From 42019d6fe3d4cb75b666ab7fa96e75e0f5a819ac Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 24 Jun 2024 09:23:55 -0700 Subject: [PATCH 01/28] Updates --- .../book/hardware-security-silicon-assisted-security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index 032a1f4c0e..02c22d7c03 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -15,7 +15,7 @@ In addition to a modern hardware root-of-trust, there are numerous other capabil To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default. -Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS +**Virtualization-based security (VBS)**, also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel. Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. 
In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. 
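Review bot: the unchanged context at the top of this hunk says "most new devices will come with VBS and HVCI protection turned on by default", while the trailing context of the next hunk in the same file says "OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites"; since this patch already touches both paragraphs, pick one statement of the default-on condition (the prerequisite-based one is the precise one) and use it in both places. The bolding of **Virtualization-based security (VBS)** is consistent with the other feature names in the file.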
@@ -24,11 +24,11 @@ Since more privileged VTLs can enforce their own memory protections, higher VTLs - [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) -Virtualization-based security enclaves, a tool to allow developers to leverage VBS by building a secure enclave within their application, which lives in secure memory. +**Virtualization-based security enclaves**, a tool to allow developers to leverage VBS by building a secure enclave within their application, which lives in secure memory. -Hypervisor-enforced Paging Translation (HVPT), overall security enhancement for the system. protects linear address translations from being tampered with +**Hypervisor-enforced Paging Translation (HVPT)**, overall security enhancement for the system. protects linear address translations from being tampered with -Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. +**Hypervisor-protected code integrity (HVCI)**, also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. 
This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. From 11023a058fc39e4d8319c1dd9e86682285295994 Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Mon, 24 Jun 2024 14:04:59 -0400 Subject: [PATCH 02/28] hardwareSecurityAshwinBaliga --- .../security/book/hardware-security-hardware-root-of-trust.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index 871680e2f4..43a29bc8d2 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
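Review bot: in the PATCH 01/28 hunk above (hardware-security-silicon-assisted-security.md, @@ -24,11 +24,11 @@), the HVPT entry is still a fragment after the bolding: "overall security enhancement for the system. protects linear address translations from being tampered with" has a stray full stop, a lower-case clause and no terminal period; suggest "**Hypervisor-enforced Paging Translation (HVPT)** is a system-wide hardening that protects linear address translations from tampering." The VBS enclaves entry has the same shape ("a tool to allow developers to leverage VBS by building a secure enclave ...") and should become a full sentence, e.g. "**Virtualization-based security enclaves** let developers use VBS by building a secure enclave inside their application that lives in secure memory." The HVCI paragraph's "protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel" would carry more weight if it said which step HVCI stops (the injected kernel-mode payload is unsigned, so KMCI never lets its pages become executable) instead of only naming the attack.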
@@ -27,6 +27,8 @@ Pluton supports the TPM 2.0 industry standard, allowing customers to immediately As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution. +In an ongoing commitment to enhancing security, there are plans to introduce additional Pluton Security Processor capabilities, such as a Key Storage Provider (KSP). This new functionality, known internally as CredGuard v2, will leverage this KSP to provide advanced protection to Azure AD and Intune credentials. This is a testament to continuous efforts to stay ahead of potential threats and provide users with the most secure experience possible. + Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From 66fe0f84dccc3d0ea8b9c6a614689e21e569ca85 Mon Sep 17 00:00:00 2001 
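Review bot: the paragraph added in PATCH 02/28 (hardware-security-hardware-root-of-trust.md) leaks an internal project name, "known internally as CredGuard v2", and uses the retired product name "Azure AD" for Microsoft Entra ID; neither belongs in a public book. PATCH 08/28 later in this series rewrites exactly this paragraph to fix both, so the two commits should be squashed. "there are plans to introduce" is also an undated commitment, which this book otherwise avoids, and "This is a testament to continuous efforts to stay ahead of potential threats ..." adds no information; keep only the sentence that says what the KSP protects.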
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 24 Jun 2024 14:17:35 -0400 Subject: [PATCH 03/28] Update windows/security/book/conclusion.md --- windows/security/book/conclusion.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index d40f57fecb..c8f4d95829 100644 --- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -7,6 +7,9 @@ ms.date: 06/17/2024 # Conclusion +## tetle 2 + +The purpose.... We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere. From eefa53ed9928b394116acc36c351d12722df5afb Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 24 Jun 2024 11:22:31 -0700 Subject: [PATCH 04/28] update --- windows/security/book/conclusion.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index c8f4d95829..d40f57fecb 100644 --- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -7,9 +7,6 @@ ms.date: 06/17/2024 # Conclusion -## tetle 2 - -The purpose.... We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere. From 582b645f7f57f0d01718ce8a1fb44737ba86b37c Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 24 Jun 2024 11:23:06 -0700 Subject: [PATCH 05/28] update --- windows/security/book/conclusion.md | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index d40f57fecb..951830adfb 100644 --- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -6,8 +6,6 @@ ms.date: 06/17/2024 --- # Conclusion - - We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere. :::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false"::: From 85d41e3657cfd1c4f72ed6a4503b848f93d12ad8 Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Tue, 25 Jun 2024 10:48:39 -0400 Subject: [PATCH 06/28] securityBookSachinGoyal --- .../book/security-foundation-offensive-research.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md index 965ecba6c0..6d55096523 100644 --- a/windows/security/book/security-foundation-offensive-research.md +++ b/windows/security/book/security-foundation-offensive-research.md 
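Review bot: squash PATCH 03/28 through PATCH 05/28 into one commit or drop them: 03 adds a placeholder heading "## tetle 2" and the stub "The purpose....", 04 reverts it, and 05 removes the two blank lines left behind, so the net change to conclusion.md is a two-line whitespace trim and the placeholder text should never appear in history.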
@@ -17,13 +17,6 @@ The Microsoft Security Development Lifecycle (SDL) introduces security best prac A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. -Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool. - -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - -- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/) -- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz) - ## Microsoft Offensive Research and Security Engineering [Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle. From 174e205eac1b4b49771781d0040745893129049b Mon Sep 17 00:00:00 2001 
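Review bot: removing the OneFuzz paragraph and its two links leaves the unchanged context below it dangling: "... deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform" now names OneFuzz with no introduction and no link. Either keep the "[OneFuzz on GitHub](https://github.com/microsoft/onefuzz)" link under the MORSE heading or drop the OneFuzz mention there too. While in this region, the MORSE heading links to https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=..., which looks unrelated to Microsoft Offensive Research and Security Engineering and carries an advertising click-ID query string; please check the intended target and strip the msclkid parameter.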
From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:09:28 -0400 Subject: [PATCH 07/28] securityBookMatthewPalko --- .../identity-protection-advanced-credential-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index f5b1e3d1a4..68a93af8fc 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md @@ -27,6 +27,8 @@ Windows has several critical processes to verify a user's identity. Verification To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management. +End users have the ability to manage their LSA protection state in the Windows Security Application under Device Security -> Core Isolation -> Local Security Authority protection. It’s important to note that the enterprise policy for LSA protection will take precedence over enablement on upgrade. This ensures a seamless transition and enhanced security for all users. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) 
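Review bot: "the enterprise policy for LSA protection will take precedence over enablement on upgrade" is ambiguous in the added paragraph: it can mean that a configured policy overrides the new default-on behaviour when a device upgrades, or that it overrides the user's toggle in the app, and these have different consequences (a tenant that explicitly set the policy to disabled would not get LSA protection from the upgrade). State which it is, and what happens on upgrade for a device with no policy configured. Smaller points: the rest of the book calls it the "Windows Security app" and writes settings paths with ">" rather than "->", and "This ensures a seamless transition and enhanced security for all users" can be dropped.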
@@ -37,6 +39,8 @@ Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-back By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. +Protections are now expanded to optionally include machine account passwords for Active Directory joined devices. Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) From dea17de702d17926cd2ae7ef23331e6522ddb0af Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Wed, 26 Jun 2024 13:00:12 -0400 Subject: [PATCH 08/28] HardwareSecurityAshwinBaligaV2 --- .../security/book/hardware-security-hardware-root-of-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index 43a29bc8d2..c9cd0c1032 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
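Review bot: in the Credential Guard hunk of PATCH 07/28, "Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy" does not say what audit mode records, what enforcement blocks, what the default is for the optional machine-account password protection, or which policy setting controls it; since this paragraph exists to tell an admin how to turn the feature on, name the setting and the two modes explicitly (e.g. "Protection of machine account passwords is off by default; the Credential Guard policy can enable it in audit mode, which only logs ..., or in enforcement mode, which ..."). Also "Active Directory joined devices" should be hyphenated as "Active Directory-joined devices" to match "enterprise-joined" earlier in the file.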
@@ -27,7 +27,7 @@ Pluton supports the TPM 2.0 industry standard, allowing customers to immediately As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution. -In an ongoing commitment to enhancing security, there are plans to introduce additional Pluton Security Processor capabilities, such as a Key Storage Provider (KSP). This new functionality, known internally as CredGuard v2, will leverage this KSP to provide advanced protection to Azure AD and Intune credentials. This is a testament to continuous efforts to stay ahead of potential threats and provide users with the most secure experience possible. +In an ongoing commitment to enhancing security, Microsoft will introduce additional Pluton Security Processor capabilities, such as a Key Storage Provider (KSP). This KSP will provide advanced protection to Microsoft Entra and Intune credentials. This is a testament to the continuous efforts to stay ahead of potential threats and provide users with the most secure experience possible. Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. 
Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. From 6439697279b102698551d21836006e686dcd5607 Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Wed, 26 Jun 2024 14:21:24 -0400 Subject: [PATCH 09/28] applicationSecurityChristianChavez --- .../book/application-security-application-isolation.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 603d0138a4..589481a1e8 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
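Review bot: squash this with PATCH 02/28, which it corrects. Even after the rewrite, "Microsoft will introduce additional Pluton Security Processor capabilities, such as a Key Storage Provider (KSP)" is still an undated commitment in a feature book, and "This is a testament to the continuous efforts to stay ahead of potential threats ..." still says nothing technical; suggest keeping just the middle sentence and replacing "advanced protection" with what the KSP actually does for Microsoft Entra and Intune credentials (which keys it keeps inside Pluton), so the paragraph connects to the extraction-resistance claim made in the paragraph above it.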
@@ -11,7 +11,7 @@ ms.date: 04/09/2024 ## Win32 app isolation -Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft. +Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level. @@ -29,6 +29,8 @@ The first factor relates to implementing methods to manage access to files and p :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Win32 app isolation](https://github.com/microsoft/win32-app-isolation) +- [Learn how to adop Win32 app isolation with Visual Studio](https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/packaging-with-visual-studio.md) +- [Sandboxing Python with Win32 app isolation](https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/) ## Windows Sandbox 
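Review bot: in the first hunk of PATCH 09/28, dropping "in public preview" changes the feature's stated status while the hunk header shows the file's ms.date still at 04/09/2024; if Win32 app isolation has left preview, bump ms.date and say what shipped, otherwise keep the preview wording. "developers can update their applications using Visual Studio" is also narrower than the removed "using the tools provided by Microsoft", and the new link in the second hunk is a packaging guide, so "developers can package their applications with Visual Studio" would match it.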
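Review bot: typo in the new link text in the second hunk of PATCH 09/28: "Learn how to adop Win32 app isolation with Visual Studio" should read "adopt". The target is a deep path on the main branch of the win32-app-isolation repo (docs/packaging/packaging-with-visual-studio.md); consider linking a tagged release or a commit so the book does not break when that directory is reorganised.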
From f6ad4c81060595f43ab17e0e2039005062d9ad06 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Fri, 28 Jun 2024 10:00:15 -0700 Subject: [PATCH 10/28] Updates --- .../book/cloud-services-protect-your-work-information.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 789ac396b8..7dd228b998 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -74,6 +74,8 @@ The security baseline includes policies for: - Setting credential requirements for passwords and PINs - Restricting use of legacy technology +The MDM security baseline has been enhanced with over 70 new settings which enable local user rights assignment, services management, and local security policies which were previously only available through Group Policy. This enable adoption of pure MDM management and closer adherence to industry standard benchmarks for security. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) From 1f3a6bc5f743dc2bef7d884fd6321dc4768453f2 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Fri, 28 Jun 2024 10:07:03 -0700 Subject: [PATCH 11/28] Update --- .../book/cloud-services-protect-your-work-information.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 7dd228b998..4167db60b6 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md 
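Review bot: "This enable adoption of pure MDM management" should be "This enables adoption", and "over 70 new settings which enable local user rights assignment, services management, and local security policies" reads as if the settings switch those features on; say "settings for user rights assignment, service management and local security policy that were previously available only through Group Policy". "closer adherence to industry standard benchmarks for security" is vague unless a benchmark is named; if one is meant, name it, otherwise drop the clause. The paragraph is also inserted between the bullet list and its "Learn more" link, so the link no longer reads as belonging to the list; move the paragraph above the list or below the link.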
+++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -264,7 +264,7 @@ There are several ways that OneDrive for work or school is protected at rest: ## MDM enrollment certificate attestation -When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs. +When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From aef137d61dc616f66f0107c45ae01c0bd01b3738 Mon Sep 17 00:00:00 2001 
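Review bot: deleting "This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs" removes the only statement of which platforms and versions MDM enrollment certificate attestation applies to. If the Cloud PC / Azure Virtual Desktop extension is the part that cannot be committed to, cut only that clause and keep the "since Windows 11 22H2" availability sentence; an admin reading this section needs to know whether their fleet already has the TPM binding or whether lifted enrollment certificates remain a risk on older builds.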
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 1 Jul 2024 00:35:43 -0700 Subject: [PATCH 12/28] update --- .../application-security-application-and-driver-control.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 462cf9cf11..76c079d89d 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md 
@@ -19,6 +19,10 @@ Smart App Control prevents users from running malicious applications on Windows Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users. Smart App Control will ship with new devices with Windows 11, version 22H2 installed. +We have been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their PC up to date via Windows Update every month. + +Additionally, evaluation mode will start automatically enabling devices that the cloud AI model predicts will have a good experience with Smart App Control in the coming months, first starting with users in North America and eventually expanding to other regions. Note that enterprise-enrolled devices will still have Smart App Control disabled by default, and we recommend enterprises running line-of-business applications continue to leverage App Control for Business. + Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From 31070ff1e86757df0664853db2b39347ef0a04e6 Mon Sep 17 00:00:00 2001 
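Review bot: "evaluation mode will start automatically enabling devices that the cloud AI model predicts will have a good experience" has subject and object swapped; the mode does not enable devices. Suggest "Smart App Control will automatically be switched into evaluation mode on devices that the cloud AI model predicts will have a good experience with it". The second half of the added paragraph ("enterprise-enrolled devices will still have Smart App Control disabled by default, and we recommend enterprises running line-of-business applications continue to leverage App Control for Business") repeats the unchanged paragraph immediately below it almost word for word; keep one copy. While in this region, the context sentence "Smart App Control blocks unknown script files and macros from the web are blocked" has a doubled verb.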
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 1 Jul 2024 00:49:49 -0700 Subject: [PATCH 13/28] Update --- .../application-security-application-isolation.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 589481a1e8..f8e08c4cdf 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
@@ -44,6 +44,18 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software - [Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849) +##Windows Subsystem for Linux (WSL) +Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run a Linux environment on your Windows machine, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises: +- Hyper-V Firewall: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows. +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Hyper-V Firewall](windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) + +- DNS Tunneling: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet. +- Auto proxy: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions. +- Intune/MDM setting in WSL: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards. + + ## App containers In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. 
App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications. From d1f545d1723b027bc9974449dc8e537d277bee90 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 1 Jul 2024 10:50:40 -0700 Subject: [PATCH 14/28] Updates --- ...lication-security-application-isolation.md | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index f8e08c4cdf..7a1ba2a582 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
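Review bot: the new WSL section in PATCH 13/28 ships internal release codenames to a public page, "In Ge, we added 3 networking security features ... on Windows 11 (SV2 and Ge)"; replace them with the public Windows 11 version names. Other problems in the same hunk: the heading "##Windows Subsystem for Linux (WSL)" lacks the space after "##" and will not render as a heading; the Learn more link "windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall" lacks the leading slash the book uses for site-relative links; the bullet labelled "Intune/MDM setting in WSL" describes Microsoft Defender for Endpoint monitoring WSL distros, which is neither Intune nor MDM, so the label or the text is wrong; and "makes use of virtualization features to obtain DNS information rather than a networking packet" should say what is being contrasted (DNS queries from the distro are handed to Windows for resolution instead of being sent as packets over the WSL virtual network). PATCH 14/28 fixes the heading and the link but not the rest.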
@@ -44,16 +44,27 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software - [Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849) -##Windows Subsystem for Linux (WSL) +## Windows Subsystem for Linux (WSL) Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run a Linux environment on your Windows machine, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises: -- Hyper-V Firewall: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows. +- **Hyper-V Firewall**: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) -- [Hyper-V Firewall](windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) +- **DNS Tunneling**: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet. -- DNS Tunneling: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet. 
-- Auto proxy: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions. -- Intune/MDM setting in WSL: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards. +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[DNS Tunneling](/windows/wsl/networking#dns-tunneling) + +- **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[Auto proxy](/windows/wsl/networking#auto-proxy) + +- **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[Intune/MDM setting in WSL](/windows/wsl/intune) ## App containers From 950e4d7c57b9e9db5373520bd5832eb10944d928 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:39:38 -0700 Subject: [PATCH 15/28] Test changes from NG in Win 32 app isolation --- .../security/book/application-security-application-isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 7a1ba2a582..59586b8bbd 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
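Review bot: placing a "Learn more" block after each bullet splits the feature list into four separate lists, and the first block is indented by a leading space while the other three are not, so the four render differently. Collect the links in one **Learn more:** block after the list, as the other sections of this book do, with each link as its own bullet, e.g. `- [Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall)`. The switch to site-relative links and the `## Windows Subsystem for Linux (WSL)` heading spacing are correct.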
@@ -11,7 +11,7 @@ ms.date: 04/09/2024 ## Win32 app isolation -Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. + Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level. From 4cecb48606449dfe932c85cb17d1690c239b6e6e Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:46:59 -0700 Subject: [PATCH 16/28] Test change from Nilanjana 2 --- .../security/book/application-security-application-isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 59586b8bbd..84306e89cc 100644 --- a/windows/security/book/application-security-application-isolation.md 
+++ b/windows/security/book/application-security-application-isolation.md @@ -11,7 +11,7 @@ ms.date: 04/09/2024 ## Win32 app isolation - Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. +Change from Nilanjana Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level. From a5d67809147ba9ad0945135efee9877494484d54 Mon Sep 17 00:00:00 2001 From: Nilanjana Ganguly <74384702+ngangulyms@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:52:52 -0700 Subject: [PATCH 17/28] revert --- .../security/book/application-security-application-isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 84306e89cc..7a1ba2a582 100644 
--- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -11,7 +11,7 @@ ms.date: 04/09/2024 ## Win32 app isolation -Change from Nilanjana Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. +Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio. Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level. From 8489628da6b95da7ea764d9c284fc6cd6f9f5996 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 1 Jul 2024 17:15:39 -0700 Subject: [PATCH 18/28] Updates --- .../application-security-application-isolation.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) 
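Review bot: this revert together with the two "Test change" commits before it leaves application-security-application-isolation.md exactly as it was (the blob index returns to 7a1ba2a582), so the three commits are pure noise in the history; squash them out of the series rather than landing a test edit and its undo.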
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 7a1ba2a582..07bd47e364 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
@@ -48,22 +48,16 @@ running applications in isolation](https://techcommunity.microsoft.com/t5/window Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run a Linux environment on your Windows machine, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises: - **Hyper-V Firewall**: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -[Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) - - **DNS Tunneling**: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -[DNS Tunneling](/windows/wsl/networking#dns-tunneling) - - **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -[Auto proxy](/windows/wsl/networking#auto-proxy) - - **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards. 
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) +[DNS Tunneling](/windows/wsl/networking#dns-tunneling) +[Auto proxy](/windows/wsl/networking#auto-proxy) [Intune/MDM setting in WSL](/windows/wsl/intune) From fd6184f8ed315181fac39de82e8241167275839b Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 8 Jul 2024 09:45:07 -0700 Subject: [PATCH 19/28] Updates --- .../security/book/application-security-application-isolation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 07bd47e364..e29bb57dfc 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -70,3 +70,4 @@ Processes that run in app containers operate at a low integrity level, meaning t :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations) + From f4c4c4bd1d7144a52c676b1ed54914271f89104b Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:14:11 -0700 Subject: [PATCH 20/28] Updates --- .../cloud-services-protect-your-work-information.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 4167db60b6..a6e7601f2d 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
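Review bot: the four consolidated links under **Learn more:** have no bullet markers and sit on consecutive lines, so Markdown will render them as a single run-on paragraph; make each one a `- [Hyper-V Firewall](...)` list item, matching the `- [Windows and app container](...)` bullet used in the App containers section. While this section is being reworked, the unchanged line "In Ge, we added 3 networking security features ... (SV2 and Ge)" uses release names a reader of a customer-facing book will not recognize and should name the Windows 11 versions instead.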
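Review bot: a whitespace-only change (one empty line appended after the last bullet) adds nothing for the reader and may trip an end-of-file or trailing-whitespace linter; drop it, or fold it into the next content commit that touches this file.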
@@ -35,10 +35,23 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. +### Microsoft Entra Private Access ### +Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. + +### Microsoft Entra Internet Access ### +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. + +Both these features use a new Global Secure Access client for Windows, deployed on the desktop, that secure and control the feature. Note that both requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to the deployment guide. 
+- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access) +https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access +- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access) + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487) - [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1) +- [Learn about Microsoft Entra Private Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) +- [Learn about Microsoft Entra Internet Access for all apps](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) ## Modern device management through (MDM) From fd8bb5c227ae11593d00c7f57503721216acac1a Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:15:32 -0700 Subject: [PATCH 21/28] Updates --- .../book/cloud-services-protect-your-work-information.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index a6e7601f2d..a471727158 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
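Review bot: the new "Learn about Microsoft Entra Internet Access for all apps" bullet links to the same `concept-private-access` page as the Private Access bullet above it; point it at the Internet Access concept page. In the same hunk, the bare `https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access` line between the two deployment-guide bullets is a stray duplicate of the link that follows it and should be removed; the sentence "that secure and control the feature. Note that both requires ... and refer to the deployment guide" needs agreement fixes ("that secures and controls these features. Both require ...; for deployment, refer to the guides below"); and the `### ... ###` closing hashes are inconsistent with the `## Modern device management through (MDM)` heading style in this file. Site-relative `/entra/...` links would also match the rest of the book better than absolute learn.microsoft.com/en-us URLs.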
@@ -41,7 +41,7 @@ Microsoft Entra Private Access unlocks the ability to specify the fully qualifie ### Microsoft Entra Internet Access ### Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. -Both these features use a new Global Secure Access client for Windows, deployed on the desktop, that secure and control the feature. Note that both requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to the deployment guide. +Both these features use a new [Global Secure Access client for Windows](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. Note that both requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to the deployment guide. - [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access) https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access - [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access) From ea49561f5b6a7793662e7fe002fc226846cb9a44 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:31:13 -0700 Subject: [PATCH 22/28] Updates --- .../book/cloud-services-protect-your-work-information.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
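Review bot: the line being edited still carries the agreement errors "that secure and control the feature" and "Note that both requires"; since it is touched here anyway, fix it to "that secures and controls these features. Both require ...". The stray bare URL line visible in the trailing context also survives this patch.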
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index a471727158..00b5501c62 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -36,15 +36,12 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. ### Microsoft Entra Private Access ### -Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. +Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access). 
### Microsoft Entra Internet Access ### -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access). -Both these features use a new [Global Secure Access client for Windows](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. Note that both requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to the deployment guide. 
-- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access) -https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access -- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access) +Both these features use a new [Global Secure Access client for Windows](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From 7e773582bd780af31d83493836c1ba1961859e3e Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:47:08 -0700 Subject: [PATCH 23/28] Updates --- .../cloud-services-protect-your-work-information.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 00b5501c62..1b33962691 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
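Review bot: the note added to the Internet Access paragraph reads "Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices", a copy of the Private Access sentence; it should name Microsoft Entra Internet Access. Both added notes also run "requires ... and refer to [guide]" as one clause; split it into "requires ...; for deployment, refer to ...". Removing the bullet list does clear the stray bare URL, which is good.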
@@ -36,10 +36,12 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. ### Microsoft Entra Private Access ### -Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access). +Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. 
+Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access). ### Microsoft Entra Internet Access ### -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access). +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. +Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access). Both these features use a new [Global Secure Access client for Windows](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. 
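Review bot: the Internet Access section still says "Note that Microsoft Entra Private Access requires ..." after this edit; the product name was not corrected when the sentence was moved onto its own line. The new "Note that ..." line also follows its paragraph with no blank line between them, so Markdown joins it to the preceding paragraph instead of starting a new one.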
@@ -47,8 +49,8 @@ Both these features use a new [Global Secure Access client for Windows](https:// - [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487) - [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1) -- [Learn about Microsoft Entra Private Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) -- [Learn about Microsoft Entra Internet Access for all apps](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) +- [Microsoft Entra Private Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) +- [Microsoft Entra Internet Access for all apps](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) ## Modern device management through (MDM) From c0154ee24b7dd1209823df5e6376f6cee0bda2fb Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Mon, 8 Jul 2024 16:50:24 -0400 Subject: [PATCH 24/28] hardwareSecurityAshwinBaligaV2 --- .../security/book/hardware-security-hardware-root-of-trust.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index c9cd0c1032..871680e2f4 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
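Review bot: renaming the bullets does not fix the link target: "Microsoft Entra Internet Access for all apps" still resolves to `https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access`, the same page as the Private Access bullet directly above it; point it at the Internet Access concept page.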
@@ -27,8 +27,6 @@ Pluton supports the TPM 2.0 industry standard, allowing customers to immediately As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution. -In an ongoing commitment to enhancing security, Microsoft will introduce additional Pluton Security Processor capabilities, such as a Key Storage Provider (KSP). This KSP will provide advanced protection to Microsoft Entra and Intune credentials. This is a testament to the continuous efforts to stay ahead of potential threats and provide users with the most secure experience possible. - Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From f5b8bc8ae098817f8438789d2275167a03eaec94 Mon Sep 17 00:00:00 2001 
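Review bot: the commit message "hardwareSecurityAshwinBaligaV2" gives no rationale for dropping the paragraph on the forthcoming Pluton Key Storage Provider (KSP) for Microsoft Entra and Intune credentials, so a reviewer cannot tell whether the feature was cancelled, renamed, or simply not yet announced. State the reason in the commit message, and confirm that no other page in the book still refers to the Pluton KSP.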
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 10 Jul 2024 00:33:39 -0700 Subject: [PATCH 25/28] Updates --- ...oud-services-protect-your-work-information.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 1b33962691..bf06ab4789 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -36,21 +36,25 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. ### Microsoft Entra Private Access ### + Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. -Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access). + +Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](/entra/architecture/sse-deployment-guide-private-access). ### Microsoft Entra Internet Access ### -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. 
It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. -Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](https://learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-internet-access). -Both these features use a new [Global Secure Access client for Windows](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. + +Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](/entra/architecture/sse-deployment-guide-internet-access). + +Both these features use a new [Global Secure Access client for Windows](/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature. 
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487) - [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1) -- [Microsoft Entra Private Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) -- [Microsoft Entra Internet Access for all apps](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) +- [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access) +- [Microsoft Entra Internet Access for all apps](/entra/global-secure-access/concept-private-access) ## Modern device management through (MDM) From b93d93a7c00582840e33834e34364e219350edcd Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 10 Jul 2024 00:37:22 -0700 Subject: [PATCH 26/28] update --- .../book/cloud-services-protect-your-work-information.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index bf06ab4789..96c4cbeced 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -144,7 +144,8 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that - Reset the device and clean the drive - Reset the device but persist user accounts and data -Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp) +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp) ## Microsoft Azure Attestation Service From 8af8e05b10888077da5c39e03aa01625729ed3dd Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 10 Jul 2024 00:40:23 -0700 Subject: [PATCH 27/28] Update --- .../book/cloud-services-protect-your-work-information.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 96c4cbeced..abae6f58f5 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -145,7 +145,8 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that - Reset the device but persist user accounts and data :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -[Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp) + +- [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp) ## Microsoft Azure Attestation Service From 2529e5d8b6563571963bd66b9232f2be4c54ee56 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 10 Jul 2024 01:05:13 -0700 Subject: [PATCH 28/28] updates --- .../book/application-security-application-isolation.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index e29bb57dfc..13802fa4ec 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -55,10 +55,10 @@ Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run - **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -[Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) -[DNS Tunneling](/windows/wsl/networking#dns-tunneling) -[Auto proxy](/windows/wsl/networking#auto-proxy) -[Intune/MDM setting in WSL](/windows/wsl/intune) +- [Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) +- [DNS Tunneling](/windows/wsl/networking#dns-tunneling) +- [Auto proxy](/windows/wsl/networking#auto-proxy) +- [Intune/MDM setting in WSL](/windows/wsl/intune) ## App containers
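Review bot: in PATCH 25/28, hunk `@@ -36,21 +36,25 @@` of cloud-services-protect-your-work-information.md, the rewritten `+` line under `### Microsoft Entra Internet Access ###` still reads "Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices" while it links the Internet Access proof-of-concept guide; since that line is already being touched to switch the link to a relative path, correct the product name in the same change so the Internet Access section does not state Private Access requirements. In the same hunk, the two new "Learn more" entries `- [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access)` and `- [Microsoft Entra Internet Access for all apps](/entra/global-secure-access/concept-private-access)` resolve to the same page, so the Internet Access entry needs its own target (check the docs tree for the correct path rather than guessing one). Minor grammar on the last `+` line: the subject is the singular client, so "that secure and control the feature" should read "that secures and controls these features"; and the trailing context heading `## Modern device management through (MDM)` appears to be missing the words the abbreviation expands, which could be fixed while this file is open.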
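Review bot: PATCH 26/28 and PATCH 27/28 edit the same two lines in succession, with 26 leaving `**Learn more:**` immediately followed by `[Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)` on the next line (which renders as inline text after the label, not as a list) and 27 then adding the blank line and the `- ` bullet; squash the two commits so the intermediate, inconsistently formatted state never lands in history and a bisect cannot stop on it. The end state of the `@@ -145,7 +145,8 @@` hunk (blank line after the label, then a bulleted link) matches the other "Learn more" blocks in this book and is the form to keep.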
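Review bot: in PATCH 28/28, hunk `@@ -55,10 +55,10 @@` of application-security-application-isolation.md, the new `- [Hyper-V Firewall](...)` bullet starts on the line directly after `:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**` with no blank line in between, whereas PATCH 27/28 inserted a blank line between the same label and its `- [Remote Wipe CSP](...)` bullet; add the blank line here as well so the two "Learn more" blocks are formatted identically and the list does not depend on the renderer's rules for a list interrupting a paragraph.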