Merge branch 'main' into vp-sandbox
@ -9987,7 +9987,47 @@
},
{
"source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
"redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/index.md",
"redirect_url": "/windows/security/book/application-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-security/index.md",
"redirect_url": "/windows/security/book/hardware-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud-services/index.md",
"redirect_url": "/windows/security/book/cloud-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/index.md",
"redirect_url": "/windows/security/book/identity-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/index.md",
"redirect_url": "/windows/security/book/operating-system-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/index.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
},
{
"source_path": "windows/security/introduction.md",
"redirect_url": "/windows/security/book",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
}
]
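Review bot: the two entries whose `redirect_url` is `/windows/security/book/security-foundation` (for `security-foundations/index.md` and `security-foundations/zero-trust-windows-device-health.md`) use a singular slug, while every other new book target repeats its source folder name exactly (`application-security`, `hardware-security`, `cloud-services`, `identity-protection`, `operating-system-security`); confirm that `security-foundation` is the published slug, otherwise both redirects land on a 404. Dropping `.md` from the first entry's `redirect_url` is correct, since the other `redirect_url` values in the hunk are site paths rather than file paths.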
@ -1,7 +1,7 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 02/29/2024
ms.date: 11/11/2024
ms.topic: how-to
---
@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- access other applications
- change system settings, such as display extension, notifications, updates
- access Cortana
- access content copied to the clipboard
- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- Access other applications
- Change system settings, such as display extension, notifications, updates
- Access Cortana
- Access content copied to the clipboard
## How to use Take a Test
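Review bot: while the bullets are being capitalized, two slips in this hunk's unchanged context should go with them: "formative and summation assessments" should read "summative assessments", and "configured to only allow access a specific URL or a list of URLs" is missing "to" ("allow access to a specific URL"). This paragraph carries the page's security claim (the browser blocks other computer and Internet resources during the test), so it should read cleanly.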
@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link
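Review bot: the two `:::image` lines are identical as rendered, so this hunk appears to be a whitespace-only change; if that is intended, fine, but the unchanged context "such a quick quiz in a class" is missing "as" ("such as a quick quiz") and could be fixed in the same pass. The two bullets already contrast lower- and higher-stakes use; one sentence on why kiosk mode is the higher-assurance option (the dedicated account plus the lock-down that prevents any application other than Take a Test, as the second bullet describes) would make that trade-off explicit for the reader choosing between them.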
@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:
- Paste the link to the assessment URL
- Select the options you want to allow during the test
- Generate the link by selecting the button Create link
- Paste the link to the assessment URL.
- Select the options you want to allow during the test.
- Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
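Review bot: adding terminal periods to these three bullets makes this list inconsistent with the earlier list in the same file (the "students can't" bullets were capitalized in this commit but left without periods); pick one convention for the file. "selecting the button Create link" reads better as "selecting **Create link**", and the raw `<a href ... target="_blank"><u>…</u></a>` in the context line could be a plain markdown link unless opening in a new tab is a deliberate requirement.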
@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@ -1,11 +1,11 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 11/06/2024
ms.topic: include
---
| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
| Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
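Review bot: renaming the column to `Windows Enterprise/IoT Enterprise` asserts the Enterprise Yes/❌ value for IoT Enterprise on every row of this table, yet no row is re-evaluated in this change; confirm row by row (the `Windows Hotpatch` row added further down in this same file is the obvious one to check). Dropping `/SE` from `Windows Pro Education/SE` matches the same edit in the licensing table below (`Windows Pro/Pro Education/SE` to `Windows Pro/Pro Education`), so the two includes stay aligned.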
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
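Review bot: the Assigned Access link now points at `/windows/configuration/assigned-access` instead of `/windows/configuration/kiosk-methods`, matching the same update in the licensing table below; confirm the new target exists. Also visible in this hunk: the Always On VPN row uses `/Windows-server/...` with a capital W while the LSA Protection row in this file uses `/windows-server/...`; normalize to lowercase for consistency.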
@ -32,7 +32,7 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
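Review bot: the Hardware-enforced stack protection link moves from the old `techcommunity.microsoft.com/t5/...` form to `techcommunity.microsoft.com/blog/windowsosplatform/.../1247815`; check that the new URL resolves, and note that the corresponding row of the licensing include is not touched anywhere in this diff, so it either still carries the old URL or was updated in another commit.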
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
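Review bot: the new `Windows Hotpatch` row has no link, unlike most rows in this table; link the Hotpatch documentation if one exists. Its values (❌ Pro, Yes Enterprise, ❌ Pro Education, ❌ Education) agree with the row added to the licensing table below (❌ Pro, Yes E3/E5, ❌ A3/A5), but because this table's second column was just renamed `Windows Enterprise/IoT Enterprise`, the Yes now also claims Hotpatch for IoT Enterprise; confirm that before merging.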
@ -5,7 +5,7 @@ ms.date: 11/02/2023
ms.topic: include
---
|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
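Review bot: the AppLocker row shows ❌ for `Windows Pro/Pro Education` here, while the edition table above shows Yes for both Windows Pro and Windows Pro Education; the two includes should agree, or the text should explain why edition capability and licensing entitlement differ for AppLocker. The Assigned Access link change matches the edition table, which is fine.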
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `<LocURI>` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
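Review bot: the sample `Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91)` has 13 hex characters in its final group, so it is not a well-formed GUID; if the trailing `1` is meant to illustrate the Document ID mismatch this bullet describes, say so in the bullet text, otherwise trim it to a 12-character group. Replacing `S-1-5-21-3436249567-4017981746-3373817415-1001` with the clearly synthetic `S-1-5-21-1004336348-1177238915-682003330-1234` is the right call for sample log output; the `Enrollment Id` GUID is left unchanged and deserves the same treatment if it was copied from a real device.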
@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel:
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`
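Review bot: the period added at the end of this line sits inside the code span (`...0x82d00007).`), which alters quoted event text; since the line reproduces an Operational-channel log message, put the period outside the backticks or leave the message exactly as logged. The hunk header's context sentence also reads "processing of declared configuration document fails" and wants an article ("of the declared configuration document").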
BIN
windows/client-management/images/8908044-recall-search.png
Normal file
@ -1,9 +1,9 @@
---
title: Manage Recall for Windows clients
description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to
ms.subservice: windows-copilot
ms.date: 06/13/2024
ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
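Review bot: the new description drops "using MDM and group policy", but the body hunk of this same file still documents the CSP and Group Policy settings for Recall; keeping "with MDM and Group Policy" in the description preserves the search terms administrators actually use to find this page.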
@ -18,72 +18,161 @@ appliesto:
<!--8908044-->
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE]
> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
> - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
## What is Recall?
:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
### Recall security and privacy architecture
Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
- **Search the web**: Sends the selected content to the default search engine of the default browser
- **Open website**: Opens the selected website in the default browser
- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
- `C:\Users\[username]\AppData\Local\Temp`
Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements
Recall has the following minimum system requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
Recall has the following minimum requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- Snapshot capture automatically pauses once the device has less than 25 GB of disk space
- Saving snapshots automatically pauses once the device has less than 25 GB of storage space
- Users need to enable Device Encryption or BitLocker
- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers
Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
- **Microsoft Edge**: blocks websites and filters private browsing activity
- **Firefox**: blocks websites and filters private browsing activity
- **Opera**: blocks websites and filters private browsing activity
- **Google Chrome**: blocks websites and filters private browsing activity
- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
- **Microsoft Edge**: filters specified websites and filters private browsing activity
- **Firefox**: filters specified websites and filters private browsing activity
- **Opera**: filtered specified websites and filters private browsing activity
- **Google Chrome**: filters specified websites and filters private browsing activity
- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall
Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
- [Storage policies](#storage-policies)
- [App and website filtering policies](#app-and-website-filtering-policies)
### Allow Recall and snapshots policies
The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
## Limitations
In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
|
||||
|
||||
## User controlled settings for Recall
|
||||
|
||||
The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
|
||||
|
||||
- Website filtering
|
||||
- App filtering
|
||||
- Storage allocation
|
||||
- When the storage limit is reached, the oldest snapshots are deleted first.
|
||||
- Deleting snapshots
|
||||
- Delete all snapshots
|
||||
- Delete snapshots within a specific time frame
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
|
||||
|
||||
|
||||
### Storage allocation
|
||||
The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
|
||||
|
||||
The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
|
||||
|
||||
| Device storage capacity | Storage allocation options for Recall |
|
||||
| | Setting |
|
||||
|---|---|
|
||||
| 256 GB | 25 GB (default), 10 GB |
|
||||
| 512 GB | 75 GB (default), 50 GB, 25 GB |
|
||||
| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
|
||||
|
||||
### Storage policies
|
||||
|
||||
You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
|
||||
|
||||
| | Setting |
|
||||
|---|---|
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br> User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
|
||||
|
||||
You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
|
||||
|
||||
| | Setting |
|
||||
|---|---|
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
|
||||
|
||||
|
||||
### App and website filtering policies
|
||||
|
||||
You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
|
||||
|
||||
To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
|
||||
|
||||
> [!NOTE]
|
||||
> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
|
||||
> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
|
||||
> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
|
||||
> - Changes to this policy take effect after device restart.
|
||||
|
||||
| | Setting |
|
||||
|---|---|
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
|
||||
|
||||
|
||||
**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
|
||||
|
||||
> [!Note]
|
||||
> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
|
||||
> - Changes to this policy take effect after device restart.
|
||||
|
||||
| | Setting |
|
||||
|---|---|
|
||||
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
|
||||
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
|
||||
|
||||
|
||||
#### Remote desktop connection clients filtered from snapshots
|
||||
|
||||
Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:<!--9119193-->
|
||||
|
||||
- [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
|
||||
- [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
|
||||
- [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
|
||||
- [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
|
||||
- [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
|
||||
- [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
|
||||
- [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
|
||||
|
||||
|
||||
|
||||
|
||||
## Information for developers
|
||||
|
||||
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
|
||||
|
||||
## Microsoft's commitment to responsible AI
|
||||
|
||||
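Review bot: the **Allow Recall and snapshots policies** section pairs its paragraph on the **Allow Recall to be enabled** policy with a setting table that points at `DisableAIDataAnalysis` / **Turn off saving snapshots for Windows**, while the `AllowRecallEnablement` CSP and Group Policy rows surface later, under **User controlled settings for Recall**, with no `| | Setting |` header above them, and the **Storage allocation** heading opens with the **Turn off saving snapshots for Windows** description before the storage chart, whose rows are interleaved with the DisableAIDataAnalysis CSP and Group Policy rows. Move the `AllowRecallEnablement` rows (with their header) directly under the Allow Recall paragraph, keep the DisableAIDataAnalysis paragraph with its own table, and leave the storage chart as a standalone table. Three smaller fixes in the same hunk: the Group Policy row for `SetMaximumStorageDurationForRecallSnapshots` names the Computer Configuration setting **Set maximum storage for snapshots used by Recall** (that is the storage-space policy; it should read **Set maximum duration for storing snapshots used by Recall**, as the User Configuration half does); the `SetDenyUriListForRecall` Group Policy row has a stray `>` inside the bold setting name (`**>Set a list of URIs ...**`); and the app-list example contains a space inside the AUMID (`Microsoft. WindowsNotepad_8wekyb3d8bbwe!App`) where the policy CSP page in this same commit writes `Microsoft.WindowsNotepad_8wekyb3d8bbwe!App`. Under **Limitations**, the paragraph says the temp file under `C:\Users\[username]\AppData\Local\Temp` is deleted once the content is transferred; it should also say what happens when the share is cancelled or the target app fails, since that file can hold InPrivate or filtered-app content that Recall itself never persists.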
@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
|
||||
|
||||
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
|
||||
|
||||
## Information for developers
|
||||
|
||||
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
|
||||
## Related links
|
||||
- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
|
||||
- [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
|
||||
- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
|
||||
- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
|
||||
- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
|
||||
- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)
|
||||
|
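Review bot: **## Information for developers** now appears twice in this file, once before **## Microsoft's commitment to responsible AI** in the previous hunk and again after the OCR paragraph here, with near-identical wording (`When you call this URI` versus `When you call this`); if the intent is to move the section below the responsible-AI text, the earlier copy should be deleted rather than left in place. The two links to the "Privacy and control over your Recall experience" support article also use different URL forms (`.../windows/privacy-and-control-over-your-recall-experience-d404f672-...` in the OCR paragraph, `.../windows/d404f672-...` under **Related links**); pick one form for both.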
@ -1,21 +1,21 @@
|
||||
---
|
||||
title: PDE CSP
|
||||
description: Learn more about the PDE CSP.
|
||||
title: Personal Data Encryption CSP
|
||||
description: Learn more about the Personal Data Encryption CSP.
|
||||
ms.date: 01/18/2024
|
||||
---
|
||||
|
||||
<!-- Auto-Generated CSP Document -->
|
||||
|
||||
<!-- PDE-Begin -->
|
||||
# PDE CSP
|
||||
# Personal Data Encryption CSP
|
||||
|
||||
<!-- PDE-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
|
||||
The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
|
||||
<!-- PDE-Editable-End -->
|
||||
|
||||
<!-- PDE-Tree-Begin -->
|
||||
The following list shows the PDE configuration service provider nodes:
|
||||
The following list shows the Personal Data Encryption configuration service provider nodes:
|
||||
|
||||
- ./User/Vendor/MSFT/PDE
|
||||
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
|
||||
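Review bot: the rename from `PDE CSP` to `Personal Data Encryption CSP` also drops the `(PDE)` expansion from the description (`The Personal Data Encryption configuration service provider (CSP) is used ...`), but the node path `./User/Vendor/MSFT/PDE` and the generator markers (`<!-- PDE-Begin -->`) still carry the abbreviation, so the page no longer explains what `PDE` in the OMA-URI stands for; keep `(PDE)` once in the description. The front matter also keeps `ms.date: 01/18/2024` while the sibling CSP files in this commit bump theirs to `11/22/2024` for comparable edits.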
@ -45,7 +45,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
|
||||
|
||||
<!-- User-EnablePersonalDataEncryption-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
|
||||
The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
|
||||
<!-- User-EnablePersonalDataEncryption-Editable-End -->
|
||||
|
||||
<!-- User-EnablePersonalDataEncryption-DFProperties-Begin -->
|
||||
@ -93,10 +93,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
|
||||
|
||||
<!-- User-Status-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
Reports the current status of Personal Data Encryption (PDE) for the user.
|
||||
Reports the current status of Personal Data Encryption for the user.
|
||||
|
||||
- If prerequisites of PDE aren't met, then the status will be 0.
|
||||
- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
|
||||
- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
|
||||
- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
|
||||
<!-- User-Status-Editable-End -->
|
||||
|
||||
<!-- User-Status-DFProperties-Begin -->
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configuration service provider preview policies
|
||||
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
|
||||
ms.date: 11/05/2024
|
||||
ms.date: 11/22/2024
|
||||
---
|
||||
|
||||
<!-- Auto-Generated CSP Document -->
|
||||
@ -137,9 +137,15 @@ This article lists the policies that are applicable for Windows Insider Preview
|
||||
|
||||
## WindowsAI
|
||||
|
||||
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
|
||||
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
|
||||
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
|
||||
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
|
||||
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
|
||||
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
|
||||
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
|
||||
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
|
||||
- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
|
||||
|
||||
## WindowsLicensing CSP
|
||||
|
||||
|
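Review bot: `AllowRecallEnablement` is appended at the end of the WindowsAI list, after `DisableCocreator`, whereas the WindowsAI Policy CSP page in this same commit inserts its `## AllowRecallEnablement` section first, ahead of `## DisableAIDataAnalysis`; since both files carry `<!-- Auto-Generated CSP Document -->`, confirm the generator produced this order rather than a hand edit, and match the ordering between the two files.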
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: WindowsAI Policy CSP
|
||||
description: Learn more about the WindowsAI Area in Policy CSP.
|
||||
ms.date: 11/05/2024
|
||||
ms.date: 11/22/2024
|
||||
---
|
||||
|
||||
<!-- Auto-Generated CSP Document -->
|
||||
@ -15,28 +15,103 @@ ms.date: 11/05/2024
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
<!-- WindowsAI-Editable-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-Begin -->
|
||||
## AllowRecallEnablement
|
||||
|
||||
<!-- AllowRecallEnablement-Applicability-Begin -->
|
||||
| Scope | Editions | Applicable OS |
|
||||
|:--|:--|:--|
|
||||
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
|
||||
<!-- AllowRecallEnablement-Applicability-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-OmaUri-Begin -->
|
||||
```Device
|
||||
./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
|
||||
```
|
||||
<!-- AllowRecallEnablement-OmaUri-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-Description-Begin -->
|
||||
<!-- Description-Source-ADMX -->
|
||||
This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
|
||||
|
||||
- If this policy isn't configured, end users will have the Recall component in a disabled state.
|
||||
|
||||
- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
|
||||
|
||||
- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users are able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
|
||||
<!-- AllowRecallEnablement-Description-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
<!-- AllowRecallEnablement-Editable-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-DFProperties-Begin -->
|
||||
**Description framework properties**:
|
||||
|
||||
| Property name | Property value |
|
||||
|:--|:--|
|
||||
| Format | `int` |
|
||||
| Access Type | Add, Delete, Get, Replace |
|
||||
| Default Value | 1 |
|
||||
<!-- AllowRecallEnablement-DFProperties-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-AllowedValues-Begin -->
|
||||
**Allowed values**:
|
||||
|
||||
| Value | Description |
|
||||
|:--|:--|
|
||||
| 0 | Recall isn't available. |
|
||||
| 1 (Default) | Recall is available. |
|
||||
<!-- AllowRecallEnablement-AllowedValues-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-GpMapping-Begin -->
|
||||
**Group policy mapping**:
|
||||
|
||||
| Name | Value |
|
||||
|:--|:--|
|
||||
| Name | AllowRecallEnablement |
|
||||
| Friendly Name | Allow Recall to be enabled |
|
||||
| Location | Computer Configuration |
|
||||
| Path | Windows Components > Windows AI |
|
||||
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
|
||||
| Registry Value Name | AllowRecallEnablement |
|
||||
| ADMX File Name | WindowsCopilot.admx |
|
||||
<!-- AllowRecallEnablement-GpMapping-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-Examples-Begin -->
|
||||
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
|
||||
<!-- AllowRecallEnablement-Examples-End -->
|
||||
|
||||
<!-- AllowRecallEnablement-End -->
|
||||
|
||||
<!-- DisableAIDataAnalysis-Begin -->
|
||||
## DisableAIDataAnalysis
|
||||
|
||||
<!-- DisableAIDataAnalysis-Applicability-Begin -->
|
||||
| Scope | Editions | Applicable OS |
|
||||
|:--|:--|:--|
|
||||
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
|
||||
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
|
||||
<!-- DisableAIDataAnalysis-Applicability-End -->
|
||||
|
||||
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
|
||||
```User
|
||||
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
|
||||
```
|
||||
|
||||
```Device
|
||||
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
|
||||
```
|
||||
<!-- DisableAIDataAnalysis-OmaUri-End -->
|
||||
|
||||
<!-- DisableAIDataAnalysis-Description-Begin -->
|
||||
<!-- Description-Source-ADMX -->
|
||||
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
|
||||
This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
|
||||
|
||||
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
|
||||
- If the policy isn't configured, snapshots won't be saved for use with Recall.
|
||||
|
||||
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
|
||||
- If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
|
||||
|
||||
If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
|
||||
<!-- DisableAIDataAnalysis-Description-End -->
|
||||
|
||||
<!-- DisableAIDataAnalysis-Editable-Begin -->
|
||||
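Review bot: the `AllowRecallEnablement` description contradicts its own tables: the prose says `By default, Recall is disabled for managed commercial devices` and `If this policy isn't configured, end users will have the Recall component in a disabled state`, yet **Default Value** is `1` and the allowed-values table labels `1 (Default)` as `Recall is available`. State which is meant: if `1` is the node's value when unconfigured but managed devices still get the component removed, say so next to the table; otherwise the default should be `0`. In the `DisableAIDataAnalysis` description, the new bullet `If the policy isn't configured, snapshots won't be saved for use with Recall` and the old bullet `If you disable or don't configure this policy setting, Windows will save snapshots of the screen ...` give opposite answers for the not-configured case; make sure the old bullet is removed and not merged alongside the new one, because an administrator reading both would not know whether an unconfigured policy saves snapshots.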
@ -68,8 +143,8 @@ This policy setting allows you to control whether Windows saves snapshots of the
|
||||
| Name | Value |
|
||||
|:--|:--|
|
||||
| Name | DisableAIDataAnalysis |
|
||||
| Friendly Name | Turn off Saving Snapshots for Windows |
|
||||
| Location | User Configuration |
|
||||
| Friendly Name | Turn off saving snapshots for use with Recall |
|
||||
| Location | Computer and User Configuration |
|
||||
| Path | Windows Components > Windows AI |
|
||||
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
|
||||
| Registry Value Name | DisableAIDataAnalysis |
|
||||
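Review bot: the Friendly Name changes to `Turn off saving snapshots for use with Recall` and Location to `Computer and User Configuration`, but the Recall management article earlier in this commit still labels the Group Policy setting **Turn off saving snapshots for Windows** in its `DisableAIDataAnalysis` tables, under both the Computer Configuration and User Configuration paths; update those rows so the article matches the ADMX friendly name administrators will see in the editor.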
@ -222,7 +297,7 @@ This policy setting allows you to control whether Image Creator functionality is
|
||||
<!-- SetCopilotHardwareKey-OmaUri-End -->
|
||||
|
||||
<!-- SetCopilotHardwareKey-Description-Begin -->
|
||||
<!-- Description-Source-DDF -->
|
||||
<!-- Description-Source-ADMX -->
|
||||
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
|
||||
|
||||
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
|
||||
@ -249,7 +324,11 @@ This policy setting determines which app opens when the user presses the Copilot
|
||||
| Name | Value |
|
||||
|:--|:--|
|
||||
| Name | SetCopilotHardwareKey |
|
||||
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
|
||||
| Friendly Name | Set Copilot Hardware Key |
|
||||
| Location | User Configuration |
|
||||
| Path | Windows Components > Windows Copilot |
|
||||
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
|
||||
| ADMX File Name | WindowsCopilot.admx |
|
||||
<!-- SetCopilotHardwareKey-GpMapping-End -->
|
||||
|
||||
<!-- SetCopilotHardwareKey-Examples-Begin -->
|
||||
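Review bot: the new `SetCopilotHardwareKey` Group Policy mapping lists `Registry Key Name` (`SOFTWARE\Policies\Microsoft\Windows\CopilotKey`) but no `Registry Value Name` row, unlike the other mapping tables in this file (for example `AllowRecallEnablement` has `Registry Value Name | AllowRecallEnablement`); add the value name, or say why the key alone identifies the setting, since anyone auditing the policy from the registry needs the value to look for.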
@ -258,12 +337,297 @@ This policy setting determines which app opens when the user presses the Copilot
|
||||
|
||||
<!-- SetCopilotHardwareKey-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-Begin -->
|
||||
## SetDenyAppListForRecall
|
||||
|
||||
<!-- SetDenyAppListForRecall-Applicability-Begin -->
|
||||
| Scope | Editions | Applicable OS |
|
||||
|:--|:--|:--|
|
||||
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
|
||||
<!-- SetDenyAppListForRecall-Applicability-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-OmaUri-Begin -->
|
||||
```User
|
||||
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
|
||||
```
|
||||
|
||||
```Device
|
||||
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
|
||||
```
|
||||
<!-- SetDenyAppListForRecall-OmaUri-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-Description-Begin -->
|
||||
<!-- Description-Source-ADMX -->
|
||||
This policy allows you to define a list of apps that won't be included in snapshots for Recall.
|
||||
|
||||
Users are able to add additional applications to exclude from snapshots using Recall settings.
|
||||
|
||||
The list can include Application User Model IDs (AUMID) or name of the executable file.
|
||||
|
||||
Use a semicolon-separated list of apps to define the deny app list for Recall.
|
||||
|
||||
For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
|
||||
|
||||
> [!IMPORTANT]
|
||||
> When configuring this policy setting, changes won't take effect until the device restarts.
|
||||
<!-- SetDenyAppListForRecall-Description-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
<!-- SetDenyAppListForRecall-Editable-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-DFProperties-Begin -->
|
||||
**Description framework properties**:
|
||||
|
||||
| Property name | Property value |
|
||||
|:--|:--|
|
||||
| Format | `chr` (string) |
|
||||
| Access Type | Add, Delete, Get, Replace |
|
||||
| Allowed Values | List (Delimiter: `;`) |
|
||||
<!-- SetDenyAppListForRecall-DFProperties-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-GpMapping-Begin -->
|
||||
**Group policy mapping**:
|
||||
|
||||
| Name | Value |
|
||||
|:--|:--|
|
||||
| Name | SetDenyAppListForRecall |
|
||||
| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
|
||||
| Location | Computer and User Configuration |
|
||||
| Path | Windows Components > Windows AI |
|
||||
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
|
||||
| Registry Value Name | SetDenyAppListForRecall |
|
||||
| ADMX File Name | WindowsCopilot.admx |
|
||||
<!-- SetDenyAppListForRecall-GpMapping-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-Examples-Begin -->
|
||||
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
|
||||
<!-- SetDenyAppListForRecall-Examples-End -->
|
||||
|
||||
<!-- SetDenyAppListForRecall-End -->
|
||||
|
||||
<!-- SetDenyUriListForRecall-Begin -->
|
||||
## SetDenyUriListForRecall
|
||||
|
||||
<!-- SetDenyUriListForRecall-Applicability-Begin -->
|
||||
| Scope | Editions | Applicable OS |
|
||||
|:--|:--|:--|
|
||||
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
|
||||
<!-- SetDenyUriListForRecall-Applicability-End -->
|
||||
|
||||
<!-- SetDenyUriListForRecall-OmaUri-Begin -->
|
||||
```User
|
||||
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
|
||||
```
|
||||
|
||||
```Device
|
||||
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
|
||||
```
|
||||
<!-- SetDenyUriListForRecall-OmaUri-End -->
|
||||
|
||||
<!-- SetDenyUriListForRecall-Description-Begin -->
|
||||
<!-- Description-Source-ADMX -->
|
||||
This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
|
||||
|
||||
For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`.
|
||||
|
||||
Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Changes to this policy take effect after device restart.
|
||||
<!-- SetDenyUriListForRecall-Description-End -->
|
||||
|
||||
<!-- SetDenyUriListForRecall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Editable-End -->

<!-- SetDenyUriListForRecall-DFProperties-Begin -->
**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- SetDenyUriListForRecall-DFProperties-End -->

<!-- SetDenyUriListForRecall-GpMapping-Begin -->
**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | SetDenyUriListForRecall |
| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetDenyUriListForRecall |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetDenyUriListForRecall-GpMapping-End -->

<!-- SetDenyUriListForRecall-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Examples-End -->

<!-- SetDenyUriListForRecall-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-Begin -->
## SetMaximumStorageDurationForRecallSnapshots

<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```

```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.

When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.

When this policy isn't configured, a time frame isn't set for deleting snapshots.

Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
<!-- SetMaximumStorageDurationForRecallSnapshots-Description-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:

| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
| 30 | 30 days. |
| 60 | 60 days. |
| 90 | 90 days. |
| 180 | 180 days. |
<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | SetMaximumStorageDurationForRecallSnapshots |
| Friendly Name | Set maximum duration for storing snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-End -->

<!-- SetMaximumStorageDurationForRecallSnapshots-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-Begin -->
## SetMaximumStorageSpaceForRecallSnapshots

<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```

```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.

You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.

When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.

25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:

| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
| 10000 | 10GB. |
| 25000 | 25GB. |
| 50000 | 50GB. |
| 75000 | 75GB. |
| 100000 | 100GB. |
| 150000 | 150GB. |
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | SetMaximumStorageSpaceForRecallSnapshots |
| Friendly Name | Set maximum storage for snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-End -->

<!-- SetMaximumStorageSpaceForRecallSnapshots-End -->

<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

> [!NOTE]
> This policy is deprecated and may be removed in a future release.

<!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
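Review bot: The allowed-values table for SetMaximumStorageSpaceForRecallSnapshots never states the unit of the integer (10000 maps to 10 GB, so the value is apparently in megabytes), and its descriptions write "10GB" while the description text above writes "10 GB"; state the unit in the Format row or the table header and use one spelling. For SetMaximumStorageDurationForRecallSnapshots, the description says no time frame is set when the policy isn't configured, but the 0 (Default) row says the OS defines the maximum amount of time; the two statements should agree. For SetDenyUriListForRecall, the DFProperties table gives only the delimiter (`;`) and the Examples section is empty, so the reader can't tell what form each URI entry takes (scheme, host, path) or whether wildcards are accepted; one example value there would settle it.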
@ -282,7 +646,7 @@ This policy setting allows you to turn off Windows Copilot.

- If you enable this policy setting, users won't be able to use Copilot. The Copilot icon won't appear on the taskbar either.

- If you disable or don't configure this policy setting, users will be able to use Copilot when it's available to them.
- If you disable or don't configure this policy setting, users are able to use Copilot when it's available to them.
<!-- TurnOffWindowsCopilot-Description-End -->

<!-- TurnOffWindowsCopilot-Editable-Begin -->
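Review bot: Style: changing the second bullet to present tense ("users are able to use Copilot") leaves the first bullet in future tense ("users won't be able to use Copilot"); for consistency, rewrite it in the same hunk as "users can't use Copilot". Since the note at the top of this section marks TurnOffWindowsCopilot as deprecated and subject to removal, the description is also the place to say what administrators should use instead.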
@ -837,10 +837,10 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- name: PDE
- name: Personal Data Encryption
href: personaldataencryption-csp.md
items:
- name: PDE DDF file
- name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization
href: personalization-csp.md
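Review bot: Style: expanding "PDE" to "Personal Data Encryption" in both TOC entries is fine, but readers who know the feature by its abbreviation can no longer find it in the TOC; "Personal Data Encryption (PDE)" keeps both. The hrefs (personaldataencryption-csp.md, personaldataencryption-ddf-file.md) are unchanged, which is correct because only the display names change here.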
@ -0,0 +1,190 @@
---
title: Sensitive information filtering in Recall
description: Learn about the types of potentially sensitive information Recall detects.
ms.topic: reference
ms.subservice: windows-copilot
ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
- windows-copilot
- magic-ai-copilot
appliesto:
- ✅ <a href="https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs" target="_blank">Copilot+ PCs</a>
---


# Reference for sensitive information filtering in Recall

This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.

## Types of potentially sensitive information

Types of potentially sensitive information that Recall detects and filters include:

ABA Routing Number </br>
Argentina National Identity (DNI) Number </br>
Argentina Unique Tax Identification Key (CUIT/CUIL) </br>
Australia Bank Account Number </br>
Australia Drivers License Number </br>
Australia Tax File Number </br>
Austria Driver's License Number </br>
Austria Identity Card </br>
Austria Social Security Number </br>
Austria Tax Identification Number </br>
Austria Value Added Tax </br>
Azure Document DB Auth Key </br>
Azure IAAS Database Connection String and Azure SQL Connection String </br>
Azure IoT Connection String </br>
Azure Redis Cache Connection String </br>
Azure SAS </br>
Azure Secrets (Generic) </br>
Azure Service Bus Connection String </br>
Azure Storage Account Key </br>
Belgium Driver's License Number </br>
Belgium National Number </br>
Belgium Value Added Tax Number </br>
Brazil CPF Number </br>
Brazil Legal Entity Number (CNPJ) </br>
Brazil National ID Card (RG) </br>
Bulgaria Driver's License Number </br>
Bulgaria Uniform Civil Number </br>
Canada Bank Account Number </br>
Canada Driver's License Number </br>
Canada Social Insurance Number </br>
Chile Identity Card Number </br>
China Resident Identity Card (PRC) Number </br>
Colombia National ID </br>
Credit Card Number </br>
Croatia Driver's License Number </br>
Croatia Identity Card Number </br>
Croatia Personal Identification (OIB) Number </br>
Cyprus Driver's License Number </br>
Cyprus Identity Card </br>
Cyprus Tax Identification Number </br>
Czech Driver's License Number </br>
Czech Personal Identity Number </br>
DEA Number </br>
Denmark Driver's License Number </br>
Denmark Personal Identification Number </br>
Ecuador Unique Identification Number </br>
Estonia Driver's License Number </br>
Estonia Personal Identification Code </br>
EU Debit Card Number </br>
EU Driver's License Number </br>
EU National Id Card </br>
EU SSN or Equivalent Number </br>
EU Tax File Number </br>
Finland Driver's License Number </br>
Finnish National ID </br>
France CNI </br>
France Driver's License Number </br>
France INSEE </br>
France Tax Identification Number (numéro SPI.) </br>
France Value Added Tax Number </br>
General Password </br>
German Driver's License Number </br>
Germany Identity Card Number </br>
Germany Tax Identification Number </br>
Germany Value Added Tax Number </br>
Greece Driver's License Number </br>
Greece National ID Card </br>
Greece Social Security Number (AMKA) </br>
Greek Tax Identification Number </br>
Hong Kong Identity Card (HKID) number </br>
Hungarian Social Security Number (TAJ) </br>
Hungarian Value Added Tax Number </br>
Hungary Driver's License Number </br>
Hungary Personal Identification Number </br>
Hungary Tax Identification Number </br>
IBAN </br>
India Driver's License Number </br>
India GST number </br>
India Permanent Account Number </br>
India Unique Identification (Aadhaar) number </br>
India Voter Id Card </br>
Indonesia Drivers License Number </br>
Indonesia Identity Card (KTP) Number </br>
Ireland Driver's License Number </br>
Ireland Personal Public Service (PPS) Number </br>
Israel Bank Account Number </br>
Israel National ID Number </br>
Italy Driver's license Number </br>
Italy Fiscal Code </br>
Italy Value Added Tax </br>
Japan Bank Account Number </br>
Japan Driver's License Number </br>
Japan Residence Card Number </br>
Japan Resident Registration Number </br>
Japan Social Insurance Number </br>
Japanese My Number – Corporate </br>
Japanese My Number – Personal </br>
Latvia Driver's License Number </br>
Latvia Personal Code </br>
Lithuania Driver's License Number </br>
Lithuania Personal Code </br>
Luxembourg Driver's License Number </br>
Luxembourg National Identification Number (Natural persons) </br>
Luxembourg National Identification Number (Non-natural persons) </br>
Malaysia ID Card Number </br>
Malta Driver's License Number </br>
Malta Identity Card Number </br>
Malta Tax ID Number </br>
Mexico Unique Population Registry Code (CURP) </br>
Netherlands Citizen's Service (BSN) Number </br>
Netherlands Driver's License Number </br>
Netherlands Tax Identification Number </br>
Netherlands Value Added Tax Number </br>
New Zealand Bank Account Number </br>
New Zealand Driver License Number </br>
New Zealand Inland Revenue Number </br>
Newzealand Social Welfare Number </br>
Norway Identification Number </br>
Philippines National ID </br>
Philippines Passport Number </br>
Philippines Unified Multi-Purpose ID number </br>
Poland Driver's License Number </br>
Poland Identity Card </br>
Poland National ID (PESEL) </br>
Poland Tax Identification Number </br>
Polish REGON Number </br>
Portugal Citizen Card Number </br>
Portugal Driver's License Number </br>
Portugal Tax Identification Number </br>
Qatari ID Card Number </br>
Romania Driver's License Number </br>
Romania Personal Numerical Code (CNP) </br>
Saudi Arabia National ID </br>
Singapore Driving License Number </br>
Singapore National Registration Identity Card (NRIC) Number </br>
Slovakia Driver's License Number </br>
Slovakia Personal Number </br>
Slovenia Driver's License Number </br>
Slovenia Tax Identification Number </br>
Slovenia Unique Master Citizen Number </br>
South Africa Identification Number </br>
South Korea Driver's License Number </br>
South Korea Resident Registration Number </br>
Spain DNI </br>
Spain Driver's License Number </br>
Spain SSN </br>
Spain Tax Identification Number </br>
Sweden Driver's License Number </br>
Sweden National ID </br>
Sweden Tax Identification Number </br>
SWIFT Code </br>
Swiss SSN AHV Number </br>
Taiwan Resident Certificate (ARC/TARC) </br>
Taiwanese National ID </br>
Thai Citizen ID </br>
Turkish National Identity </br>
U.K. Driver's License Number </br>
U.K. Electoral Number </br>
U.K. NHS Number </br>
U.K. NINO </br>
U.K. Unique Taxpayer Reference Number </br>
U.S. Bank Account Number </br>
U.S. Driver's License Number </br>
U.S. Individual Taxpayer Identification Number (ITIN) </br>
U.S. Social Security Number </br>
UAE Identity Card Number </br>
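Review bot: Every entry in the new list ends with `</br>`, which is an end tag for a void element and not valid HTML; browsers only render it through error recovery. Use a markdown bullet list (one `- ` item per type) instead, which also diffs and localizes cleanly. Naming is inconsistent across entries: "Australia Drivers License Number" next to "Austria Driver's License Number", "Finnish National ID" next to "Finland Driver's License Number", "Newzealand Social Welfare Number" next to "New Zealand Bank Account Number", and "Id" in "EU National Id Card" and "India Voter Id Card" where every other entry writes "ID"; normalize to the country-name form the rest of the list uses. Finally, the intro says these types are detected when Sensitive Information Filtering is enabled, but not what detection does to the snapshot or where the setting lives beyond the manage-recall.md link; one sentence on each would make the reference self-contained.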
@ -52,6 +52,8 @@ items:
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md
- name: Reference for sensitive information filtering in Recall
href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal
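Review bot: The new TOC entry's href matches the file added earlier in this change (recall-sensitive-information-filtering.md), so the link resolves. Style: the page is a reference for Recall, so nesting it under "Manage Recall" as a child item rather than placing it as a sibling between "Manage Recall" and "Secured-Core PC Configuration Lock" would keep the Recall pages together.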
@ -39,7 +39,7 @@ The following policy settings are applied at the device level when you deploy a

## User policy settings

The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:
The following policy settings are applied to targeted user accounts when you deploy a restricted user experience:

| Type | Path | Name/Description |
|---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------|
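Review bot: The reworded sentence ("applied to targeted user accounts") is less specific than the one it replaces ("any nonadministrator account") and doesn't say how an account becomes targeted; if the policies apply only to the accounts the restricted user experience is assigned to, state that (and link to where the assignment is configured), otherwise a reader can't tell whether administrator accounts are now in scope.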
@ -47,8 +47,9 @@ The following policy settings are applied to any nonadministrator account when y
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar` | Hide People Bar from appearing on taskbar |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps` | Hide recently added apps from appearing on the Start menu |
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists` | Hide recent jumplists from appearing on the Start menu/taskbar |
| **GPO** | User Configuration\Administrative Templates\Desktop | Hide and disable all items on the desktop |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Clear history of recently opened documents on exit |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toast |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Disable showing balloon notifications as toasts |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning items in Jump Lists |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not allow pinning programs to the Taskbar |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Do not display or track items in Jump Lists from remote locations |
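Review bot: The new `HideRecentJumplists` row is inserted after `HideRecentlyAddedApps`, which breaks the alphabetical order the CSP rows otherwise follow (HideRecentJumplists sorts before HideRecentlyAddedApps); move it up one row. The "toast" to "toasts" correction matches the policy's display name and is fine.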
@ -69,21 +70,23 @@ The following policy settings are applied to any nonadministrator account when y
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Notification and Action Center |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Quick Settings |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove Run menu from Start Menu |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Remove the Security and Maintenance icon |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off all balloon notifications |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar | Turn off feature advertisement balloon notifications |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Hide the TaskView button |
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Change Password |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Logoff |
| **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Task Manager |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Prevent access to drives from My Computer |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove *Map network drive* and *Disconnect Network Drive* |
| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer | Remove File Explorer's default context menu |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Windows Copilot | Turn off Windows Copilot |

The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:

| Type | Path | Name/Description |
|---------|-----------------------------------------------------------------------------------|--------------------------------------------------------|
| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Run only specified Windows applications > `msedge.exe` |
| **GPO** | User Configuration\Administrative Templates\System | Run only specified Windows applications > `msedge.exe` |
| **GPO** | User Configuration\Administrative Templates\System | Turn off toast notifications |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk |
| **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub` |
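Review bot: In the kiosk table, "Turn off toast notifications" is listed under User Configuration\Administrative Templates\System, but the user-policy table in this same hunk lists that policy under Start Menu and Taskbar\Notifications; the row looks like it inherited the path of the "Run only specified Windows applications" row above it (the one correctly moved from Notifications to System), so verify and fix the path. Separately, the new "Turn off Windows Copilot" row depends on the TurnOffWindowsCopilot policy that the CSP section earlier in this change marks as deprecated and subject to removal; say so here, or the restricted user experience is documented as relying on a control that may stop applying in a later release.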
@ -2,7 +2,7 @@
title: Windows Taskbar XML Schema Definition (XSD)
description: Reference article about the Taskbar XML schema definition (XSD).
ms.topic: reference
ms.date: 11/07/2024
ms.date: 11/11/2024
---

# Taskbar XML Schema Definition (XSD)
@ -13,7 +13,7 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
ms.date: 11/06/2024
ms.date: 11/11/2024
---

# Update Windows installation media with Dynamic Update
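Review bot: Style: the `appliesto` anchors in this front matter leave the `href` and `target` attribute values unquoted (`href=https://... target=_blank`), while the new Recall reference page added in this same change quotes them (`href="..." target="_blank"`); quote them here as well so the two files follow one convention and the values survive any URL that later picks up characters an unquoted attribute can't hold.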
@ -40,8 +40,49 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so

You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results.


### Windows Server 2025 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.

| Update packages |Title |
|-----------------------------------|--------------------------------------------------------------------------------------|
|Safe OS Dynamic Update | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 24H2 |
|Setup Dynamic Update | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 24H2 |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system version 24H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 24H2 |

### Windows Server, version 23H2 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Azure Stack HCI, version 23H2 has a similar format.

| Update packages |Title |
|-----------------------------------|--------------------------------------------------------------------------------------|
|Safe OS Dynamic Update | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 23H2 |
|Setup Dynamic Update | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 23H2 |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system version 23H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |

### Azure Stack HCI, version 22H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.

| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 22H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |

### Windows Server 2022 later Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.

| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |

### Windows 11, version 22H2 and later Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.

| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
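Review bot: The new heading "Windows Server 2022 later Dynamic Update packages" is missing a word ("Windows Server 2022 and later"), and since its table lists "version 21H2" titles, the paragraph under it should say that Server 2022 corresponds to 21H2 so readers don't think the table is for a different release. In the Azure Stack HCI 22H2 and Server 2022 paragraphs, "Servicing stack published separately only if necessary as a prerequisite for a given cumulative update." is a fragment; reuse the full sentence from the Server 2025 section ("The servicing stack is published only if necessary..."). The Server 23H2 paragraph says Azure Stack HCI, version 23H2 has a similar format, yet HCI 22H2 gets its own section with different columns; tell HCI 23H2 readers explicitly that the 23H2 table applies to them.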
@ -50,7 +91,6 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Windows 11 Version 22H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |


### Windows 11, version 21H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.

@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis
|
||||
|
||||
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
|
||||
|
||||
The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
|
||||
The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
|
||||
|
||||
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
|
||||
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).
### Option 2: Use WSUS with UUP Integration
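Review bot: the UUP blog link in this paragraph moves from `blogs.windows.com/windowsexperience/...` to `blogs.windows.com/windows-insider/...` and the Tech Community reference is rewritten to the `/blog/windows-itpro-blog/.../746126` form, but nothing in the hunk shows that the old URLs stopped resolving; confirm both new targets before merge. Dropping the Ignite THR4002 session link is consistent with its removal from the Related links list lower in the same file, so that part is fine.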
@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 5: Install language features during deployment
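Review bot: the rewritten paragraph keeps the ungrammatical sentence "Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition"; since the line is already being edited, change the tail to "but not for user-initiated optional content acquisition" and rephrase one of the two consecutive sentences that open with "Also".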
@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
## Sample scripts
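Review bot: with the two Ignite session entries removed, the Related links list still carries the repo-local [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md) while the media-customization paragraph earlier in this file now links only the external Tech Community post on the same topic; point the body text at the in-repo article as well, or cite both, so readers are not sent to two different treatments of the same procedure. The `@ -151,11 +151,9` header matches the net removal of two list items.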
@ -68,6 +68,8 @@
href: manage/windows-autopatch-windows-update-policies.md
- name: Programmatic controls for expedited Windows quality updates
href: manage/windows-autopatch-windows-quality-update-programmatic-controls.md
- name: Hotpatch updates
href: manage/windows-autopatch-hotpatch-updates.md
- name: Driver and firmware updates
href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
items:
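Review bot: the new TOC entry `href: manage/windows-autopatch-hotpatch-updates.md` matches the path the new report article links as `../manage/windows-autopatch-hotpatch-updates.md`, but the entry name "Hotpatch updates" omits the "(public preview)" qualifier that the article's H1 carries; decide whether the TOC should flag preview status. The rendered diff does not show the entry's indentation, so also confirm it sits at the same level as the neighbouring "Driver and firmware updates" item rather than under its `items:` list.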
@ -116,6 +118,8 @@
href: monitor/windows-autopatch-windows-quality-update-trending-report.md
- name: Reliability report
href: monitor/windows-autopatch-reliability-report.md
- name: Hotpatch quality update report
href: monitor/windows-autopatch-hotpatch-quality-update-report.md
- name: Windows feature and quality update device alerts
href: monitor/windows-autopatch-device-alerts.md
- name: Policy health and remediation
@ -0,0 +1,78 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
- tier1
---
# Hotpatch updates (public preview)
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
## Key benefits
- Hotpatch updates streamline the installation process and enhance compliance efficiency.
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
## Eligible devices
To benefit from Hotpatch updates, devices must meet the following prerequisites:
- Operating System: Devices must be running Windows 11 24H2 or later.
- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
## Ineligible devices
Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
> [!NOTE]
> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
## Release cycles
For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
- Baseline Release Months: January, April, July, October
- Hotpatch Release Months: February, March, May, June, August, September, November, December
## Enroll devices to receive Hotpatch updates
> [!NOTE]
> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
**To enroll devices to receive Hotpatch updates:**
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
1. Go to the **Quality updates** tab.
1. Select **Create**, and select **Windows quality update policy (preview)**.
1. Under the **Basics** section, enter a name for your new policy and select Next.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
1. Select the appropriate Scope tags or leave as Default and select **Next**.
1. Assign the devices to the policy and select **Next**.
1. Review the policy and select **Create**.
These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
> [!NOTE]
> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply.
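Review bot: the "Latest Baseline Release" prerequisite and the "Release cycles" section both cite the Azure Automanage for Windows Server 2022 hotpatch release notes, with a `?preview=true` query string, as the schedule source for Windows 11 24H2 client devices; confirm that is the intended reference and drop the preview parameter from the published URL. Smaller fixes in the same new file: the IMPORTANT callout switches subject from "This feature" to "They're made available", the "Ineligible devices" section has "LCUs requires you to restart", step 7 has unbalanced quotation marks in `**"When available, apply without restarting the device ("hotpatch")**`, and "select Next" in step 6 and "Scope tags" in step 8 aren't bolded like the other UI labels. The VBS prerequisite is the gating security control for hotpatch eligibility, so a link to how to verify and enable VBS would help admins check devices before assigning the policy.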
@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
ms.date: 10/30/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -120,6 +120,9 @@ For more information about Windows feature update policies that are created for
## Pause and resume a release
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
> [!IMPORTANT]
> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
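Review bot: this known-issue callout is pasted verbatim into seven articles in this change (the feature and quality update overviews, the new Hotpatch report, the feature and quality status reports, and both summary dashboards); the repo already uses `[!INCLUDE]` fragments, so placing the text in one include file lets it be removed in a single edit when the fix ships. The first-person "we have identified" and "we'll provide an update" also diverge from the third-person voice of the adjacent callout ("Windows Autopatch uses Microsoft Intune").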
@ -1,7 +1,7 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
ms.date: 10/30/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@ -66,6 +66,9 @@ For the deployment rings that pass quality updates deferral date, the OOB releas
## Pause and resume a release
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
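Review bot: the context line directly below the new callout is broken at the wrong full stop: "The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft." leaves the second sentence without a subject. While this section is being touched, join it as "...signals Windows Autopatch receives from Windows Update for Business and several other product groups within Microsoft."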
@ -0,0 +1,67 @@
---
title: Hotpatch quality update report
description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
- tier1
---
# Hotpatch quality update report (public preview)
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
**To view the Hotpatch quality update status report:**
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
1. Select the **Reports** tab.
1. Select **Hotpatch quality updates (preview)**.
> [!NOTE]
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Hotpatch quality update report:
| Column name | Description |
| ----- | ----- |
| Quality update policy | The name of the policy. |
| Device name | Total number of devices in the policy. |
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Hotpatched | Total devices that successfully received a Hotpatch update. |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |
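Review bot: in the default columns table the "Device name" row is described as "Total number of devices in the policy", which is a count, not a name, so either the column name or the description is wrong; the "Paused" row sends readers to the Up to Date anchor for more information; and every row links the `../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md` path while the NOTE earlier in this file links `../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md` for the same article. The IMPORTANT callout also says the Paused column can't currently be displayed, yet the table lists it as a default column without saying so, and the "% with the latest quality update" description lacks a closing period.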
@ -1,7 +1,7 @@
---
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 09/16/2024
description: Provides a per device view of the current Windows OS upgrade status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices.
**To view the Feature update status report:**
@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Feature update status report:
| Column name | Description |
@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 09/16/2024
description: Provides a broader view of the current Windows OS upgrade status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r
## Report information
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available in the Summary dashboard:
| Column name | Description |
@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
ms.date: 09/16/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -27,7 +27,7 @@ The Windows quality reports provide you with information about:
- Device update health
- Device update alerts
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
Together, these reports provide insight into the quality update state and compliance of Intune devices.
The Windows quality report types are organized into the following focus areas:
@ -61,7 +61,7 @@ Users with the following permissions can access the reports:
## About data latency
The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
## Windows quality and feature update statuses
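Review bot: the edited data-latency paragraph now contradicts itself: it still states that data "typically uploads from enrolled devices once per day" and "is processed in batches", but the maximum end-to-end latency is changed from approximately 48 hours to approximately four hours. If the device upload cadence changed along with the four-hour report refresh interval introduced elsewhere in this change, update the first two sentences as well; if it did not, the four-hour figure can only describe the report refresh and should not be labelled end-to-end latency.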
@ -1,7 +1,7 @@
---
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
description: Provides a per device view of the current update status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
The Quality update status report provides a per device view of the current update status for all Intune devices.
**To view the Quality update status report:**
@ -29,12 +29,15 @@ The Quality update status report provides a per device view of the current updat
1. Select **Quality update status**.
> [!NOTE]
> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Quality update status report:
| Column name | Description |
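Review bot: the refreshed NOTE keeps "received by your Windows Autopatch managed devices" while the parallel note in the quality update summary dashboard is changed to "received by your managed devices" in this same change; pick one phrasing for both. The Data latency link here still targets `../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md`, whereas the new Hotpatch report links the `../monitor/` path for the same overview article, so readers land on the same content through two different paths.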
@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
description: Provides a summary view of the current update status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
The Summary dashboard provides a summary view of the current update status for all Intune devices.
**To view the current update status for all your enrolled devices:**
@ -27,10 +27,13 @@ The Summary dashboard provides a summary view of the current update status for a
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
> [!NOTE]
> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available in the Summary dashboard:
| Column name | Description |
@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 09/27/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
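Review bot: the new "Hotpatch quality update report" row is inserted after "Intune reports" instead of next to the "Hotpatch updates" row it belongs with, and its description lacks the leading "The" the other rows use. The "Hotpatch updates" description promises installation "without requiring you to restart the device", but the "Windows quality updates" row directly above advertises "Windows 10 and later devices"; a short eligibility qualifier here (Windows 11 24H2 with VBS enabled, per the linked Hotpatch article in this change) would stop readers expecting restart-free updates on devices that will actually receive the LCU.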
@ -70,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
## Communications
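Review bot: the reworded "Enhanced Windows quality and feature update reports" row replaces "Windows Autopatch managed devices" with "managed devices" in both places, which is ambiguous in a table that also lists Intune features (Intune-managed vs. Autopatch-managed devices). Keep the qualifier once, for example "Autopatch-managed devices that are Not up to Date", and drop only the second occurrence. Minor: if "Not up to Date" is the report's literal status value, format it as one (bold or code) so the capitalization does not read as a typo.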
@ -87,7 +87,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
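Review bot: the Office-to-Edge correction in the IMPORTANT note is right, but the same sentence still reads "and the toggle the must be set to **Allow**", with a doubled "the". Since the line is being touched anyway, make it "and the toggle must be set to **Allow**". The identical wording appears in the driver-update note in the next hunk, so fix both in this change.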
@ -100,7 +100,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]
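Review bot: the corrected note reads "To update drivers and firmware ... and the toggle the must be set to **Allow**" (doubled "the", same defect as the Edge note), and the **Allow** link points at `windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group`, whereas the Edge note links the same word to the Edge article's allow-or-block section. Check whether `windows-autopatch-manage-driver-and-firmware-updates.md` has an equivalent allow/block section and link there, or link both notes to the group-creation step; as written the two notes send readers to different kinds of target for the same instruction.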
@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
ms.date: 09/27/2024
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## November 2024
### November feature releases or updates
| Article | Description |
| ----- | ----- |
| Hotpatch | <ul><li>[Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md)</li><li>[Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md)</li></ul> |
## September 2024
### September feature releases or updates
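Review bot: the new November 2024 entry carries no Message center post number, although the article's description in the front matter above says it lists "any corresponding Message center post numbers". If an MC post went out for the Hotpatch release, add it to the row; if none was sent, say so in the row so the omission is visibly deliberate. The table columns are "Article | Description", but the row puts the topic name ("Hotpatch") under Article and the two article links under Description; either swap the cells or rename the first column to "Feature" so the header matches the content.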
@ -139,22 +139,22 @@ The Microsoft Root certificates can be allowed and denied in policy using 'WellK
| 0| None | N/A |
| 1| Unknown | N/A |
| 2 | Self-Signed | N/A |
| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
| 4 | Microsoft Product Root 1997 | `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` |
| 5 | Microsoft Product Root 2001 | `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`|
| 6 | Microsoft Product Root 2010 | `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`|
| 7 | Microsoft Standard Root 2011 | `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`|
| 8 | Microsoft Code Verification Root 2006 | `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`|
| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
| 4 | Microsoft Product Root 1997 | `3082010A0282010100A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF0203010001` |
| 5 | Microsoft Product Root 2001 | `3082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
| 6 | Microsoft Product Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 7 | Microsoft Standard Root 2011 | `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`|
| 8 | Microsoft Code Verification Root 2006 | `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`|
| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
| 0A | Microsoft Test Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 0B | Microsoft DMD Test Root 2005 | `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`|
| 0C | Microsoft DMDRoot 2005 | `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`|
| 0D | Microsoft DMD Preview Root 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
| 0E | Microsoft Flight Root 2014 | `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`|
| 0F | Microsoft Third Party Marketplace Root | `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`|
| 0A | Microsoft Test Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 0B | Microsoft DMD Test Root 2005 | `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`|
| 0C | Microsoft DMDRoot 2005 | `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`|
| 0D | Microsoft DMD Preview Root 2005 | `3082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
| 0E | Microsoft Flight Root 2014 | `3082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
| 0F | Microsoft Third Party Marketplace Root | `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`|
| 14 | Microsoft Trusted Root Store | N/A |
| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B3912A07830667FD9E9DE0C7C0B7A4E642047F0FA6DB5FFBD55AD745A0FB770BF080F3A66D5A4D7953D8A08684574520C7A254FBC7A2BF8AC76E35F3A215C42F4EE34A8596490DFFBE99D814F6BC2707EE429B2BF50B9206E4FD691365A89172F29884EB833D0EE4D771124821CB0DEDF64749B79BF9C9C717B6844FFFB8AC9AD773674985E386BD3740D02586D4DEB5C26D626AD5A978BC2D6F49F9E56C1414FD14C7D3651637DECB6EBC5E298DFD629B152CD605E6B9893233A362C7D7D6526708C42EF4562B9E0B87CCECA7B4A6AAEB05CD1957A53A0B04271C91679E2D622D2F1EBEDAC020CB0419CA33FB89BE98E272A07235BE79E19C836FE46D176F90F33D008675388ED0E0499ABBDBD3F830CAD55788684D72D3BF6D7F71D8FDBD0DAE926448B75B6F7926B5CD9B952184D1EF0F323D7B578CF345074C7CE05E180E35768B6D9ECB3674AB05F8E0735D3256946797250AC6353D9497E7C1448B80FDC1F8F47419E530F606FB21573E061C8B6B158627497B8293CA59E87547E83F38F4C75379A0B6B4E25C51EFBD5F38C113E6780C955A2EC5405928CC0F24C0ECBA0977239938A6B61CDAC7BA20B6D737D87F37AF08E33B71DB6E731B7D9972B0E486335974B516007B506DC68613DAFDC439823D24009A60DABA94C005512C34AC50991387BBB30580B24D30025CB826835DB46373EFAE23954F6028BE37D55BA50203010001`|
| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
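Review bot: the replacement rows for 6 (Microsoft Product Root 2010) and 0A (Microsoft Test Root 2010) carry byte-for-byte the same key value in this diff (both start `3082020A028202010095E3A8C1B99C2654...` and end `...5B87EB5520CB9AB0203010001`), and the removed 0A row wraps that same modulus. Two distinct roots cannot share an RSA public key, so one of the two rows is a copy-paste of the other; re-extract both values from the actual certificates before merging, because a reader who keys a policy on the wrong root silently trusts the test hierarchy. Second, the edited rows change encoding: the removed values are full SubjectPublicKeyInfo DER (prefix `30820222300D06092A864886F70D0101010500...`, the rsaEncryption AlgorithmIdentifier and BIT STRING), while the new values are the bare RSAPublicKey SEQUENCE (`3082020A0282020100...`), yet row 9 (Microsoft Test Root 1999) is untouched and still holds the SPKI form (`3081DF300D0609...`). Either convert row 9 too and state in the column header which encoding the column holds, or keep every row as SPKI; hashes computed over the two forms differ, so a mixed table is worse than either form alone. Minor, in the unchanged trailing sentence: "For example, they don't need to be listed as TBS hashes" should read "That is, they don't need to be listed", since it states the consequence, not an example.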
@ -1,14 +0,0 @@
---
title: Windows application security
description: Get an overview of application security in Windows
ms.date: 08/02/2023
ms.topic: conceptual
---
# Windows application security
Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
Learn more about application security features in Windows.
[!INCLUDE [application](../includes/sections/application.md)]
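Review bot: deleting `application-security/index.md` removes the page that consumed `[!INCLUDE [application](../includes/sections/application.md)]`; confirm that include file is still referenced somewhere else, or delete it in the same change so it does not become an orphan. The page was also the one place in this section that stated the least-privilege baseline in concrete terms (remove local admin rights so PCs run with least privilege); make sure whatever page replaces it keeps that sentence, and that a redirect entry for this source path exists so inbound links to `/windows/security/application-security/` do not break.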
@ -1,6 +1,4 @@
items:
- name: Overview
href: index.md
- name: Application and driver control
href: application-control/toc.yml
- name: Application isolation
@ -1,68 +1,77 @@
---
title: Application and driver control
description: Windows 11 security book - Application and driver control.
title: Windows 11 security book - Application and driver control
description: Application and driver control.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Application and driver control
:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
capabilities to build in security from the ground up to protect against breaches and malware.
## Smart App Control
Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Smart App Control][LINK-1]
## App Control for Business
Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
[!INCLUDE [learn-more](includes/learn-more.md)]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Application Control for Windows][LINK-2]
- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection
## User Account Control
When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.
When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.
Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
> [!NOTE]
> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5].
## Microsoft vulnerable driver blocklist
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
- [Microsoft recommended driver block rules][LINK-4]
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [What is Trusted Signing](/azure/trusted-signing/overview)
<!--links-->
[LINK-1]: /windows/apps/develop/smart-app-control/overview
[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works
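Review bot: the new Administrator protection section replaces the User Account Control section but keeps none of the mechanism the removed text explained (apps run with the standard-user token; UAC hands specific executables a "full" administrator token on approval), and it does not say what "just-in-time administrative rights" change relative to that model, so the section reads as a rename of UAC. Add a sentence or two on how the elevated context differs from UAC's split token; otherwise the security gain is invisible to the reader. The trailing NOTE also scopes the fallback wrongly: it sends "devices running previous versions of Windows" to the UAC article, but the same NOTE says administrator protection is in preview, so Windows 11 devices that do not have it enabled still rely on UAC; say "devices where administrator protection is not enabled". Smart App Control: the rewrite drops the removed sentence that devices must be reset with a clean installation to get the feature. If that constraint still holds, keep it, because the new paragraph about staying current through Windows Update implies an existing device can simply turn it on. Vulnerable driver blocklist: the removed text tied default enforcement to HVCI and to new PCs from the 2022 Update onward; the new "turned on by default" is unqualified and "Users can configure the policy" replaces "opt in to enforce", so state what the default is on upgraded devices and what the Windows Security toggle actually does. Smaller items: "Organizations that were using AppLocker on previous versions of Windows, can continue" has a stray comma before "can"; "Microsoft Intune can configure App Control for Business in the admin console" makes the product the actor, better "Organizations using Microsoft Intune can configure ...", and "the possibility to upload" should be "the option to upload"; LINK-2 and LINK-4 still point at the old `windows-defender-application-control` and `threat-protection` paths while LINK-3 uses the `app-control-for-business` tree, so check whether those two pages moved with the rename and use the current paths rather than relying on redirects.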
@ -1,46 +1,38 @@
|
||||
---
|
||||
title: Application isolation
|
||||
description: Windows 11 security book - Application isolation.
|
||||
title: Windows 11 security book - Application isolation
|
||||
description: Application isolation.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Application isolation
|
||||
|
||||
:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
|
||||
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
|
||||
|
||||
## Win32 app isolation
|
||||
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Win32 app isolation
|
||||
|
||||
Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
|
||||
Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
|
||||
|
||||
Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
|
||||
Win32 app isolation follows a two-step process:
|
||||
|
||||
In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
|
||||
- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
|
||||
- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
|
||||
|
||||
To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
|
||||
To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
|
||||
|
||||
To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
|
||||
|
||||
- Approaches for accessing data and privacy information
|
||||
- Integrating Win32 apps for compatibility with other Windows interfaces
|
||||
|
||||
The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
|
||||
The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
|
||||
|
||||
## Windows Sandbox
|
||||
|
||||
Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
|
||||
|
||||
Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox)
|
||||
- [Windows Sandbox is a new lightweight desktop environment tailored for safely
|
||||
running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
|
||||
- [Win32 app isolation overview][LINK-4]
|
||||
- [Application Capability Profiler (ACP)][LINK-5]
|
||||
- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
|
||||
- [Sandboxing Python with Win32 app isolation][LINK-7]
|
||||
|
||||
## App containers
|
||||
|
||||
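Review bot: "To help ensuring that isolated applications run smoothly" introduces a grammar error the old text did not have; restore "To help ensure that". In the same area, "These capabilities enable the implantation of a Discretionary Access Control List" is carried over from the old text and should read "implementation" (or, more precisely, "are enforced through a discretionary access control list", since the capability SIDs are what the DACL entries grant), and "within and outside the isolation boundary AppContainer" lost its parentheses when the inline link was dropped, so it should be "the isolation boundary (AppContainer)". Two substantive points to confirm before merging: the rewrite removes "in public preview" from the first sentence, which changes the feature's stated support status, so check that Win32 app isolation is actually generally available as of this ms.date; and "recognized as a security boundary by Windows" replaces "by Microsoft", which was the more accurate wording because it is Microsoft's security servicing criteria that define the AppContainer sandbox as a boundary, not the operating system. Finally, the ACP paragraph no longer links to the profiler documentation inline; that is fine only because `[LINK-5]` is added to the Learn more list, so make sure that list stays attached to this section when the Windows Sandbox block below is relocated.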
@ -48,6 +40,61 @@ In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP)
|
||||
|
||||
Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
|
||||
- [Windows and app container][LINK-8]
|
||||
|
||||
## Windows Sandbox
|
||||
|
||||
Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
|
||||
|
||||
Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Windows Sandbox][LINK-9]
|
||||
|
||||
## Windows Subsystem for Linux (WSL)
|
||||
|
||||
With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
|
||||
|
||||
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
||||
|
||||
- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
|
||||
- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
|
||||
- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
|
||||
|
||||
These features can be set up using a device management solution such as Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Hyper-V Firewall][LINK-10]
|
||||
- [DNS Tunneling][LINK-11]
|
||||
- [Auto proxy][LINK-12]
|
||||
- [Intune setting for WSL][LINK-13]
|
||||
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
|
||||
|
||||
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
|
||||
|
||||
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Virtualization-based security enclave][LINK-15]
|
||||
|
||||
<!--links-->
|
||||
|
||||
[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
|
||||
[LINK-2]: /windows/win32/secauthz/access-control-lists
|
||||
[LINK-4]: /windows/win32/secauthz/app-isolation-overview
|
||||
[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
|
||||
[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
|
||||
[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
|
||||
[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations
|
||||
[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox
|
||||
[LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
|
||||
[LINK-11]: /windows/wsl/networking#dns-tunneling
|
||||
[LINK-12]: /windows/wsl/networking#auto-proxy
|
||||
[LINK-13]: /windows/wsl/intune
|
||||
[LINK-14]: /defender-endpoint/mde-plugin-wsl
|
||||
[LINK-15]: /windows/win32/trusted-execution/vbs-enclaves
|
||||
|
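Review bot: the Windows Sandbox paragraph being moved here keeps a contradiction: "Once Windows Sandbox is closed, nothing persists on the device" is followed by "permanently deleted after the untrusted Win32 application is closed". State is discarded when the sandbox itself is closed, not when the app inside it exits; fix the second sentence while moving it ("...are permanently deleted when Windows Sandbox is closed"). In the WSL section, "Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro" should say that this requires the MDE plug-in for WSL (the `[LINK-14]` target) to be installed; without that caveat readers will assume the host sensor sees into the distro on its own. Also "enforces WSL to use Windows' HTTP proxy information" should be "forces WSL to use", and "WSL containers" in the Hyper-V Firewall bullet should be "WSL distributions" to match the rest of the section. The VBS enclave paragraph says enclaves protect secrets "from admin-level attacks" and are available "on Windows 10 onwards"; add that VBS must be enabled on the device, because without it the enclave cannot be created and the protection does not apply. Minor: the link block jumps from `[LINK-2]` to `[LINK-4]`; renumber so the gap is not read as a missing reference.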
@ -1,16 +1,16 @@
|
||||
---
|
||||
title: Application security
|
||||
description: Windows 11 security book - Application security chapter.
|
||||
title: Windows 11 security book - Application security
|
||||
description: Application security chapter.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Application security
|
||||
|
||||
:::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
|
||||
|
||||
Applications are prime vectors for cyberattacks due to their frequent usage and access to valuable data. Common attempts include injection attacks that insert malicious code, man-in-the-middle attacks that intercept and potentially alter communication between users and applications, and various methods of tricking users into divulging sensitive information or changing system settings.
|
||||
|
||||
Windows 11 protects users, apps, and data with features like Windows App Control for Business and the Microsoft vulnerable driver blocklist, which help ensure that only trusted apps and drivers can run on the device.
|
||||
|
||||
:::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
|
||||
|
||||
Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
|
||||
|
||||
In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
|
||||
|
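Review bot: the image on the line starting `:::image type="content" source="images/application-security-on.png"` has `lightbox="images/application-security.png"`, so clicking the figure opens a different file than the one displayed; either both should name `application-security-on.png` or the source is wrong. Its alt text still reads "Diagram of containing a list of security features", the same typo this PR fixes on the application-isolation and cloud-services pages, so fix it here too. Naming: the intro calls the feature "Windows App Control for Business" and the closing paragraph calls it "App Control for Business (previously called Windows Defender Application Control - WDAC)"; use one form, and the parenthetical with the old name belongs on the first mention rather than the last. Finally, "injection attacks that insert malicious code" and "man-in-the-middle attacks" are too generic to tell the reader what the chapter's controls stop; one clause tying untrusted code execution to App Control and tampered or vulnerable drivers to the driver blocklist would connect the threat list to the feature list that follows.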
@ -1,58 +1,65 @@
|
||||
---
|
||||
title: Cloud services - Protect your personal information
|
||||
description: Windows 11 security book - Cloud services chapter - Protect your personal information.
|
||||
title: Windows 11 security book - Cloud services - Protect your personal information
|
||||
description: Cloud services chapter - Protect your personal information.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Protect your personal information
|
||||
|
||||
:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
|
||||
:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
|
||||
|
||||
## Microsoft Account
|
||||
## Microsoft account
|
||||
|
||||
Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
|
||||
Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android.
|
||||
|
||||
You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
|
||||
You can even go passwordless with your Microsoft account by removing the password from your MSA:
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
- Use Windows Hello to eliminate the password sign-in method for an even more secure experience
|
||||
- Use the Microsoft Authenticator app on your Android or iOS device
|
||||
|
||||
- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
## User reauthentication before password disablement
|
||||
|
||||
Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
|
||||
|
||||
This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
|
||||
- [What is a Microsoft account?][LINK-1]
|
||||
- [Go passwordless with your Microsoft account][LINK-5]
|
||||
|
||||
## Find my device
|
||||
|
||||
When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
|
||||
When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
|
||||
- [How to set up, find, and lock a lost Windows device using a Microsoft account][LINK-2]
|
||||
|
||||
## OneDrive for personal
|
||||
|
||||
Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
|
||||
Microsoft OneDrive for personal<sup>[\[10\]](conclusion.md#footnote10)</sup> offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
- If a device is lost or stolen, users can quickly recover all their important files from the cloud
|
||||
- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
|
||||
|
||||
- [OneDrive](/onedrive/plan-onedrive-enterprise)
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
|
||||
- [Get started with OneDrive][LINK-6]
|
||||
- [How to recover from a ransomware attack using Microsoft 365][LINK-7]
|
||||
- [How to restore from OneDrive][LINK-3]
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
## Personal Vault
|
||||
|
||||
- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
|
||||
Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.
|
||||
|
||||
- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
## OneDrive Personal Vault
|
||||
- [Protect your OneDrive files in Personal Vault][LINK-4]
|
||||
|
||||
OneDrive Personal Vault<sup>[\[9\]](conclusion.md#footnote9)</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
|
||||
<!--links-->
|
||||
|
||||
Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
|
||||
[LINK-1]: https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa
|
||||
[LINK-2]: https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316
|
||||
[LINK-3]: https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15
|
||||
[LINK-4]: https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4
|
||||
[LINK-5]: https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856
|
||||
[LINK-6]: https://support.microsoft.com/onedrive
|
||||
[LINK-7]: /microsoft-365/security/office-365-security/recover-from-ransomware
|
||||
|
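Review bot: footnote numbers are reassigned in this hunk without a visible matching change to `conclusion.md`: OneDrive for personal moves to `[\[10\]](conclusion.md#footnote10)`, the old "OneDrive17" residue is gone, and the Personal Vault section loses its `[\[9\]](conclusion.md#footnote9)` entirely, while the work-information page in this same PR renumbers Intune from [9] to [4]. Make sure the footnote list in conclusion.md is updated in the same change, otherwise these links resolve to the wrong notes. Find my device: the rewrite drops "can be used by the admin on the device"; that was a real requirement (turning the feature on needs a local administrator), so keep it. Passwordless: "by removing the password from your MSA:" followed by two bullets reads as if both bullets are ways to remove the password, but the Windows Hello bullet is about the device sign-in method while the Authenticator bullet is the account-side replacement; one clause distinguishing the two avoids users removing their MSA password before the replacement is set up. Personal Vault: "The second steps of verification include" should be "Second-step options include".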
@ -1,138 +1,88 @@
|
||||
---
|
||||
title: Cloud services - Protect your work information
|
||||
description: Windows 11 security book - Cloud services chapter - Protect your work information.
|
||||
title: Windows 11 security book - Cloud services - Protect your work information
|
||||
description: Cloud services chapter - Protect your work information.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/04/2024
|
||||
---
|
||||
|
||||
# Protect your work information
|
||||
|
||||
:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
|
||||
:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
|
||||
|
||||
## Microsoft Entra ID
|
||||
## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
|
||||
|
||||
Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
|
||||
Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
|
||||
|
||||
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
|
||||
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
|
||||
|
||||
To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
|
||||
:::row:::
|
||||
:::column:::
|
||||
For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
|
||||
:::column-end:::
|
||||
:::column:::
|
||||
:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="images/device-registration.png":::
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
|
||||
To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
|
||||
|
||||
Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
|
||||
|
||||
:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
|
||||
|
||||
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, it receives the following security benefits:
|
||||
When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, it receives the following security benefits:
|
||||
|
||||
- Default managed user and device settings and policies
|
||||
- Single sign-in to all Microsoft Online Services
|
||||
- Full suite of authentication management capabilities using Windows Hello for Business
|
||||
- Single sign-on (SSO) to enterprise and SaaS applications
|
||||
- No use of consumer Microsoft Account identity
|
||||
- No use of consumer Microsoft account identity
|
||||
|
||||
Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
|
||||
Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
|
||||
|
||||
In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
|
||||
|
||||
Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
|
||||
- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
|
||||
- [Microsoft Entra ID documentation][LINK-1]
|
||||
- [Microsoft Entra plans and pricing][LINK-2]
|
||||
|
||||
## Modern device management through (MDM)
|
||||
### Microsoft Entra Private Access
|
||||
|
||||
Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
|
||||
Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
|
||||
|
||||
Windows 11 built-in management features include:
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
- [Microsoft Entra Private Access][LINK-4]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
### Microsoft Entra Internet Access
- [Mobile device management overview](/windows/client-management/mdm-overview)
Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
## Microsoft security baselines
> [!NOTE]
> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
[!INCLUDE [learn-more](includes/learn-more.md)]
A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
- [Microsoft Entra Internet Access][LINK-3]
- [Global Secure Access client for Windows][LINK-6]
- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
### Enterprise State Roaming
- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
Available to any organization with a Microsoft Entra ID Premium<sup>[\[4\]](conclusion.md#footnote4)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
## MDM security baseline
[!INCLUDE [learn-more](includes/learn-more.md)]
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
The security baseline includes policies for:
## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service
- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> Conditional Access.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
## Microsoft Intune
Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
### Local Administrator Password (LAPs)
Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
### Mobile Application Management (MAM)
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
## Remote Wipe
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
## Microsoft Azure Attestation Service
Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
**Attestation policies are configured in the Azure Attestation service which can then:**
- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
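Review bot: the admonition "Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment" has a subject-verb agreement error in this hunk's NOTE block; with a plural subject it should read "require", and "Microsoft Entra Joined" is capitalized inconsistently with "Microsoft Entra joined" used later in this file. Suggest: "> Both Microsoft Entra Private Access and Microsoft Entra Internet Access require Microsoft Entra ID and Microsoft Entra joined devices for deployment." Also, the Private Access paragraph says remote workers need the Global Secure Access Client installed, but its Learn more list carries only [Microsoft Entra Private Access][LINK-4]; consider adding [Global Secure Access client for Windows][LINK-6] there as well, as the Internet Access section already does.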
@ -140,130 +90,293 @@ Remote attestation helps ensure that devices are compliant with security policie
Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Azure Attestation overview](/azure/attestation/overview)
- [Azure Attestation overview][LINK-8]
## Windows Update for Business deployment service
## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
Microsoft Defender for Endpoint<sup>[\[4\]](conclusion.md#footnote4)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[4\]](conclusion.md#footnote4)</sup>, and online assets
- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
detailed investigation outcomes
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
[!INCLUDE [learn-more](includes/learn-more.md)]
## Windows Autopatch
- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender)
Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
## Cloud-native device management
Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
Windows 11 built-in management features include:
There's a lot more to learn about Windows Autopatch:
- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers
- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service
- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team
[!INCLUDE [learn-more](includes/learn-more.md)]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Mobile device management overview][LINK-9]
- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
### Remote wipe
## Windows Autopilot and zero-touch deployment
When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
- From a user perspective, it only takes a few simple operations to get their device ready for use
- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
- Reset the device and remove user accounts and data
- Reset the device and clean the drive
- Reset the device but persist user accounts and data
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Remote wipe CSP][LINK-10]
## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune
Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[11\]](conclusion.md#footnote11)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [What is Microsoft Intune][LINK-12]
### Windows enrollment attestation
When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows enrollment attestation][LINK-13]
### Microsoft Cloud PKI
Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite<sup>[\[4\]](conclusion.md#footnote4)</sup> that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
Key features include:
- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune
- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices
- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client
- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting
With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)
### Endpoint Privilege Management (EPM)
Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Endpoint Privilege Management][LINK-14]
### Mobile application management (MAM)
With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Data protection for Windows MAM][LINK-15]
## Security baselines
Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Security baselines][LINK-11]
### Security baseline for cloud-based device management solutions
Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
The security baseline includes policies for:
- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting the use of legacy technology
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Intune security baseline overview][LINK-16]
- [List of the settings in the Windows security baseline in Intune][LINK-17]
## Windows Local Administrator Password Solution (LAPS)
Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.
[!INCLUDE [new-24h2](includes/new-24h2.md)]
Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Windows LAPS overview][LINK-18]
## Windows Autopilot
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings.
Windows Autopilot enables you to:
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
- Automatic upgrade to Enterprise Edition if required
- Restrict administrator account creation
- Create and auto-assign devices to configuration groups based on a device's profile
- Customize Out of Box Experience (OOBE) content specific to the organization
- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
- Autoenroll devices into a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> (requires a Microsoft Entra ID Premium subscription for configuration)
- Create and autoassignment of devices to configuration groups based on a device's profile
- Customize of the out-of-box experience (OOBE) content specific to your organization
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
|
||||
- [Windows Autopilot][LINK-19]
|
||||
- [Windows Autopilot Reset][LINK-20]
|
||||
|
||||
## Enterprise State Roaming with Azure
|
||||
## Windows Update for Business
|
||||
|
||||
Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility + Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
|
||||
Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Administrators can utilize group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
|
||||
|
||||
- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
|
||||
This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
|
||||
|
||||
## Universal Print
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
|
||||
- [Windows Update for Business documentation][LINK-21]
|
||||
|
||||
Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
|
||||
## Windows Autopatch
|
||||
|
||||
Universal Print supports Zero Trust security by requiring that:
|
||||
Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks.
|
||||
|
||||
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
|
||||
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
|
||||
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
|
||||
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
|
||||
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
|
||||
- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
|
||||
There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community.
|
||||
|
||||
Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
|
||||
- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
|
||||
- [Windows updates API overview](/graph/windowsupdates-concept-overview)
|
||||
- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
|
||||
- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
|
||||
|
||||
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
|
||||
## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch
|
||||
|
||||
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
|
||||
Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices.
|
||||
|
||||
Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
|
||||
By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
|
||||
- [Data handling in Universal Print](/universal-print/data-handling)
|
||||
- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
|
||||
- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
|
||||
|
||||
For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
|
||||
## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
|
||||
|
||||
## OneDrive for work or school
|
||||
|
||||
Data in OneDrive for work or school is protected both in transit and at rest.
|
||||
OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
|
||||
|
||||
When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
|
||||
|
||||
Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
|
||||
Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
|
||||
|
||||
There are several ways that OneDrive for work or school is protected at rest:
|
||||
|
||||
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)
|
||||
- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
|
||||
- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
|
||||
- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
|
||||
- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
|
||||
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
|
||||
|
||||
## MDM enrollment certificate attestation
|
||||
## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print
|
||||
|
||||
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
|
||||
Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
|
||||
|
||||
- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
|
||||
Universal Print supports Zero Trust security by requiring that:
|
||||
|
||||
- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
|
||||
- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
|
||||
- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
|
||||
- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
|
||||
- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
|
||||
- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
|
||||
|
||||
Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, admins can now configure policy settings to provision specific printers onto the user's Windows devices.
|
||||
|
||||
Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
|
||||
|
||||
More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
|
||||
|
||||
The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
|
||||
|
||||
Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
|
||||
|
||||
For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Universal Print][LINK-26]
|
||||
- [Data handling in Universal Print][LINK-27]
|
||||
- [Delegate Printer Administration with Administrative Units][LINK-28]
|
||||
- [Print support app design guide][LINK-29]
|
||||
|
||||
<!--links-->
|
||||
|
||||
[LINK-1]: /entra
|
||||
[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing
|
||||
[LINK-3]: /entra/global-secure-access/concept-internet-access
|
||||
[LINK-4]: /entra/global-secure-access/concept-private-access
|
||||
[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access
|
||||
[LINK-6]: /entra/global-secure-access/how-to-install-windows-client
|
||||
[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable
|
||||
[LINK-8]: /azure/attestation/overview
|
||||
[LINK-9]: /windows/client-management/mdm-overview
|
||||
[LINK-10]: /windows/client-management/mdm/remotewipe-csp
|
||||
[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
|
||||
[LINK-12]: /mem/intune/fundamentals/what-is-intune
|
||||
[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation
|
||||
[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3
|
||||
[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3
|
||||
[LINK-16]: /mem/intune/protect/security-baselines
|
||||
[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all
|
||||
[LINK-18]: /windows-server/identity/laps/laps-overview
|
||||
[LINK-19]: /autopilot/overview
|
||||
[LINK-20]: /mem/autopilot/windows-autopilot-reset
|
||||
[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb
|
||||
[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw
|
||||
[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
|
||||
[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
|
||||
[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
|
||||
[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
|
||||
[LINK-27]: /universal-print/data-handling
|
||||
[LINK-28]: /universal-print/portal/delegated-admin
|
||||
[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide
|
||||
|
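Review bot: the rewritten Windows Autopilot bullets introduce grammar errors that the bullets they replace did not have: `- Create and autoassignment of devices to configuration groups based on a device's profile` should read "Create and auto-assign devices to configuration groups based on a device's profile" (as the older bullet does), and `- Customize of the out-of-box experience (OOBE) content specific to your organization` should read "Customize the out-of-box experience (OOBE) content specific to your organization". Further down, the Universal Print bullet `- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data` is carried over unchanged; TLS 1.2 is the protocol actually in use and SSL is its deprecated predecessor, so "uses TLS 1.2" is what a reader checking a compliance requirement expects, and the second sentence needs "protects against network snooping". Two smaller wording slips survive on the new side as well: "exploit vulnerabilities in driver model" needs "in the driver model", and "stores the print data in cloud securely in Office Storage" needs "in the cloud". The three "can be found [here][LINK-24]" / "[here][LINK-25]" links use "here" as link text, which is an accessibility problem for screen-reader users who navigate by link; use descriptive text such as "Microsoft 365 data handling" and "Universal Print secure release configuration". Finally, heading icons are inconsistent within this file: the Universal Print and Windows Hotpatch headings carry a :::image type="icon" prefix while Windows Autopatch, Windows Update for Business and OneDrive for work or school do not; since the links in conclusion.md show that an icon heading gets a dash-prefixed anchor (#-windows-hotpatch), any heading that gains or loses an icon also needs its cross-references updated.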
@ -1,16 +1,16 @@
|
||||
---
|
||||
title: Cloud services
|
||||
description: Windows 11 security book - Cloud services chapter.
|
||||
title: Windows 11 security book - Cloud services
|
||||
description: Cloud services chapter.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Cloud services
|
||||
|
||||
:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
|
||||
|
||||
:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
|
||||
The workplace is constantly evolving, with many users working outside the office at least some of the time. While remote work and cloud services provide more flexibility, they also result in more endpoints and locations for organizations to worry about.
|
||||
|
||||
Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
|
||||
Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
|
||||
|
||||
From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
|
||||
:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::
|
||||
|
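Review bot: the new frontmatter `description: Cloud services chapter.` drops the book context that the conclusion file's new description keeps (`description: Windows 11 security book conclusion.`); since the title was changed to `title: Windows 11 security book - Cloud services`, make the description follow the same pattern, for example "Windows 11 security book - Cloud services chapter.", so search snippets stay consistent across the book's pages. The alt-text correction from "Diagram of containing" to "Diagram containing a list of security features." is right, but the alt text still does not convey which features the diagram lists; because the image is a lightbox that enumerates features, either name them in the alt text or add a sentence pointing to the section list so screen-reader users get the same information as sighted readers.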
@ -1,13 +1,13 @@
|
||||
---
|
||||
title: Conclusion
|
||||
description: Conclusion
|
||||
title: Windows 11 security book - Conclusion
|
||||
description: Windows 11 security book conclusion.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Conclusion
|
||||
|
||||
We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
|
||||
We will continue to innovate with security by design and security by default at the heart of every new Windows 11 PC and Windows 11 IoT device. This commitment ensures that our products not only meet, but exceed, the security expectations of our customers by providing robust protection against modern cyber threats while maintaining ease-of-use and performance. By integrating advanced security measures from the ground up, we aim to create a safer digital environment for everyone.
|
||||
|
||||
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
|
||||
|
||||
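Review bot: in the rewritten opening paragraph, "ease-of-use" is used as a noun and should be written "ease of use" (hyphenate only when it modifies a following noun), and "not only meet, but exceed, the security expectations" should drop the commas, since "not only ... but" joins the two verbs directly. The rest of the paragraph is a statement of intent rather than a technical claim, so nothing else needs changing.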
@ -15,31 +15,30 @@ We will continue to bring you new features to protect against evolving threats,
|
||||
|
||||
New:
|
||||
|
||||
- Config Refresh
|
||||
- 5G and eSIM
|
||||
- Win32 apps in isolation (public preview)
|
||||
- Passkey
|
||||
- Sign-in Session Token Protection
|
||||
- Windows Local Administrator Password Solution (LAPS) (public preview)
|
||||
- Microsoft Intune Suite Endpoint Privilège Management (EPM)
|
||||
- Microsoft Intune Suite Endpoint Privilege Management (EPM)
|
||||
- [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
|
||||
- [Config Refresh](operating-system-security-system-security.md#-config-refresh)
|
||||
- [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
|
||||
- [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
|
||||
- [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
|
||||
- [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
|
||||
- [Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
|
||||
- [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
|
||||
- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
|
||||
|
||||
Enhanced:
|
||||
|
||||
- Hardware security user experience
|
||||
- BitLocker to go
|
||||
- Device encryption
|
||||
- Windows Firewall
|
||||
- Server Message Block direct
|
||||
- Smart App Control (SAC) going into Enforcement mode
|
||||
- Application Control for Business
|
||||
- Enhanced Sign-in security (ESS)
|
||||
- Windows Hello for Business
|
||||
- Presence Detection
|
||||
- Wake on approach, lock on leave
|
||||
- Universal Print
|
||||
- Lockout policies for local admin
|
||||
- Enhanced Phishing protection
|
||||
- [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
|
||||
- [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
|
||||
- [Device encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
|
||||
- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
|
||||
- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys)
|
||||
- [Personal data encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
|
||||
- [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
|
||||
- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
|
||||
- [Windows Hello PIN](identity-protection-passwordless-sign-in.md#windows-hello-pin)
|
||||
- [Windows Firewall](operating-system-security-network-security.md#windows-firewall)
|
||||
- [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
|
||||
- [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
|
||||
|
||||
## Document revision history
|
||||
|
||||
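Review bot: `- [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)` is placed under New:, but the heading it links to in this same commit is rendered with images/soon-button-title.svg, which marks the feature as upcoming; the old list flagged such items explicitly with "(public preview)", so either add a similar qualifier or keep it out of the shipped-features list until it ships. The items dropped from the old Enhanced: list (Universal Print, Windows Hello for Business, Enhanced Sign-in security (ESS), Presence Detection, Smart App Control, Application Control for Business) should be dropped deliberately; this commit still edits the Universal Print section, so if that feature was enhanced in this release it belongs in the list. The anchors also mix the dash-prefixed form used for icon headings (#-administrator-protection, #-config-refresh) with plain ones (#bitlocker, #windows-local-administrator-password-solution-laps); each one must match whether its target heading carries an icon, otherwise the link silently lands at the top of the target page.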
@ -48,30 +47,27 @@ Enhanced:
|
||||
|November 2021 |Link updates and formatting.|
|
||||
|February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.|
|
||||
|April 2022| Added Upcoming features section.|
|
||||
| September 2022| Updates with Windows 11 2022 Update features and enhancements.|
|
||||
|September 2022| Updates with Windows 11, version 22H2, features and enhancements.|
|
||||
|April 2023| Minor edits and updates to edition availability.|
|
||||
|September 2023| Updates with Windows 11 2023 Update features and enhancement.|
|
||||
|May 2024| Move form PDF format to web format.|
|
||||
|September 2023| Updates with Windows 11, version 23H2, features and enhancements.|
|
||||
|May 2024| Move from PDF format to web format.|
|
||||
|November 2024| Updates with Windows 11, version 24H2, features and enhancements.|
|
||||
|
||||
## Endnotes
|
||||
|
||||
<sup><a name="footnote1"></a>1</sup> "2023 Data Breach Investigations Report" - Verizon, 2023.\
|
||||
<sup><a name="footnote2"></a>2</sup> "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
|
||||
<sup><a name="footnote3"></a>3</sup> Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
|
||||
<sup><a name="footnote4"></a>4</sup> Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
|
||||
<sup><a name="footnote5"></a>5</sup> Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
|
||||
<sup><a name="footnote6"></a>6</sup> Requires developer enablement.\
|
||||
<sup><a name="footnote7"></a>7</sup> Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
<sup><a name="footnote8"></a>8</sup> Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
<sup><a name="footnote9"></a>9</sup> Sold separately.\
<sup><a name="footnote"></a>10</sup> Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\
<sup><a name="footnote"></a>11</sup> Microsoft internal data.\
<sup><a name="footnote"></a>12</sup> Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\
<sup><a name="footnote"></a>13</sup> Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\
<sup><a name="footnote"></a>14</sup> Hardware dependent.\
<sup><a name="footnote"></a>15</sup> Microsoft 365 E3 or E5 required; sold separately.\
<sup><a name="footnote"></a>16</sup> The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\
<sup><a name="footnote"></a>17</sup> All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.
||Details|
|-|-|
|**<sup><a name="footnote1"></a>1</sup>**| [Microsoft digital defense report, CISO executive summary, October 2023](https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2023).|
|**<sup><a name="footnote2"></a>2</sup>**| Windows 11 Survey Report. Techaisle, September 2024. Windows 11 results are in comparison with Windows 10 devices.|
|**<sup><a name="footnote3"></a>3</sup>**| Requires developer enablement.|
|**<sup><a name="footnote4"></a>4</sup>**| Sold separately.|
|**<sup><a name="footnote5"></a>5</sup>**| The Passkey can be saved locally to the Windows device and authenticated via Windows Hello or Windows Hello for Business. Hardware dependent.|
|**<sup><a name="footnote6"></a>6</sup>**| Commissioned study delivered by Forrester Consulting "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note, quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
|**<sup><a name="footnote7"></a>7</sup>**| Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
|**<sup><a name="footnote8"></a>8</sup>**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
|**<sup><a name="footnote9"></a>9</sup>**| Hardware dependent.|
|**<sup><a name="footnote10"></a>10</sup>**|All users with a Microsoft account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
|**<sup><a name="footnote11"></a>11</sup>**|The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|

---

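Review bot: the old footnote block reused the same `name="footnote"` anchor for notes 10 through 17, so an in-text superscript link could never target a specific one of them; the new table gives every note a unique anchor (`footnote1` through `footnote11`), which is the right fix. Because the numbering also shifts (the December 2022 Forrester study moves from 8 to 6, email encryption from 10 to 8, OneDrive storage from 17 to 10, the June 2020 Forrester study from 16 to 11), confirm the superscripts in the body pages were renumbered to match. Note also that the Entra ID Basic, Entra ID Premium, Microsoft 365 E3/E5 and "Microsoft internal data" notes have no counterpart in the new table, so any body text that still cites them will point at nothing.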
@ -89,4 +85,4 @@ Enhanced:
>
> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
>
> Part No. May 2024
> Part No. November 2024

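Review bot: "Part No. November 2024" (and the "Part No. May 2024" line it replaces) has no part number after "Part No."; if the line is meant as a revision date, drop "Part No." and label it as a date, otherwise supply the actual number.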
windows/security/book/features-index.md
Normal file
@ -1,35 +1,47 @@
---
title: Hardware root-of-trust
description: Windows 11 security book - Hardware root-of-trust.
title: Windows 11 security book - Hardware root-of-trust
description: Hardware root-of-trust.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---

# Hardware root-of-trust

:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::

## Trusted Platform Module (TPM)

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]

- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
- [Windows 11 TPM specifications][LINK-1]
- [Enable TPM 2.0 on your PC][LINK-2]
- [Trusted Platform Module Technology Overview][LINK-3]

## Microsoft Pluton security processor

The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.

Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update.

As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution.

Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.

- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4]
- [Microsoft Pluton security processor][LINK-5]

<!--links-->

[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications
[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c
[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview
[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor

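Review bot: the rewritten TPM paragraph carries over the typo "existing Windows 10 devices much meet minimum system requirements" from the old text; it should read "must meet". In the added Copilot+ paragraph, "Copilot + PC" should be written "Copilot+ PC" as the product is branded, "Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms" repeats "processor", and there is a stray space before the final period in "security subsystem .". The Tock paragraph's sentence "in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system" reads as though choosing Tock is what facilitates updates; splitting it into one sentence on firmware updates and one on the Rust-based Tock foundation would make the memory-safety point land on its own.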
@ -1,82 +1,114 @@
|
||||
---
|
||||
title: Silicon assisted security
|
||||
description: Windows 11 security book - Silicon assisted security.
|
||||
title: Windows 11 security book - Silicon assisted security
|
||||
description: Silicon assisted security.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Silicon assisted security
|
||||
|
||||
:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
|
||||
:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
|
||||
|
||||
In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
|
||||
In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more.
|
||||
|
||||
## Secured kernel
|
||||
|
||||
To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
|
||||
To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
|
||||
|
||||
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
||||
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
||||
### Virtualization-based security (VBS)
|
||||
|
||||
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
||||
:::row:::
|
||||
:::column:::
|
||||
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
||||
:::column-end:::
|
||||
:::column:::
|
||||
:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png" border="false":::
|
||||
:::column-end:::
|
||||
:::row-end:::
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
||||
|
||||
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||
- [Virtualization-based security (VBS)][LINK-1]
|
||||
|
||||
### Hypervisor-protected code integrity (HVCI)
|
||||
|
||||
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||
|
||||
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
|
||||
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
||||
- [Enable virtualization-based protection of code integrity][LINK-2]
|
||||
|
||||
## Hardware-enforced stack protection
|
||||
### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
|
||||
|
||||
Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
|
||||
Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
|
||||
|
||||
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
|
||||
### Hardware-enforced stack protection
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
|
||||
|
||||
- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
|
||||
- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
|
||||
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
|
||||
|
||||
## Kernel Direct Memory Access (DMA) protection
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
|
||||
- [Understanding Hardware-enforced Stack Protection][LINK-3]
|
||||
- [Developer Guidance for hardware-enforced stack protection][LINK-4]
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
## Kernel direct memory access (DMA) protection
|
||||
|
||||
- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
|
||||
Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
|
||||
|
||||
## Secured-core PC
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
|
||||
- [Kernel direct memory access (DMA) protection][LINK-5]
|
||||
|
||||
Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
|
||||
## Secured-core PC and Edge Secured-Core
|
||||
|
||||
Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
|
||||
The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows.
|
||||
|
||||
Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
|
||||
Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection.
|
||||
|
||||
In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
|
||||
Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
### Dynamic Root of Trust for Measurement (DRTM)
In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface.
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
- [System Guard Secure Launch][LINK-6]
- [Firmware Attack Surface Reduction][LINK-7]
- [Windows 11 secured-core PCs][LINK-8]
- [Edge Secured-Core][LINK-9]
## Secured-core configuration lock
### Configuration lock
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift.
- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Secured-core PC configuration lock][LINK-10]
<!--links-->
[LINK-1]: /windows-hardware/design/device-experiences/oem-vbs
[LINK-2]: /windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
[LINK-3]: https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815
[LINK-4]: https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340
[LINK-5]: /windows/security/hardware-security/kernel-dma-protection-for-thunderbolt
[LINK-6]: /windows/security/hardware-security/system-guard-secure-launch-and-smm-protection
[LINK-7]: /windows-hardware/drivers/bringup/firmware-attack-surface-reduction
[LINK-8]: /windows-hardware/design/device-experiences/oem-highly-secure-11
[LINK-9]: /en-us/azure/certification/overview
[LINK-10]: /windows/client-management/mdm/config-lock
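Review bot: the first sentence of the SMM paragraph, "System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor", conflates the mode with the mitigation: SMM is the execution mode with the higher effective privilege, and SMM isolation is the policy that constrains it, so the next sentence, "SMM complements the protections provided by DRTM", should also read "SMM isolation complements". Suggested wording: "System Management Mode (SMM) is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM isolation complements the protections provided by DRTM by helping to reduce the attack surface." In the same paragraph, check the verifier name; the service is Microsoft Azure Attestation rather than "Microsoft Azure Remote Attestation". Two smaller items: "Built-in hypervisor-protected code integrity (HVCI) shield system memory" in the opening paragraph needs "shields", and the definition `[LINK-9]: /en-us/azure/certification/overview` carries a locale prefix that none of the other relative link targets in this block have, so it should be `/azure/certification/overview` to match them.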
@ -1,16 +1,16 @@
---
title: Hardware security
description: Windows 11 security book - Hardware security chapter.
title: Windows 11 security book - Hardware security
description: Hardware security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Hardware security
:::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
Today's ever-evolving threats require strong alignment between hardware and software to keep users, data, and devices protected. The operating system and software alone can't defend against the wide range of tools used by cybercriminals to steal credentials, take data, and implant malware.
Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
In partnership with our silicon and device manufacturing partners, Windows 11 devices shield software, hardware, and firmware with features like Trusted Platform Module (TPM) 2.0, Microsoft Pluton, and Virtualization-based security (VBS). Windows 11 devices provide hardware-backed protection by default to significantly improve security while maintaining the performance that users expect.
With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
:::image type="content" source="images/hardware-on.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
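Review bot: the chapter image line kept in the new version (`:::image type="content" source="images/hardware-on.png" ... lightbox="images/hardware.png"`) displays one file and enlarges a different one; confirm that both files exist and that the mismatch is intentional, otherwise point `lightbox` at `images/hardware-on.png` as well. One style point: the new intro paragraph beginning "Today's ever-evolving threats require strong alignment between hardware and software technologies" uses "cannot" twice, while the passwordless sign-in change in this same commit rewrites "cannot" to "can't" ("PIN and biometric data stay on the device and can't be stored or accessed externally"), so the two chapters now follow different contraction styles.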
@ -1,85 +1,98 @@
---
title: Identity protection - Advanced credential protection
description: Windows 11 security book -Identity protection chapter.
title: Windows 11 security book - Advanced credential protection
description: Identity protection chapter - Advanced credential protection.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Advanced credential protection
:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
## Enhanced phishing protection with Microsoft Defender SmartScreen
As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
## Local Security Authority (LSA) protection
Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [new-24h2](includes/new-24h2.md)]
- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Configuring additional LSA protection][LINK-2]
## Credential Guard
Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
:::row:::
:::column:::
Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
:::column-end:::
:::column:::
:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="images/credential-guard-architecture.png" border="false":::
:::column-end:::
:::row-end:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [new-24h2](includes/new-24h2.md)]
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Protect derived domain credentials with Credential Guard][LINK-3]
## Remote Credential Guard
Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
- [Remote Credential Guard][LINK-4]
## Token protection
## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[9\]](conclusion.md#footnote9)</sup> can be configured to require token protection when using sign-in tokens for specific services.
VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
- [Advancing key protection in Windows using VBS][LINK-8]
## Sign-in session token protection policy
## Token protection (preview)
At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[4\]](conclusion.md#footnote4)</sup> can be configured to require token protection when using sign-in tokens for specific services.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
- [Token protection in Entra ID Conditional Access][LINK-5]
### Sign-in session token protection policy
This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
## Account lockout policies
New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
- [Account lockout policy][LINK-6]
## Access management and control
Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions.
Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
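Review bot: the token protection paragraph changes its footnote anchor from `conclusion.md#footnote9` to `conclusion.md#footnote4`; make sure conclusion.md was renumbered in the same change, otherwise the link lands on the wrong note or on nothing. Other points in this hunk: the LSA protection sentence "For upgrades, it is enabled after rebooting after an evaluation period of 10 days" stacks two "after" clauses and would read better as "For upgrades, it is enabled on the first reboot after a 10-day evaluation period"; the old Credential Guard sentence began "Enabled by default in Windows 11 Enterprise" and the rewritten one drops that statement, so confirm the omission is deliberate rather than lost context; the account lockout paragraph italicizes *Allow Administrator account lockout* but leaves "Reset account lockout counter after" plain, so the two policy names should be formatted the same way; the VBS key protection paragraph ends with "preventing exfiltration attacks by any admin-level attacker", which overstates it, because what the paragraph actually describes (keys can't be dumped from process memory or exported in plain text) prevents export of the key material, not an administrator using the key on the device, so "preventing exfiltration of the key material, even by an admin-level attacker" would be accurate; and the heading "## Token protection (preview)" keeps "(preview)" while the link text under it, "Token protection in Entra ID Conditional Access", drops it, so the two should agree.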
@ -87,10 +100,20 @@ IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Access control](/windows/security/identity-protection/access-control/access-control)
- [Access control][LINK-7]
<!--links-->
[LINK-2]: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
[LINK-3]: /windows/security/identity-protection/credential-guard
[LINK-4]: /windows/security/identity-protection/remote-credential-guard
[LINK-5]: /azure/active-directory/conditional-access/concept-token-protection
[LINK-6]: /windows/security/threat-protection/security-policy-settings/account-lockout-policy
[LINK-7]: /windows/security/identity-protection/access-control/access-control
[LINK-8]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988
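Review bot: the link definitions in this hunk start at `[LINK-2]` and there is no `[LINK-1]`, while the enhanced phishing protection entry near the top of this file ("- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/...)") is the only "Learn more" link left inline after every other one in the file was converted to reference style; either convert that link to `[LINK-1]` with a matching definition here, or renumber the definitions so they start at 1. A style point in the list above: the bullet "Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, ..." is the only item that runs to two sentences, and the least-privilege sentence would sit better as its own bullet.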
@ -1,172 +1,243 @@
---
title: Identity protection - Passwordless sign-in
description: Windows 11 security book -Identity protection chapter.
title: Windows 11 security book - Passwordless sign-in
description: Identity protection chapter - Passwordless sign-in.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Passwordless sign-in
:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services.
## Windows Hello
Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
## Windows Hello for Business
[!INCLUDE [learn-more](includes/learn-more.md)]
Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
- [Configure Windows Hello][LINK-1]
## Windows Hello for Business Passwordless
Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
|
||||
|
||||
During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
|
||||
|
||||
Provisioning methods include:
|
||||
|
||||
- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
|
||||
- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
|
||||
|
||||
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
|
||||
|
||||
Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
|
||||
|
||||
Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
|
||||
|
||||
## Windows Hello PIN
|
||||
### Windows Hello PIN
|
||||
|
||||
The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
|
||||
|
||||
The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
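The following PowerShell is an added example, not code from the Windows security book: it reads the Windows Hello for Business PIN policy a device has received and the TPM lockout counters that enforce the brute-force protection described above. The registry value names follow the PIN Complexity and Use Windows Hello for Business policies; the baseline it checks against (minimum length 6, TPM required, no expiration) is an assumption for illustration, not a Microsoft requirement.

```powershell
# Added example (not from the Windows security book): audit the Windows Hello for Business
# PIN policy on this device and the TPM anti-hammering state that backs the PIN.
# Run in an elevated PowerShell session on the Windows 11 device being checked.

# Policy-delivered PIN settings land under this key (PIN Complexity policy). Value names:
# MinimumPINLength, MaximumPINLength, Digits, LowercaseLetters, UppercaseLetters,
# SpecialCharacters, Expiration, History. Absent value = Windows default.
$pinPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
$whfbKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-WhfbPinPolicy {
    $result = [ordered]@{}
    if (Test-Path $pinPolicyKey) {
        $props = Get-ItemProperty -Path $pinPolicyKey
        foreach ($name in 'MinimumPINLength', 'MaximumPINLength', 'Digits', 'LowercaseLetters',
                          'UppercaseLetters', 'SpecialCharacters', 'Expiration', 'History') {
            $result[$name] = $props.$name      # $null when the policy leaves the default
        }
    }
    if (Test-Path $whfbKey) {
        $props = Get-ItemProperty -Path $whfbKey
        $result['WHfBEnabled']           = $props.Enabled                # "Use Windows Hello for Business"
        $result['RequireSecurityDevice'] = $props.RequireSecurityDevice  # 1 = keys must be TPM-backed
    }
    [pscustomobject]$result
}

function Test-PinPolicyBaseline {
    param([pscustomobject]$Policy)
    # Assumed baseline (illustrative): at least 6 characters, TPM required, no forced
    # expiration (expiry adds nothing against guessing once the TPM lockout is in place).
    $findings = @()
    if (-not $Policy.MinimumPINLength -or $Policy.MinimumPINLength -lt 6) {
        $findings += 'MinimumPINLength below 6 or left at default'
    }
    if ($Policy.RequireSecurityDevice -ne 1) {
        $findings += 'RequireSecurityDevice is not 1: Windows Hello keys are not required to be TPM-backed'
    }
    if ($Policy.Expiration -and $Policy.Expiration -gt 0) {
        $findings += "PIN expiration is $($Policy.Expiration) days; the TPM lockout already limits guessing"
    }
    $findings
}

# TPM lockout (anti-hammering) state. A recovered device reporting LockedOut=True has
# already absorbed too many wrong guesses. Get-Tpm is in the TrustedPlatformModule module.
function Get-TpmLockoutState {
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        LockoutMax      = $tpm.LockoutMax
        LockoutHealTime = $tpm.LockoutHealTime
    }
}

$policy = Get-WhfbPinPolicy
$policy | Format-List
Test-PinPolicyBaseline -Policy $policy | ForEach-Object { Write-Warning $_ }
Get-TpmLockoutState | Format-List
```

`LockoutCount` climbing toward `LockoutMax` on a device that should be idle is worth a look: the TPM is the only component that sees every PIN attempt, so its counter is the ground truth for guessing activity, independent of what the sign-in screen shows.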

[!INCLUDE [new-24h2](includes/new-24h2.md)]

Windows Hello now uses Virtualization-based Security (VBS) by default to isolate credentials, including on devices without built-in biometrics. This added layer of protection helps guard against attacks by code running with administrator privileges. Even when you sign in with a PIN, your credentials are stored in an isolated container, so the protection applies on devices with or without built-in biometric sensors.

### Windows Hello biometric

Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter a PIN; the user's face or fingerprint is the credential.

Windows devices that support biometric hardware, such as fingerprint readers or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.

If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication only after it's validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Windows Hello biometric requirements][LINK-4]

## Windows presence sensing

Windows presence sensing<sup>[\[9\]](conclusion.md#footnote9)</sup> provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.

Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically lock the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.

## Developer APIs and app privacy support for presence sensing

Privacy is top of mind and more important than ever. Customers want greater transparency and control over the use of their information. The app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.

Users can also take advantage of more granular settings to enable and disable individual presence sensing features like wake on approach, lock on leave, and adaptive dimming. New presence sensing APIs support developers of third-party applications, which can now access user presence information on devices with presence sensors, subject to the app privacy setting.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Presence sensing][LINK-7]

- [Manage presence sensing settings in Windows 11][LINK-8]

## Windows Hello for Business

Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.

After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.

Provisioning methods include:

- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password

- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID

- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app

Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a device-bound key pair or certificate and a PIN or biometric data. During provisioning, this credential is mapped to the user's account, so the secret that proves identity never leaves the device.

There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Windows Hello for Business overview][LINK-2]

- [Enable passkeys (FIDO2) for your organization][LINK-9]

### PIN reset

The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.

Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The user must authenticate to Microsoft Entra ID, including completing multifactor authentication, before a new PIN can be set.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [PIN reset][LINK-15]

### Multi-factor unlock

For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two distinct trusted signals to sign in. For example, a PIN or biometric (face or fingerprint) as the first factor, combined with a different second factor such as a PIN, a trusted Bluetooth device, an IP configuration, or a Wi-Fi network.

Multi-factor unlock is useful for organizations that need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Multi-factor unlock][LINK-6]

### Windows passwordless experience

**Windows Hello for Business now supports a fully passwordless experience.**

IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet: the password still exists as a credential, so directory-side protections for it still apply. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as the Microsoft PIN reset service or web sign-in.

Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Windows passwordless experience][LINK-3]

## Enhanced Sign-in Security (ESS)

Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.

Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data, and to secure the pathway by which the information is communicated.

These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement the Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.

Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations; check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Windows Hello Enhanced Sign-in Security][LINK-5]

## FIDO2

The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. The FIDO Alliance and the World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for strong, phishing-resistant, user-friendly, and privacy-preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.

Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.

### Passkeys

Windows 11 makes it much harder for attackers who exploit stolen passwords via phishing by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.

A passkey is a unique, unguessable cryptographic credential: a private key that is securely stored on the device, paired with a public key registered with the site or app. The credential is bound to the site it was registered for, so a lookalike phishing site can't use it. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browser or app that supports them for sign-in.

Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
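To make the phishing resistance concrete, here is a simulated passkey sign-in in PowerShell using .NET's ECDsa. It is an added example, not code from the page or from Windows: the relying party ID `login.example.com`, the lookalike origin, and the in-process "authenticator" are hypothetical, and the signature is left in the raw r||s form .NET produces rather than the DER encoding WebAuthn uses on the wire. It also illustrates the sentence in the PIN section above: the PIN only unlocks a key, and what the server receives is a signature over its own challenge.

```powershell
# Added example (not part of the Windows security book): a simulated passkey sign-in
# showing the checks a relying party (RP) performs and why a lookalike site cannot reuse
# the credential. Everything runs in one process for illustration; in reality the private
# key never leaves Windows Hello (TPM/VBS) or the security key.
# Requires Windows PowerShell 5.1 on .NET Framework 4.7+ or PowerShell 7 (ECDsa/ECCurve).

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-Challenge {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-Base64Url $bytes
}

# --- Registration: the authenticator creates a P-256 key pair bound to the RP ID (assumed).
$rpId   = 'login.example.com'
$origin = "https://$rpId"
$authenticatorKey = [System.Security.Cryptography.ECDsa]::Create(
    [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
$rpStoredPublicKey = $authenticatorKey.ExportParameters($false)   # RP keeps only the public half
$rpStoredCounter   = [uint32]0

# Authenticator side: build clientDataJSON (normally done by the browser/platform, which
# fills in the origin the user is really on) and authenticatorData, then sign both.
function New-Assertion {
    param([System.Security.Cryptography.ECDsa]$Key, [string]$RpId, [string]$Origin,
          [string]$Challenge, [uint32]$Counter)
    $clientDataJson = [Text.Encoding]::UTF8.GetBytes(
        '{"type":"webauthn.get","challenge":"' + $Challenge + '","origin":"' + $Origin + '"}')
    $rpIdHash = $sha256.ComputeHash([Text.Encoding]::UTF8.GetBytes($RpId))
    $flags = [byte]0x05                                   # UP (0x01) | UV (0x04): PIN/biometric done
    $counterBytes = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }   # big-endian on the wire
    $authData = [byte[]]($rpIdHash + $flags + $counterBytes)                 # 32 + 1 + 4 bytes
    $signed   = [byte[]]($authData + $sha256.ComputeHash($clientDataJson))
    [pscustomobject]@{
        ClientDataJSON    = $clientDataJson
        AuthenticatorData = $authData
        Signature         = $Key.SignData($signed, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    }
}

# Relying-party side: the checks an RP must make before accepting the sign-in.
function Test-Assertion {
    param($Assertion, [System.Security.Cryptography.ECParameters]$PublicKey, [string]$RpId,
          [string]$ExpectedOrigin, [string]$ExpectedChallenge, [uint32]$LastCounter)
    $client = [Text.Encoding]::UTF8.GetString($Assertion.ClientDataJSON) | ConvertFrom-Json
    if ($client.type -ne 'webauthn.get')          { return 'reject: wrong ceremony type' }
    if ($client.challenge -ne $ExpectedChallenge) { return 'reject: challenge mismatch (replay)' }
    if ($client.origin -ne $ExpectedOrigin)       { return 'reject: origin mismatch (phishing site)' }
    $expectedRpIdHash = $sha256.ComputeHash([Text.Encoding]::UTF8.GetBytes($RpId))
    $rpIdHash = [byte[]]$Assertion.AuthenticatorData[0..31]
    if ([Convert]::ToBase64String($rpIdHash) -ne [Convert]::ToBase64String($expectedRpIdHash)) {
        return 'reject: rpIdHash mismatch (credential scoped to another site)'
    }
    if (($Assertion.AuthenticatorData[32] -band 0x04) -eq 0) { return 'reject: user not verified' }
    $counterBytes = [byte[]]$Assertion.AuthenticatorData[33..36]
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }
    if ([BitConverter]::ToUInt32($counterBytes, 0) -le $LastCounter) { return 'reject: counter did not increase (cloned key?)' }
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($PublicKey)
    $signed = [byte[]]($Assertion.AuthenticatorData + $sha256.ComputeHash($Assertion.ClientDataJSON))
    if (-not $verifier.VerifyData($signed, $Assertion.Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)) {
        return 'reject: bad signature'
    }
    'accept'
}

# 1. Genuine sign-in at the real origin.
$challenge = New-Challenge
$good = New-Assertion -Key $authenticatorKey -RpId $rpId -Origin $origin -Challenge $challenge -Counter 1
Test-Assertion -Assertion $good -PublicKey $rpStoredPublicKey -RpId $rpId -ExpectedOrigin $origin `
    -ExpectedChallenge $challenge -LastCounter $rpStoredCounter                    # accept

# 2. Adversary-in-the-middle phishing page at a lookalike origin relaying the real challenge.
#    A real browser would not even offer the credential here (rpId must match the page's
#    domain); the simulation signs anyway to show that the RP still rejects it.
$phished = New-Assertion -Key $authenticatorKey -RpId $rpId -Origin 'https://login-example.com' -Challenge $challenge -Counter 2
Test-Assertion -Assertion $phished -PublicKey $rpStoredPublicKey -RpId $rpId -ExpectedOrigin $origin `
    -ExpectedChallenge $challenge -LastCounter $rpStoredCounter                    # reject: origin mismatch

# 3. Replaying a captured assertion against a later challenge.
Test-Assertion -Assertion $good -PublicKey $rpStoredPublicKey -RpId $rpId -ExpectedOrigin $origin `
    -ExpectedChallenge (New-Challenge) -LastCounter 1                               # reject: challenge mismatch
```

Two points the simulation makes visible: the origin check is possible only because the browser, not the page, writes `clientDataJSON`, and the fresh challenge is what stops a captured assertion from being replayed. A password has neither property, which is why a proxy phishing kit works against passwords and one-time codes but not against a passkey.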

:::row:::

:::column span="2":::

[!INCLUDE [coming-soon](includes/coming-soon.md)]

The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.

:::column-end:::

:::column span="2":::

:::image type="content" border="false" source="images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers." lightbox="images/passkey-save-3p.png":::

:::column-end:::

:::row-end:::

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Support for passkeys in Windows][LINK-10]

- [Enable passkeys (FIDO2) for your organization][LINK-9]

## Microsoft Authenticator

The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phishing-resistant method to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.

Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.

Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.

Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11]

## Web sign-in

With web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign-in also enables federated sign-in with a SAML-P identity provider.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Web sign-in for Windows][LINK-13]

## Federated sign-in

Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Shared device support allows multiple students (one at a time) to use the same device throughout the school day.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Configure federated sign-in for Windows devices][LINK-14]

## Smart cards

Organizations can also opt for smart cards, an authentication method that predates biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.

Smart cards provide:

- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation

- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card

- Portability of credentials and other private information between computers at work, home, or on the road

Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.

When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates (the PKINIT extension), so the private key on the card, not a password-derived key, proves the user's identity. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
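As an added example (not from the page), the following PowerShell lists the current user's certificates and flags the ones a smart card or certificate-based logon could actually use: the Smart Card Logon EKU, a UPN in the Subject Alternative Name, an unexpired validity period, and a private key held by a smart card or TPM provider rather than a software key store. Treating the EKU as required and matching on those two provider names are assumptions that reflect default domain logon behaviour; an environment that allows certificates without the EKU, or uses a vendor key storage provider, would adjust them.

```powershell
# Added example (not from the Windows security book): report which of the current user's
# certificates are usable for smart card / certificate-based logon, and where each key lives.
# Reading a smart card key's provider may require the card to be inserted.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'         # Client Authentication
$SanOid            = '2.5.29.17'                 # Subject Alternative Name
# Provider names treated as hardware-backed (assumption; add your vendor KSP if needed).
$HardwareProviderPattern = 'Smart Card Key Storage Provider|Platform Crypto Provider|Base Smart Card Crypto Provider'

function Get-PrivateKeyProvider([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            return $key.Key.Provider.Provider               # CNG key storage provider name
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.ProviderName    # legacy CAPI provider name
        }
        return 'unknown key type'
    } catch { return "unreadable: $($_.Exception.Message)" }
}

function Get-LogonCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @()
        $san  = ''
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            } elseif ($ext.Oid.Value -eq $SanOid) {
                $san = $ext.Format($false)   # e.g. "Other Name:Principal Name=alice@contoso.com"
            }
        }
        $upn = if ($san -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }
        $provider   = Get-PrivateKeyProvider $cert
        $onHardware = [bool]($provider -match $HardwareProviderPattern)
        $hasLogonEku = $ekus -contains $SmartCardLogonEku

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            SmartCardLogon = $hasLogonEku
            ClientAuth     = $ekus -contains $ClientAuthEku
            UPN            = $upn
            KeyProvider    = $provider
            # Logon-capable under default domain rules: EKU + UPN + hardware key + not expired.
            LogonCapable   = [bool]($hasLogonEku -and $upn -and $onHardware -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

Get-LogonCertificateReport | Format-Table -AutoSize
```

A certificate that carries the logon EKU and a UPN but reports a software provider (for example `Microsoft Software Key Storage Provider`) is the case worth chasing: it will log the user on, but its private key is exportable or at least copyable by anything running as that user, which is exactly what the isolation bullet above is meant to rule out.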

Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Smart Card technical reference][LINK-12]

## Enhanced phishing protection in Microsoft Defender SmartScreen

As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.

We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies whether the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
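The policy behind enhanced phishing protection can be audited and enforced from PowerShell. The block below is an added example, not from the page: it assumes the Enhanced Phishing Protection Group Policy registry key and value names (`WTDS\Components` with `ServiceEnabled`, `NotifyMalicious`, `NotifyPasswordReuse`, `NotifyUnsafeApp` and `CaptureThreatWindow`) and a desired state of everything on, which a tenant should review before enforcing because `CaptureThreatWindow` collects screen content.

```powershell
# Added example (not from the Windows security book): audit, and optionally enforce, the
# Enhanced Phishing Protection policy. Run elevated; these are machine-wide policy values.
$WtdsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# Desired state for a managed device (assumption, review before enforcing).
# 1 = on, 0 = off, absent = user decides in Windows Security > App & browser control.
$Desired = [ordered]@{
    ServiceEnabled      = 1   # master switch; the notifications below do nothing without it
    NotifyMalicious     = 1   # warn when the password is typed into a known-malicious app or site
    NotifyPasswordReuse = 1   # warn when the work/school password is reused on another site
    NotifyUnsafeApp     = 1   # warn when the password is typed into an unsafe app (e.g. Notepad)
    CaptureThreatWindow = 1   # send the offending window for analysis (privacy review first)
}

function Get-EnhancedPhishingProtectionState {
    $state = [ordered]@{}
    $props = if (Test-Path $WtdsKey) { Get-ItemProperty -Path $WtdsKey } else { $null }
    foreach ($name in $Desired.Keys) {
        $state[$name] = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { 'not configured' }
    }
    [pscustomobject]$state
}

function Test-EnhancedPhishingProtection {
    $current = Get-EnhancedPhishingProtectionState
    $drift = @()
    foreach ($name in $Desired.Keys) {
        if ("$($current.$name)" -ne "$($Desired[$name])") {
            $drift += "$name is '$($current.$name)', expected $($Desired[$name])"
        }
    }
    if ("$($current.ServiceEnabled)" -ne '1') {
        $drift += 'ServiceEnabled is not 1, so no warnings fire regardless of the other values'
    }
    $drift
}

function Set-EnhancedPhishingProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $WtdsKey)) { New-Item -Path $WtdsKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$WtdsKey\$name", "set to $($Desired[$name])")) {
            Set-ItemProperty -Path $WtdsKey -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

Get-EnhancedPhishingProtectionState | Format-List
$findings = Test-EnhancedPhishingProtection
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Enhanced Phishing Protection policy matches the desired state' }
# To enforce, preview first with -WhatIf, then run without it:
# Set-EnhancedPhishingProtection -WhatIf
```

On an Intune-managed device the same values arrive through the WebThreatDefense policy CSP rather than Group Policy, so a 'not configured' result here does not by itself mean the feature is off; check the effective setting under Windows Security > App & browser control > Reputation-based protection as well.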

[!INCLUDE [learn-more](includes/learn-more.md)]

- [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16]

<!--links-->
|
||||
|
||||
[LINK-1]: https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0
|
||||
[LINK-2]: /windows/security/identity-protection/hello-for-business
|
||||
[LINK-3]: /windows/security/identity-protection/passwordless-experience
|
||||
[LINK-4]: /windows-hardware/design/device-experiences/windows-hello-biometric-requirements
|
||||
[LINK-5]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
[LINK-6]: /windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
[LINK-7]: /windows-hardware/design/device-experiences/sensors-presence-sensing
[LINK-8]: https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb
[LINK-9]: /entra/identity/authentication/how-to-enable-passkey-fido2
[LINK-10]: /windows/security/identity-protection/passkeys
[LINK-11]: /entra/identity/authentication/concept-authentication-authenticator-app
[LINK-12]: /windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference
[LINK-13]: /windows/security/identity-protection/web-sign-in
[LINK-14]: /education/windows/federated-sign-in
[LINK-15]: /windows/security/identity-protection/hello-for-business/pin-reset
[LINK-16]: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
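Review bot: the "Learn more" callout switches from the inline `:::image type="icon" source="images/learn-more.svg":::` line to the `[!INCLUDE [learn-more](includes/learn-more.md)]` include, and the federated sign-in bullet moves from a literal `/education/windows/federated-sign-in` path to a `[LINK-14]` definition, but the only bullet visible on the added side is the `[LINK-16]` one under the phishing section; confirm the federated sign-in bullet was re-added under its own section as `[...][LINK-14]`, otherwise that link definition is unused. Since `images/learn-more.svg` is no longer referenced here and a three-line icon SVG is deleted later in this commit, grep the other chapters for remaining references to that asset before merging.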
@ -1,16 +1,16 @@
---
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
title: Windows 11 security book - Identity protection
description: Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Identity protection
:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
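Review bot: "Employes" in the new opening paragraph ("Employes are increasingly targets for cyberattacks") is misspelled and should read "Employees". Also, if the "Today's flexible workstyles" paragraph is on the added side, the footnote marker in "per second.11" has fused into the sentence and needs its superscript or reference link restored, and that paragraph repeats the "Weak or reused passwords, password spraying, social engineering, and phishing" list already given in the paragraph above it, so one of the two should drop it.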
windows/security/book/images/azure-attestation.svg
Normal file
@ -0,0 +1,20 @@
windows/security/book/images/credential-guard-architecture.png
Normal file
windows/security/book/images/defender-for-endpoint.svg
Normal file
windows/security/book/images/device-registration.png
Normal file
windows/security/book/images/information.svg
Normal file
@ -0,0 +1,12 @@
windows/security/book/images/kiosk.png
Normal file
@ -1,3 +0,0 @@
windows/security/book/images/microsoft-entra-id.svg
Normal file
@ -0,0 +1,8 @@
windows/security/book/images/microsoft-intune.svg
Normal file
@ -0,0 +1,23 @@
windows/security/book/images/new-button-title.svg
Normal file
@ -0,0 +1,6 @@
windows/security/book/images/new-button.svg
Normal file
@ -0,0 +1,13 @@
windows/security/book/images/onedrive.svg
Normal file
@ -0,0 +1,29 @@
windows/security/book/images/passkey-save-3p.png
Normal file
windows/security/book/images/pde.png
Normal file
windows/security/book/images/sfi.png
Normal file
windows/security/book/images/soon-arrow.svg
Normal file
@ -0,0 +1,14 @@
windows/security/book/images/soon-button-title.svg
Normal file
@ -0,0 +1,7 @@
windows/security/book/images/universal-print.svg
Normal file
@ -0,0 +1,24 @@
|
||||
<svg width="54" height="34" viewBox="0 0 54 34" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<path d="M45.0294 19.3174C45.0294 17.5547 42.4462 16.975 41.4523 15.6175C40.0841 13.7492 39.9367 11.3573 37.4359 10.95C37.3114 8.06581 36.0494 5.34673 33.924 3.38225C31.7986 1.4178 28.9808 0.36629 26.0813 0.455709C23.739 0.412525 21.4407 1.09418 19.5041 2.40658C17.5676 3.71896 16.0882 5.59733 15.2703 7.7823C12.7912 8.08221 10.5023 9.2565 8.81872 11.0921C7.13516 12.9278 6.16846 15.3032 6.09399 17.7874C6.20281 20.5757 7.41775 23.2073 9.4726 25.1056C11.5274 27.0041 14.2546 28.0144 17.0566 27.9154C17.3836 27.9154 17.7062 27.9004 18.0223 27.8745H35.7774C35.9356 27.8724 36.0928 27.8494 36.2451 27.8055C38.5259 27.7892 40.7126 26.8976 42.349 25.3161C43.9856 23.7348 44.9457 21.5859 45.0294 19.3174Z" fill="url(#paint0_linear_1073_1040)"/>
|
||||
<path d="M41.9117 11.6353H23.3384C22.9795 11.6353 22.6887 11.9247 22.6887 12.2817V18.9166C22.6887 19.2736 22.9795 19.5631 23.3384 19.5631H41.9117C42.2706 19.5631 42.5613 19.2736 42.5613 18.9166V12.2817C42.5613 11.9247 42.2706 11.6353 41.9117 11.6353Z" fill="#005BA1"/>
|
||||
<path d="M39.9517 6.66406H25.2997C24.9409 6.66406 24.6501 6.9535 24.6501 7.31053V17.9772C24.6501 18.3342 24.9409 18.6237 25.2997 18.6237H39.9517C40.3106 18.6237 40.6013 18.3342 40.6013 17.9772V7.31053C40.6013 6.9535 40.3106 6.66406 39.9517 6.66406Z" fill="url(#paint1_linear_1073_1040)"/>
|
||||
<path d="M21.4803 15.1414H43.7693C44.1138 15.1414 44.4443 15.2776 44.6881 15.5201C44.9315 15.7625 45.0685 16.0914 45.0685 16.4343V29.579H20.1833V16.4343C20.1833 16.0918 20.3199 15.7632 20.5631 15.5208C20.8063 15.2784 21.1361 15.1419 21.4803 15.1414Z" fill="#5EA0EF"/>
|
||||
<path d="M45.0685 27.8832H20.1833V30.0812H45.0685V27.8832Z" fill="#0078D4"/>
|
||||
<path d="M41.1838 24.0302H24.059C23.7002 24.0302 23.4094 24.3195 23.4094 24.6766V25.9522C23.4094 26.3093 23.7002 26.5987 24.059 26.5987H41.1838C41.5426 26.5987 41.8334 26.3093 41.8334 25.9522V24.6766C41.8334 24.3195 41.5426 24.0302 41.1838 24.0302Z" fill="#83B9F9"/>
|
||||
<path d="M40.8354 19.854C41.1763 19.854 41.4524 19.579 41.4524 19.2399C41.4524 18.9007 41.1763 18.6257 40.8354 18.6257C40.4947 18.6257 40.2183 18.9007 40.2183 19.2399C40.2183 19.579 40.4947 19.854 40.8354 19.854Z" fill="#C3F1FF"/>
|
||||
<path d="M24.6503 24.4762H40.6015V32.7142C40.6015 32.8857 40.5331 33.0501 40.4113 33.1714C40.2894 33.2927 40.1241 33.3607 39.9519 33.3607H25.2975C25.1253 33.3607 24.9603 33.2927 24.8384 33.1714C24.7165 33.0501 24.6479 32.8857 24.6479 32.7142V24.4762H24.6503Z" fill="url(#paint2_linear_1073_1040)"/>
|
||||
<defs>
|
||||
<linearGradient id="paint0_linear_1073_1040" x1="25.5617" y1="27.9198" x2="25.5617" y2="0.455711" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#773ADC"/>
|
||||
<stop offset="0.817" stop-color="#A67AF4"/>
|
||||
</linearGradient>
|
||||
<linearGradient id="paint1_linear_1073_1040" x1="32.6246" y1="6.66406" x2="32.6246" y2="18.6258" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#C3F1FF"/>
|
||||
<stop offset="0.999" stop-color="#9CEBFF"/>
|
||||
</linearGradient>
|
||||
<linearGradient id="paint2_linear_1073_1040" x1="32.6247" y1="33.3607" x2="32.6247" y2="24.4762" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#C3F1FF"/>
|
||||
<stop offset="0.999" stop-color="#9CEBFF"/>
|
||||
</linearGradient>
|
||||
</defs>
|
||||
</svg>
|
After Width: | Height: | Size: 3.1 KiB |
BIN
windows/security/book/images/vbs-diagram.png
Normal file
After Width: | Height: | Size: 553 KiB |
BIN
windows/security/book/images/windows-security.png
Normal file
After Width: | Height: | Size: 63 KiB |
24
windows/security/book/images/windows-security.svg
Normal file
@ -0,0 +1,24 @@
|
||||
<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<path d="M27.2766 31.8354L24.929 22.8553L27.2766 15.5891L34.1895 12.573L41.2977 15.5891C40.1238 22.2385 35.1676 27.2426 27.7332 31.7667C27.6028 31.7667 27.4724 31.8354 27.2766 31.8354Z" fill="url(#paint0_linear_1073_1125)"/>
|
||||
<path d="M27.2764 15.5232V31.838C27.0809 31.838 26.9505 31.7693 26.7547 31.7007C19.3203 27.1765 14.4293 22.1724 13.1902 15.5232L19.9725 13.1925L27.2764 15.5232Z" fill="url(#paint1_linear_1073_1125)"/>
|
||||
<path d="M27.2766 0.441528C29.2983 0.441528 31.059 1.05849 32.4286 2.08673C34.6459 3.66336 36.211 4.48593 40.7109 4.55448C41.2326 4.55448 41.689 5.03432 41.689 5.58272V12.3691C41.689 13.4659 41.5585 14.4941 41.4281 15.5224H27.2766L24.929 7.84483L27.2766 0.441528Z" fill="url(#paint2_linear_1073_1125)"/>
|
||||
<path d="M13.192 15.5222C12.9964 14.494 12.9312 13.3972 12.9312 12.369V5.58259C12.9312 5.0342 13.3224 4.55436 13.9094 4.55436C18.4092 4.48581 19.9743 3.66323 22.1916 2.0866C23.4959 1.05837 25.322 0.441406 27.3435 0.441406V15.5222H13.192Z" fill="url(#paint3_linear_1073_1125)"/>
|
||||
<defs>
|
||||
<linearGradient id="paint0_linear_1073_1125" x1="35.9702" y1="26.7136" x2="28.672" y2="14.6876" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#114A8B"/>
|
||||
<stop offset="1" stop-color="#0C59A4"/>
|
||||
</linearGradient>
|
||||
<linearGradient id="paint1_linear_1073_1125" x1="28.3417" y1="31.1801" x2="17.3341" y2="13.0417" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#0669BC"/>
|
||||
<stop offset="1" stop-color="#0078D4"/>
|
||||
</linearGradient>
|
||||
<linearGradient id="paint2_linear_1073_1125" x1="38.2769" y1="17.3893" x2="27.8054" y2="0.134459" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#0078D4"/>
|
||||
<stop offset="1" stop-color="#1493DF"/>
|
||||
</linearGradient>
|
||||
<linearGradient id="paint3_linear_1073_1125" x1="25.1143" y1="16.8492" x2="16.575" y2="2.77815" gradientUnits="userSpaceOnUse">
|
||||
<stop stop-color="#28AFEA"/>
|
||||
<stop offset="1" stop-color="#3CCBF4"/>
|
||||
</linearGradient>
|
||||
</defs>
|
||||
</svg>
|
After Width: | Height: | Size: 1.9 KiB |
9
windows/security/book/includes/coming-soon.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.date: 11/18/2024
|
||||
ms.topic: include
|
||||
ms.service: windows-client
|
||||
---
|
||||
|
||||
:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon<sup>[\[7\]](..\conclusion.md#footnote7)</sup>**
|
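Review bot: the footnote link in this include uses a Windows-style path separator, `..\conclusion.md#footnote7`, while every other relative link in this commit uses forward slashes (for example `../licensing-and-edition-requirements.md` in the introduction hunk); Markdown and the Learn build treat the backslash as a literal character rather than a directory separator, so the link should read `../conclusion.md#footnote7`. Hardcoding footnote 7 in a shared include also couples it to the numbering of conclusion.md; since this same commit renumbers footnotes in the introduction, confirm that footnote 7 is still the "coming soon" entry wherever this include is consumed.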
9
windows/security/book/includes/learn-more.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.date: 11/18/2024
|
||||
ms.topic: include
|
||||
ms.service: windows-client
|
||||
---
|
||||
|
||||
:::image type="icon" source="../images/information.svg" border="false"::: **Learn more**
|
9
windows/security/book/includes/new-24h2.md
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.date: 11/18/2024
|
||||
ms.topic: include
|
||||
ms.service: windows-client
|
||||
---
|
||||
|
||||
:::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2**
|
@ -1,55 +1,61 @@
|
||||
---
|
||||
title: Windows security book introduction
|
||||
description: Windows security book introduction
|
||||
title: Windows 11 security book - Windows security book introduction
|
||||
description: Windows 11 security book introduction.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ROBOTS:
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Windows 11 Security Book
|
||||
|
||||
:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book.":::
|
||||
:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book." border="false":::
|
||||
|
||||
## Introduction
|
||||
|
||||
Emerging technologies and evolving business trends bring new opportunities and challenges for organizations of all sizes. As technology and workstyles transform, so does the threat landscape with growing numbers of increasingly sophisticated attacks on organizations and employees.
|
||||
Today's organizations face a world of accelerated change, from marketplace fluctuation and sociopolitical events to the rapid adoption of new AI technologies. However, as organizations and industries innovate, so do increasingly sophisticated cybercriminals. Research shows that employees, including their devices, services, and identities, are at the center of attacks on businesses of all sizes. Some leading threats include identity attacks, ransomware, targeted phishing attempts, and business email compromise<sup>[\[1\]](conclusion.md#footnote1)</sup>.
|
||||
|
||||
To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
|
||||
To address the ever-growing and changing threat landscape, we announced the [Secure Future Initiative (SFI)][LINK-1] in November 2023. The SFI endeavors to advance cybersecurity protection across all our company and products.
|
||||
|
||||
In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches <sup>[\[1\]](conclusion.md#footnote1)</sup>.
|
||||
Microsoft is committed to putting security above all else, with products and services that are secure by design and secure by default. We synthesize more than 65 trillion signals daily to understand digital threats and criminal cyberactivity<sup>[\[1\]](conclusion.md#footnote1)</sup>. Through the SFI initiative, we've dedicated the equivalent of 34,000 full-time engineers to the highest priority security tasks. We continuously apply what we learn from incidents to improve our security and privacy models, security architecture, and technical controls.
|
||||
|
||||
At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers <sup>[\[2\]](conclusion.md#footnote2)</sup>.
|
||||
### Security by design. Security by default.
|
||||
|
||||
Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
|
||||
Working together with a shared focus is key to improving global security, from individuals and organizations to governments and industries. The world is moving toward a [secure by design and secure by default][LINK-2] approach, where technology producers are tasked with incorporating security during the initial design phase, and offering products that deliver protection right out of the box. As part of our commitment to making the world a safer place, we build security into every innovation. Windows 11 is secure by design and secure by default, with layers of defense enabled on day one to enhance your protection without the need to first configure settings. This secure-by-design approach spans the Windows edition range including Pro, Enterprise, IoT Enterprise, and Education editions. Copilot+ PCs are the fastest, most intelligent Windows devices ever, and they're also the most secure. These groundbreaking AI PCs come with secured-core PC protection and the latest safeguards like Microsoft Pluton and Windows Enhanced Sign-in Security enabled by default.
|
||||
|
||||
To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance <sup>[\[3\]](conclusion.md#footnote3)</sup>. Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 <sup>[\[4\]](conclusion.md#footnote4)</sup>.
|
||||
Except for Windows IoT Long-Term Servicing Channel (LTSC) editions, support for Windows 10 is ending soon on October 14, 2025. Upgrading or replacing outdated devices before Windows 10 support ends is a critical priority for building a strong security posture. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are relying on Windows 11.
|
||||
|
||||
## Security priorities and benefits
|
||||
### Security priorities and benefits
|
||||
|
||||
### Security by design and security by default
|
||||
Windows 11 enables you to focus on your work, not your security settings. Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 62% drop in security incidents, including a 3.0x reduction in firmware attacks<sup>[\[2\]](conclusion.md#footnote2)</sup>.
|
||||
|
||||
Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** <sup>[\[5\]](conclusion.md#footnote5)</sup>.
|
||||
In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation<sup>[\[3\]](conclusion.md#footnote3)</sup>, token protection<sup>[\[3\]](conclusion.md#footnote3)</sup>, passkeys, and Microsoft Intune Endpoint Privilege Management<sup>[\[4\]](conclusion.md#footnote4)</sup> are some of the latest capabilities that help protect organizations and individual users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0, biometric scanners, and Windows presence sensing to enable easier, secure sign-on and protection of your data and credentials.
|
||||
|
||||
In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation <sup>[\[6\]](conclusion.md#footnote6)</sup>, token protection <sup>[\[6\]](conclusion.md#footnote6)</sup>, and Microsoft Intune Endpoint Privilege Management <sup>[\[7\]](conclusion.md#footnote7)</sup> are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
|
||||
Existing security features are also continuously enhanced across Windows 11. For example, BitLocker encryption has been optimized for additional security and performance, and is available on more devices.
|
||||
|
||||
### Protect employees against evolving threats
|
||||
### Identity protection
|
||||
|
||||
With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** <sup>[\[5\]](conclusion.md#footnote5)</sup>.
|
||||
Attackers are increasingly targeting employees and their devices, so organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities, and features like passkeys and secure biometric sign-in virtually eliminate the risk of lost or stolen passwords<sup>[\[5\]](conclusion.md#footnote5)</sup>. Enhanced phishing protection also increases safety; in fact, businesses reported 2.9x fewer instances of identity theft with the hardware-backed protection in Windows 11<sup>[\[2\]](conclusion.md#footnote2)</sup>.
|
||||
|
||||
### Gain mission-critical application safeguards
|
||||
### Application safeguards
|
||||
|
||||
Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of application security that shield critical data and code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
|
||||
Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of security that shield critical data and defend code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated defense helps protect against breaches and malware, assists in keeping data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
|
||||
|
||||
### End-to-end protection with modern management
|
||||
With Trusted Signing, developers can effortlessly sign their applications. This process ensures the authenticity and integrity of the applications while enhancing security features to prevent and mitigate the impacts of malware on Windows.
|
||||
|
||||
Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% <sup>[\[8\]](conclusion.md#footnote8)</sup>.
|
||||
### Device health and access control
|
||||
|
||||
## Security by design and default
|
||||
Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft provides the tools needed to attest that the devices connecting to your network, or accessing your data and resources, are trustworthy. You can enforce security policies and conditional access with cloud-based device management solutions such as Microsoft Intune, Microsoft Entra ID, and a comprehensive security baseline. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 improves productivity for IT and security teams by a reported 25%<sup>[\[6\]](conclusion.md#footnote6)</sup>.
|
||||
|
||||
In Windows 11, hardware and software work together to protect sensitive data from the core of your PC all the way to the cloud. Comprehensive protection helps keep your organization secure, no matter where people work. This simple diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
|
||||
### Chip-to-cloud security
|
||||
|
||||
In Windows 11, hardware and software work together to protect sensitive data, from the core of the device all the way to the cloud. Comprehensive protection helps keep organizations secure, no matter where people work. The following diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
|
||||
|
||||
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
|
||||
- [Windows security features licensing and edition requirements](../licensing-and-edition-requirements.md)
|
||||
|
||||
<!--links-->
|
||||
|
||||
[LINK-1]: https://www.microsoft.com/trust-center/security/secure-future-initiative
|
||||
[LINK-2]: https://www.cisa.gov/resources-tools/resources/secure-by-design
|
||||
|
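Review bot: the two versions of the "Out-of-the-box features" paragraph carry different figures and footnote indices (62% drop and 3.0x with footnote [2] versus 58% drop and 3.1x with footnote [5]), and the identity-protection paragraph likewise moves from 2.8x with footnote [5] to 2.9x with footnotes [5] and [2]; before merging, confirm the retained numbers match the cited source and that each renumbered reference in this file ([1] through [6]) resolves to the intended entry in conclusion.md, since the Win32 app isolation, token protection and Intune Endpoint Privilege Management sentences now point at [3] and [4] while the shared coming-soon include still points at [7]. Also, the front-matter hunk drops the empty `ROBOTS:` key; if the page was intentionally excluded from indexing, that exclusion needs to be carried elsewhere.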
@ -1,74 +1,95 @@
|
||||
---
|
||||
title: Operating System security
|
||||
description: Windows 11 security book - Operating System security chapter.
|
||||
title: Windows 11 security book - Encryption and data protection
|
||||
description: Operating System security chapter - Encryption and data protection.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 11/18/2024
|
||||
---
|
||||
|
||||
# Encryption and data protection
|
||||
|
||||
:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
|
||||
:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
|
||||
|
||||
When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
|
||||
|
||||
## BitLocker
|
||||
|
||||
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure<sup>[\[9\]](conclusion.md#footnote9)</sup> can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune<sup>[\[6\]](conclusion.md#footnote6)</sup>> using a configuration service provider (CSP)<sup>[\[9\]](conclusion.md#footnote9)</sup>. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
|
||||
BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure<sup>[\[4\]](conclusion.md#footnote4)</sup>.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune<sup>[\[3\]](conclusion.md#footnote3)</sup>. It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
|
||||
|
||||
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
||||
|
||||
The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
|
||||
|
||||
## BitLocker To Go
|
||||
### BitLocker To Go
|
||||
|
||||
BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
|
||||
BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
|
||||
|
||||
## Device Encryption
|
||||
## Device encryption
|
||||
|
||||
Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
|
||||
Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
|
||||
|
||||
[!INCLUDE [new-24h2](includes/new-24h2.md)]
|
||||
|
||||
The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption.
|
||||
|
||||
[!INCLUDE [learn-more](includes/learn-more.md)]
|
||||
|
||||
- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
|
||||
|
||||
## Encrypted hard drive
|
||||
|
||||
Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
|
||||
Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives.
|
||||
|
||||
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
|
||||
|
||||
Encrypted hard drives enable:
|
||||
|
||||
- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
|
||||
- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
|
||||
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need
|
||||
to re-encrypt data on the drive
|
||||
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
|
||||
- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
|
||||
- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
|
||||
- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive
- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
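Review bot: the hunk shows the same four-bullet list twice, once in the old wording (bullets starting "Smooth performance: Encryption hardware…", with the "Ease of use" bullet broken across "There's no need" and "to re-encrypt data on the drive") and once in the new wording (lowercase after the colon, "always-on", "uses" instead of "leverages", and the bullet rejoined onto one line). Confirm the old four bullets are removed rather than kept, so the published page does not list each point twice; the rejoined "Ease of use" line is the one to keep.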
## Personal data encryption
## Personal Data Encryption
Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they'll be able to get PDE security as part of the OS.
The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
PDE requires Microsoft Entra ID.
[!INCLUDE [new-24h2](includes/new-24h2.md)]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md)
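Review bot: the sentence "PDE requires Microsoft Entra ID." appears only once in the hunk, and neither rewritten paragraph ("Personal Data Encryption is a user-authenticated encryption mechanism…" and "The initial release of Personal Data Encryption in Windows 11, version 22H2…") carries that prerequisite. If the line is being dropped, either keep it or fold the Entra ID requirement into the new text; a reader deciding whether the feature applies to their devices needs it. The hunk also shows two "Learn more" link lines, "[Personal Data Encryption (PDE)]" and "[Personal Data Encryption]", both pointing at the same index.md; only one should survive.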
## Email encryption
Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them<sup>[\[8\]](conclusion.md#footnote8)</sup>. Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
- [Email encryption](/purview/email-encryption)
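Review bot: the footnote reference changes from a bare "10" fused onto "them.10" to `<sup>[\[8\]](conclusion.md#footnote8)</sup>`; verify that footnote 8 in conclusion.md is the email-encryption citation, since the number changed together with the markup. The rewrite also replaces the Windows 11 Mail app caveat with the new Outlook paragraph, which matches the "Get started with the new Outlook for Windows" link added below, but of the three methods it lists (Microsoft Purview Message Encryption, S/MIME, IRM) only S/MIME and Purview email encryption get a link; consider adding an IRM reference or trimming the list to what is linked.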