mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 22:07:22 +00:00
Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into fr-boot-image-patching
This commit is contained in:
Frank Rojas
commit
beffa7e907
@ -170,6 +170,16 @@
|
||||
"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity.md",
|
||||
"redirect_url": "/windows/security/identity-protection",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
|
||||
"redirect_url": "/windows/security/identity-protection/hello-for-business",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
|
||||
"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
|
||||
@ -645,6 +655,11 @@
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
|
||||
"redirect_url": "/windows/security/identity-protection",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
|
||||
@ -810,6 +825,11 @@
|
||||
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/faq",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/operating-system-security/data-protection/index.md",
|
||||
"redirect_url": "/windows/security/operating-system-security/#data-protection",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/operating-system.md",
|
||||
"redirect_url": "/windows/security/operating-system-security",
|
||||
@ -7204,6 +7224,13 @@
|
||||
"source_path": "windows/security/trusted-boot.md",
|
||||
"redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/identity-protection/password-support-policy.md",
|
||||
"redirect_url": "https://support.microsoft.com/help/4490115",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
|
||||
Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
|
||||
|
||||
>[!NOTE]
|
||||
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
|
||||
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).
|
||||
|
||||
## PIN is backed by hardware
|
||||
|
||||
|
||||
@ -1,110 +0,0 @@
|
||||
### YamlMime:Landing
|
||||
|
||||
title: Windows Hello for Business documentation
|
||||
summary: Learn how to manage and deploy Windows Hello for Business.
|
||||
|
||||
metadata:
|
||||
title: Windows Hello for Business documentation
|
||||
description: Learn how to manage and deploy Windows Hello for Business.
|
||||
ms.topic: landing-page
|
||||
ms.date: 03/09/2023
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
|
||||
|
||||
landingContent:
|
||||
# Cards and links should be based on top customer tasks or top subjects
|
||||
# Start card title with a verb
|
||||
# Card
|
||||
- title: About Windows Hello For Business
|
||||
linkLists:
|
||||
- linkListType: overview
|
||||
links:
|
||||
- text: Windows Hello for Business Overview
|
||||
url: hello-overview.md
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Passwordless Strategy
|
||||
url: passwordless-strategy.md
|
||||
- text: Why a PIN is better than a password
|
||||
url: hello-why-pin-is-better-than-password.md
|
||||
- text: Windows Hello biometrics in the enterprise
|
||||
url: hello-biometrics-in-enterprise.md
|
||||
- text: How Windows Hello for Business works
|
||||
url: hello-how-it-works.md
|
||||
- linkListType: learn
|
||||
links:
|
||||
- text: Technical Deep Dive - Device Registration
|
||||
url: hello-how-it-works-device-registration.md
|
||||
- text: Technical Deep Dive - Provisioning
|
||||
url: hello-how-it-works-provisioning.md
|
||||
- text: Technical Deep Dive - Authentication
|
||||
url: hello-how-it-works-authentication.md
|
||||
- text: Technology and Terminology
|
||||
url: hello-how-it-works-technology.md
|
||||
- text: Frequently Asked Questions (FAQ)
|
||||
url: hello-faq.yml
|
||||
|
||||
# Card
|
||||
- title: Configure and manage Windows Hello for Business
|
||||
linkLists:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Windows Hello for Business Deployment Overview
|
||||
url: hello-deployment-guide.md
|
||||
- text: Planning a Windows Hello for Business Deployment
|
||||
url: hello-planning-guide.md
|
||||
- text: Deployment Prerequisite Overview
|
||||
url: hello-identity-verification.md
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Hybrid Cloud Kerberos Trust Deployment
|
||||
url: hello-hybrid-cloud-kerberos-trust.md
|
||||
- text: Hybrid Azure AD Joined Key Trust Deployment
|
||||
url: hello-hybrid-key-trust.md
|
||||
- text: Hybrid Azure AD Joined Certificate Trust Deployment
|
||||
url: hello-hybrid-cert-trust.md
|
||||
- text: On-premises SSO for Azure AD Joined Devices
|
||||
url: hello-hybrid-aadj-sso.md
|
||||
- text: On-premises Key Trust Deployment
|
||||
url: hello-deployment-key-trust.md
|
||||
- text: On-premises Certificate Trust Deployment
|
||||
url: hello-deployment-cert-trust.md
|
||||
- linkListType: learn
|
||||
links:
|
||||
- text: Manage Windows Hello for Business in your organization
|
||||
url: hello-manage-in-organization.md
|
||||
- text: Windows Hello and password changes
|
||||
url: hello-and-password-changes.md
|
||||
- text: Prepare people to use Windows Hello
|
||||
url: hello-prepare-people-to-use.md
|
||||
|
||||
# Card
|
||||
- title: Windows Hello for Business Features
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Conditional Access
|
||||
url: hello-feature-conditional-access.md
|
||||
- text: PIN Reset
|
||||
