diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index 8c46ac4b93..b43345436f 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -1,7 +1,7 @@ --- title: Take tests and assessments in Windows description: Learn about the built-in Take a Test app for Windows and how to use it. -ms.date: 02/29/2024 +ms.date: 11/11/2024 ms.topic: how-to --- @@ -9,11 +9,11 @@ ms.topic: how-to Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't: -- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator) -- access other applications -- change system settings, such as display extension, notifications, updates -- access Cortana -- access content copied to the clipboard +- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator) +- Access other applications +- Change system settings, such as display extension, notifications, updates +- Access Cortana +- Access content copied to the clipboard ## How to use Take a Test 
@@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case: - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link) - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md) -:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false"::: + :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false"::: ## Create a secure assessment link @@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options: For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can: -- Paste the link to the assessment URL -- Select the options you want to allow during the test -- Generate the link by selecting the button Create link +- Paste the link to the assessment URL. +- Select the options you want to allow during the test. +- Generate the link by selecting the button Create link. This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example. 
@@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet ## Distribute the secure assessment link -Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing. +Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice. For example, you can create and copy the shortcut to the assessment URL to the students' desktop. @@ -85,4 +85,4 @@ To take the test, have the students open the link. Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d). -To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md). \ No newline at end of file +To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md). diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md index 351c262871..da97f38e11 100644 --- a/windows/configuration/taskbar/xsd.md +++ b/windows/configuration/taskbar/xsd.md @@ -2,7 +2,7 @@ title: Windows Taskbar XML Schema Definition (XSD) description: Reference article about the Taskbar XML schema definition (XSD). ms.topic: reference -ms.date: 11/07/2024 +ms.date: 11/11/2024 --- # Taskbar XML Schema Definition (XSD) diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 9984fc897b..d91a00bbc2 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md 
@@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back. -The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. +The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. -Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. 
Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002). +Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126). ### Option 2: Use WSUS with UUP Integration 
@@ -115,7 +115,7 @@ You can customize the Windows image in these ways: - Adding or removing languages - Adding or removing Features on Demand -The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. +The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. 
For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. ### Option 5: Install language features during deployment @@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin - [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) - [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) - [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) -- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) +- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) - [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md) -- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) -- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073) -- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) +- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) ## Sample scripts 
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 6435037d78..9efc2c0f96 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md @@ -1,6 +1,6 @@ --- -title: Application and driver control -description: Windows 11 security book - Application and driver control. +title: Windows 11 security book - Application and driver control +description: Application and driver control. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 6bc9c40284..de10e3941e 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -1,6 +1,6 @@ --- -title: Application isolation -description: Windows 11 security book - Application isolation. +title: Windows 11 security book - Application isolation +description: Application isolation. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md index 450a054437..da054a7d5d 100644 --- a/windows/security/book/application-security.md +++ b/windows/security/book/application-security.md @@ -1,6 +1,6 @@ --- -title: Application security -description: Windows 11 security book - Application security chapter. +title: Windows 11 security book - Application security +description: Application security chapter. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md index 855a3e1e34..36707a697b 100644 
--- a/windows/security/book/cloud-services-protect-your-personal-information.md +++ b/windows/security/book/cloud-services-protect-your-personal-information.md @@ -1,6 +1,6 @@ --- -title: Cloud services - Protect your personal information -description: Windows 11 security book - Cloud services chapter - Protect your personal information. +title: Windows 11 security book - Cloud services - Protect your personal information +description: Cloud services chapter - Protect your personal information. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index c695db60bd..033200a8f1 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -1,6 +1,6 @@ --- -title: Cloud services - Protect your work information -description: Windows 11 security book - Cloud services chapter - Protect your work information. +title: Windows 11 security book - Cloud services - Protect your work information +description: Cloud services chapter - Protect your work information. ms.topic: overview ms.date: 11/04/2024 --- 
@@ -49,7 +49,7 @@ Every Windows device has a built-in local administrator account that must be sec - [Microsoft Entra ID documentation][LINK-1] - [Microsoft Entra plans and pricing][LINK-2] -### :::image type="icon" source="images/microsoft-entra-private-access.svg" border="false"::: Microsoft Entra Private Access +### Microsoft Entra Private Access Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. @@ -57,7 +57,7 @@ Microsoft Entra Private Access provides organizations the ability to manage and - [Microsoft Entra Private Access][LINK-4] -### :::image type="icon" source="images/microsoft-entra-internet-access.svg" border="false"::: Microsoft Entra Internet Access +### Microsoft Entra Internet Access Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. 
@@ -168,7 +168,7 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif - [Windows enrollment attestation][LINK-13] -### :::image type="icon" source="images/microsoft-cloud-pki.svg" border="false"::: Microsoft Cloud PKI +### Microsoft Cloud PKI Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. @@ -185,7 +185,7 @@ With Microsoft Cloud PKI, organizations can accelerate their digital transformat - [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) -### :::image type="icon" source="images/endpoint-privilege-management.svg" border="false"::: Endpoint Privilege Management (EPM) +### Endpoint Privilege Management (EPM) Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md index 4b525daacc..cd8be85df1 100644 --- a/windows/security/book/cloud-services.md +++ b/windows/security/book/cloud-services.md @@ -1,6 +1,6 @@ --- -title: Cloud services -description: Windows 11 security book - Cloud services chapter. +title: Windows 11 security book - Cloud services +description: Cloud services chapter. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index 47c50c6916..7a9d69992d 100644 
--- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -1,5 +1,5 @@ --- -title: Conclusion +title: Windows 11 security book - Conclusion description: Windows 11 security book conclusion. ms.topic: overview ms.date: 11/18/2024 diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md index 478367613e..09081404bf 100644 --- a/windows/security/book/features-index.md +++ b/windows/security/book/features-index.md @@ -1,5 +1,5 @@ --- -title: Features index +title: Windows 11 security book - Features index description: Windows security book features index. ms.topic: overview ms.date: 11/18/2024 @@ -7,4 +7,4 @@ ms.date: 11/18/2024 # Features index -[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#-microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows Security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file +[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows Security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index fb31256cfc..1b2345a22b 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md @@ -1,6 +1,6 @@ --- -title: Hardware root-of-trust -description: Windows 11 security book - Hardware root-of-trust. +title: Windows 11 security book - Hardware root-of-trust +description: Hardware root-of-trust. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index 40d2e4935b..da7cf92de1 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md @@ -1,6 +1,6 @@ --- -title: Silicon assisted security -description: Windows 11 security book - Silicon assisted security. +title: Windows 11 security book - Silicon assisted security +description: Silicon assisted security. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md index f9acd73d1e..7d1f8669b1 100644 --- a/windows/security/book/hardware-security.md +++ b/windows/security/book/hardware-security.md @@ -1,6 +1,6 @@ --- -title: Hardware security -description: Windows 11 security book - Hardware security chapter. +title: Windows 11 security book - Hardware security +description: Hardware security chapter. ms.topic: overview ms.date: 11/18/2024 --- 
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 7194409637..0e35e41bc8 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md @@ -1,6 +1,6 @@ --- -title: Identity protection - Advanced credential protection -description: Windows 11 security book - Identity protection chapter. +title: Windows 11 security book - Advanced credential protection +description: Identity protection chapter - Advanced credential protection. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index a8a6104572..5187c49058 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md @@ -1,6 +1,6 @@ --- -title: Identity protection - Passwordless sign-in -description: Windows 11 security book - Identity protection chapter. +title: Windows 11 security book - Passwordless sign-in +description: Identity protection chapter - Passwordless sign-in. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md index 03248b2db3..41d1b6bca6 100644 --- a/windows/security/book/identity-protection.md +++ b/windows/security/book/identity-protection.md @@ -1,6 +1,6 @@ --- -title: Identity protection -description: Windows 11 security book - Identity protection chapter. +title: Windows 11 security book - Identity protection +description: Identity protection chapter. ms.topic: overview ms.date: 11/18/2024 --- 
@@ -9,7 +9,7 @@ ms.date: 11/18/2024 :::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false"::: -Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today. +Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today. Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources. diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg index 0d5ef702de..c4df2e11d2 100644 --- a/windows/security/book/images/azure-attestation.svg +++ b/windows/security/book/images/azure-attestation.svg @@ -1,17 +1,17 @@ - - - - - - + + + + + + - + - + diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg index 35ff9ff372..bf135a593b 100644 --- a/windows/security/book/images/defender-for-endpoint.svg +++ b/windows/security/book/images/defender-for-endpoint.svg @@ -1,3 +1,3 @@ - - + + diff --git a/windows/security/book/images/endpoint-privilege-management.svg b/windows/security/book/images/endpoint-privilege-management.svg deleted file mode 100644 index 7efbd9c1f1..0000000000 --- a/windows/security/book/images/endpoint-privilege-management.svg +++ /dev/null 
@@ -1,46 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-cloud-pki.svg b/windows/security/book/images/microsoft-cloud-pki.svg deleted file mode 100644 index e3e369770f..0000000000 --- a/windows/security/book/images/microsoft-cloud-pki.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg index 7a9eff4282..5cb2cfe7be 100644 --- a/windows/security/book/images/microsoft-entra-id.svg +++ b/windows/security/book/images/microsoft-entra-id.svg @@ -1,4 +1,4 @@ - + diff --git a/windows/security/book/images/microsoft-entra-internet-access.svg b/windows/security/book/images/microsoft-entra-internet-access.svg deleted file mode 100644 index f4a72a686f..0000000000 --- a/windows/security/book/images/microsoft-entra-internet-access.svg +++ /dev/null @@ -1,28 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-entra-private-access.svg b/windows/security/book/images/microsoft-entra-private-access.svg deleted file mode 100644 index e28e5fff69..0000000000 --- a/windows/security/book/images/microsoft-entra-private-access.svg +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg index 4651f1db01..714722c739 100644 --- a/windows/security/book/images/microsoft-intune.svg +++ b/windows/security/book/images/microsoft-intune.svg @@ -1,21 +1,21 @@ - - - - - - - - + + + + + + + + - + - + - + diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg index 2f9f35ede0..6f9ac42e61 100644 --- a/windows/security/book/images/onedrive.svg 
+++ b/windows/security/book/images/onedrive.svg @@ -1,24 +1,29 @@ - - - - - + + + + + + + - + - + - + - + + + + diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg index d91cd2a276..3c5d0761a2 100644 --- a/windows/security/book/images/universal-print.svg +++ b/windows/security/book/images/universal-print.svg @@ -1,22 +1,22 @@ - - - - - - - - - + + + + + + + + + - + - + - + diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg index f8574a500f..7882c89525 100644 --- a/windows/security/book/images/windows-security.svg +++ b/windows/security/book/images/windows-security.svg @@ -1,22 +1,22 @@ - - - - - + + + + + - + - + - + - + diff --git a/windows/security/book/index.md b/windows/security/book/index.md index 350e25f172..3ee48c98ad 100644 --- a/windows/security/book/index.md +++ b/windows/security/book/index.md @@ -1,6 +1,6 @@ --- -title: Windows security book introduction -description: Windows security book introduction +title: Windows 11 security book - Windows security book introduction +description: Windows 11 security book introduction. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md index 238afa439c..d9ab85a02b 100644 --- a/windows/security/book/operating-system-security-encryption-and-data-protection.md +++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md @@ -1,6 +1,6 @@ --- -title: Operating System security -description: Windows 11 security book - Operating System security chapter. +title: Windows 11 security book - Encryption and data protection +description: Operating System security chapter - Encryption and data protection. ms.topic: overview ms.date: 11/18/2024 --- 
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md index 5be1a004aa..fff427b5b2 100644 --- a/windows/security/book/operating-system-security-network-security.md +++ b/windows/security/book/operating-system-security-network-security.md @@ -1,6 +1,6 @@ --- -title: Operating System security -description: Windows 11 security book - Operating System security chapter. +title: Windows 11 security book - Network security +description: Operating System security chapter - Network security. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md index 649ebdbe4b..dd056f219e 100644 --- a/windows/security/book/operating-system-security-system-security.md +++ b/windows/security/book/operating-system-security-system-security.md @@ -1,6 +1,6 @@ --- -title: Operating System security -description: Windows 11 security book - Operating System security chapter. +title: Windows 11 security book - System security +description: Operating System security chapter - System security. ms.topic: overview ms.date: 11/18/2024 --- 
@@ -139,7 +139,7 @@ Config Refresh can also be paused for a configurable period of time, after which Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup. :::column-end::: :::column span="2"::: -:::image type="content" source="images/kiosk.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/kiosk.png" ::: +:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" ::: :::column-end::: :::row-end::: diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md index 44eb24d2c9..cb69b30617 100644 --- a/windows/security/book/operating-system-security-virus-and-threat-protection.md +++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md @@ -1,11 +1,11 @@ --- -title: Operating System security -description: Windows 11 security book - Operating System security chapter. +title: Windows 11 security book - Virus and threat protection +description: Operating System security chapter - Virus and threat protection. ms.topic: overview ms.date: 11/18/2024 --- -# Virus and threat protection +# Virus and threat protection in Windows 11 :::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false"::: 
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md index cd1f79d3e9..17141c211b 100644 --- a/windows/security/book/operating-system-security.md +++ b/windows/security/book/operating-system-security.md @@ -1,6 +1,6 @@ --- -title: Operating System security -description: Windows 11 security book - Operating System security chapter. +title: Windows 11 security book - Operating System security +description: Operating System security chapter. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md index 21377d5d8a..9aa5d2bd86 100644 --- a/windows/security/book/privacy-controls.md +++ b/windows/security/book/privacy-controls.md @@ -1,6 +1,6 @@ --- -title: Privacy -description: Windows 11 security book - Privacy chapter. +title: Windows 11 security book - Privacy controls +description: Privacy chapter - Privacy controls. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md index ef5c623ebb..d4acb2ffed 100644 --- a/windows/security/book/privacy.md +++ b/windows/security/book/privacy.md @@ -1,6 +1,6 @@ --- -title: Privacy -description: Windows 11 security book - Privacy chapter. +title: Windows 11 security book - Privacy +description: Privacy chapter. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md index d83dfb1231..1f8c8c878d 100644 --- a/windows/security/book/security-foundation-certification.md +++ b/windows/security/book/security-foundation-certification.md @@ -1,6 +1,6 @@ --- -title: Security foundation -description: Windows 11 security book - Security foundation chapter. +title: Windows 11 security book - Certification +description: Security foundation chapter - Certification. ms.topic: overview ms.date: 11/18/2024 --- 
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md index 4a1fdf3bbf..f40f549653 100644 --- a/windows/security/book/security-foundation-offensive-research.md +++ b/windows/security/book/security-foundation-offensive-research.md @@ -1,6 +1,6 @@ --- -title: Security foundation -description: Windows 11 security book - Security foundation chapter. +title: Windows 11 security book - Secure Future Initiative and offensive research +description: Security foundation chapter - Secure Future Initiative and offensive research. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md index 9cfdaec1f9..9e638bfbc5 100644 --- a/windows/security/book/security-foundation-secure-supply-chain.md +++ b/windows/security/book/security-foundation-secure-supply-chain.md @@ -1,6 +1,6 @@ --- -title: Secure supply chain -description: Windows 11 security book - Security foundation chapter - Secure supply chain. +title: Windows 11 security book - Secure supply chain +description: Security foundation chapter - Secure supply chain. ms.topic: overview ms.date: 11/18/2024 --- diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md index 2a370ff6d5..2748af0a55 100644 --- a/windows/security/book/security-foundation.md +++ b/windows/security/book/security-foundation.md 
@@ -1,14 +1,14 @@ --- -title: Security foundation -description: Windows 11 security book - Security foundation chapter. +title: Windows 11 security book - Security foundation +description: Security foundation chapter. ms.topic: overview ms.date: 11/18/2024 --- -# Security foundation +# Security foundation in Windows 11 :::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false"::: -Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft’s security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default. +Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default. :::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false"::: diff --git a/windows/security/docfx.json b/windows/security/docfx.json index b7d4db82be..e0cd0064c8 100644 
--- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -150,7 +150,7 @@ "✅ Windows Server 2016" ], "book/**/*.md": [ - "✅ Windows 11" + "Windows 11" ], "hardware-security/**/*.md": [ "✅ Windows 11", @@ -251,7 +251,7 @@ "security-foundations/certification/**/*.md": "paoloma" }, "ms.collection": { - "book/*.md": "tier3", + "book/*.md": "tier1", "identity-protection/hello-for-business/*.md": "tier1", "information-protection/pluton/*.md": "tier1", "information-protection/tpm/*.md": "tier1", @@ -259,9 +259,6 @@ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1", "security-foundations/certification/**/*.md": "tier3", "threat-protection/auditing/*.md": "tier3" - }, - "ROBOTS": { - "book/*.md": "NOINDEX" } }, "template": [], diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index 553251974a..f2c4e29919 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud-only deployment guide description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 9b2e6325b4..e4312d8684 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md 
@@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment guide description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- @@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings) 1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business -> [!NOTE] -> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. + > [!NOTE] + > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. ## Migrate from certificate trust deployment model to cloud Kerberos trust 
@@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: -1. Disable the certificate trust policy -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings) -1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context -1. Sign out and sign back in -1. Provision Windows Hello for Business using a method of your choice +1. Disable the certificate trust policy. +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings). +1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context. +1. Sign out and sign back in. +1. Provision Windows Hello for Business using a method of your choice. > [!NOTE] > For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index c97ec8cde9..742939bf9d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -1,7 +1,7 @@ --- title: Configure and enroll in Windows Hello for Business in a hybrid key trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 2b775003f0..ce6526f4a7 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid key trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md index 6adbe43c94..11af1ac31c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md @@ -1,5 +1,5 @@ --- -ms.date: 06/23/2024 +ms.date: 11/22/2024 ms.topic: include --- 
@@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). + +> [!TIP] +> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings). diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 7446d01e92..73dd0d6cbf 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md 
@@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane -1. Select **Certificate Templates** in the navigation pane -1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue -1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority -1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list - - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation -1. Close the console +1. Open the **Certification Authority** management console. +1. Expand the parent node from the navigation pane. +1. Select **Certificate Templates** in the navigation pane. +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue. +1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority. +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list. + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation. +1. Close the console. ## Configure the certificate registration authority 
@@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat ``` >[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA. +> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA. ### Enrollment agent certificate lifecycle management 
@@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"] > Before you continue with the deployment, validate your deployment progress by reviewing the following items: > -> - Configure an enrollment agent certificate template -> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template -> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance -> - Confirm you properly configured the Windows Hello for Business authentication certificate template -> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities -> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template -> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet -> Confirm you restarted the AD FS service -> - Confirm you properly configured load-balancing (hardware or software) -> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server -> - Confirm you have deployed a MFA solution for AD FS +> - Configure an enrollment agent certificate template. +> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. +> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. 
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template. +> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. +> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. +> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. +> - Confirm you restarted the AD FS service. +> - Confirm you properly configured load-balancing (hardware or software). +> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address. +> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. +> - Confirm you have deployed a MFA solution for AD FS. > [!div class="nextstepaction"] > [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md index d9e217575b..123d35b434 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md @@ -1,7 +1,7 @@ --- title: Configure Active Directory Federation Services in an on-premises key trust model description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md index 0aeded8941..efbea47423 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md +++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md @@ -1,7 +1,7 @@ --- title: Prepare users to provision and use Windows Hello for Business description: Learn how to prepare users to enroll and to use Windows Hello for Business. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: end-user-help --- diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md index 7dd1507298..0d5f859326 100644 --- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md @@ -1,7 +1,7 @@ --- title: Dual enrollment description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment. -ms.date: 05/06/2024 +ms.date: 11/22/2024 ms.topic: how-to --- @@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users Sign in to a domain controller or management workstation with access equivalent to *domain administrator*. -1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object. ```cmd dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink 
@@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink ``` -1. To trigger security descriptor propagation, open `ldp.exe` -1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK** -1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user -1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List** -1. Select **Run** to start the task -1. Close LDP +1. To trigger security descriptor propagation, open `ldp.exe`. +1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**. +1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user. +1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**. +1. Select **Run** to start the task. +1. Close LDP. ### Configure dual enrollment with group policy You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object: -1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users -1. Edit the Group Policy object from step 1 +1. 
Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. +1. Edit the Group Policy object from step 1. 1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business** -1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC -1. Restart computers targeted by this Group Policy object +1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +1. Restart computers targeted by this Group Policy object. -The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. + The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index e6b79420ad..aaed7b870d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -1,7 +1,7 @@ --- title: Windows Hello for Business known deployment issues description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: troubleshooting --- diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index ef8e864841..8524027332 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,7 +2,7 @@ title: Windows Hello errors during PIN creation description: Learn about the Windows Hello error codes that might happen during PIN creation. ms.topic: troubleshooting -ms.date: 03/12/2024 +ms.date: 11/22/2024 --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index e1845d9363..8c46258086 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,7 +1,7 @@ --- title: Dynamic lock description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.date: 04/23/2024 +ms.date: 11/22/2024 ms.topic: how-to --- 
@@ -19,33 +19,33 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli 1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. 1. Close the Group Policy Management Editor to save the Group Policy object. -The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: + The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: -```xml - - - -``` + ```xml + + + + ``` ->[!IMPORTANT] ->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. + >[!IMPORTANT] + >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. -For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: + For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. 
The attribute defaults to Phone and uses the values from the following table: -|Description|Value| -|:-------------|:-------:| -|Miscellaneous|0| -|Computer|256| -|Phone|512| -|LAN/Network Access Point|768| -|Audio/Video|1024| -|Peripheral|1280| -|Imaging|1536| -|Wearable|1792| -|Toy|2048| -|Health|2304| -|Uncategorized|7936| + |Description|Value| + |:-------------|:-------:| + |Miscellaneous|0| + |Computer|256| + |Phone|512| + |LAN/Network Access Point|768| + |Audio/Video|1024| + |Peripheral|1280| + |Imaging|1536| + |Wearable|1792| + |Toy|2048| + |Health|2304| + |Uncategorized|7936| -The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. + The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. -RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. + RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 3d2908e78a..613da4d993 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,7 +1,7 @@ --- title: Use Certificates to enable SSO for Microsoft Entra join devices description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps. -ms.date: 04/24/2024 +ms.date: 11/22/2024 ms.topic: how-to --- 
@@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*. -1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder -1. In the **Synchronization Service Manager**, select **Help** and then select **About** -1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version +1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder. +1. In the **Synchronization Service Manager**, select **Help** and then select **About**. +1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) -1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). +1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials. > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted 1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent -1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query** +1. 
In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. @@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName ``` -1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null** +1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**. #### Response
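Review bot: in deploy/includes/adfs-mfa.md (hunk @@ -19,3 +19,6 @@), the new TIP reads "verify if you need to update the configuration of user agent strings" but gives the reader no way to tell whether an update is needed. Suggest "check whether the `WIASupportedUserAgent` list needs to be updated" plus one clause on what a missing entry looks like during validation. The two unchanged sentences above it ("...authentication methods see [...]" and "...custom authentication method see [...]") still lack a comma before "see", and the second lacks a terminal period, which is the kind of thing this patch fixes elsewhere.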
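Review bot: in deploy/on-premises-cert-trust-adfs.md (hunk @@ -33,14 +33,14 @@), step 4 now ends "Select **New > Certificate Template** to issue.", which reads as a sentence fragment once the period is added. The bold span should cover the full menu label, that is "Select **New > Certificate Template to Issue**." Step 5 in the same hunk names the window **Enable Certificates Templates**; check that label against the console while the line is being touched, since the doubled plural looks like a typo.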
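Review bot: in deploy/on-premises-cert-trust-adfs.md (hunk @@ -55,7 +55,7 @@), the change to "(_certtmpl.msc_)" introduces underscore italics into a note that uses asterisk italics for *WHFBEnrollmentAgent* and *WHFBAuthentication* a few words earlier. Use one emphasis style in the note, or format the file name as code the way `ldp.exe` and `Get-CATemplate` are formatted elsewhere in this patch.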
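Review bot: in deploy/on-premises-cert-trust-adfs.md (hunk @@ -89,18 +89,18 @@), the checklist lines are rewritten only to add periods, so the wording errors on them survive: "Windows Hello Business authentication certificate template" is missing "for", and "a MFA solution" should be "an MFA solution". The first item, "Configure an enrollment agent certificate template.", is also an instruction in a list introduced as items to review; "Confirm you configured an enrollment agent certificate template." would match the others. Restoring the missing "- " on "Confirm you restarted the AD FS service" is a good catch.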
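Review bot: in dual-enrollment.md (hunk @@ -40,7 +40,7 @@), step 1 grants the `Key Admins` group read and write on msDS-KeyCredentialLink at the `AdminSDHolder` object, and the next hunk propagates that security descriptor, yet the procedure has no step to confirm the resulting permission entry or to review who is a member of that group before propagation runs. Suggest adding a verification step after the `dsacls` command. Minor, on the same line: "for msDS-KeyCredentialLink attribute" needs "the" and the attribute name should be in code formatting like the group and object names beside it.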
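Review bot: in dual-enrollment.md (hunk @@ -52,21 +52,21 @@), step 3 of the Group Policy list ("Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under ...") is the only step left without a terminal period, so the list is still inconsistent after this change. That line also writes the path as "Computer Configuration->Administrative Templates->...", while the dynamic lock article in this same patch separates bold path segments with " > "; pick one form. The closing paragraph is now indented under step 5; confirm that nesting is intended, since "The computer is ready for dual enrollment" describes the outcome of the whole procedure rather than of the restart step alone. Step 1 also has "organizational Unit" with mismatched capitalization.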
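Review bot: in hello-feature-dynamic-lock.md (hunk @@ -19,33 +19,33 @@), every line from "The Group Policy Editor, when the policy is enabled" onward is re-indented without fixing the wording it carries: "for this policy settings", "which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10", and lowercase "bluetooth". Since the lines are being rewritten anyway, fix them in this change. The `rssiMaxDelta` sentence also deserves a rewrite for meaning: it gives a default of `-10` and then describes the trigger as weakening by more than 10, and a reader tuning this lock threshold needs to know whether the sign matters. The alert marker ">[!IMPORTANT]" has no space after ">" while the TIP added in adfs-mfa.md uses "> [!TIP]".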
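Review bot: in hello-hybrid-aadj-sso-cert.md (hunk @@ -62,21 +62,21 @@), the unchanged sentence "The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized" misspells the attribute the section is about; correct it to onPremisesDistinguishedName and put it in code formatting, since readers will copy it into a query. The period pass also skips two lines inside the hunk: the note ending "must be granted" and the step ending "You'll now be prompted for delegated permissions consent". On that step, "**User.Read.All** (or any other required permission)" leaves the scope open-ended; name the single permission the `$select` query in the next step needs so readers don't consent to more than the check requires.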