mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
updates
@ -15,17 +15,14 @@ Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'
Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
To reduce the risk of firmware rootkits, the PC verifies that firmware is digitally signed as it begins the boot process. Then Secure Boot checks the OS bootloader's digital signature as well as all code that runs prior to the operating system starting to ensure the signature and code are uncompromised and trusted by the Secure Boot policy.
To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy.
Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
- [Secure the Windows boot process][LINK-1]
- [Secure Boot and Trusted Boot][LINK-2]
## Cryptography
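Review bot: the context sentence near the end of this hunk, "Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.", restates the second sentence of the section's opening paragraph ("Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence ..."); since the surrounding text is being reworded in this change, drop one of the two or recast the later one as the summary of the Trusted Boot chain described just above it. Swapping the inline relative `.md` links for [LINK-1] and [LINK-2] is consistent with the link table this change adds at the end of the file.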
@ -56,20 +53,20 @@ exchange, opportunities to engage with technical content about Microsoft's produ
## Certificates
To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust have not been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices will be updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
## Code signing and integrity
To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) (WHCP). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)][LINK-3]. This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
## Device health attestation
The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup> reviews device health and connects this information with Microsoft Entra ID<sup>[\[7\]](conclusion.md#footnote7)</sup> for conditional access.
Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
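Review bot: the reworded attestation paragraph (the "antimalware" to "anti-malware" line) still carries two wording problems from the original: "These events are bound to the TPM, that functions as a hardware root-of-trust" should read "which functions", and "reliant parties" should be "relying parties", the standard term in PKI and attestation. Since this hunk also touches the code-signing section, note that "creates a digital signature by encrypting the hash of the file with the private key" describes signing loosely; "by signing the hash of the file with the private key" is more accurate and matches the verification wording that follows. The "have not" to "haven't" and "will be updated" to "are updated" edits in the certificates paragraph are fine and match the contraction style used elsewhere in the file.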
@ -80,7 +77,7 @@ A summary of the steps involved in attestation and Zero-Trust on a Windows devic
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Control the health of Windows devices](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)
- [Control the health of Windows devices][LINK-4]
## Windows security policy settings and auditing
@ -103,8 +100,8 @@ All auditing categories are disabled when Windows is first installed. Before ena
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
- [Security policy settings][LINK-5]
- [Security auditing][LINK-6]
## Windows security settings
@ -112,8 +109,8 @@ Visibility and awareness of device security and health are key to any action tak
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows security settings](https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963)
- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
- [Windows security settings][LINK-7]
- [Windows Security][LINK-8]
## Config Refresh
@ -127,11 +124,11 @@ Config Refresh can also be paused for a configurable period of time, after which
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Config Refresh](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921#:~:text=With%20Config%20Refresh,%20you%20can%20now)
- [Config Refresh][LINK-9]
## Kiosk mode
With Assigned Access and Shell Launcher, you can configure Windows to restrict functionality to pre-selected applications. These features are ideal for public-facing or shared devices like kiosks. Configuring a device as a kiosk is straightforward and can be done locally on the device or through a cloud-based device management solution like Microsoft Intune.
With Assigned Access and Shell Launcher, you can configure Windows to restrict functionality to preselected applications. These features are ideal for public-facing or shared devices like kiosks. Configuring a device as a kiosk is straightforward and can be done locally on the device or through a cloud-based device management solution like Microsoft Intune.
[!INCLUDE [learn-more](includes/learn-more.md)]
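Review bot: the Config Refresh link that becomes [LINK-9] keeps the `#:~:text=With%20Config%20Refresh,%20you%20can%20now` text-fragment from the old inline URL; a text fragment is a browser-specific scroll hint that stops working silently if the post's wording changes, so the reference should point at the blog post itself with the fragment dropped. The "pre-selected" to "preselected" edit in the Kiosk mode paragraph is fine.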
@ -151,5 +148,29 @@ Windows protected print mode is designed to work with Mopria certified printers
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows protected print mode](/windows-hardware/drivers/print/modern-print-platform)
- [New, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645)
- [Windows protected print mode][LINK-10]
- [New, modern, and secure print experience from Windows][LINK-11]
## Rust in Windows
Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Rust for Windows, and the windows crate][LINK-12]
<!--links-->
[LINK-1]: /windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process
[LINK-2]: /windows/security/operating-system-security/system-security/trusted-boot
[LINK-3]: /windows-hardware/design/compatibility/
[LINK-4]: /windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
[LINK-5]: /windows/security/threat-protection/security-policy-settings/security-policy-settings
[LINK-6]: /windows/security/threat-protection/auditing/security-auditing-overview
[LINK-7]: https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963
[LINK-8]: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
[LINK-9]: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921#:~:text=With%20Config%20Refresh,%20you%20can%20now
[LINK-10]: /windows-hardware/drivers/print/modern-print-platform
[LINK-11]: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645
[LINK-12]: /windows/dev-environment/rust/rust-for-windows
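Review bot: the new "Rust in Windows" section states that Rust is being integrated into the Windows kernel, but its only learn-more entry, [LINK-12] "Rust for Windows, and the windows crate", is the developer guide for building Windows applications with the windows crate and does not cover kernel work; either add a reference that supports the kernel statement or reword the learn-more entry so readers are not sent to the wrong material. The opening claim that Rust "was designed to prevent ... null pointer dereferencing and buffer overflows" holds for safe Rust; a short qualifier such as "in safe code" keeps it accurate. The link table itself is complete: every [LINK-n] reference used in the file, 1 through 12, has a matching definition here.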