From eac069762953869743531ec6c2e04f3e6be19987 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 11 Nov 2024 15:51:56 -0500 Subject: [PATCH 01/16] updates --- education/windows/take-tests-in-windows.md | 2 +- windows/configuration/taskbar/xsd.md | 2 +- windows/security/identity-protection/remote-credential-guard.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index 8c46ac4b93..55856b5df0 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -1,7 +1,7 @@ --- title: Take tests and assessments in Windows description: Learn about the built-in Take a Test app for Windows and how to use it. -ms.date: 02/29/2024 +ms.date: 11/11/2024 ms.topic: how-to --- diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md index c6d5ded3aa..b6e5d620fe 100644 --- a/windows/configuration/taskbar/xsd.md +++ b/windows/configuration/taskbar/xsd.md @@ -2,7 +2,7 @@ title: Taskbar XML Schema Definition (XSD) description: Taskbar XSD reference article. ms.topic: reference -ms.date: 02/15/2024 +ms.date: 11/11/2024 --- # Taskbar XML Schema Definition (XSD) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 494d9a4978..f7dbf10cd7 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,7 +2,7 @@ title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.topic: how-to -ms.date: 03/12/2024 +ms.date: 11/11/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 From 2e454254b72b8116e1e823cb688abc5b2910b015 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 22 Nov 2024 06:55:55 -0500 Subject: [PATCH 02/16] freshness review --- ...-services-protect-your-work-information.md | 8 +-- windows/security/book/features-index.md | 2 +- .../book/images/azure-attestation.svg | 16 +++--- .../book/images/defender-for-endpoint.svg | 4 +- .../images/endpoint-privilege-management.svg | 46 ----------------- .../book/images/microsoft-cloud-pki.svg | 19 ------- .../book/images/microsoft-entra-id.svg | 2 +- .../microsoft-entra-internet-access.svg | 28 ----------- .../images/microsoft-entra-private-access.svg | 49 ------------------- .../security/book/images/microsoft-intune.svg | 22 ++++----- windows/security/book/images/onedrive.svg | 23 +++++---- .../security/book/images/universal-print.svg | 24 ++++----- .../security/book/images/windows-security.svg | 18 +++---- windows/security/docfx.json | 7 +-- .../hello-for-business/deploy/cloud-only.md | 2 +- .../deploy/hybrid-cloud-kerberos-trust.md | 2 +- .../deploy/hybrid-key-trust-enroll.md | 2 +- .../deploy/hybrid-key-trust.md | 2 +- .../deploy/includes/adfs-mfa.md | 5 +- .../deploy/on-premises-cert-trust-adfs.md | 2 +- .../deploy/on-premises-key-trust-adfs.md | 2 +- .../deploy/prepare-users.md | 2 +- .../hello-for-business/dual-enrollment.md | 2 +- .../hello-deployment-issues.md | 2 +- .../hello-errors-during-pin-creation.md | 2 +- .../hello-feature-dynamic-lock.md | 2 +- .../hello-hybrid-aadj-sso-cert.md | 2 +- .../hello-hybrid-aadj-sso.md | 2 +- .../how-it-works-authentication.md | 2 +- .../how-it-works-provisioning.md | 2 +- .../hello-for-business/how-it-works.md | 2 +- .../hello-for-business/index.md | 2 +- .../hello-for-business/multifactor-unlock.md | 2 +- .../hello-for-business/pin-reset.md | 2 +- .../hello-for-business/policy-settings.md | 2 +- .../hello-for-business/webauthn-apis.md | 2 +- 36 files changed, 89 insertions(+), 226 deletions(-) delete mode 100644 
windows/security/book/images/endpoint-privilege-management.svg delete mode 100644 windows/security/book/images/microsoft-cloud-pki.svg delete mode 100644 windows/security/book/images/microsoft-entra-internet-access.svg delete mode 100644 windows/security/book/images/microsoft-entra-private-access.svg diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index c695db60bd..dd2b7d9961 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -49,7 +49,7 @@ Every Windows device has a built-in local administrator account that must be sec - [Microsoft Entra ID documentation][LINK-1] - [Microsoft Entra plans and pricing][LINK-2] -### :::image type="icon" source="images/microsoft-entra-private-access.svg" border="false"::: Microsoft Entra Private Access +### Microsoft Entra Private Access Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. 
@@ -57,7 +57,7 @@ Microsoft Entra Private Access provides organizations the ability to manage and - [Microsoft Entra Private Access][LINK-4] -### :::image type="icon" source="images/microsoft-entra-internet-access.svg" border="false"::: Microsoft Entra Internet Access +### Microsoft Entra Internet Access Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. @@ -168,7 +168,7 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif - [Windows enrollment attestation][LINK-13] -### :::image type="icon" source="images/microsoft-cloud-pki.svg" border="false"::: Microsoft Cloud PKI +### Microsoft Cloud PKI Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. 
@@ -185,7 +185,7 @@ With Microsoft Cloud PKI, organizations can accelerate their digital transformat - [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) -### :::image type="icon" source="images/endpoint-privilege-management.svg" border="false"::: Endpoint Privilege Management (EPM) +### Endpoint Privilege Management (EPM) Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md index 478367613e..18f194e763 100644 --- a/windows/security/book/features-index.md +++ b/windows/security/book/features-index.md @@ -7,4 +7,4 @@ ms.date: 11/18/2024 # Features index -[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#-microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows Security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file +[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)
[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows Security](operating-system-security-system-security.md#windows-security)
[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business) \ No newline at end of file diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg index 0d5ef702de..c4df2e11d2 100644 --- a/windows/security/book/images/azure-attestation.svg +++ b/windows/security/book/images/azure-attestation.svg @@ -1,17 +1,17 @@ - - - - - - + + + + + + - + - + diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg index 35ff9ff372..bf135a593b 100644 --- a/windows/security/book/images/defender-for-endpoint.svg +++ b/windows/security/book/images/defender-for-endpoint.svg @@ -1,3 +1,3 @@ - - + + diff --git a/windows/security/book/images/endpoint-privilege-management.svg b/windows/security/book/images/endpoint-privilege-management.svg deleted file mode 100644 index 7efbd9c1f1..0000000000 --- a/windows/security/book/images/endpoint-privilege-management.svg +++ /dev/null @@ -1,46 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-cloud-pki.svg b/windows/security/book/images/microsoft-cloud-pki.svg deleted file mode 100644 index e3e369770f..0000000000 --- a/windows/security/book/images/microsoft-cloud-pki.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg index 7a9eff4282..5cb2cfe7be 100644 --- a/windows/security/book/images/microsoft-entra-id.svg +++ b/windows/security/book/images/microsoft-entra-id.svg @@ -1,4 +1,4 @@ - + diff --git a/windows/security/book/images/microsoft-entra-internet-access.svg b/windows/security/book/images/microsoft-entra-internet-access.svg deleted file mode 100644 index f4a72a686f..0000000000 
--- a/windows/security/book/images/microsoft-entra-internet-access.svg +++ /dev/null @@ -1,28 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-entra-private-access.svg b/windows/security/book/images/microsoft-entra-private-access.svg deleted file mode 100644 index e28e5fff69..0000000000 --- a/windows/security/book/images/microsoft-entra-private-access.svg +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg index 4651f1db01..714722c739 100644 --- a/windows/security/book/images/microsoft-intune.svg +++ b/windows/security/book/images/microsoft-intune.svg @@ -1,21 +1,21 @@ - - - - - - - - + + + + + + + + - + - + - + diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg index 2f9f35ede0..6f9ac42e61 100644 --- a/windows/security/book/images/onedrive.svg +++ b/windows/security/book/images/onedrive.svg @@ -1,24 +1,29 @@ - - - - - + + + + + + + - + - + - + - + + + + diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg index d91cd2a276..3c5d0761a2 100644 --- a/windows/security/book/images/universal-print.svg +++ b/windows/security/book/images/universal-print.svg @@ -1,22 +1,22 @@ - - - - - - - - - + + + + + + + + + - + - + - + diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg index f8574a500f..7882c89525 100644 --- a/windows/security/book/images/windows-security.svg +++ b/windows/security/book/images/windows-security.svg @@ -1,22 +1,22 @@ - - - - - + + + + + - + - + - + - + diff --git a/windows/security/docfx.json b/windows/security/docfx.json index b7d4db82be..e0cd0064c8 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -150,7 +150,7 @@ "✅ Windows Server 2016" ], "book/**/*.md": [ - "✅ Windows 11" + "Windows 11" ], "hardware-security/**/*.md": [ "✅ Windows 11", @@ -251,7 +251,7 @@ "security-foundations/certification/**/*.md": "paoloma" }, "ms.collection": { - "book/*.md": "tier3", + "book/*.md": "tier1", "identity-protection/hello-for-business/*.md": "tier1", "information-protection/pluton/*.md": "tier1", "information-protection/tpm/*.md": "tier1", @@ -259,9 +259,6 @@ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1", "security-foundations/certification/**/*.md": "tier3", "threat-protection/auditing/*.md": "tier3" - }, - "ROBOTS": { - "book/*.md": "NOINDEX" } }, "template": [], diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md index 553251974a..f2c4e29919 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud-only deployment guide description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. -ms.date: 03/12/2024 +ms.date: 11/22/2024 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index 9b2e6325b4..2db7810665 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md 
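Review bot: The new `"book/**/*.md": [ "Windows 11" ]` value in the @@ -150 hunk drops the ✅ prefix that every sibling appliesto entry in the same block keeps (`"✅ Windows Server 2016"` just above it, `"✅ Windows 11"` under `hardware-security/**/*.md` just below), so the Security Book pages would render their Applies-to box differently from the rest of the security docs. Unless the book template is meant to render this value without the marker, keep it as `"✅ Windows 11"` for consistency. The @@ -251 and @@ -259 hunks on the same file also move `book/*.md` from tier3 to tier1 and delete the `ROBOTS` / `NOINDEX` entry for those pages, which changes their search visibility rather than their freshness; that looks intentional, but it deserves a sentence in the commit message so the publication decision is traceable.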
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud Kerberos trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index c97ec8cde9..742939bf9d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,7 +1,7 @@
 ---
 title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b775003f0..ce6526f4a7 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid key trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index 6adbe43c94..11af1ac31c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 06/23/2024
+ms.date: 11/22/2024
 ms.topic: include
 ---
 
@@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF
 For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+
+> [!TIP]
+> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 7446d01e92..8212182c18 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -96,7 +96,7 @@ For detailed information about the certificate, use `Certutil -q -v - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
 > - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
 > - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
+> - Confirm you restarted the AD FS service
 > - Confirm you properly configured load-balancing (hardware or software)
 > - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
 > - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index d9e217575b..123d35b434 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in an on-premises key trust model
 description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
index 0aeded8941..efbea47423 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -1,7 +1,7 @@
 ---
 title: Prepare users to provision and use Windows Hello for Business
 description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: end-user-help
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
index 7dd1507298..6678b0d693 100644
--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -1,7 +1,7 @@
 ---
 title: Dual enrollment
 description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 05/06/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index e6b79420ad..aaed7b870d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business known deployment issues
 description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: troubleshooting
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index ef8e864841..8524027332 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
 title: Windows Hello errors during PIN creation
 description: Learn about the Windows Hello error codes that might happen during PIN creation.
 ms.topic: troubleshooting
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ---
 
 # Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index e1845d9363..920451e027 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,7 +1,7 @@
 ---
 title: Dynamic lock
 description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3d2908e78a..47e86b8b68 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,7 +1,7 @@
 ---
 title: Use Certificates to enable SSO for Microsoft Entra join devices
 description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
-ms.date: 04/24/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 59a927977d..7b70b0f787 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,7 +1,7 @@
 ---
 title: Configure single sign-on (SSO) for Microsoft Entra joined devices
 description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
index 8e1d1411a3..b5c3c0273f 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business authentication works
 description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: reference
 ---
 # Windows Hello for Business authentication
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
index b066524e2f..fcc17cd4d5 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business provisioning works
 description: Learn about the provisioning flows for Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: reference
 appliesto:
 ---
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index 659f4a0e25..e9dcd47589 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: concept-article
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index d7af366d19..e51ecfc56e 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -2,7 +2,7 @@
 title: Windows Hello for Business overview
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.topic: overview
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ---
 
 # Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
index b11627e5b7..426ed39d72 100644
--- a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@@ -1,7 +1,7 @@
 ---
 title: Multi-factor unlock
 description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/pin-reset.md b/windows/security/identity-protection/hello-for-business/pin-reset.md
index aabf1fc5f2..f73c4bc91e 100644
--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@@ -1,7 +1,7 @@
 ---
 title: PIN reset
 description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 
diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md
index 300d58e123..3a54d69597 100644
--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@@ -2,7 +2,7 @@
 title: Windows Hello for Business policy settings
 description: Learn about the policy settings to configure Configure Windows Hello for Business.
 ms.topic: reference
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ---
 
 # Windows Hello for Business policy settings
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index d685983a32..234d305178 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,7 +1,7 @@
 ---
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 # WebAuthn APIs for passwordless authentication on Windows
From 73ec6b240e07941daca2503d174f8a538e389203 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 22 Nov 2024 07:47:23 -0500
Subject: [PATCH 03/16] Fixed descriptions.
---
 ...otection-advanced-credential-protection.md | 2 +-
 ...dentity-protection-passwordless-sign-in.md | 2 +-
 windows/security/book/index.md | 2 +-
 ...security-encryption-and-data-protection.md | 2 +-
 ...rating-system-security-network-security.md | 2 +-
 ...em-security-virus-and-threat-protection.md | 2 +-
 windows/security/book/privacy-controls.md | 2 +-
 .../security-foundation-offensive-research.md | 2 +-
 .../how-it-works-authentication.md | 42 +++++++++----------
 9 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index 7194409637..0fb2174e63 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Identity protection - Advanced credential protection
-description: Windows 11 security book - Identity protection chapter.
+description: Windows 11 security book - Identity protection chapter - Advanced credential protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index a8a6104572..4bc197cf11 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,6 +1,6 @@
 ---
 title: Identity protection - Passwordless sign-in
-description: Windows 11 security book - Identity protection chapter.
+description: Windows 11 security book - Identity protection chapter - Passwordless sign-in.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 350e25f172..9a84dab6f3 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -1,6 +1,6 @@
 ---
 title: Windows security book introduction
-description: Windows security book introduction
+description: Windows 11 security book introduction.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index 238afa439c..19cc0e0913 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+description: Windows 11 security book - Operating System security chapter - Encryption and data protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 5be1a004aa..b3e953e9b9 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,6 +1,6 @@
 ---
 title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+description: Windows 11 security book - Operating System security chapter - Network security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index 44eb24d2c9..ddf6e12cbc 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+description: Windows 11 security book - Operating System security chapter - Virus and threat protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 21377d5d8a..84c951a710 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,6 +1,6 @@
 ---
 title: Privacy
-description: Windows 11 security book - Privacy chapter.
+description: Windows 11 security book - Privacy chapter - Privacy controls.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 4a1fdf3bbf..b2689d334a 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,6 +1,6 @@
 ---
 title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+description: Windows 11 security book - Security foundation chapter - Secure Future Initiative and offensive research.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
index b5c3c0273f..2d52ce35bd 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@@ -19,11 +19,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 | Phase | Description |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
 |B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
 |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
-|E | The Cloud AP provider returns a successful authentication response to lsass.
Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
@@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 | Phase | Description |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
 |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
 ## Microsoft Entra join authentication to Active Directory using a key
@@ -40,9 +40,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 | Phase | Description |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|
 > [!NOTE]
 > You might have an on-premises domain federated with Microsoft Entra ID.
Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins. 
@@ -53,9 +53,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
 | Phase | Description |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|
 > [!NOTE]
 > You may have an on-premises domain federated with Microsoft Entra ID.
Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. 
@@ -66,11 +66,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. +|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, LSASS passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID. |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. 
After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP. -|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. -|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| +|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to LSASS. LSASS caches the PRT and the Partial TGT. +|E | The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. 
After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests. LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| ## Microsoft Entra hybrid join authentication using a key 
@@ -78,13 +78,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| +|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. -|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| -|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| -|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. 
After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| +|D | After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.| +|E | LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| +|F | While Windows loads the user's desktop, LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| +|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT.| > [!IMPORTANT] > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. @@ -95,13 +95,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| +|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. -|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| -|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| -|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. 
After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| +|D | After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.| +|E | LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| +|F | While Windows loads the user's desktop, LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| +|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT.|
 > [!IMPORTANT]
-> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
+> In this deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
From bc9fcbdd3fca6f44e1ac265d27e60c08b758b3d1 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 22 Nov 2024 07:56:02 -0500
Subject: [PATCH 04/16] Fixed meta
---
 .../book/identity-protection-advanced-credential-protection.md | 2 +-
 .../security/book/identity-protection-passwordless-sign-in.md | 2 +-
 .../operating-system-security-encryption-and-data-protection.md | 2 +-
 .../security/book/operating-system-security-network-security.md | 2 +-
 .../security/book/operating-system-security-system-security.md | 2 +-
 .../operating-system-security-virus-and-threat-protection.md | 2 +-
 windows/security/book/privacy-controls.md | 2 +-
 windows/security/book/security-foundation-certification.md | 2 +-
 windows/security/book/security-foundation-offensive-research.md | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index 0fb2174e63..97d9d2ef10 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Identity protection - Advanced credential protection
+title: Advanced credential protection
 description: Windows 11 security book - Identity protection chapter - Advanced credential protection.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 4bc197cf11..c76ee980dc 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,5 +1,5 @@
 ---
-title: Identity protection - Passwordless sign-in
+title: Passwordless sign-in
 description: Windows 11 security book - Identity protection chapter - Passwordless sign-in.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index 19cc0e0913..746cc7e852 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Operating System security
+title: Encryption and data protection
 description: Windows 11 security book - Operating System security chapter - Encryption and data protection.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index b3e953e9b9..7b6acf8859 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,5 +1,5 @@
 ---
-title: Operating System security
+title: Network security
 description: Windows 11 security book - Operating System security chapter - Network security.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index 649ebdbe4b..fbcb0cdd37 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,5 +1,5 @@
 ---
-title: Operating System security
+title: System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index ddf6e12cbc..ab4506235f 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Operating System security
+title: Virus and threat protection
 description: Windows 11 security book - Operating System security chapter - Virus and threat protection.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 84c951a710..a55e00c386 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,5 +1,5 @@
 ---
-title: Privacy
+title: Privacy controls
 description: Windows 11 security book - Privacy chapter - Privacy controls.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index d83dfb1231..8045624db8 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,5 +1,5 @@
 ---
-title: Security foundation
+title: Certification
 description: Windows 11 security book - Security foundation chapter.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index b2689d334a..36ec124ceb 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,5 +1,5 @@
 ---
-title: Security foundation
+title: Secure Future Initiative and offensive research
 description: Windows 11 security book - Security foundation chapter - Secure Future Initiative and offensive research.
 ms.topic: overview
 ms.date: 11/18/2024
From f178ad5b43d0f590d8e12e7e6475f6bc3437d481 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:02:35 -0500
Subject: [PATCH 05/16] Fixed metadata
---
 .../application-security-application-and-driver-control.md | 4 ++--
 .../book/application-security-application-isolation.md | 4 ++--
 windows/security/book/application-security.md | 4 ++--
 .../cloud-services-protect-your-personal-information.md | 4 ++--
 .../book/cloud-services-protect-your-work-information.md | 4 ++--
 windows/security/book/cloud-services.md | 4 ++--
 windows/security/book/conclusion.md | 2 +-
 windows/security/book/features-index.md | 2 +-
 .../book/hardware-security-hardware-root-of-trust.md | 4 ++--
 .../book/hardware-security-silicon-assisted-security.md | 4 ++--
 windows/security/book/hardware-security.md | 4 ++--
 .../identity-protection-advanced-credential-protection.md | 4 ++--
 .../book/identity-protection-passwordless-sign-in.md | 4 ++--
 windows/security/book/identity-protection.md | 6 +++---
 windows/security/book/index.md | 2 +-
 ...rating-system-security-encryption-and-data-protection.md | 4 ++--
 .../book/operating-system-security-network-security.md | 4 ++--
 .../book/operating-system-security-system-security.md | 4 ++--
 ...operating-system-security-virus-and-threat-protection.md | 4 ++--
 windows/security/book/operating-system-security.md | 4 ++--
 windows/security/book/privacy-controls.md | 4 ++--
 windows/security/book/privacy.md | 4 ++--
 windows/security/book/security-foundation-certification.md | 4 ++--
 .../security/book/security-foundation-offensive-research.md | 4 ++--
 .../book/security-foundation-secure-supply-chain.md | 4 ++--
 windows/security/book/security-foundation.md | 6 +++---
 26 files changed, 51 insertions(+), 51 deletions(-)
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 6435037d78..9efc2c0f96 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -1,6 +1,6 @@
 ---
-title: Application and driver control
-description: Windows 11 security book - Application and driver control.
+title: Windows 11 security book - Application and driver control
+description: Application and driver control.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 6bc9c40284..de10e3941e 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -1,6 +1,6 @@
 ---
-title: Application isolation
-description: Windows 11 security book - Application isolation.
+title: Windows 11 security book - Application isolation
+description: Application isolation.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index 450a054437..da054a7d5d 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -1,6 +1,6 @@
 ---
-title: Application security
-description: Windows 11 security book - Application security chapter.
+title: Windows 11 security book - Application security
+description: Application security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 855a3e1e34..36707a697b 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -1,6 +1,6 @@
 ---
-title: Cloud services - Protect your personal information
-description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+title: Windows 11 security book - Cloud services - Protect your personal information
+description: Cloud services chapter - Protect your personal information.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index dd2b7d9961..033200a8f1 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -1,6 +1,6 @@
 ---
-title: Cloud services - Protect your work information
-description: Windows 11 security book - Cloud services chapter - Protect your work information.
+title: Windows 11 security book - Cloud services - Protect your work information
+description: Cloud services chapter - Protect your work information.
 ms.topic: overview
 ms.date: 11/04/2024
 ---
diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md
index 4b525daacc..cd8be85df1 100644
--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@@ -1,6 +1,6 @@
 ---
-title: Cloud services
-description: Windows 11 security book - Cloud services chapter.
+title: Windows 11 security book - Cloud services
+description: Cloud services chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index 47c50c6916..7a9d69992d 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -1,5 +1,5 @@
 ---
-title: Conclusion
+title: Windows 11 security book - Conclusion
 description: Windows 11 security book conclusion.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index 18f194e763..09081404bf 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -1,5 +1,5 @@
 ---
-title: Features index
+title: Windows 11 security book - Features index
 description: Windows security book features index.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index fb31256cfc..1b2345a22b 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -1,6 +1,6 @@
 ---
-title: Hardware root-of-trust
-description: Windows 11 security book - Hardware root-of-trust.
+title: Windows 11 security book - Hardware root-of-trust
+description: Hardware root-of-trust.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 40d2e4935b..da7cf92de1 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -1,6 +1,6 @@
 ---
-title: Silicon assisted security
-description: Windows 11 security book - Silicon assisted security.
+title: Windows 11 security book - Silicon assisted security
+description: Silicon assisted security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
index f9acd73d1e..7d1f8669b1 100644
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@@ -1,6 +1,6 @@
 ---
-title: Hardware security
-description: Windows 11 security book - Hardware security chapter.
+title: Windows 11 security book - Hardware security
+description: Hardware security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index 97d9d2ef10..0e35e41bc8 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Advanced credential protection
-description: Windows 11 security book - Identity protection chapter - Advanced credential protection.
+title: Windows 11 security book - Advanced credential protection
+description: Identity protection chapter - Advanced credential protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index c76ee980dc..5187c49058 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,6 +1,6 @@
 ---
-title: Passwordless sign-in
-description: Windows 11 security book - Identity protection chapter - Passwordless sign-in.
+title: Windows 11 security book - Passwordless sign-in
+description: Identity protection chapter - Passwordless sign-in.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
index 03248b2db3..41d1b6bca6 100644
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Identity protection
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Identity protection
+description: Identity protection chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
@@ -9,7 +9,7 @@ ms.date: 11/18/2024
 :::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
-Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
+Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today. Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 9a84dab6f3..3ee48c98ad 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -1,5 +1,5 @@
 ---
-title: Windows security book introduction
+title: Windows 11 security book - Windows security book introduction
 description: Windows 11 security book introduction.
 ms.topic: overview
 ms.date: 11/18/2024
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index 746cc7e852..d9ab85a02b 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Encryption and data protection
-description: Windows 11 security book - Operating System security chapter - Encryption and data protection.
+title: Windows 11 security book - Encryption and data protection
+description: Operating System security chapter - Encryption and data protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 7b6acf8859..fff427b5b2 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,6 +1,6 @@
 ---
-title: Network security
-description: Windows 11 security book - Operating System security chapter - Network security.
+title: Windows 11 security book - Network security
+description: Operating System security chapter - Network security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index fbcb0cdd37..3794073b6c 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,6 +1,6 @@
 ---
-title: System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - System security
+description: Operating System security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index ab4506235f..f6da4c2330 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Virus and threat protection
-description: Windows 11 security book - Operating System security chapter - Virus and threat protection.
+title: Windows 11 security book - Virus and threat protection
+description: Operating System security chapter - Virus and threat protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index cd1f79d3e9..17141c211b 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -1,6 +1,6 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Operating System security
+description: Operating System security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index a55e00c386..9aa5d2bd86 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,6 +1,6 @@
 ---
-title: Privacy controls
-description: Windows 11 security book - Privacy chapter - Privacy controls.
+title: Windows 11 security book - Privacy controls
+description: Privacy chapter - Privacy controls.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
index ef5c623ebb..d4acb2ffed 100644
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@@ -1,6 +1,6 @@
 ---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy
+description: Privacy chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index 8045624db8..c88430562b 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,6 +1,6 @@
 ---
-title: Certification
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Certification
+description: Security foundation chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 36ec124ceb..f40f549653 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,6 +1,6 @@
 ---
-title: Secure Future Initiative and offensive research
-description: Windows 11 security book - Security foundation chapter - Secure Future Initiative and offensive research.
+title: Windows 11 security book - Secure Future Initiative and offensive research
+description: Security foundation chapter - Secure Future Initiative and offensive research.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index 9cfdaec1f9..9e638bfbc5 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -1,6 +1,6 @@
 ---
-title: Secure supply chain
-description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+title: Windows 11 security book - Secure supply chain
+description: Security foundation chapter - Secure supply chain.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index 2a370ff6d5..babed099e2 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -1,6 +1,6 @@
 ---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Security foundation
+description: Security foundation chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
@@ -9,6 +9,6 @@ ms.date: 11/18/2024
 :::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
-Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft’s security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
 :::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
From 40f213395e88931e61ce06263a43bfc2d10676eb Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:10:23 -0500
Subject: [PATCH 06/16] Fix duplicates
---
 .../book/operating-system-security-system-security.md | 4 ++--
 .../operating-system-security-virus-and-threat-protection.md | 2 +-
 windows/security/book/security-foundation.md | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index 3794073b6c..dd056f219e 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,6 +1,6 @@
 ---
 title: Windows 11 security book - System security
-description: Operating System security chapter.
+description: Operating System security chapter - System security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
@@ -139,7 +139,7 @@ Config Refresh can also be paused for a configurable period of time, after which
 Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
 :::column-end:::
 :::column span="2":::
-:::image type="content" source="images/kiosk.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/kiosk.png" :::
+:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" :::
 :::column-end:::
 :::row-end:::
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index f6da4c2330..cb69b30617 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -5,7 +5,7 @@ ms.topic: overview
 ms.date: 11/18/2024
 ---
-# Virus and threat protection
+# Virus and threat protection in Windows 11
 :::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index babed099e2..2748af0a55 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -5,7 +5,7 @@ ms.topic: overview
 ms.date: 11/18/2024
 ---
-# Security foundation
+# Security foundation in Windows 11
 :::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
From 46bbcab6538f0dcf8a434d7d2bede904dc690c89 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:18:17 -0500
Subject: [PATCH 07/16] fix description
---
 windows/security/book/security-foundation-certification.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index c88430562b..1f8c8c878d 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,6 +1,6 @@
 ---
 title: Windows 11 security book - Certification
-description: Security foundation chapter.
+description: Security foundation chapter - Certification.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
From 67644a14ef135345d641a0fc14a167c406365cc3 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Fri, 22 Nov 2024 22:44:21 +0530
Subject: [PATCH 08/16] Pencil edit
---
 education/windows/take-tests-in-windows.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 55856b5df0..b43345436f 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -9,11 +9,11 @@ ms.topic: how-to
 Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs.
 When using Take a Test, students can't:
-- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
-- access other applications
-- change system settings, such as display extension, notifications, updates
-- access Cortana
-- access content copied to the clipboard
+- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- Access other applications
+- Change system settings, such as display extension, notifications, updates
+- Access Cortana
+- Access content copied to the clipboard
 ## How to use Take a Test
@@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
 - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
 - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
-:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
+ :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
 ## Create a secure assessment link
@@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
 For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can:
-- Paste the link to the assessment URL
-- Select the options you want to allow during the test
-- Generate the link by selecting the button Create link
+- Paste the link to the assessment URL.
+- Select the options you want to allow during the test.
+- Generate the link by selecting the button Create link.
 This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
@@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
 ## Distribute the secure assessment link
-Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
 For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@@ -85,4 +85,4 @@ To take the test, have the students open the link.
 Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
-To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
\ No newline at end of file
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
From b1aa3b510be8b62c850804c5a4a3edfb0e9e8ea8 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Sat, 23 Nov 2024 00:05:27 +0530
Subject: [PATCH 09/16] Pencil fix
---
 .../deploy/hybrid-cloud-kerberos-trust.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 2db7810665..e4312d8684 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
 1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
-> [!NOTE]
-> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+ > [!NOTE]
+ > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
 ## Migrate from certificate trust deployment model to cloud Kerberos trust
@@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t
 If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
-1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings).
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
 > [!NOTE]
 > For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
From 8d89dee99d6745ecbcbc72eed7cb89d000fd6106 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Sat, 23 Nov 2024 00:22:17 +0530
Subject: [PATCH 10/16] Pencil edit
---
 .../deploy/on-premises-cert-trust-adfs.md | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 8212182c18..73dd0d6cbf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
 Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
+1. Open the **Certification Authority** management console.
+1. Expand the parent node from the navigation pane.
+1. Select **Certificate Templates** in the navigation pane.
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue.
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority.
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list.
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation.
+1. Close the console.
 ## Configure the certificate registration authority
@@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
 ```
 >[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
 ### Enrollment agent certificate lifecycle management
@@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"]
 > Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 >
-> - Configure an enrollment agent certificate template
-> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> - Confirm you properly configured the Windows Hello for Business authentication certificate template
-> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> - Confirm you restarted the AD FS service
-> - Confirm you properly configured load-balancing (hardware or software)
-> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
-> - Confirm you have deployed a MFA solution for AD FS
+> - Configure an enrollment agent certificate template.
+> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template.
+> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+> - Confirm you restarted the AD FS service.
+> - Confirm you properly configured load-balancing (hardware or software).
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address.
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+> - Confirm you have deployed a MFA solution for AD FS.
 > [!div class="nextstepaction"]
 > [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md)
From 266136d079eba4736f165fc76a797619b1ef49cc Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Sat, 23 Nov 2024 00:31:02 +0530
Subject: [PATCH 11/16] Pencil edit fix alignment
---
 .../hello-for-business/dual-enrollment.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
index 6678b0d693..0d5f859326 100644
--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users
 Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object.
 ```cmd
 dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
@@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent
 dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
 ```
-1. To trigger security descriptor propagation, open `ldp.exe`
-1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
-1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
-1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
-1. Select **Run** to start the task
-1. Close LDP
+1. To trigger security descriptor propagation, open `ldp.exe`.
+1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**.
+1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user.
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**.
+1. Select **Run** to start the task.
+1. Close LDP.
 ### Configure dual enrollment with group policy
 You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-1. Edit the Group Policy object from step 1
+1. 
Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Edit the Group Policy object from step 1.
 1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-1. Restart computers targeted by this Group Policy object
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+1. Restart computers targeted by this Group Policy object.
-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+ The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
From 1a0be4eca93f6b3174533bd031d0fc6785a55170 Mon Sep 17 00:00:00 2001
From: Padma Jayaraman
Date: Sat, 23 Nov 2024 00:36:50 +0530
Subject: [PATCH 12/16] Pencil edit
---
 .../hello-feature-dynamic-lock.md | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 920451e027..8c46258086 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -19,33 +19,33 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli 1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. 1. Close the Group Policy Management Editor to save the Group Policy object. -The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: + The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: -```xml - - - -``` + ```xml + + + + ``` ->[!IMPORTANT] ->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. + >[!IMPORTANT] + >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. -For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: + For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. 
The attribute defaults to Phone and uses the values from the following table: -|Description|Value| -|:-------------|:-------:| -|Miscellaneous|0| -|Computer|256| -|Phone|512| -|LAN/Network Access Point|768| -|Audio/Video|1024| -|Peripheral|1280| -|Imaging|1536| -|Wearable|1792| -|Toy|2048| -|Health|2304| -|Uncategorized|7936| + |Description|Value| + |:-------------|:-------:| + |Miscellaneous|0| + |Computer|256| + |Phone|512| + |LAN/Network Access Point|768| + |Audio/Video|1024| + |Peripheral|1280| + |Imaging|1536| + |Wearable|1792| + |Toy|2048| + |Health|2304| + |Uncategorized|7936| -The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. + The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. -RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. + RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. From 860e50644752dfcf227bcb174cb96c993145e437 Mon Sep 17 00:00:00 2001 
From: Padma Jayaraman
Date: Sat, 23 Nov 2024 00:42:59 +0530
Subject: [PATCH 13/16] Pencil edit
---
 .../hello-hybrid-aadj-sso-cert.md | 122 +++++++++---------
 1 file changed, 61 insertions(+), 61 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 47e86b8b68..613da4d993 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*. -1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder -1. In the **Synchronization Service Manager**, select **Help** and then select **About** -1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version +1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder. +1. In the **Synchronization Service Manager**, select **Help** and then select **About**. +1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) -1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). +1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials. > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted 1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent -1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query** +1. 
In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. @@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName ``` -1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null** +1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**. #### Response