configure applications
href: configure-device-apps.md
- name: 3. Deploy devices
items:
- name: Overview
href: enroll-overview.md
- name: Enroll devices via Microsoft Entra join
href: enroll-entra-join.md
- name: Enroll devices with provisioning packages
href: enroll-package.md
- name: Enroll devices with Windows Autopilot
href: enroll-autopilot.md
- name: 4. Manage devices
items:
- name: Overview
href: manage-overview.md
- name: Management functionalities for Surface devices
href: manage-surface-devices.md
- name: Reset and wipe devices
href: reset-wipe.md
- name: 5. Troubleshoot and get help
href: troubleshoot-overview.md
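Review bot: deleting the TOC removes the entry points for all fourteen pages listed here, so every href from index.md through troubleshoot-overview.md should map to a redirect entry for its source_path under education/windows/tutorial-school-deployment/. The deletions visible in this commit view cover only some of them (the Entra, Intune, and troubleshooting pages and this TOC); the manage-overview.md, manage-surface-devices.md and reset-wipe.md entries deserve an explicit check that they are redirected rather than left as dead links.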

View File

@ -1,56 +0,0 @@
---
title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 11/09/2023
ms.topic: tutorial
---
# Troubleshoot Windows devices
Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
- [Troubleshooting device enrollment in Intune][MEM-2]
- [Troubleshooting Windows Autopilot][MEM-9]
- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
- [Troubleshooting CSP custom settings][MEM-8]
- [Troubleshooting Win32 app installations with Intune][MEM-7]
- [Troubleshooting device actions in Intune][MEM-3]
- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
:::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
## How to contact Microsoft Support
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Troubleshooting + support** > **Help and support**
:::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
- Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
- View insights: find links to documentation that provides context and background specific to the product area or actions you've described
- Recommended articles: browse suggested troubleshooting topics and other content related to your issue
- If needed, use the *Contact support* pane to file an online support ticket
> [!IMPORTANT]
> When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
For more information, see [Microsoft Intune support page][MEM-1]
<!-- Reference links in article -->
[MEM-1]: /mem/get-support
[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
[MEM-9]: /mem/autopilot/troubleshooting
[MEM-10]: /mem/intune/remote-actions/collect-diagnostics

View File

@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
ms.date: 08/18/2023
ms.date: 05/06/2024
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:

View File

@ -1,7 +1,7 @@
---
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.date: 08/10/2023
ms.date: 05/09/2024
ms.topic: conceptual
ms.localizationpriority: medium
ms.collection:
@ -13,6 +13,11 @@ ms.collection:
Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
> [!IMPORTANT]
> Learn how to [protect yourself from tech support scams](https://support.microsoft.com/help/4013405). Tech support scams are an industry-wide issue where scammers use scare tactics to trick you into unnecessary technical support services. Only allow a Helper to connect to your device if you initiated the interaction by contacting Microsoft Support or your IT support staff directly.
>
> If you or someone you know has been affected by a tech support scam, use the [technical support scam form](https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753) to report it.
## Before you begin
All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
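Review bot: the second paragraph of the added IMPORTANT block ("If you or someone you know has been affected by a tech support scam, use the technical support scam form to report it.") repeats, word for word, the closing line of the Report Abuse section later in this same file; keep the reporting instruction in one place and have the callout link to that section instead (for example "see [Report Abuse](#report-abuse)"), so the two copies cannot drift apart. The "Only allow a Helper to connect to your device if you initiated the interaction" guidance is a good thing to state this early in the article.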
@ -38,7 +43,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
| `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `aadcdn.msauth.net` | Required for logging in to the application (Microsoft Entra ID). |
| `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `login.microsoftonline.com` | Required for Microsoft login service. |
| `login.microsoftonline.com` | Required for Microsoft sign-in service. |
| `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
| `turn.azure.com` | Required for Azure Communication Service. |
@ -105,7 +110,7 @@ Before installing Quick Assist, you need to set up synchronization between Intun
1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Select **Manage** / **Settings** and enable **Show offline apps**.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You might need to use the **+Add management tool** link if it's not.
1. Search for **Quick Assist** and select it from the Search results.
1. Choose the **Offline** license and select **Get the app**
1. In the Intune admin center, choose **Sync**.
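Review bot: the unchanged context line "Using your Global Admin account, log into Microsoft Store for Business" is out of step with the "login" to "sign-in" wording change made in the hunk above; change it to "sign in to". More importantly, the step tells readers to use a Global Admin account for a store-sync task; if a lower-privileged admin role can complete it, the step should name that role instead of normalizing Global Admin sign-ins for routine app distribution.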
@ -122,27 +127,64 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps
To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
1. Start **Windows PowerShell** with Administrative privileges.
1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd <location of package file>`
1. Start **Windows PowerShell** with Administrative privileges
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd <location of package file>`
1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
### Microsoft Edge WebView2
The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist application has been developed using this control, making it a necessary component for the app to function.
The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist application is developed using this control, making it a necessary component for the app to function.
- For Windows 11 users, this runtime control is built in.
- For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately.
For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)
For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime.](/microsoft-edge/webview2/concepts/distribution)
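Review bot: the rewritten WebView2 line still carries the run-together "Microsoft EdgeWebView2is" and the missing space in "native apps.The new", and the last changed line moves the sentence's period inside the link text ("[Distribute your app and the WebView2 Runtime.](...)"); since both lines are being touched anyway, restore the spacing and put the period after the closing parenthesis. The `Add-AppxProvisionedPackage -Online -PackagePath ... -LicensePath ...` step is unchanged and is the right cmdlet for an offline-licensed package.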
## Install Quick Assist on macOS
Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device are not working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device.
Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device aren't working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device.
> [!NOTE]
> Quick Assist for macOS is not available outside of Microsoft Support interactions.
## Disable Quick Assist within your organization
If your organization utilizes another remote support tool such as [Remote Help](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help), disable or remove Quick Assist as a best practice, if it isn't used within your environment. This prevents external users from using Quick Assist to gain access to devices within your organization.
### Disable Quick Assist
To disable Quick Assist, block traffic to the `https://remoteassistance.support.services.microsoft.com` endpoint. This is the primary endpoint used by Quick Assist to establish a session, and once blocked, Quick Assist can't be used to get help or help someone.
### Uninstall Quick Assist
#### Uninstall via PowerShell
Run the following PowerShell command as Administrator:
`Remove-AppxPackage -Package MicrosoftCorporationII.QuickAssist_2.0.30.0_x64__8wekyb3d8bbwe -AllUsers`
#### Uninstall via Windows Settings
Navigate to **Settings** > **Apps** > **Installed apps** > Quick Assist > select the ellipsis (…), then select **Uninstall**.
## Report Abuse
Before joining a session, it's important for you to know who you are connecting to. Anyone that has control over your device can perform actions on your device, and potentially install malicious applications or take other actions that can damage your device.
Follow these best practices for using Quick Assist or any remote desktop software:
- Never allow a connection to your device by someone claiming to be "IT Support" unless you initiated the interaction with them.
- Don't provide access to anyone claiming to have an urgent need to access your device.
- Don't share credentials to any websites or applications.
> [!NOTE]
> Microsoft will never contact you through unsolicited emails, phone calls, or other methods to request access to your device. Microsoft will only request access to your device if you have contacted us and directly requested help with solving an issue you are experiencing. If you need customer service support from Microsoft, please visit [Microsoft Support](https://support.microsoft.com/).
If you suspect that the person connecting to your device is being malicious, disconnect from the session immediately and report the concern to your local authorities and/or any relevant IT members within your organization.
If you or someone you know has been affected by a tech support scam, use the [technical support scam form](https://support.microsoft.com/windows/cfa4609a-92cc-4808-95e8-392b4ffd0753) to report it.
## Next steps
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
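Review bot: the uninstall command in the Disable section pins one package full name (`MicrosoftCorporationII.QuickAssist_2.0.30.0_x64__8wekyb3d8bbwe`), so it silently does nothing on any other installed version; the install steps earlier in this file already use `Get-AppxPackage *QuickAssist* -AllUsers`, so prefer `Get-AppxPackage *QuickAssist* -AllUsers | Remove-AppxPackage -AllUsers`. Also, because the offline install path provisions the package with `Add-AppxProvisionedPackage`, removing it for existing users is not enough to keep it off the device: the provisioned copy is installed again for every new user profile unless it is also removed with `Remove-AppxProvisionedPackage -Online`. Worth stating in this section, given that its stated goal is to stop external parties using Quick Assist to reach devices in the organization.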

View File

@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [DDF v2 Files, May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip)
## DDF v2 schema
@ -575,6 +575,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip)
- [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)

View File

@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
ms.date: 02/15/2024
ms.date: 04/08/2024
---
# Assigned Access XML Schema Definition (XSD)
@ -232,7 +232,7 @@ Here's the Assigned Access XSD for the features added in Windows 11:
## Windows 11, version 21H2 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 21H2:
Here's the Assigned Access XSD for the features added in Windows 11, version 21H2:
```xml
<xs:schema

View File

@ -1,13 +1,13 @@
---
title: Customize Windows PE boot images
description: This article describes how to customize a Windows PE (WinPE) boot image including updating with the latest cumulative update, adding drivers, and adding optional components.
description: This article describes how to customize a Windows PE (WinPE) boot image including updating it with the latest cumulative update, adding drivers, and adding optional components.
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: article
ms.date: 09/05/2023
ms.date: 05/09/2024
ms.subservice: itpro-deploy
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -88,7 +88,8 @@ This walkthrough describes how to customize a Windows PE boot image including up
> [!NOTE]
>
> When updating the boot image in the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads), download the cumulative update for Windows 10 Version 22H2.
> - When updating the boot image in the [ADK 10.1.25398.1 (September 2023)](/windows-hardware/get-started/adk-install#download-the-adk-101253981-september-2023), download the **Cumulative Update for Microsoft server operating system version 23H2 for x64-based Systems**.
> - When updating the boot image in the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads), download the **Cumulative Update for Windows 10 Version 22H2**.
## Step 3: Backup existing boot image
@ -141,7 +142,7 @@ For more information, see [copy](/windows-server/administration/windows-commands
> [!IMPORTANT]
>
> When using the default `winpe.wim` boot image from the **Windows PE add-on for the Windows ADK**, it's recommended to always have a backed copy of the original unmodified boot image. This allows reverting back to the pristine untouched original boot image in case any issues occur with any iteration of an updated boot image. Additionally, whenever a new cumulative update needs to be applied to a boot image, it's recommended to always start fresh and update from the original boot image with no updates instead of updating a previously updated boot image.
> When using the default `winpe.wim` boot image from the **Windows PE add-on for the Windows ADK**, it's recommended to always have a backed up copy of the original unmodified boot image. This allows reverting back to the pristine untouched original boot image in case any issues occur with any iteration of an updated boot image. Additionally, whenever a new cumulative update needs to be applied to a boot image, it's recommended to always start fresh and update from the original boot image with no updates instead of updating a previously updated boot image.
## Step 4: Mount boot image to mount folder

Binary file not shown. Before: 292 KiB. After: 118 KiB.

View File

@ -14,7 +14,7 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows Update for Business reports</a>
-<a href=https://learn.microsoft.com/microsoft-365/admin/admin-overview/admin-center-overview >Microsoft 365 admin center</a>
ms.date: 04/26/2023
ms.date: 05/08/2024
---
# Microsoft 365 admin center software updates page

View File

@ -9,7 +9,7 @@ metadata:
manager: aaroncz
author: mestew
ms.author: mstewart
ms.date: 01/26/2024
ms.date: 05/07/2024
title: Frequently Asked Questions about Windows Update for Business reports
summary: |
This article answers frequently asked questions about Windows Update for Business reports. <!--7760853-->
@ -64,6 +64,8 @@ sections:
- question: What Windows versions are supported?
answer: |
Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
> [!Important]
> Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices. <!--8928451-->
- name: Setup questions
questions:
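Review bot: the added alert uses `> [!Important]` while the alerts added elsewhere in this commit use `> [!IMPORTANT]`; use the upper-case form consistently so the alert renders the same everywhere. The sentence directly above still states that Enterprise multi-session editions are supported, so the new note should make clear that the known issue affects data display only and that support is unchanged; "Currently there is a known issue" could also lose "Currently", which will age badly once the issue is fixed and the `<!--8928451-->` tracking comment is the place to track that.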
@ -103,7 +105,7 @@ sections:
answer: |
Here are some reasons why you may not be seeing devices in reports:
- **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- **The device isn't enrolled with Microsoft Entra**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly.
- **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days.
- **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component.
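Review bot: the rename to Microsoft Entra is incomplete on the changed line: the anchor `wufb-reports-prerequisites.md#azure-and-azure-active-directory` and the `/azure/active-directory/devices/concept-azure-ad-join` paths still use the old names, so check that the prerequisites heading was not renamed in the same PR (which would break the anchor) and switch the join-concept links to their current Entra paths. "Enrolled with Microsoft Entra" also mixes terms: the product is Microsoft Entra ID, and devices are joined or registered to it, while "enrolled" is the MDM term; "The device isn't joined to Microsoft Entra ID" matches the rest of the bullet.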
@ -115,13 +117,13 @@ sections:
An unknown client state is displayed if there isn't an update record for the device. This state can happen for many reasons, like the device not being active, not being able to scan Windows Update, or it doesn't currently have any update related activity occurring.
- question: What is the difference between OS version and target version?
answer: |
The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
The word *target* in data labels refers to the update version, build, or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
- question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?
answer: |
These tables can be used for the following information:
- **UCClient**: Represents an individual device's record. It contains data such as the device's name, currently installed build, and the OS Edition. Each device has one record in this table. Use this table to get the overall compliance status of your devices.
- To display information for a specific device by Azure AD device ID: </br>
- To display information for a specific device by Microsoft Entra device ID: </br>
`UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"`
- To display all device records for devices running any Windows 11 OS version:</br>
`UCClient | where OSVersion contains "Windows 11"`
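Review bot: the changed line keeps a subject-verb agreement error, "the fields starting with *OS* ... represents" should be "represent". In the same region, the first sample query on the context line after "Microsoft Entra device ID" is missing the pipe, `UCClient where AzureADDeviceId contains "..."`, unlike the second sample `UCClient | where OSVersion contains "Windows 11"`; as written it is not valid KQL. Keeping the column name `AzureADDeviceId` unchanged is correct, since the schema column was not renamed, but it may be worth a half sentence saying so, as readers will now see "Microsoft Entra device ID" in prose and `AzureADDeviceId` in the query.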
@ -132,7 +134,7 @@ sections:
- To display devices that are in the restart required substate:</br>
`UCClientUpdateStatus |where ClientSubstate =="RestartRequired"`
- **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update and one deployment (if relevant).
- **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update, and one deployment (if relevant).
- To display information about an error code:
`UCUpdateAlert|where ErrorCode =="0X8024000b"`
- To display a count of devices with active alerts by subtype:
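Review bot: beyond the Oxford comma on the changed line, the sample on the context line, `UCUpdateAlert|where ErrorCode =="0X8024000b"`, compares a string with `==`, which is case-sensitive in KQL; the mixed-case `0X...b` literal will only match if the stored value uses exactly that casing. Either verify the casing the table stores or use the case-insensitive `=~` operator, and add the space after the table name so the sample matches the formatting of the other queries in this answer.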

View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/15/2023
ms.date: 05/07/2024
---
# Windows Update for Business reports prerequisites
@ -35,11 +35,14 @@ Before you begin the process of adding Windows Update for Business reports to yo
## Operating systems and editions
- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
- Windows 11 Professional, Education, Enterprise, and Enterprise multi-session editions <!--8928451-->
- Windows 10 Professional, Education, Enterprise, and Enterprise multi-session editions
Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
> [!Important]
> Currently there is a known issue where Windows Update for Business reports doesn't display data for Enterprise multi-session edition devices. <!--8928451, also listed in FAQ-->
## Windows client servicing channels
Windows Update for Business reports supports Windows client devices on the following channels:
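Review bot: the rewrite of the two edition bullets drops the links to `/azure/virtual-desktop/windows-10-multisession-faq`, which is the only place readers were told what Enterprise multi-session is; keep the link in at least one of the bullets. The known-issue alert is now duplicated verbatim between this file and the FAQ (the `<!--8928451, also listed in FAQ-->` comment acknowledges it); a shared include would guarantee both copies are removed together when the issue is fixed. Same casing point as the FAQ hunk: use `> [!IMPORTANT]` as the other alerts in this commit do.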

View File

@ -174,3 +174,6 @@ The **Review problem reports** tool opens, showing you your Windows Error Report
- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer.
**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text.
> [!IMPORTANT]
> To inquire about Windows data access or interoperability related to the Digital Markets Act (DMA), [submit this form](https://go.microsoft.com/fwlink/p/?linkid=2271128&clcid=0x409).

View File

@ -117,3 +117,6 @@ To view endpoints for non-Enterprise Windows editions, see:
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
> [!IMPORTANT]
> To inquire about Windows data access or interoperability related to the Digital Markets Act (DMA), [submit this form](https://go.microsoft.com/fwlink/p/?linkid=2271128&clcid=0x409).
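Review bot: the identical DMA alert is now appended to at least two articles in this commit (the diagnostic data viewer page and this endpoints page), with the same `https://go.microsoft.com/fwlink/p/?linkid=2271128&clcid=0x409` link; put the block in an include file so the wording and fwlink stay consistent across every page that carries it. On the endpoints page the alert lands directly after a link list, so check the rendered output to be sure it is not absorbed into the last list item.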

View File

@ -0,0 +1,68 @@
---
title: Application and driver control
description: Windows 11 security book - Application and driver control.
ms.topic: overview
ms.date: 04/09/2024
---
# Application and driver control
:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
capabilities to build in security from the ground up to protect against breaches and malware.
## Smart App Control
Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
## App Control for Business
Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
## User Account Control
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.
Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
## Microsoft vulnerable driver blocklist
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
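Review bot: the Smart App Control paragraph has a doubled verb, "Smart App Control blocks unknown script files and macros from the web are blocked"; drop "are blocked". In the User Account Control section the sentence "UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings" repeats the first paragraph of that section almost word for word; delete the second occurrence. Several sentences in this file are hard-wrapped mid-sentence ("take advantage of these" / "capabilities to build in", "change settings directly" / "on the device"), which looks like leftover PDF line breaks; join them. The image alt text "Diagram of containing a list of application security features" should read "Diagram containing a list of application security features"; the same alt text appears in the other new files in this commit.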

View File

@ -0,0 +1,53 @@
---
title: Application isolation
description: Windows 11 security book - Application isolation.
ms.topic: overview
ms.date: 04/09/2024
---
# Application isolation
:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
## Win32 app isolation
Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
- Approaches for accessing data and privacy information
- Integrating Win32 apps for compatibility with other Windows interfaces
The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
## Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
- [Windows Sandbox is a new lightweight desktop environment tailored for safely
running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
## App containers
In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
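Review bot: in the Win32 app isolation section, "These capabilities enable the implantation of a Discretionary Access Control List" almost certainly means "implementation"; please confirm against the source text. The last "Learn more" link under Windows Sandbox has its link text split across two lines ("tailored for safely" / "running applications in isolation"), which is fragile inside a list item; put the whole link on one line. In the app containers paragraph, "access to a local host isn't allowed" would be clearer as "loopback (localhost) access isn't allowed", which is what the AppContainer network restriction actually is. Same alt-text grammar fix as the application-and-driver-control page ("Diagram of containing").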

View File

@ -0,0 +1,16 @@
---
title: Application security
description: Windows 11 security book - Application security chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Application security
:::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
:::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
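Review bot: the second image directive references `source="images/application-security-on.png"` but `lightbox="images/application-security.png"`, so the enlarged view would open a different file than the inline one; confirm which image is intended and make both attributes agree. The alt text "Diagram of containing a list of security features" needs the same grammar fix as the other chapter pages.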

View File

@ -0,0 +1,58 @@
---
title: Cloud services - Protect your personal information
description: Windows 11 security book - Cloud services chapter - Protect your personal information.
ms.topic: overview
ms.date: 04/09/2024
---
# Protect your personal information
:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
## Microsoft Account
Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
## User reauthentication before password disablement
Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
## Find my device
When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
## OneDrive for personal
Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [OneDrive](/onedrive/plan-onedrive-enterprise)
In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
## OneDrive Personal Vault
OneDrive Personal Vault<sup>[\[9\]](conclusion.md#footnote9)</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
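Review bot: "Microsoft OneDrive17 for personal" carries a bare footnote digit fused to the product name, a leftover from the PDF source, whereas OneDrive Personal Vault below uses the proper form `<sup>[\[9\]](conclusion.md#footnote9)</sup>`; convert it to the same superscript link. Footnote 9 is also used for Microsoft Intune in the application-and-driver-control page of this same commit, so verify that Personal Vault is really meant to share footnote 9 rather than its own number. The three consecutive "Learn more" blocks under OneDrive for personal, with a paragraph sandwiched between them, read as three separate sections; merge them into a single "Learn more" list after the ransomware paragraph. Same alt-text grammar fix ("Diagram of containing") as the other chapter pages.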

View File

@ -0,0 +1,269 @@
---
title: Cloud services - Protect your work information
description: Windows 11 security book - Cloud services chapter - Protect your work information.
ms.topic: overview
ms.date: 04/09/2024
---
# Protect your work information
:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
## Microsoft Entra ID
Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, it receives the following security benefits:
- Default managed user and device settings and policies
- Single sign-in to all Microsoft Online Services
- Full suite of authentication management capabilities using Windows Hello for Business
- Single sign-on (SSO) to enterprise and SaaS applications
- No use of consumer Microsoft Account identity
Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
## Modern device management through (MDM)
Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industrystandard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
Windows 11 built-in management features include:
- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Mobile device management overview](/windows/client-management/mdm-overview)
## Microsoft security baselines
Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
## MDM security baseline
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
The security baseline includes policies for:
- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
## Microsoft Intune
Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
### Local Administrator Password (LAPs)
Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
### Mobile Application Management (MAM)
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
## Remote Wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
## Microsoft Azure Attestation Service
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
- Verify that security features are in the expected states
Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Azure Attestation overview](/azure/attestation/overview)
## Windows Update for Business deployment service
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
## Windows Autopatch
Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
There's a lot more to learn about Windows Autopatch:
- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers
- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service
- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
## Windows Autopilot and zero-touch deployment
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
- From a user perspective, it only takes a few simple operations to get their device ready for use
- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
Windows Autopilot enables you to:
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
- Automatic upgrade to Enterprise Edition if required
- Restrict administrator account creation
- Create and auto-assign devices to configuration groups based on a device's profile
- Customize Out of Box Experience (OOBE) content specific to the organization
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
## Enterprise State Roaming with Azure
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility + Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
## Universal Print
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
Universal Print supports Zero Trust security by requiring that:
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption)
- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
## OneDrive for work or school
Data in OneDrive for work or school is protected both in transit and at rest.
When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
There are several ways that OneDrive for work or school is protected at rest:
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)
- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
## MDM enrollment certificate attestation
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
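Review bot: The MAM paragraph at "With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows..." appears twice in this hunk, once under the "### Mobile Application Management (MAM)" heading and again verbatim after the "Windows LAPS overview" learn-more block; the second copy should be dropped. Two endnote references in the Microsoft Intune section are still bare PDF digits rather than links: "Microsoft Intune15 is a comprehensive endpoint management solution" and "in compliance with company policies.16" should use the same `<sup>[\[n\]](conclusion.md#footnoten)</sup>` form the rest of the chapter uses (as in "Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>"), and the corresponding anchors `footnote15` and `footnote16` need to exist in conclusion.md. The "### Local Administrator Password (LAPs)" heading does not match the feature name used in its body and in the learn-more link ("Windows LAPS"); suggest "### Local Administrator Password Solution (LAPS)". Smaller copy issues in the same hunk: "industrystandard" and "zerotouch" lost their hyphens in the PDF conversion; "requires an Microsoft Entra ID Premium subscription" should read "a Microsoft Entra ID Premium subscription"; the Windows Update for Business paragraph ends with "read [here](...)[.](...)" where the period has been turned into a second link; the sentence ending "giving admins great control over their deployments" has no terminating period; the Remote Wipe section uses an inline "Learn More:" instead of the learn-more icon block used everywhere else; and the Universal Print bullet "uses SSL with TLS 1.2 protection" should say TLS 1.2 only, since SSL is the deprecated predecessor rather than the transport in use.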

View File

@ -0,0 +1,16 @@
---
title: Cloud services
description: Windows 11 security book - Cloud services chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Cloud services
:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
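Review bot: The alt-text on the second image in this hunk, "Diagram of containing a list of security features.", is ungrammatical; suggest "Diagram containing a list of security features." The same alt-text string is reused on other chapter cover images in this commit, so fixing it once in each file keeps them consistent.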

View File

@ -0,0 +1,92 @@
---
title: Conclusion
description: Conclusion
ms.topic: overview
ms.date: 04/09/2024
---
# Conclusion
We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
## What's new
New:
- Config Refresh
- 5G and eSIM
- Win32 apps in isolation (public preview)
- Passkey
- Sign-in Session Token Protection
- Windows Local Administrator Password Solution (LAPS) (public preview)
- Microsoft Intune Suite Endpoint Privilège Management (EPM)
- Microsoft Intune Suite Endpoint Privilege Management (EPM)
Enhanced:
- Hardware security user experience
- BitLocker to go
- Device encryption
- Windows Firewall
- Server Message Block direct
- Smart App Control (SAC) going into Enforcement mode
- Application Control for Business
- Enhanced Sign-in security (ESS)
- Windows Hello for Business
- Presence Detection
- Wake on approach, lock on leave
- Universal Print
- Lockout policies for local admin
- Enhanced Phishing protection
## Document revision history
| Date | Summary |
|-|-|
|November 2021 |Link updates and formatting.|
|February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.|
|April 2022| Added Upcoming features section.|
| September 2022| Updates with Windows 11 2022 Update features and enhancements.|
|April 2023| Minor edits and updates to edition availability.|
|September 2023| Updates with Windows 11 2023 Update features and enhancement.|
|May 2024| Move form PDF format to web format.|
## Endnotes
<sup><a name="footnote1"></a>1</sup> "2023 Data Breach Investigations Report" - Verizon, 2023.\
<sup><a name="footnote2"></a>2</sup> "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
<sup><a name="footnote3"></a>3</sup> Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
<sup><a name="footnote4"></a>4</sup> Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
<sup><a name="footnote5"></a>5</sup> Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
<sup><a name="footnote6"></a>6</sup> Requires developer enablement.\
<sup><a name="footnote7"></a>7</sup> Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
<sup><a name="footnote8"></a>8</sup> Commissioned study delivered by Forrester Consulting. "The Total Economic Impact&trade; of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
<sup><a name="footnote9"></a>9</sup> Sold separately.\
<sup><a name="footnote"></a>10</sup> Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\
<sup><a name="footnote"></a>11</sup> Microsoft internal data.\
<sup><a name="footnote"></a>12</sup> Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\
<sup><a name="footnote"></a>13</sup> Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\
<sup><a name="footnote"></a>14</sup> Hardware dependent.\
<sup><a name="footnote"></a>15</sup> Microsoft 365 E3 or E5 required; sold separately.\
<sup><a name="footnote"></a>16</sup> The Total Economic Impact&trade; of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\
<sup><a name="footnote"></a>17</sup> All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.
---
> The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
>
> This paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
>
> Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
>
> Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
>
> &copy; 2024 Microsoft Corporation. All rights reserved.
>
> Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
>
> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
>
> Part No. May 2024
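Review bot: The "New:" list contains the EPM item twice, "- Microsoft Intune Suite Endpoint Privilège Management (EPM)" immediately followed by "- Microsoft Intune Suite Endpoint Privilege Management (EPM)"; the first, misspelled copy should be removed. In the Endnotes, footnotes 10 through 17 all use `<sup><a name="footnote"></a>10</sup>` with the same unnumbered anchor name, so cross-references in the form `conclusion.md#footnote15` used by the other chapters cannot resolve; each should follow the pattern of notes 1 to 9 (`<a name="footnote10"></a>`, `<a name="footnote11"></a>`, and so on). The revision history row "|May 2024| Move form PDF format to web format.|" has "form" for "from". The trademark notice "Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks..." is template placeholder text that was never filled in, and "Part No. May 2024" likewise looks like an unfilled template field; both should be completed or removed before publication.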

View File

@ -0,0 +1,35 @@
---
title: Hardware root-of-trust
description: Windows 11 security book - Hardware root-of-trust.
ms.topic: overview
ms.date: 04/09/2024
---
# Hardware root-of-trust
:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
## Trusted Platform Module (TPM)
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
## Microsoft Pluton security processor
The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
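Review bot: The third paragraph overstates the guarantee: "helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution" promises an absolute outcome, while the same section only claims that secrets "cannot be easily extracted" and that embedding Pluton "makes it harder to exploit the communication path". Suggest "helps protect sensitive data even against emerging techniques such as speculative execution" so all three statements make the same strength of claim. Minor: the availability sentence at the end of the fourth paragraph ("Microsoft Pluton is available with select new Windows PCs.") is unrelated to the firmware-update point of that paragraph and reads better as its own line ahead of the Learn more list.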


@ -0,0 +1,82 @@
---
title: Silicon assisted security
description: Windows 11 security book - Silicon assisted security.
ms.topic: overview
ms.date: 04/09/2024
---
# Silicon assisted security
:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
## Secured kernel
To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
## Hardware-enforced stack protection
Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
## Kernel Direct Memory Access (DMA) protection
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
## Secured-core PC
The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
## Secured-core configuration lock
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
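Review bot: In the Secured-core PC section, "System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor" defines SMM, not SMM isolation; the rest of the paragraph then correctly treats SMM isolation as the policy that restricts what SMM code may do. Suggest splitting the sentence: "System Management Mode (SMM) is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM isolation complements the protections provided by DRTM ...". Also in this file: the Secured kernel section says both that "most new devices will come with VBS and HVCI protection turned on by default" and, two paragraphs later, that they are "turned on by default for all devices that meet prerequisites"; pick one formulation. The VBS paragraph is hard-wrapped mid-sentence ("... platform secrets in the VBS environment. VBS" / "implements virtual trust level 1 (VTL1) ..."), the only hard wrap in the file, and should be joined. "Control- flow Enforcement Technology" has a stray space after the hyphen. The two Learn more links under HVCI both resolve to the enable-virtualization-based-protection-of-code-integrity article, once relative and once absolute; keep one. The cover image alt text "Diagram of containing a list of security features." is ungrammatical; "Diagram containing a list of security features." is what a screen reader should announce.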


@ -0,0 +1,16 @@
---
title: Hardware security
description: Windows 11 security book - Hardware security chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Hardware security
:::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
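Review bot: The second image directive has mismatched paths: `source="images/hardware-on.png"` but `lightbox="images/hardware.png"`, so the click-to-enlarge view opens a different file than the one displayed inline; both attributes should name the same image (the silicon-assisted-security page in this commit uses `images/hardware.png` for both). The alt text "Diagram of containing a list of security features." is ungrammatical here as in the other chapter pages; suggest "Diagram containing a list of security features."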


@ -0,0 +1,96 @@
---
title: Identity protection - Advanced credential protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Advanced credential protection
:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
## Enhanced phishing protection with Microsoft Defender SmartScreen
As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
## Local Security Authority (LSA) protection
Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
## Credential Guard
Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
## Remote Credential Guard
Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
## Token protection
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[9\]](conclusion.md#footnote9)</sup> can be configured to require token protection when using sign-in tokens for specific services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
## Sign-in session token protection policy
At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
## Account lockout policies
New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
## Access management and control
Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Access control](/windows/security/identity-protection/access-control/access-control)
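Review bot: The "Token protection" and "Sign-in session token protection policy" sections describe the same feature (cryptographically binding a token to the device so it cannot be replayed from another device) and both Learn more links resolve to /azure/active-directory/conditional-access/concept-token-protection, so they should be merged into one section; the second also pins the feature to a "public preview" announced in March 2023, a statement that will go stale and should be checked against the feature's current status before publishing. Also: the opening sentence says organizations "can strengthen security ... with Credential Guard and Remote Credential Guard", but the page also covers SmartScreen phishing protection, LSA protection, token protection, account lockout and access control, so the intro undersells its own content. In the account lockout paragraph the policy names are not set off from the prose ("The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes"); bold or quote them as UI strings. In the access control section, "Being able to audit when a resource attempts to read or write part of the operating system" should read "when a user or process attempts to read or write", since the resource is the object being accessed, not the actor. The Remote Credential Guard link text carries the site suffix ("- Windows Security | Microsoft Learn") unlike every other link on the page.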


@ -0,0 +1,172 @@
---
title: Identity protection - Passwordless sign-in
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Passwordless sign-in
:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
## Windows Hello
Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
## Windows Hello for Business
Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
## Windows Hello for Business Passwordless
Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
Provisioning methods include:
- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
## Windows Hello PIN
The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
## Windows Hello biometric sign-in
Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
## Windows Hello Enhanced Sign-in Security
Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
## Windows Hello for Business multi-factor unlock
For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
## Windows presence sensing
Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
## Developer APIs and app privacy support for presence sensing
Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
## FIDO support
The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
## Passkeys
Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey from Windows Hello, an external security provider, or their mobile device.
Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users can manage passkeys on their device on Windows 11 account settings.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
## Microsoft Authenticator
The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
## Smart cards for Windows service
Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
**Smart cards provide:**
- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
## Federated sign-in
Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
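Review bot: the first sentence of the "Windows presence sensing" section has a footnote marker fused into the text ("Windows presence sensing14 provides"); it should be a separated superscript/reference (e.g. `Windows presence sensing<sup>14</sup>`) or dropped if the footnote list is not carried into this chapter. Also in this hunk: the biometric requirements sentence links the same URL twice as `[Microsoft](...) [Windows Hello biometric requirements](...)` and should be one link; "thirdparty" and "crossplatform" are missing their hyphens; and the Microsoft Authenticator paragraph has a hard line break after "helps keep" that splits one sentence across two source lines.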
@ -0,0 +1,16 @@
---
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Identity protection
:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
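Review bot: the statistic sentence carries a fused footnote marker ("per second.11"), which should be a separate superscript or reference like the other chapters use. Two smaller points in the same hunk: the second image's alt text "Diagram of containing a list of security features." is ungrammatical (drop "of", or rewrite as "Diagram listing the identity protection security features"), and the front-matter description "Windows 11 security book -Identity protection chapter." is missing the space after the hyphen.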
@ -0,0 +1,3 @@
<svg width="22" height="18" viewBox="0 0 22 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 2.25C0 1.00736 1.00736 0 2.25 0H12.6C13.8426 0 14.85 1.00736 14.85 2.25V15.075C14.85 15.4478 14.5478 15.75 14.175 15.75H1.35C1.35 16.2471 1.75295 16.65 2.25 16.65H14.175C14.5478 16.65 14.85 16.9522 14.85 17.325C14.85 17.6978 14.5478 18 14.175 18H2.25C1.00736 18 0 16.9926 0 15.75V2.25ZM7.425 5.4C7.92207 5.4 8.325 4.99705 8.325 4.5C8.325 4.00295 7.92207 3.6 7.425 3.6C6.92793 3.6 6.525 4.00295 6.525 4.5C6.525 4.99705 6.92793 5.4 7.425 5.4ZM6.75 6.975V11.475C6.75 11.8478 7.05222 12.15 7.425 12.15C7.79778 12.15 8.1 11.8478 8.1 11.475V6.975C8.1 6.60221 7.79778 6.3 7.425 6.3C7.05222 6.3 6.75 6.60221 6.75 6.975Z" fill="#0883D9"/>
</svg>