mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
updates
@ -57,6 +57,14 @@ Both these features use a new [Global Secure Access client for Windows](/entra/g
- [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access)
- [Microsoft Entra Internet Access](/entra/global-secure-access/concept-internet-access)
### Enterprise State Roaming
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enterprise State Roaming in Microsoft Entra ID](/entra/identity/devices/enterprise-state-roaming-enable)
## Cloud-native management
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
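Review bot: the Enterprise State Roaming paragraph in this hunk has a stray backtick before "license" ("`license, Enterprise State Roaming provides ..."), apparently left behind when the "or Enterprise Mobility + Security (EMS)" clause was cut; drop the backtick. In the same hunk the Microsoft Intune mention in the Cloud-native management paragraph carries footnote [9] (conclusion.md#footnote9), while the Microsoft Intune section later in this file cites the product as [15] (conclusion.md#footnote15); check which footnote is correct so the same product is not cited two different ways.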
@ -70,6 +78,60 @@ Windows 11 built-in management features include:
- [Mobile device management overview](/windows/client-management/mdm-overview)
## Microsoft Intune
Microsoft Intune<sup>[\[15\]](conclusion.md#footnote15)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[15\]](conclusion.md#footnote16)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3)
### Mobile Application Management (MAM)
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
## MDM enrollment certificate attestation
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
## Local Administrator Password (LAPs)
Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS, organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
## Microsoft security baselines
Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
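Review bot: the moved Intune block carries over several defects, and this move is the natural place to fix them. The MAM paragraph ("With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows ...") appears twice under the same "### Mobile Application Management (MAM)" heading, once at the top of the section and again just before its Learn more list; keep one copy. The footnote after "in compliance with company policies" shows [15] but links to conclusion.md#footnote16, so either the visible number or the anchor is wrong. The heading "## Local Administrator Password (LAPs)" spells it "LAPs" while the body uses "LAPS". The WUfB sentence ("... giving admins great control over their deployments") has no terminating period, and the App Control for Business, Config Refresh and update-flow paragraphs sit under the MAM heading although none of them is a MAM feature; a separate subheading or a move to the Intune introduction would read better.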
@ -98,60 +160,6 @@ The security baseline has been enhanced with over 70 new settings, enabling loca
- [Intune security baseline overview](/mem/intune/protect/security-baselines)
- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
## MDM enrollment certificate attestation
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
## Microsoft Intune
Microsoft Intune<sup>[\[15\]](conclusion.md#footnote15)</sup> is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[15\]](conclusion.md#footnote16)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3)
### Local Administrator Password (LAPs)
Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
### Mobile Application Management (MAM)
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
## Remote Wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
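Review bot: the sections deleted in this hunk reappear earlier in the file, but not identically, and the differences deserve a deliberate decision rather than a silent move. The old "### Local Administrator Password (LAPs)" was a level-3 subsection under Microsoft Intune and said "With LAPS (available in preview), organizations can ..."; the new copy is promoted to a level-2 "## Local Administrator Password (LAPs)" and drops the preview qualifier. If Windows LAPS is now generally available the wording change is right, but the promotion leaves EPM and MAM at level 3 under Intune while LAPS sits at level 2 beside it; pick one level for all three so the Intune subsections stay grouped. The MDM enrollment certificate attestation section likewise moves from after the security baselines to before LAPS without any change to its text, which is fine, but a commit message of "updates" does not tell a reviewer which sections were moved and which were reworded.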
@ -251,14 +259,6 @@ Explore more about Windows Autopatch through [Forrester study](https://aka.ms/Au
- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
## Enterprise State Roaming with Azure
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility + Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
## Universal Print
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
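Review bot: the removed "## Enterprise State Roaming with Azure" section listed the Enterprise Mobility + Security (EMS) license as an alternative entitlement and linked the FAQ page (/azure/active-directory/devices/enterprise-state-roaming-faqs); the replacement "### Enterprise State Roaming" section near the top of the file names only Microsoft Entra ID Premium and links /entra/identity/devices/enterprise-state-roaming-enable. Confirm the EMS omission is intentional rather than part of the incomplete edit that left a stray backtick in the new paragraph, and consider keeping the FAQ link alongside the enable page, since the two answer different questions. The surrounding Universal Print context is unchanged; if it is touched in a follow-up, "vulnerabilities in driver model" should read "in the driver model".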