Update cloud services chapter with new images and content

Paolo Matarazzo 2024-04-26 12:46:18 -04:00
parent cbbec4d31b
commit 9dfb2bd791
10 changed files with 50 additions and 70 deletions


@ -45,7 +45,7 @@ In the event of a ransomware attack, OneDrive can enable recovery. And if backup
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware?view=o365-worldwide)
- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@ -56,9 +56,3 @@ In the event of a ransomware attack, OneDrive can enable recovery. And if backup
OneDrive Personal Vault<sup>[\[9\]](conclusion.md#footnote9)</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
---
:::image type="icon" source="images/go-to-section.svg" border="false"::: **Go to section:**
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
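Review bot: removing the Personal Vault paragraph also removes the only reference in this file to the "set up a Personal Vault" guidance and the identity-verification step that protects sensitive files, plus the trailing "Go to section" and "Learn more" callouts. If the drop is intentional, confirm that the section still closes with the standard callout block used elsewhere in the chapter and that the conclusion.md#footnote9 entry is still reached from the remaining text.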


@ -11,9 +11,9 @@ ms.date: 04/09/2024
## Microsoft Entra ID
[Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1)[<sup>[\[9\]](conclusion.md#footnote9)</sup>](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) [(formerly Azure Active Directory)](https://www.microsoft.com/security/business/identity-access/azure-active-directory?rtc=1) is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID—also called Workplace joined—IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
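Review bot: the added opening sentence is missing a comma after the parenthetical: "Microsoft Entra ID, formerly Azure Active Directory, is a comprehensive cloud-based identity management solution". The rewrite also drops both the product link and the `<sup>[\[9\]](conclusion.md#footnote9)</sup>` footnote that the removed line carried; later hunks in this commit keep that footnote on Microsoft Entra ID, so either keep it here or drop it consistently.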
@ -35,8 +35,7 @@ Every Windows device has a built-in local administrator account that must be sec
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)[](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
@ -47,8 +46,8 @@ Windows 11 supports modern device management through mobile device management (M
Windows 11 built-in management features include:
- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@ -72,13 +71,10 @@ Windows 11 can be configured with Microsoft's MDM security baseline backed by AD
The security baseline includes policies for:
- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall.
- Restricting remote access to devices.
- Setting credential requirements for passwords and PINs.
- Restricting use of legacy technology.
- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@ -124,11 +120,9 @@ When a device is lost or stolen, IT administrators might want to remotely wipe d
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data.
- Reset the device and clean the drive.
- Reset the device but persist user accounts and data.
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
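Review bot: the trailing context line `Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)` uses plain text where every other section uses the `:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**` callout followed by a bullet. Since this commit is normalizing list punctuation in this file anyway, converting that line to the same callout pattern would keep the chapter consistent.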
@ -138,13 +132,11 @@ Remote attestation helps ensure that devices are compliant with security policie
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log.
- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
- Verify that security features are in the expected states
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM.
- Verify that security features are in the expected states.
Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party—such as Microsoft Intune—to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@ -152,9 +144,9 @@ Once this verification is complete, the attestation service returns a signed rep
## Windows Update for Business deployment service
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)[,](/windows/deployment/update/wufb-reports-overview) the service provides control over the approval, scheduling, and safeguarding of updatesdelivered straight from Windows Update to managed devices.
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update)[,](/graph/windowsupdates-manage-driver-update) expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) [](/graph/windowsupdates-deploy-expedited-update)and [feature updates](/graph/windowsupdates-deploy-update)[.](/graph/windowsupdates-deploy-update)
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
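Review bot: the added second paragraph keeps a subject-verb mismatch, "The deployment services currently allows"; it should read "The deployment service currently allows". The trailing context line still contains the stray empty-text link artifact `read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)` that this hunk removes from the lines above it; fix it in the same pass so the period is plain text.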
@ -168,7 +160,7 @@ Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates u
From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
There's a lot more to learn about Windows Autopatch: this [Forrester study commissioned by](https://aka.ms/AutopatchProductivity) [Microsoft](https://aka.ms/AutopatchProductivity) analyzes the impact of Windows Autopatch on real customers, [regular IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service, and the [community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team.
There's a lot more to learn about Windows Autopatch: this [Forrester study commissioned by](https://aka.ms/AutopatchProductivity) Microsoft analyzes the impact of Windows Autopatch on real customers, [regular IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service, and the [community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
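Review bot: the rewritten sentence now ends the link text mid-phrase, "[Forrester study commissioned by](https://aka.ms/AutopatchProductivity) Microsoft", which reads oddly and leaves "Microsoft" unlinked. Suggest "[Forrester study commissioned by Microsoft](https://aka.ms/AutopatchProductivity)".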
@ -178,25 +170,19 @@ There's a lot more to learn about Windows Autopatch: this [Forrester study commi
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
- From a user perspective, it only takes a few simple operations to get their device ready for use.
- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point.
- From a user perspective, it only takes a few simple operations to get their device ready for use
- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
Windows Autopilot enables you to:
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory<sup>[\[9\]](conclusion.md#footnote9)</sup> via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction)[.](/azure/active-directory/device-management-introduction)
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
- Automatic upgrade to Enterprise Edition if required
- Restrict administrator account creation
- Create and auto-assign devices to configuration groups based on a device's profile
- Customize Out of Box Experience (OOBE) content specific to the organization
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration).
- Automatic upgrade to Enterprise Edition if required.
- Restrict administrator account creation.
- Create and auto-assign devices to configuration groups based on a device's profile.
- Customize Out of Box Experience (OOBE) content specific to the organization.
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset)[.](/mem/autopilot/windows-autopilot-reset) The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
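Review bot: the added Auto-enroll bullet carries over "requires an Microsoft Entra ID Premium subscription"; it should be "a Microsoft Entra ID Premium subscription". In the same list, introduced by "Windows Autopilot enables you to:", the bullet "Automatic upgrade to Enterprise Edition if required" is a noun phrase among imperative verbs; "Automatically upgrade to Enterprise Edition if required" would match its neighbours.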
@ -228,23 +214,25 @@ Universal Print supports Zero Trust security by requiring that:
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication.
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications—for example, the Universal Print connector—are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant.
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant.
- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached.
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products. More information about Universal Print data residency and encryption can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Funiversal-print%2Ffundamentals%2Funiversal-print-encryption&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NHB%2FCEOs%2B%2F3kamLH631Too9zlItJBcLlAKVAtRkDnGc%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Funiversal-print%2Ffundamentals%2Funiversal-print-encryption&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NHB%2FCEOs%2B%2F3kamLH631Too9zlItJBcLlAKVAtRkDnGc%3D&reserved=0)
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fm365-dr-overview%3Fview%3Do365-worldwide&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1iz%2BPywZ6mynk5ywld7sUdgeRFhWArmis9JYuMOZSNQ%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fm365-dr-overview%3Fview%3Do365-worldwide&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1iz%2BPywZ6mynk5ywld7sUdgeRFhWArmis9JYuMOZSNQ%3D&reserved=0)
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide).
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode)[.](/universal-print/fundamentals/universal-print-qrcode)
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit. Detailed configuration information can be found [here](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Funiversal-print%2Fportal%2Fdelegated-admin&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9wg1Ju2YMKS1IwkZr8ms2X6%2B7mPC4%2FFpZBEzAumJCvs%3D&reserved=0)[.](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Funiversal-print%2Fportal%2Fdelegated-admin&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9wg1Ju2YMKS1IwkZr8ms2X6%2B7mPC4%2FFpZBEzAumJCvs%3D&reserved=0)
Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Universal Print](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fwindows%2Funiversal-print&data=05%7C01%7Cnganguly%40microsoft.com%7C4cf654ec95f14b9b4bd408db558104cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638197784866029671%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KDsmUMf2QpFYrYIZ6A8jXo6KP4LsdYM5FYfEXfzfpBc%3D&reserved=0)
- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption)
- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
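Review bot: the added sentence "Universal Print stores the print data in cloud securely in Office Storage" keeps the missing article from the removed line; suggest "stores print data securely in the cloud in Office Storage". The new m365-dr-overview link keeps `?view=o365-worldwide`, while the OneDrive ransomware hunk in this same commit strips that query string from a docs link; apply the same treatment to both. Replacing the safelinks-wrapped URLs with canonical ones is the right call, since the wrapped form embedded a tenant-specific tracking payload.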
@ -262,17 +250,17 @@ Authenticated connections are not allowed over HTTP and instead redirect to HTTP
There are several ways that OneDrive for work or school is protected at rest:
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)[.](/compliance/assurance/assurance-datacenter-physical-access-security)
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations.
- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. [The](https://technet.microsoft.com/security/dn440717.aspx) [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983)[,](https://technet.microsoft.com/dn800983) people across the world can earn money by reporting vulnerabilities.
- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities.
- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)[](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
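Review bot: the Application security bullet still points at technet.microsoft.com URLs for the Microsoft Security Response Center and the Cloud Bug Bounty Terms; since this hunk is already cleaning those link artifacts, verify that both addresses still resolve and, if they only redirect, replace them with the current pages in the same pass.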
## MDM enrollment certificate attestation


@ -7,6 +7,8 @@ ms.date: 04/09/2024
# Cloud services
:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
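Review bot: the added diagram line has ungrammatical alt text, "Diagram of containing a list of security features."; suggest "Diagram containing a list of security features." The same line sets `source="images/cloud-security-on.png"` but `lightbox="images/cloud-security.png"`, two different files; confirm both are among the binaries added in this commit, or point source and lightbox at the same image as the identity-protection chapter does.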


@ -25,7 +25,7 @@ The Microsoft Pluton security processor is the result of Microsoft's close partn
Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive dataeven if attackers use emerging techniques like speculative execution.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.


@ -9,7 +9,7 @@ ms.date: 04/09/2024
:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
Passwords are inconvenient to use and prime targets for cybercriminalsand they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
## Windows Hello
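Review bot: the rewritten "Passwords are inconvenient" line still reads as a contradiction once the dash is restored ("prime targets for cybercriminals - and they've been an important part of digital security for years"); the intended connective is adversative, so "yet they've been" or "and yet they've been" carries the meaning the next sentence ("That changes with...") depends on. Separately, the unchanged `:::image` line above it has the alt text "Diagram of containing a list of security features.", which is ungrammatical and worth fixing while this file is being edited.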
@ -74,7 +74,7 @@ Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) an
These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinationsplease check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
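Review bot: on the Enhanced Sign-in Security line, "camera combinations - please check with the specific device manufacturer" splices an imperative onto a statement with a dash; a full stop ("...silicon and camera combinations. Check with the device manufacturer.") reads better, and the following "Please reach out to specific OEMs for support details" then repeats the same instruction and could be merged into that one sentence.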

Binary file not shown.

Before

Width:  |  Height:  |  Size: 251 KiB

After

Width:  |  Height:  |  Size: 250 KiB

View File

@ -11,4 +11,4 @@ ms.date: 04/09/2024
:::image type="content" source="images/privacy-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/)[.](https://privacy.microsoft.com/) Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collectedso providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/)[.](https://privacy.microsoft.com/) Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
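Review bot: the rewritten privacy line keeps the stray trailing link `[.](https://privacy.microsoft.com/)`, which renders the full stop as a second hyperlink; this commit removes the same kind of link fragment in the OneFuzz and Windows App SDK hunks, so fold the period into the sentence here as well: `[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/).` The unchanged `:::image` line above also sets `source` to `images/privacy-on.png` but `lightbox` to `images/privacy.png`; confirm whether both should reference the same file.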

View File

@ -15,9 +15,9 @@ The Microsoft Security Development Lifecycle (SDL) introduces security best prac
## OneFuzz service
A range of tools and techniques—such as threat modeling, static analysis, fuzz testing, and code quality checks—enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz—an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft—is now available to developers around the world through GitHub as an open-source tool.
Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
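Review bot: both rewritten lines in this hunk only swap em-dash pairs for spaced hyphens, consistent with the rest of the commit. One content point on the second line: "Project OneFuzz ... is now available to developers around the world through GitHub" names the repository but does not link it, while the surrounding pages link every product they mention, so a link on "Project OneFuzz" (or on "GitHub") would match the page's pattern and give readers the actual destination.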
@ -26,7 +26,7 @@ Microsoft is dedicated to working with the community and our customers to contin
## Microsoft Offensive Research and Security Engineering
[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) [](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c)performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
## Windows Insider and Bug Bounty program
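Review bot: the MORSE line's link target looks wrong: the text reads "Microsoft Offensive Research and Security Engineering" but the URL is `https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=...`, a Windows App SDK samples repository with a click-tracking query string appended. Dropping the empty `[](...)` fragment is right, but verify the intended destination and strip the `?msclkid=` parameter, which has no place in a documentation link.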

View File

@ -63,4 +63,4 @@ Traditionally, code signing has been a difficult undertaking due to the complexi
Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
If you are a developer, you can find security best practices and information at [Windows](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy) [application development—best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) [](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[Samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples)[.](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples) For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
If you are a developer, you can find security best practices and information at [Windows application development - best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples). For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
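Review bot: consolidating the fragmented links is correct, but the targets do not match their link text: "Windows App SDK samples on GitHub" points at `/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples` (a FIPS 140 validation page, not GitHub), and "Windows application development - best practices" points at a Common Criteria page anchor (`windows-platform-common-criteria#security-and-privacy`). Both anchors look copied from another page; verify the destinations before merging, since the new wording now promises a GitHub samples repository.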

View File

@ -9,13 +9,9 @@ ms.author: paoloma
# Windows and cloud security
<<<<<<< HEAD
:::image type="content" source="..\book\images\cloud-security.png" alt-text="Diagram of containng a list of security features." lightbox="..\book\images\cloud-security.png" border="false":::
=======
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
>>>>>>> d65c158b0fcdec87d3101dc5a7b2807aad0bcd95
Learn more about cloud security features in Windows.
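Review bot: this hunk carries unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> d65c158b0fcdec87d3101dc5a7b2807aad0bcd95`) around the image directive and the two intro paragraphs. The +/- prefixes are not shown in this rendering, so confirm against the raw diff that the markers are being removed rather than introduced (the -13/+9 line counts are consistent with dropping them), and resolve by keeping both the image and the prose. Two smaller points on the image line: the alt text has a typo ("containng", and "Diagram of containing" is itself ungrammatical), and the paths use backslashes (`..\book\images\cloud-security.png`) where the other files in this commit use forward slashes (`images/...`).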