url: hello-feature-pin-reset.md
|
||||
- text: Dual Enrollment
|
||||
url: hello-feature-dual-enrollment.md
|
||||
- text: Dynamic Lock
|
||||
url: hello-feature-dynamic-lock.md
|
||||
- text: Multi-factor Unlock
|
||||
url: feature-multifactor-unlock.md
|
||||
- text: Remote Desktop
|
||||
url: hello-feature-remote-desktop.md
|
||||
|
||||
# Card
|
||||
- title: Windows Hello for Business Troubleshooting
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Known Deployment Issues
|
||||
url: hello-deployment-issues.md
|
||||
- text: Errors During PIN Creation
|
||||
url: hello-errors-during-pin-creation.md
|
||||
@ -1,11 +1,9 @@
|
||||
items:
|
||||
- name: Windows Hello for Business documentation
|
||||
href: index.yml
|
||||
- name: Overview
|
||||
href: index.md
|
||||
- name: Concepts
|
||||
expanded: true
|
||||
items:
|
||||
- name: Windows Hello for Business overview
|
||||
href: hello-overview.md
|
||||
- name: Passwordless strategy
|
||||
href: passwordless-strategy.md
|
||||
- name: Why a PIN is better than a password
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: WebAuthn APIs
|
||||
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
|
||||
ms.date: 03/09/2023
|
||||
ms.date: 07/27/2023
|
||||
ms.topic: article
|
||||
---
|
||||
# WebAuthn APIs for passwordless authentication on Windows
|
||||
@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
|
||||
|
||||
## What does this mean?
|
||||
|
||||
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
|
||||
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
|
||||
|
||||
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
|
||||
|
||||
|
||||
@ -1,26 +1,14 @@
|
||||
---
|
||||
title: Identity and access management
|
||||
description: Learn more about identity and access protection technologies in Windows.
|
||||
title: Windows identity protection
|
||||
description: Learn more about identity protection technologies in Windows.
|
||||
ms.topic: article
|
||||
ms.date: 05/31/2023
|
||||
ms.date: 07/27/2023
|
||||
---
|
||||
|
||||
# Identity and access management
|
||||
# Windows identity protection
|
||||
|
||||
Learn more about identity and access management technologies in Windows.
|
||||
Learn more about identity protection technologies in Windows.
|
||||
|
||||
[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
|
||||
|
||||
| Section | Description |
|
||||
|-|-|
|
||||
| [Windows Hello for Business](hello-for-business/index.yml) | Windows Hello replaces passwords with strong two-factor authentication on client devices. The authentication consists of a type of user credential that is tied to a device and a biometric or PIN. |
|
||||
| [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
|
||||
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
|
||||
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
|
||||
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to the secrets can lead to credential theft attacks, such as *pass the hash* or *pass the ticket*. Credential Guard helps prevent such attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
|
||||
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
|
||||
| [User Account Control](../application-security/application-control/user-account-control/index.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
|
||||
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references articles about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
|
||||
| [Windows Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows. |
|
||||
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
|
||||
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |
|
||||
[!INCLUDE [identity](../includes/sections/identity.md)]
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
---
|
||||
title: Technical support policy for lost or forgotten passwords
|
||||
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
|
||||
ms.topic: article
|
||||
ms.date: 11/20/2019
|
||||
---
|
||||
|
||||
# Technical support policy for lost or forgotten passwords
|
||||
|
||||
Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don't work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
|
||||
|
||||
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
|
||||
|
||||
## How to reset a password for a domain account
|
||||
|
||||
If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
|
||||
|
||||
## How to reset a password for a Microsoft account
|
||||
|
||||
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
|
||||
|
||||
This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.
|
||||
|
||||
## How to reset a password for a local account on a Windows device
|
||||
|
||||
Local accounts on a device include the device's Administrator account.
|
||||
|
||||
### Windows 10
|
||||
|
||||
If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
|
||||
|
||||
### Windows 8.1 or Windows 7
|
||||
|
||||
If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
|
||||
|
||||
## How to reset a hardware BIOS password
|
||||
|
||||
If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
|
||||
|
||||
## How to reset a password for an individual file
|
||||
|
||||
Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.
