From 943dddb05271f3ff02b025c3afca210a1bca4b2b Mon Sep 17 00:00:00 2001 From: hilal-asmat-msft Date: Thu, 11 Jul 2024 10:41:51 -0700 Subject: [PATCH 1/4] Updated VBS Enclaves and HVPT sentences. --- .../book/hardware-security-silicon-assisted-security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index 5a65ad9e76..3cbbe8093d 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -24,11 +24,11 @@ Since more privileged virtual trust levels (VTLs) can enforce their own memory p - [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) -**Virtualization-based security enclaves**, a tool to allow developers to use VBS by building a secure enclave within their applications, which lives in secure memory. +A [**Virtualization-based security enclave**](https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves), is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to leverage VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64. -**Hypervisor-enforced Paging Translation (HVPT)**, overall security enhancement for the system. Protects linear address translations from being tampered with. +**Hypervisor-enforced Paging Translation (HVPT)** is an overall security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks. HVPT will be available on x64 machines as of Fall 2024. -**Memory integrity**, also called Hypervisor-protected code integrity (HVCI), uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. Memory integrity ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. 
Memory integrity protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. Memory integrity can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. +**Hypervisor-protected code integrity (HVCI)**, also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. From 011de9478eb9e5b8a6f4801ad2184b9b6ca94402 Mon Sep 17 00:00:00 2001 From: annashott-msft <97127709+annashott-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 11:14:32 -0600 Subject: [PATCH 2/4] Update identity-protection-advanced-credential-protection.md update VBS key protection verbiage to include developer action --- .../book/identity-protection-advanced-credential-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 83606ffc5d..8c803c6252 100644 
--- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md @@ -57,7 +57,7 @@ Administrator credentials are highly privileged and must be protected. When Remo ## VBS Key Protection -VBS key protection helps secure Windows keys using virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key which binds VBS keys to the device. Keys protected in this way cannot be dumped from process memory or exported in plain text from a user’s machine, preventing exfiltration attacks by any admin-level attacker. +VBS key protection enables developers to secure cryptographic keys using virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key which binds VBS keys to the device. Keys protected in this way cannot be dumped from process memory or exported in plain text from a user’s machine, preventing exfiltration attacks by any admin-level attacker. ## Token protection From d5cf7db80860e1cfb8a39cca61110d8e8d491417 Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 13:56:09 -0400 Subject: [PATCH 3/4] IdentityUganSivagnanenthirarajahV1 --- .../security/book/identity-protection-passwordless-sign-in.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index 00ee61f822..20e84ff4e3 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md @@ -102,6 +102,8 @@ Privacy is top of mind and more important than ever. Customers want to have grea Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors. +Newer presence sensors can support multi-person detection making them able to detect people looking at your screen and with Privacy Screen Dim intelligently dim it to warn you. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing) From 39e333eff04ae32fb11ef0aab7a5fa561117d89c Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Wed, 17 Jul 2024 10:12:54 -0400 Subject: [PATCH 4/4] ApplicationIanMcMillan --- ...pplication-security-application-and-driver-control.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 76c079d89d..35029d3cfa 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md 
@@ -70,3 +70,12 @@ The Windows kernel is the most privileged software and is therefore a compelling :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules) + +## Trusted signing + +It is a Microsoft fully managed end-to-end signing solution that simplifies the signing process and empowers 3rd party developers to easily build and distribute applications. This feature is currently in public preview and is part of Microsoft’s commitment to an open, inclusive, and secure ecosystem. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [What is Trusted Signing](https://learn.microsoft.com/en-us/azure/trusted-signing/overview) +- [Public Preview Blog](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457)
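Review bot: in the first hunk (hardware-security-silicon-assisted-security.md), the new VBS enclave line has a stray comma after the link's closing bracket ("**Virtualization-based security enclave**](...), is a software-based ..."); drop it so the sentence reads "A [**Virtualization-based security enclave**](...) is a software-based trusted execution environment (TEE) inside a host application." The same line links with an absolute, locale-pinned URL (https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves) while the rest of this file uses locale-free relative links such as `/windows-hardware/design/device-experiences/oem-vbs`; use the relative form `/windows/win32/trusted-execution/vbs-enclaves` so the page localizes correctly. Also note that "HVPT will be available on x64 machines as of Fall 2024" is a dated availability claim that will need to be revisited once the feature ships.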
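Review bot: in the second hunk (identity-protection-advanced-credential-protection.md), the rewritten opening sentence now says VBS key protection "enables developers to secure cryptographic keys", but the section gives the reader no pointer to how a developer opts in, which is the stated purpose of the commit ("include developer action"); add a "Learn more" link to the developer documentation for VBS key protection, consistent with the other sections of this book, rather than leaving the developer action implied. Minor: "plain text" in the last sentence of the paragraph should be "plaintext" when referring to unencrypted key material.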
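Review bot: in the third hunk (identity-protection-passwordless-sign-in.md), the added sentence is a run-on that is hard to parse and switches to second person ("your screen", "warn you") while the surrounding text speaks of "users"; suggest "Newer presence sensors can support multi-person detection, which lets them detect other people looking at the user's screen; with Privacy Screen Dim, the screen is intelligently dimmed to warn the user." The unchanged context line just above also carries a pre-existing typo, "thirdparty applications", which should be "third-party applications" and could be fixed in the same change.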
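Review bot: in the fourth hunk (application-security-application-and-driver-control.md), the new section body opens with "It is a Microsoft fully managed end-to-end signing solution ..." and "It" has no antecedent; start with the product name, e.g. "Trusted Signing is a fully managed, end-to-end signing solution from Microsoft that simplifies the signing process and empowers third-party developers to easily build and distribute applications." Capitalize the heading as "Trusted Signing" to match the product name used in the link text, write "third-party" rather than "3rd party", and replace the absolute locale-pinned link https://learn.microsoft.com/en-us/azure/trusted-signing/overview with the relative `/azure/trusted-signing/overview` used elsewhere in this book. "This feature is currently in public preview" is another time-bound statement that will need updating at general availability.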