From 387ebce2166e95c81e7c348374ab1c3b9c7bc13f Mon Sep 17 00:00:00 2001
From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com>
Date: Fri, 18 Oct 2024 14:38:40 -0400
Subject: [PATCH 1/5] endNotesUpdate1018
---
.../cloud-services-protect-your-personal-information.md | 2 +-
.../book/cloud-services-protect-your-work-information.md | 2 +-
windows/security/book/conclusion.md | 7 +++----
.../book/identity-protection-passwordless-sign-in.md | 2 +-
4 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 0f52cedfc5..c650bf5189 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -33,7 +33,7 @@ When location services and *Find my device* settings are turned on, basic system
## OneDrive for personal
-Microsoft OneDrive for personal[\[11\]](conclusion.md#footnote11) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
+Microsoft OneDrive for personal[\[10\]](conclusion.md#footnote10) offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
- If a device is lost or stolen, users can quickly recover all their important files from the cloud
- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index c622bdb045..2bb73b269f 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -130,7 +130,7 @@ Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive c
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
-Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[12\]](conclusion.md#footnote12). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
+Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index 07d695befd..2c18b25f3b 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -64,10 +64,9 @@ Enhanced:
|**6**| Commissioned study delivered by Forrester Consulting "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note, quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
|**7**| Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
|**8**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
-|**9**| Microsoft internal data.|
-|**10**| Hardware dependent.|
-|**11**|All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
-|**12**|The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
+|**9**| Hardware dependent.|
+|**10**|All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
+|**11**|The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
---
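Review bot: deleting the row `|**9**| Microsoft internal data.|` and shifting rows 10-12 down by one means any page that still cites `conclusion.md#footnote9` will silently resolve to "Hardware dependent" instead of the removed source note; the series stat shows only three citing files updated, so grep the whole book for `#footnote9` through `#footnote12` (and the matching `[\[9\]]`..`[\[12\]]` link text) and confirm no other page was citing the old numbers. Minor style point: the new rows `|**10**|All users` and `|**11**|The Total` omit the space after the second `|` that rows 6 through 9 use.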
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 24103f6b00..6d49a6231f 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -53,7 +53,7 @@ If a peripheral camera is attached to the device after enrollment, it can be use
## Windows presence sensing
-Windows presence sensing[\[10\]](conclusion.md#footnote10) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+Windows presence sensing[\[9\]](conclusion.md#footnote9) provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
From 52bdca93514b84cd3ec35f2d38fea064f1913559 Mon Sep 17 00:00:00 2001
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com>
Date: Mon, 21 Oct 2024 13:01:20 -0700
Subject: [PATCH 2/5] Updates
---
.../book/identity-protection-advanced-credential-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index d1d0c2d7a7..880daebdbf 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -19,7 +19,7 @@ By loading only trusted, signed code, LSA provides significant protection agains
[!INCLUDE [new-24h2](includes/new-24h2.md)]
-To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, LSA protection is enabled immediately, and for upgrades, it's enabled after an evaluation period.
+To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
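Review bot: the new sentence "it is enabled after rebooting after an evaluation period of 10 days" is ambiguous about ordering (is protection enabled at the first reboot after the 10 days elapse, or on any reboot during the period?); suggest "For upgrades, it's enabled after a 10-day evaluation period and the next reboot." This also keeps the contraction style ("it's") used in the removed line and elsewhere in the page. Since the 10-day figure is new and product-specific, it should be sourced, and the `new-24h2` include above this paragraph suggests stating explicitly that the evaluation-period behaviour applies from 24H2.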
From 6a414e097cace4b0021516ce454d1c1e0c03d48f Mon Sep 17 00:00:00 2001
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com>
Date: Mon, 21 Oct 2024 15:01:09 -0700
Subject: [PATCH 3/5] Updates
---
.../book/hardware-security-silicon-assisted-security.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 6a21c65300..a2220ff2d2 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -13,7 +13,7 @@ In addition to a modern hardware root-of-trust, there are multiple capabilities
## Secured kernel
-To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and most new devices come with VBS and HVCI protection turned on by default.
+To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
### Virtualization-based security (VBS)
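Review bot: the replacement sentence contradicts itself: it begins "All Windows 11 devices ... come with VBS and HVCI protection turned on by default" and ends "on most/all devices", and the "most/all" slash reads as an unresolved draft note. The removed wording ("most new devices come with VBS and HVCI protection turned on by default") was clearer; if the intent is to strengthen the claim, state the actual condition, for example which device classes or install types have it on by default versus upgraded devices where it may remain off, rather than hedging with "most/all".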
From a0b9c033d9bd5dc66952dcf25c089d89a4aea1cb Mon Sep 17 00:00:00 2001
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com>
Date: Mon, 21 Oct 2024 17:39:25 -0700
Subject: [PATCH 4/5] Updates
---
.../security/book/hardware-security-hardware-root-of-trust.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index ea812e4cd6..83e657ed0f 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -29,6 +29,10 @@ As with other TPMs, credentials, encryption keys, and other sensitive informatio
Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
+Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.
+
+Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .
+
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4]
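Review bot: two copy defects in the second added paragraph: "Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms" doubles "processor", and there is a stray space before the final period ("security subsystem ."). "Copilot + PC" should use the product spelling "Copilot+ PC". In the first paragraph, "using Rust mitigates memory safety threats" would be more precise as "mitigates memory-safety bugs" (Rust's guarantees address a bug class, not threats in general), and "the open-source Tock system" should say "Tock operating system" and link to the project, given the paragraph asks readers to trust its community scrutiny.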
From 283d4e1ef24456152b84de126ef699c896aad62d Mon Sep 17 00:00:00 2001
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com>
Date: Wed, 23 Oct 2024 12:40:17 -0700
Subject: [PATCH 5/5] Updates
---
.../security/book/identity-protection-passwordless-sign-in.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 6d49a6231f..7657beca15 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -80,7 +80,9 @@ Provisioning methods include:
Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
-Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust. This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy security keys with minimal extra setup or infrastructure.
+Hybrid cloud Kerberos trust is the simplest deployment model for the organizations with hybrid scenarios, as it reduces any additional deployment requirements. It uses the same infrastructure required for FIDO2 security sign-in. This is for enterprises who do not want to issue end-user certificates and have deployed 2016 domain controllers in each site to support authentication. It is simpler to deploy than key trust and does not require Active Directory Certificate Services. As a result, organization can take advantage of Windows Hello for Business and deploy passwordless credentials with minimal additional setup or infrastructure.
+
+This is the recommended deployment model when compared to the key trust. It is also preferred deployment model if you do not need to support certificate authentication scenarios.
[!INCLUDE [learn-more](includes/learn-more.md)]
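Review bot: the rewrite fixes a real inaccuracy in the removed line, which said cloud Kerberos trust "uses security keys"; the new text correctly describes it as sharing the infrastructure used for FIDO2 security key sign-in rather than requiring keys. Remaining wording problems in the added paragraph: "the organizations with hybrid scenarios" should drop "the"; "FIDO2 security sign-in" should be "FIDO2 security key sign-in"; "deployed 2016 domain controllers" should read "Windows Server 2016 or later domain controllers"; "organization can take advantage" should be plural; and "reduces any additional deployment requirements" is vague (it reduces requirements, not "any"). The two sentences in the final paragraph say the same thing and could be merged, e.g. "Cloud Kerberos trust is the recommended model over key trust, and is preferred whenever certificate-based authentication scenarios don't need to be supported." Also add "the" before "preferred deployment model".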