|
||||
|
||||
## Using third-party password tools
|
||||
|
||||
Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
|
||||
@ -1,12 +1,10 @@
|
||||
items:
|
||||
- name: Overview
|
||||
href: ../identity.md
|
||||
- name: Windows credential theft mitigation guide
|
||||
href: windows-credential-theft-mitigation-guide-abstract.md
|
||||
href: index.md
|
||||
- name: Passwordless sign-in
|
||||
items:
|
||||
- name: Windows Hello for Business 🔗
|
||||
href: hello-for-business/index.yml
|
||||
href: hello-for-business/index.md
|
||||
- name: Windows presence sensing
|
||||
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
|
||||
- name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
|
||||
@ -22,30 +20,24 @@ items:
|
||||
displayName: VSC
|
||||
- name: Enterprise Certificate Pinning
|
||||
href: enterprise-certificate-pinning.md
|
||||
- name: Account Lockout Policy 🔗
|
||||
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
|
||||
- name: Technical support policy for lost or forgotten passwords
|
||||
href: password-support-policy.md
|
||||
- name: Advanced credential protection
|
||||
items:
|
||||
- name: Windows LAPS (Local Administrator Password Solution) 🔗
|
||||
displayName: LAPS
|
||||
href: /windows-server/identity/laps/laps-overview
|
||||
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
|
||||
- name: Account Lockout Policy 🔗
|
||||
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
|
||||
- name: Enhanced phishing protection with SmartScreen
|
||||
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
|
||||
displayName: EPP
|
||||
- name: Access Control
|
||||
items:
|
||||
- name: Overview
|
||||
href: access-control/access-control.md
|
||||
displayName: ACL
|
||||
- name: Local Accounts
|
||||
href: access-control/local-accounts.md
|
||||
- name: Security policy settings 🔗
|
||||
href: ../threat-protection/security-policy-settings/security-policy-settings.md
|
||||
- name: Advanced credential protection
|
||||
items:
|
||||
- name: Configuring LSA Protection
|
||||
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
|
||||
displayName: ACL/SACL
|
||||
- name: Windows Defender Credential Guard
|
||||
href: credential-guard/toc.yml
|
||||
- name: Windows Defender Remote Credential Guard
|
||||
href: remote-credential-guard.md
|
||||
- name: LSA Protection
|
||||
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
|
||||
- name: Local Accounts
|
||||
href: access-control/local-accounts.md
|
||||
|
||||
@ -1,58 +0,0 @@
|
||||
---
|
||||
title: Windows Credential Theft Mitigation Guide Abstract
|
||||
description: Provides a summary of the Windows credential theft mitigation guide.
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/31/2023
|
||||
---
|
||||
|
||||
# Windows Credential Theft Mitigation Guide Abstract
|
||||
|
||||
This article provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
|
||||
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
|
||||
|
||||
- Identify high-value assets
|
||||
- Protect against known and unknown threats
|
||||
- Detect pass-the-hash and related attacks
|
||||
- Respond to suspicious activity
|
||||
- Recover from a breach
|
||||
|
||||
|
||||
|
||||
## Attacks that steal credentials
|
||||
|
||||
Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk.
|
||||
The types of attacks that are covered include:
|
||||
|
||||
- Pass the hash
|
||||
- Kerberos pass the ticket
|
||||
- Kerberos golden ticket and silver ticket
|
||||
- Key loggers
|
||||
- Shoulder surfing
|
||||
|
||||
## Credential protection strategies
|
||||
|
||||
This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers.
|
||||
You'll learn how to architect a defense against credential theft:
|
||||
|
||||
- Establish a containment model for account privileges
|
||||
- Harden and restrict administrative hosts
|
||||
- Ensure that security configurations and best practices are implemented
|
||||
|
||||
## Technical countermeasures for credential theft
|
||||
|
||||
Objectives and expected outcomes are covered for each of these countermeasures:
|
||||
|
||||
- Use Windows 10 with Credential Guard
|
||||
- Restrict and protect high-privilege domain accounts
|
||||
- Restrict and protect local accounts with administrative privileges
|
||||
- Restrict inbound network traffic
|
||||
|
||||
Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.
|
||||
|
||||
## Detecting credential attacks
|
||||
|
||||
This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
|
||||
|
||||
## Responding to suspicious activity
|
||||
|
||||
Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
|
||||
@ -1,25 +0,0 @@
|
||||
---
|
||||
title: Windows identity and user security
|
||||
description: Get an overview of identity security in Windows 11 and Windows 10
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
author: paolomatarazzo
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-security
|
||||
ms.date: 12/31/2017
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Windows identity and privacy
|
||||
|
||||
Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.
|
||||
|
||||
| Security capabilities | Description |
|
||||
|:---|:---|
|
||||
| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
|
||||
| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
|
||||
| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
|
||||
| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). |
|
||||
| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
|
||||
| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|
|
||||
@ -21,7 +21,7 @@ ms.topic: include
|
||||
| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
|
||||
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
|
||||
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
|
||||
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
|
||||
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
|
||||
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
|
||||
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
|
||||
| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
|
||||
@ -42,7 +42,7 @@ ms.topic: include
|
||||
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
|
||||
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
|
||||
|
||||
## Data Protection
|
||||
## Encryption And Data Protection
|
||||
|
||||
| Security Measures | Features & Capabilities |
|
||||
|:---|:---|
|
||||
|
||||
@ -10,7 +10,6 @@ metadata:
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-security
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
@ -62,8 +61,6 @@ landingContent:
|
||||
links:
|
||||
- text: Trusted boot
|
||||
url: operating-system-security\system-security\trusted-boot.md
|
||||
- text: Encryption and data protection
|
||||
url: operating-system-security/data-protection/index.md
|
||||
- text: Windows security baselines
|
||||
url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
|
||||
- text: Virtual private network guide
|
||||
@ -107,9 +104,7 @@ landingContent:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Windows Hello for Business
|
||||
url: identity-protection/hello-for-business/hello-overview.md
|
||||
- text: Windows Credential Theft Mitigation
|
||||
url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
|
||||
url: identity-protection/hello-for-business/index.md
|
||||
- text: Protect domain credentials
|
||||
url: identity-protection/credential-guard/credential-guard.md
|
||||
- text: Windows Defender Credential Guard
|
||||
|
||||
@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
|
||||
1. When verified, give people and devices access to only necessary resources for the necessary amount of time
|
||||
1. Use continuous analytics to drive threat detection and improve defenses
|
||||
|
||||
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
|
||||
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
|
||||
|
||||
### Security, by default
|
||||
|
||||
@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
|
||||
|
||||
### Secured identities
|
||||
|
||||
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
|
||||
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
|
||||
|
||||
### Connecting to cloud services
|
||||
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
---
|
||||
title: Encryption and data protection in Windows
|
||||
description: Get an overview encryption and data protection in Windows 11 and Windows 10
|
||||
ms.topic: overview
|
||||
ms.date: 09/22/2022
|
||||
ms.reviewer: rafals
|
||||
---
|
||||
|
||||
# Encryption and data protection in Windows client
|
||||
|
||||
When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
|
||||
Encryption and data protection features include:
|
||||
|
||||
- Encrypted Hard Drive
|
||||
- BitLocker
|
||||
|
||||
## Encrypted Hard Drive
|
||||
|
||||
Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
|
||||
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
|
||||
|
||||
Encrypted hard drives provide:
|
||||
|
||||
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
|
||||
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
|
||||
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
|
||||
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
|
||||
|
||||
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
|
||||
|
||||
## BitLocker
|
||||
|
||||
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
|
||||
|
||||
BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
|
||||
|
||||
Windows consistently improves data protection by improving existing options and providing new strategies.
|
||||
|
||||
## Personal Data Encryption (PDE)
|
||||
<!-- Max 5963468 OS 32516487 -->
|
||||
(*Applies to: Windows 11, version 22H2 and later*)
|
||||
|
||||
[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
|
||||
|
||||
## See also
|
||||
|
||||
- [Encrypted Hard Drive](encrypted-hard-drive.md)
|
||||
- [BitLocker](bitlocker/index.md)
|
||||
- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
|
||||
@ -16,7 +16,7 @@ ms.date: 03/13/2023
|
||||
### Required
|
||||
|
||||
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
|
||||
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
|
||||
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
|
||||
- Windows 11, version 22H2 and later Enterprise and Education editions
|
||||
|
||||
### Not supported with PDE
|
||||
|
||||
@ -1,13 +1,11 @@
|
||||
items:
|
||||
- name: Overview
|
||||
href: index.md
|
||||
- name: BitLocker
|
||||
href: bitlocker/toc.yml
|
||||
- name: Encrypted Hard Drive
|
||||
href: encrypted-hard-drive.md
|
||||
- name: Personal Data Encryption (PDE)
|
||||
- name: Personal data encryption (PDE)
|
||||
href: personal-data-encryption/toc.yml
|
||||
- name: Configure S/MIME for Windows
|
||||
- name: Email Encryption (S/MIME)
|
||||
href: configure-s-mime.md
|
||||
- name: Windows Information Protection (WIP)
|
||||
href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
|
||||
|
||||
@ -38,7 +38,7 @@ Requiring users to use long, complex passwords for authentication enhances netwo
|
||||
|
||||
### Best practices
|
||||
|
||||
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md).
|
||||
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md).
|
||||
|
||||
### Location
|
||||
|
||||
@ -92,4 +92,4 @@ All users of a device with this setting enabled must use smart cards or a Window
|
||||
## Related articles
|
||||
|
||||
- [Security Options](security-options.md)
|
||||
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md)
|
||||
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
|
||||
items:
|
||||
- name: Windows security
|
||||
href: index.yml
|
||||
expanded: true
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user