From 1eda9b66045ccbdab77e0582b3977ec7b038e109 Mon Sep 17 00:00:00 2001 From: Docs Allowlist Management Date: Mon, 24 Feb 2025 19:13:28 +0000 Subject: [PATCH 01/12] Project Junk Drawer - changing to ms.topic article --- .../deployment/update/catalog-checkpoint-cumulative-updates.md | 2 +- windows/deployment/update/eval-infra-tools.md | 2 +- windows/deployment/update/get-started-updates-channels-tools.md | 2 +- windows/deployment/update/how-windows-update-works.md | 2 +- windows/deployment/update/optional-content.md | 2 +- windows/deployment/update/plan-define-readiness.md | 2 +- windows/deployment/update/plan-define-strategy.md | 2 +- windows/deployment/update/release-cycle.md | 2 +- windows/deployment/update/safeguard-holds.md | 2 +- windows/deployment/update/safeguard-opt-out.md | 2 +- windows/deployment/update/servicing-stack-updates.md | 2 +- windows/deployment/update/update-baseline.md | 2 +- windows/deployment/update/update-policies.md | 2 +- windows/deployment/update/waas-branchcache.md | 2 +- windows/deployment/update/waas-configure-wufb.md | 2 +- windows/deployment/update/waas-quick-start.md | 2 +- windows/deployment/update/windows-update-security.md | 2 +- windows/deployment/update/wufb-compliancedeadlines.md | 2 +- windows/deployment/update/wufb-reports-admin-center.md | 2 +- windows/deployment/update/wufb-reports-configuration-script.md | 2 +- windows/deployment/update/wufb-reports-do.md | 2 +- windows/deployment/update/wufb-reports-prerequisites.md | 2 +- windows/whats-new/extended-security-updates.md | 2 +- windows/whats-new/windows-11-requirements.md | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md index ce4b36fd45..c2b9c9452a 100644 --- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md 
@@ -3,7 +3,7 @@ title: Checkpoint cumulative updates and the Microsoft Update Catalog description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article ms.author: mstewart author: mestew manager: aaroncz diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index 920952b771..d12a78f404 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md @@ -3,7 +3,7 @@ title: Evaluate infrastructure and tools description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index 46dca308f1..f05a593282 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -3,7 +3,7 @@ title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 70f2c18280..b8165cc86a 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -3,7 +3,7 @@ title: How Windows Update works description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index d91a00bbc2..430ed73a59 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md @@ -3,7 +3,7 @@ title: Migrating and acquiring optional Windows content description: How to keep language resources and Features on Demand during operating system updates for your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md index dcc9544f7e..47a408ee3e 100644 --- a/windows/deployment/update/plan-define-readiness.md +++ b/windows/deployment/update/plan-define-readiness.md @@ -3,7 +3,7 @@ title: Define readiness criteria description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index e2175c7b40..37900735dd 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md 
@@ -3,7 +3,7 @@ title: Define update strategy description: Example of using a calendar-based approach to achieve consistent update installation in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index ef01bc96d7..5e08f00c11 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -3,7 +3,7 @@ title: Update release cycle for Windows clients description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 3472db7106..69db899de5 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -3,7 +3,7 @@ title: Safeguard holds for Windows description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index 0e0a112ae1..0855d446f3 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md 
@@ -3,7 +3,7 @@ title: Opt out of safeguard holds description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index f8476b518e..392ee59e6e 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -3,7 +3,7 @@ title: Servicing stack updates description: In this article, learn how servicing stack updates improve the code that installs the other updates. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 28b05bb90e..e625088cb2 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -3,7 +3,7 @@ title: Windows 10 Update Baseline description: Use an update baseline to optimize user experience and meet monthly update goals in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 0e1a4c7d47..cfa5ff37f5 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md 
@@ -3,7 +3,7 @@ title: Policies for update compliance and user experience description: Explanation and recommendations for update compliance, activity, and user experience for your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 11732bc1ca..8bae58b073 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -3,7 +3,7 @@ title: Configure BranchCache for Windows client updates description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index cf98c00264..a3325adef6 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -6,7 +6,7 @@ ms.service: windows-client author: mestew ms.localizationpriority: medium ms.author: mstewart -ms.topic: conceptual +ms.topic: article ms.subservice: itpro-updates ms.collection: - tier1 diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index bc88925736..44a8b3df30 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -3,7 +3,7 @@ title: Quick guide to Windows as a service description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz 
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 013dcffe27..7ae6ec0103 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -4,7 +4,7 @@ manager: aaroncz description: Overview of the security for Windows Update including security for the metadata exchange and content download. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart appliesto: diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index e574086aa8..a348c98869 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business description: This article contains information on how to enforce compliance deadlines using Windows Update for Business. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.localizationpriority: medium ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md index 37d01729ad..ee1df9351e 100644 --- a/windows/deployment/update/wufb-reports-admin-center.md +++ b/windows/deployment/update/wufb-reports-admin-center.md @@ -5,7 +5,7 @@ manager: aaroncz description: Microsoft admin center populates Windows Update for Business reports data into the software updates page. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart ms.localizationpriority: medium diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 2d3b3f14b0..8452c0087f 100644 
--- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 04291e8ef2..cef5beedc7 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports description: This article provides information about Delivery Optimization data in Windows Update for Business reports. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 8bd8aec2da..5878b42548 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports description: List of prerequisites for enabling and using Windows Update for Business reports in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md index e5f8535abe..0a74721232 100644 --- a/windows/whats-new/extended-security-updates.md +++ b/windows/whats-new/extended-security-updates.md 
@@ -7,7 +7,7 @@ ms.author: mstewart author: mestew manager: aaroncz ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.date: 02/19/2025 ms.collection: - highpri diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index a348f85ad3..909814ca56 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -6,7 +6,7 @@ author: mestew ms.author: mstewart ms.service: windows-client ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: article ms.collection: - highpri - tier1 From 0ed02e5ce3e2101ece08eeb22fc7cec3c104d504 Mon Sep 17 00:00:00 2001 
From: Docs Allowlist Management Date: Mon, 24 Feb 2025 19:26:04 +0000 Subject: [PATCH 02/12] Project Junk Drawer - changing to ms.topic concept-article --- windows/client-management/client-tools/windows-libraries.md | 2 +- windows/client-management/understanding-admx-backed-policies.md | 2 +- .../appcontrol-and-applocker-overview.md | 2 +- .../applocker/plan-for-applocker-policy-management.md | 2 +- .../applocker/understand-applocker-policy-design-decisions.md | 2 +- ...rules-and-enforcement-setting-inheritance-in-group-policy.md | 2 +- .../understand-the-applocker-policy-deployment-process.md | 2 +- .../understanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- .../applocker/understanding-applocker-default-rules.md | 2 +- .../applocker/understanding-applocker-rule-behavior.md | 2 +- .../applocker/understanding-applocker-rule-collections.md | 2 +- .../applocker/understanding-applocker-rule-exceptions.md | 2 +- .../understanding-the-file-hash-rule-condition-in-applocker.md | 2 +- .../understanding-the-path-rule-condition-in-applocker.md | 2 +- .../understanding-the-publisher-rule-condition-in-applocker.md | 2 +- .../app-control-for-business/applocker/what-is-applocker.md | 2 +- .../app-control-for-business/design/script-enforcement.md | 2 +- .../design/select-types-of-rules-to-create.md | 2 +- .../design/understand-appcontrol-policy-design-decisions.md | 2 +- .../design/understanding-appcontrol-policy-settings.md | 2 +- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 2 +- .../hardware-security/tpm/trusted-platform-module-overview.md | 2 +- .../mbsa-removal-and-guidance.md | 2 +- .../security-compliance-toolkit-10.md | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 65a263719f..9efea447c0 100644 --- a/windows/client-management/client-tools/windows-libraries.md 
+++ b/windows/client-management/client-tools/windows-libraries.md @@ -1,7 +1,7 @@ --- title: Windows Libraries description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/01/2024 --- diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index f327359fe3..26f9a581c9 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md @@ -1,7 +1,7 @@ --- title: Understanding ADMX policies description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/08/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md index 5520d9161c..c29cba2822 100644 --- a/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md +++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview.md @@ -3,7 +3,7 @@ title: App Control and AppLocker Overview description: Compare Windows application control technologies. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: concept-article --- # App Control for Business and AppLocker Overview diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md index 51f30ea841..369cd12de6 100644 
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/plan-for-applocker-policy-management.md @@ -2,7 +2,7 @@ title: Plan for AppLocker policy management description: This article describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md index 3cc00fdf6e..4cca71d421 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions.md @@ -2,7 +2,7 @@ title: Understand AppLocker policy design decisions description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 89f62e0cb9..28f45a1745 100644 
--- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -2,7 +2,7 @@ title: Understand AppLocker rules and enforcement setting inheritance in Group Policy description: This article for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md index 43e63220e5..74fde9a437 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understand-the-applocker-policy-deployment-process.md @@ -2,7 +2,7 @@ title: Understand the AppLocker policy deployment process description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 86c795601f..042da1bb93 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker allow and deny actions on rules description: This article explains the differences between allow and deny actions on AppLocker rules. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md index 67b52608e3..d1ebca2a82 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Understanding AppLocker default rules description: This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md index 0d9b08e51c..bb26a44584 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-behavior.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule behavior description: This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md index 8ee9ed92d5..a90d6b8933 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule collections description: This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md index b95fadae6e..1b3ef8493e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-exceptions.md @@ -2,7 +2,7 @@ title: Understanding AppLocker rule exceptions description: This article describes the result of applying AppLocker rule exceptions to rule collections. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index b9460ff54a..690672cd30 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the file hash rule condition in AppLocker description: This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md index 4175eba0ef..608669ebc2 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the path rule condition in AppLocker description: This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md index be3c3767d4..4250c2c57b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -2,7 +2,7 @@ title: Understanding the publisher rule condition in AppLocker description: This article explains how to apply the AppLocker publisher rule condition and what controls are available. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md index 9fa362969d..9ea3549d83 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker.md @@ -2,7 +2,7 @@ title: What Is AppLocker description: This article for the IT professional describes what AppLocker is. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: concept-article ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md index 16b4739600..ede02fb018 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md @@ -3,7 +3,7 @@ title: Understand App Control script enforcement description: App Control script enforcement ms.manager: jsuther ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium --- diff --git a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md index 0c9fb3469f..c35d1b5431 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create.md @@ -3,7 +3,7 @@ title: Understand App Control for Business policy rules and file rules description: Learn how App Control policy rules and file rules can control your Windows 10 and Windows 11 computers. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: concept-article --- # Understand App Control for Business policy rules and file rules diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md index f808763724..6bbb22ad79 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/understand-appcontrol-policy-design-decisions.md @@ -3,7 +3,7 @@ title: Understand App Control for Business policy design decisions description: Understand App Control for Business policy design decisions. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: concept-article --- # Understand App Control for Business policy design decisions diff --git a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md index 995deda446..f4cb6a9205 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/design/understanding-appcontrol-policy-settings.md @@ -3,7 +3,7 @@ title: Understanding App Control for Business secure settings description: Learn about secure settings in App Control for Business. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: concept-article --- # Understanding App Control Policy Settings diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index c3cd7b4d47..d33b3d16c9 100644 --- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,7 +1,7 @@ --- title: Understand PCR banks on TPM 2.0 devices description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/10/2024 --- diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md index 372d8ad9ee..65628f0704 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md @@ -1,7 +1,7 @@ --- title: Trusted Platform Module Technology Overview description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. -ms.topic: conceptual +ms.topic: concept-article ms.date: 07/10/2024 ms.collection: - tier1 diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md index 08bb94eda4..1d9af2fdd1 100644 
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md @@ -3,7 +3,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. ms.localizationpriority: medium ms.date: 07/10/2024 -ms.topic: conceptual +ms.topic: concept-article --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index 3556919a26..704206929a 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -1,7 +1,7 @@ --- title: Microsoft Security Compliance Toolkit Guide description: This article describes how to use Security Compliance Toolkit in your organization. -ms.topic: conceptual +ms.topic: concept-article ms.date: 10/01/2024 --- From 55a6576d2dd4dccc7ba1271e1885cccdbc75f3f7 Mon Sep 17 00:00:00 2001 
From: Docs Allowlist Management Date: Mon, 24 Feb 2025 19:26:38 +0000 Subject: [PATCH 03/12] Project Junk Drawer - changing to ms.topic how-to --- .../bulk-enrollment-using-windows-provisioning-tool.md | 2 +- .../certificate-authentication-device-enrollment.md | 2 +- windows/client-management/certificate-renewal-windows-mdm.md | 2 +- .../change-default-removal-policy-external-storage-media.md | 2 +- .../client-management/client-tools/connect-to-remote-aadj-pc.md | 2 +- .../manage-device-installation-with-group-policy.md | 2 +- .../client-tools/manage-settings-app-with-group-policy.md | 2 +- .../client-management/client-tools/mandatory-user-profile.md | 2 +- windows/client-management/client-tools/quick-assist.md | 2 +- .../client-management/client-tools/windows-version-search.md | 2 +- windows/client-management/enable-admx-backed-policies-in-mdm.md | 2 +- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- .../implement-server-side-mobile-application-management.md | 2 +- windows/client-management/mdm-collect-logs.md | 2 +- windows/client-management/mdm-enrollment-of-windows-devices.md | 2 +- windows/client-management/push-notification-windows-mdm.md | 2 +- .../client-management/structure-of-oma-dm-provisioning-files.md | 2 +- .../AppIdTagging/design-create-appid-tagging-policies.md | 2 +- .../app-control-for-business/applocker/administer-applocker.md | 2 +- .../applocker/configure-an-applocker-policy-for-audit-only.md | 2 +- .../configure-an-applocker-policy-for-enforce-rules.md | 2 +- .../applocker/configure-exceptions-for-an-applocker-rule.md | 2 +- .../applocker/configure-the-appLocker-reference-device.md | 2 +- .../applocker/configure-the-application-identity-service.md | 2 +- .../applocker/create-a-rule-for-packaged-apps.md | 2 +- .../applocker/create-a-rule-that-uses-a-file-hash-condition.md | 2 +- .../applocker/create-a-rule-that-uses-a-path-condition.md | 2 +- .../applocker/create-a-rule-that-uses-a-publisher-condition.md | 2 +- 
.../applocker/create-applocker-default-rules.md | 2 +- .../applocker/create-your-applocker-policies.md | 2 +- .../applocker/create-your-applocker-rules.md | 2 +- .../applocker/delete-an-applocker-rule.md | 2 +- ...applications-are-digitally-signed-on-a-reference-computer.md | 2 +- ...m-url-message-when-users-try-to-run-a-blocked-application.md | 2 +- ...ent-group-policy-structure-and-applocker-rule-enforcement.md | 2 +- .../applocker/document-your-applocker-rules.md | 2 +- .../applocker/edit-an-applocker-policy.md | 2 +- .../app-control-for-business/applocker/edit-applocker-rules.md | 2 +- .../applocker/enable-the-dll-rule-collection.md | 2 +- .../applocker/export-an-applocker-policy-from-a-gpo.md | 2 +- .../applocker/export-an-applocker-policy-to-an-xml-file.md | 2 +- .../import-an-applocker-policy-from-another-computer.md | 2 +- .../applocker/import-an-applocker-policy-into-a-gpo.md | 2 +- .../applocker/maintain-applocker-policies.md | 2 +- .../applocker/manage-packaged-apps-with-applocker.md | 2 +- .../merge-applocker-policies-by-using-set-applockerpolicy.md | 2 +- .../applocker/merge-applocker-policies-manually.md | 2 +- .../applocker/monitor-application-usage-with-applocker.md | 2 +- .../applocker/refresh-an-applocker-policy.md | 2 +- .../applocker/run-the-automatically-generate-rules-wizard.md | 2 +- .../test-an-applocker-policy-by-using-test-applockerpolicy.md | 2 +- .../applocker/test-and-update-an-applocker-policy.md | 2 +- ...erence-computer-to-create-and-maintain-applocker-policies.md | 2 +- .../deployment/audit-appcontrol-policies.md | 2 +- .../deployment/create-code-signing-cert-for-appcontrol.md | 2 +- ...e-signed-policies-to-protect-appcontrol-against-tampering.md | 2 +- .../create-appcontrol-policy-for-fully-managed-devices.md | 2 +- .../create-appcontrol-policy-for-lightly-managed-devices.md | 2 +- .../design/plan-appcontrol-management.md | 2 +- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 
windows/security/hardware-security/tpm/manage-tpm-commands.md | 2 +- windows/security/hardware-security/tpm/manage-tpm-lockout.md | 2 +- ...ets-by-controlling-the-health-of-windows-10-based-devices.md | 2 +- .../system-security/secure-the-windows-10-boot-process.md | 2 +- 64 files changed, 64 insertions(+), 64 deletions(-) diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index c248120cff..6ddf688ccc 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,7 +1,7 @@ --- title: Bulk enrollment description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index 2cea712e44..fb2030f3b1 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 66d42a4d90..8123971c28 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md 
@@ -1,7 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index 725c23927a..dcc696bef2 100644 --- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md @@ -2,7 +2,7 @@ title: Windows default media removal policy description: Manage default media removal policy in Windows. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage default media removal policy diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index c08492c201..ec535d0f88 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md @@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device. ms.localizationpriority: medium ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier2 diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 052dc9e72a..8c545751a6 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md 
@@ -2,7 +2,7 @@ title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage Device Installation with Group Policy diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md index fb091f005b..b96a1bb4ac 100644 --- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md @@ -2,7 +2,7 @@ title: Manage the Settings app with Group Policy description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Manage the Settings app with Group Policy diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 5e64dd2f66..6313cbca68 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md @@ -2,7 +2,7 @@ title: Create mandatory user profiles description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # Create mandatory user profiles diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index 91ab1b998a..2123212ab0 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md 
@@ -2,7 +2,7 @@ title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier1 diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index 2c34266131..579d7155d0 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md @@ -2,7 +2,7 @@ title: What version of Windows am I running? description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. ms.date: 07/01/2024 -ms.topic: conceptual +ms.topic: how-to --- # What version of Windows am I running? diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index db0f36a085..39777e659b 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -1,7 +1,7 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium ms.date: 07/08/2024 --- diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 409c283821..ea24cc6e80 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -1,7 +1,7 @@ --- title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 ms.collection: - highpri diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index f5969415ed..1e0c5d005e 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -1,7 +1,7 @@ --- title: Support for Windows Information Protection (WIP) on Windows description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index 0a3b883dcd..1a1d05ff3c 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -1,7 +1,7 @@ --- title: Collect MDM logs description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 ms.collection: - highpri diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f57170b82c..b8023a8c8f 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
@@ -1,7 +1,7 @@ --- title: MDM enrollment of Windows devices description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources. -ms.topic: conceptual +ms.topic: how-to ms.collection: - highpri - tier2 diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index e0842698e8..9d21cb1322 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index a1fcf0777c..2079c53f5a 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md @@ -1,7 +1,7 @@ --- title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/08/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md index 363d4b5dd8..ccd3ac9b0f 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md 
+++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md @@ -3,7 +3,7 @@ title: Create your App Control for Business AppId Tagging Policies description: Create your App Control for Business AppId tagging policies for Windows devices. ms.localizationpriority: medium ms.date: 09/23/2024 -ms.topic: conceptual +ms.topic: how-to --- # Creating your App Control AppId Tagging Policies diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md index d2e0c1da1e..f4251d5025 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/administer-applocker.md @@ -2,7 +2,7 @@ title: Administer AppLocker description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md index 422f3a9acd..3d09c7ce9a 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-audit-only.md 
@@ -2,7 +2,7 @@ title: Configure an AppLocker policy for audit only description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md index 07c51af5bb..8055479a03 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -2,7 +2,7 @@ title: Configure an AppLocker policy for enforce rules description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md index 11900e02c0..8e24b48f1d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule.md 
@@ -2,7 +2,7 @@ title: Add exceptions for an AppLocker rule description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md index f6acca16ba..95d762964d 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-appLocker-reference-device.md @@ -2,7 +2,7 @@ title: Configure the AppLocker reference device description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md index c4156e9b57..b9668e661e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/configure-the-application-identity-service.md 
@@ -2,7 +2,7 @@ title: Configure the Application Identity service description: This article for IT professionals shows how to configure the Application Identity service to start automatically or manually. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md index 07fd6f2866..2122d84f16 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-for-packaged-apps.md @@ -2,7 +2,7 @@ title: Create a rule for packaged apps description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md index b764bb0493..e0c5ec4e77 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-file-hash-condition.md 
@@ -2,7 +2,7 @@ title: Create a rule that uses a file hash condition description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md index fe26c1ee6a..97e052584c 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-path-condition.md @@ -2,7 +2,7 @@ title: Create a rule that uses a path condition description: This article for IT professionals shows how to create an AppLocker rule with a path condition. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md index 9b07438ec7..bebb1b7c3e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-a-rule-that-uses-a-publisher-condition.md 
@@ -2,7 +2,7 @@ title: Create a rule that uses a publisher condition description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md index fd2aa8e292..fa3029ebd9 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-applocker-default-rules.md @@ -2,7 +2,7 @@ title: Create AppLocker default rules description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md index 69119137f4..0b361247b2 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-policies.md 
@@ -2,7 +2,7 @@ title: Create Your AppLocker policies description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md index 415e9582f8..be793460ce 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/create-your-applocker-rules.md @@ -2,7 +2,7 @@ title: Create Your AppLocker rules description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md index 95836e5b28..24a0f10b39 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/delete-an-applocker-rule.md @@ -2,7 +2,7 @@ title: Delete an AppLocker rule description: This article for IT professionals describes the steps to delete an AppLocker rule. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
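Review bot: in the create-your-applocker-rules.md hunk, `ms.topic: how-to` does not match the description on the unchanged line above it, which presents the page as background reading ("describes what you need to know about AppLocker rules and the methods that you can to create rules"). Patch 02 of this series moves the AppLocker "Understanding ..." pages to `concept-article`; either use that value here or confirm the body really is a step-by-step procedure before it is labelled as one. While the front matter is open, the description is also missing a word ("that you can use to create rules").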
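Review bot: in the structure-of-oma-dm-provisioning-files.md hunk earlier in this patch, `ms.topic: how-to` is applied to a page whose description reads "Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body." That describes a message format, not a task. Because this is a 64-file bulk change, the pages whose descriptions start with "Learn about" or "describes what" should be checked individually rather than given the same value as the procedure pages; `concept-article`, the value patch 02 uses, looks like the closer fit for this one.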
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index e1c6c88c0a..232f42ee6b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -2,7 +2,7 @@ title: Find digitally signed apps on a reference device description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index bf1a962a76..e3764dc3cf 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md 
@@ -2,7 +2,7 @@ title: Display a custom URL message when users try to run a blocked app description: This article for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy blocks an app. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index b440a69b68..4493170c14 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -2,7 +2,7 @@ title: Document Group Policy structure & AppLocker rule enforcement description: This planning article describes what you need to include in your plan when you use AppLocker. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md index efd0c0211f..1748c76b96 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/document-your-applocker-rules.md 
@@ -2,7 +2,7 @@ title: Document your AppLocker rules description: Learn how to document your AppLocker rules and associate rule conditions with files, permissions, rule source, and implementation. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md index 3ebf404dc6..0b3a920b1e 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Edit an AppLocker policy description: This article for IT professionals describes the steps required to modify an AppLocker policy. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md index 7ae6e91083..ca8f3762b4 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/edit-applocker-rules.md @@ -2,7 +2,7 @@ title: Edit AppLocker rules description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md index c2569a0918..4cfe8b0a77 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/enable-the-dll-rule-collection.md @@ -2,7 +2,7 @@ title: Enable the DLL rule collection description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md index c9fe560838..29c9cb278a 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-from-a-gpo.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy from a GPO description: This article for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md index 106a4d836e..26be647e22 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -2,7 +2,7 @@ title: Export an AppLocker policy to an XML file description: This article for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md index 2472b7892c..65c625d6c9 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-from-another-computer.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy from another computer description: This article for IT professionals describes how to import an AppLocker policy. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md index 039d978649..787dd87c42 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/import-an-applocker-policy-into-a-gpo.md @@ -2,7 +2,7 @@ title: Import an AppLocker policy into a GPO description: This article for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md index a4926c5f73..52f968351b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Maintain AppLocker policies description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md index b3e041a0f1..a8a538ae01 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/manage-packaged-apps-with-applocker.md @@ -2,7 +2,7 @@ title: Manage packaged apps with AppLocker description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 4df24222a0..cb352b0eaa 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies by using Set-ApplockerPolicy description: This article for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
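Review bot: the `title:` context line in merge-applocker-policies-by-using-set-applockerpolicy.md spells the cmdlet `Set-ApplockerPolicy`, while the title in test-an-applocker-policy-by-using-test-applockerpolicy.md uses the `AppLocker` casing (`Test-AppLockerPolicy`). Since this hunk already touches the front matter, consider correcting the title to `Set-AppLockerPolicy` in the same change so the two cmdlet names are cased consistently.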
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md index 324bef3248..c28de87a29 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/merge-applocker-policies-manually.md @@ -2,7 +2,7 @@ title: Merge AppLocker policies manually description: This article for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md index 14b704afe3..a77f07e9a4 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/monitor-application-usage-with-applocker.md @@ -2,7 +2,7 @@ title: Monitor app usage with AppLocker description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md index 5d2df1f250..78ddebd7b1 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/refresh-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Refresh an AppLocker policy description: This article for IT professionals describes the steps to force an update for an AppLocker policy. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md index 3108458c0f..d503b89562 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/run-the-automatically-generate-rules-wizard.md @@ -2,7 +2,7 @@ title: Run the Automatically Generate Rules wizard description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index c7042db13e..88e65e3da6 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -2,7 +2,7 @@ title: Test an AppLocker policy by using Test-AppLockerPolicy description: This article for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md index 00e03f5081..4b23691309 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/test-and-update-an-applocker-policy.md @@ -2,7 +2,7 @@ title: Test and update an AppLocker policy description: This article discusses the steps required to test an AppLocker policy prior to deployment. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 8bc76ea93a..d9101a04ea 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -2,7 +2,7 @@ title: Use a reference device to create and maintain AppLocker policies description: This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md index 6f8919e77d..5689af4c35 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/audit-appcontrol-policies.md @@ -3,7 +3,7 @@ title: Use audit events to create App Control policy rules description: Audits allow admins to discover apps, binaries, and scripts that should be added to the App Control policy. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: how-to --- # Use audit events to create App Control policy rules 
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md index 773daf6a82..3629311b66 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/create-code-signing-cert-for-appcontrol.md @@ -2,7 +2,7 @@ title: Create a code signing cert for App Control for Business description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or App Control policies internally. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md index 6aa667b28a..af4b9ec7a8 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering.md @@ -2,7 +2,7 @@ title: Use signed policies to protect App Control for Business against tampering description: Signed App Control for Business policies give organizations the highest level of malware protection available in Windows 10 and Windows 11. ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: how-to ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md index 1563a69a95..427333b080 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md @@ -1,7 +1,7 @@ --- title: Create an App Control policy for fully managed devices description: App Control for Business restricts which applications users are allowed to run and the code that runs in system core. -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium ms.date: 09/11/2024 --- diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md index b7c6837954..44d3e45252 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices.md @@ -1,7 +1,7 @@ --- title: Create an App Control policy for lightly managed devices description: App Control for Business restricts which applications users are allowed to run and the code that runs in the system core. -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium ms.date: 09/11/2024 --- 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md index ff41a98da8..90bef6240f 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/plan-appcontrol-management.md @@ -3,7 +3,7 @@ title: Plan for App Control policy management description: Learn about the decisions you need to make to establish the processes for managing and maintaining App Control for Business policies. ms.localizationpriority: medium ms.date: 09/11/2024 -ms.topic: conceptual +ms.topic: how-to --- # Plan for App Control for Business lifecycle policy management diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index f89ec506b2..928f69bd65 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md @@ -1,7 +1,7 @@ --- title: Enable memory integrity description: This article explains the steps to opt in to using memory integrity on Windows devices. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 appliesto: - "âś… Windows 11" diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md index fc2bcfb404..f65591233c 100644 --- a/windows/security/hardware-security/tpm/manage-tpm-commands.md +++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md 
@@ -1,7 +1,7 @@ --- title: Manage TPM commands description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 --- diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md index 7dfa150354..070cfc617b 100644 --- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md +++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md @@ -1,7 +1,7 @@ --- title: Manage TPM lockout description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 --- diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 1c997805c4..f25f5692a9 100644 --- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -2,7 +2,7 @@ title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices. ms.date: 07/10/2024 -ms.topic: conceptual +ms.topic: how-to --- # Control the health of Windows devices 
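Review bot: `ms.topic: how-to` in protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md does not match the `description:` context line two lines above it, which says the article "details an end-to-end solution" rather than walking through a procedure. Unless the body is task steps, consider leaving this file at `conceptual` (or another overview-style value) so the topic type matches what the description promises.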
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index c931ca2dcb..39e6da5648 100644 --- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- title: Secure the Windows boot process description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications. -ms.topic: conceptual +ms.topic: how-to ms.date: 07/10/2024 ms.collection: - tier1 From d49c0971d9be90436a6eb71ec0ef2f000e3ba5fa Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 24 Feb 2025 16:54:18 -0500 Subject: [PATCH 04/12] split content --- ...-services-protect-your-work-information.md | 372 +----------------- .../includes/azure-attestation-service.md | 23 ++ .../cloud-native-device-management.md | 34 ++ .../microsoft-defender-for-endpoint.md | 28 ++ .../book/includes/microsoft-entra-id.md | 84 ++++ .../book/includes/microsoft-intune.md | 66 ++++ .../includes/onedrive-for-work-or-school.md | 26 ++ .../book/includes/security-baselines.md | 33 ++ .../security/book/includes/universal-print.md | 51 +++ .../book/includes/windows-autopatch.md | 20 + .../book/includes/windows-autopilot.md | 27 ++ .../book/includes/windows-hotpatch.md | 17 + .../security/book/includes/windows-laps.md | 21 + .../includes/windows-update-for-business.md | 19 + 14 files changed, 462 insertions(+), 359 deletions(-) create mode 100644 windows/security/book/includes/azure-attestation-service.md create mode 100644 windows/security/book/includes/cloud-native-device-management.md create mode 100644 windows/security/book/includes/microsoft-defender-for-endpoint.md create mode 100644 windows/security/book/includes/microsoft-entra-id.md create mode 100644 windows/security/book/includes/microsoft-intune.md create mode 100644 windows/security/book/includes/onedrive-for-work-or-school.md create mode 100644 windows/security/book/includes/security-baselines.md create mode 100644 windows/security/book/includes/universal-print.md create mode 100644 windows/security/book/includes/windows-autopatch.md create mode 100644 windows/security/book/includes/windows-autopilot.md create mode 100644 windows/security/book/includes/windows-hotpatch.md create mode 100644 windows/security/book/includes/windows-laps.md create mode 100644 windows/security/book/includes/windows-update-for-business.md 
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 033200a8f1..d29800ce98 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -9,374 +9,28 @@ ms.date: 11/04/2024 :::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false"::: -## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID +[!INCLUDE [microsoft-entra-id](includes/microsoft-entra-id.md)] -Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. +[!INCLUDE [azure-attestation-service](includes/azure-attestation-service.md)] -Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID . +[!INCLUDE [microsoft-defender-for-endpoint](includes/microsoft-defender-for-endpoint.md)] -:::row::: - :::column::: - For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification. - :::column-end::: - :::column::: -:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." 
border="false" lightbox="images/device-registration.png"::: - :::column-end::: -:::row-end::: +[!INCLUDE [cloud-native-device-management](includes/cloud-native-device-management.md)] -To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management. +[!INCLUDE [microsoft-intune](includes/microsoft-intune.md)] -Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant. +[!INCLUDE [security-baselines](includes/security-baselines.md)] -:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false"::: +[!INCLUDE [windows-laps](includes/windows-laps.md)] -When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](conclusion.md#footnote4), it receives the following security benefits: +[!INCLUDE [windows-autopilot](includes/windows-autopilot.md)] -- Default managed user and device settings and policies -- Single sign-in to all Microsoft Online Services -- Full suite of authentication management capabilities using Windows Hello for Business -- Single sign-on (SSO) to enterprise and SaaS applications -- No use of consumer Microsoft account identity +[!INCLUDE [windows-update-for-business](includes/windows-update-for-business.md)] -Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. 
In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication. +[!INCLUDE [windows-autopatch](includes/windows-autopatch.md)] -In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions. +[!INCLUDE [windows-hotpatch](includes/windows-hotpatch.md)] -Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. +[!INCLUDE [onedrive-for-work-or-school](includes/onedrive-for-work-or-school.md)] -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra ID documentation][LINK-1] -- [Microsoft Entra plans and pricing][LINK-2] - -### Microsoft Entra Private Access - -Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Private Access][LINK-4] - -### Microsoft Entra Internet Access - -Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. - -> [!NOTE] -> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Entra Internet Access][LINK-3] -- [Global Secure Access client for Windows][LINK-6] -- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5] - -### Enterprise State Roaming - -Available to any organization with a Microsoft Entra ID Premium[\[4\]](conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Enterprise State Roaming in Microsoft Entra ID][LINK-7] - -## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service - -Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access. 
- -**Attestation policies are configured in the Azure Attestation service which can then:** - -- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log -- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM -- Verify that security features are in the expected states - -Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Azure Attestation overview][LINK-8] - -## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint - -Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. 
- -Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: - -- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint -- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks. -- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](conclusion.md#footnote4), and online assets -- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats -- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. 
In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing -detailed investigation outcomes - -Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other -platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) -- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) - -## Cloud-native device management - -Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client. 
- -Windows 11 built-in management features include: - -- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server -- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Mobile device management overview][LINK-9] - -### Remote wipe - -When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user. - -Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations: - -- Reset the device and remove user accounts and data -- Reset the device and clean the drive -- Reset the device but persist user accounts and data - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Remote wipe CSP][LINK-10] - -## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune - -Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. - -Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. - -Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](conclusion.md#footnote11). 
For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. - -Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. - -Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [What is Microsoft Intune][LINK-12] - -### Windows enrollment attestation - -When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies. - -With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows enrollment attestation][LINK-13] - -### Microsoft Cloud PKI - -Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. 
It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. - -Key features include: - -- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune -- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices -- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client -- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting - -With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) - -### Endpoint Privilege Management (EPM) - -Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Endpoint Privilege Management][LINK-14] - -### Mobile application management (MAM) - -With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. 
This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Data protection for Windows MAM][LINK-15] - -## Security baselines - -Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Security baselines][LINK-11] - -### Security baseline for cloud-based device management solutions - -Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools. 
- -The security baseline includes policies for: - -- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall -- Restricting remote access to devices -- Setting credential requirements for passwords and PINs -- Restricting the use of legacy technology - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Intune security baseline overview][LINK-16] -- [List of the settings in the Windows security baseline in Intune][LINK-17] - -## Windows Local Administrator Password Solution (LAPS) - -Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks. - -Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4). - -[!INCLUDE [new-24h2](includes/new-24h2.md)] - -Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows LAPS overview][LINK-18] - -## Windows Autopilot - -Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple. - -With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings. - -Windows Autopilot enables you to: - -- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join -- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration) -- Create and autoassignment of devices to configuration groups based on a device's profile -- Customize of the out-of-box experience (OOBE) content specific to your organization - -Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopilot][LINK-19] -- [Windows Autopilot Reset][LINK-20] - -## Windows Update for Business - -Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality. - -Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization. - -This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Update for Business documentation][LINK-21] - -## Windows Autopatch - -Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks. 
- -There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community. - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) -- [Windows updates API overview](/graph/windowsupdates-concept-overview) -- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) -- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch) - -## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch - -Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices. - -By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) - -## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school - -OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. - -When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. - -Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS. - -There are several ways that OneDrive for work or school is protected at rest: - -- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security). -- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations -- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. 
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities -- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault - -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) - -## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print - -Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. - -Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. - -Universal Print supports Zero Trust security by requiring that: - -- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](conclusion.md#footnote4). 
A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service -- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data -- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data -- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication -- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant -- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached - -Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices. - -Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products. 
- -More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24]. - -The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25]. - -Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit. - -For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. 
- -[!INCLUDE [learn-more](includes/learn-more.md)] - -- [Universal Print][LINK-26] -- [Data handling in Universal Print][LINK-27] -- [Delegate Printer Administration with Administrative Units][LINK-28] -- [Print support app design guide][LINK-29] - - - -[LINK-1]: /entra -[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing -[LINK-3]: /entra/global-secure-access/concept-internet-access -[LINK-4]: /entra/global-secure-access/concept-private-access -[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access -[LINK-6]: /entra/global-secure-access/how-to-install-windows-client -[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable -[LINK-8]: /azure/attestation/overview -[LINK-9]: /windows/client-management/mdm-overview -[LINK-10]: /windows/client-management/mdm/remotewipe-csp -[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines -[LINK-12]: /mem/intune/fundamentals/what-is-intune -[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation -[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3 -[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3 -[LINK-16]: /mem/intune/protect/security-baselines -[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all -[LINK-18]: /windows-server/identity/laps/laps-overview -[LINK-19]: /autopilot/overview -[LINK-20]: /mem/autopilot/windows-autopilot-reset -[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb -[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw -[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations -[LINK-24]: /microsoft-365/enterprise/m365-dr-overview -[LINK-25]: /universal-print/fundamentals/universal-print-qrcode -[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print -[LINK-27]: /universal-print/data-handling -[LINK-28]: /universal-print/portal/delegated-admin -[LINK-29]: 
/windows-hardware/drivers/devapps/print-support-app-design-guide +[!INCLUDE [universal-print](includes/universal-print.md)] diff --git a/windows/security/book/includes/azure-attestation-service.md b/windows/security/book/includes/azure-attestation-service.md new file mode 100644 index 0000000000..e233d321fd --- /dev/null +++ b/windows/security/book/includes/azure-attestation-service.md @@ -0,0 +1,23 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/azure-attestation.svg" border="false"::: Azure Attestation service + +Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](../conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](../conclusion.md#footnote4) Conditional Access. + +**Attestation policies are configured in the Azure Attestation service which can then:** + +- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log +- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM +- Verify that security features are in the expected states + +Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Azure Attestation overview](/azure/attestation/overview) 
diff --git a/windows/security/book/includes/cloud-native-device-management.md b/windows/security/book/includes/cloud-native-device-management.md new file mode 100644 index 0000000000..33a7b3fe8c --- /dev/null +++ b/windows/security/book/includes/cloud-native-device-management.md 
@@ -0,0 +1,34 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Cloud-native device management + +Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4), IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client. + +Windows 11 built-in management features include: + +- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server +- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT + +[!INCLUDE [learn-more](learn-more.md)] + +- [Mobile device management overview](/windows/client-management/mdm-overview) + +### Remote wipe + +When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user. + +Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations: + +- Reset the device and remove user accounts and data +- Reset the device and clean the drive +- Reset the device but persist user accounts and data + +[!INCLUDE [learn-more](learn-more.md)] + +- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp) 
diff --git a/windows/security/book/includes/microsoft-defender-for-endpoint.md b/windows/security/book/includes/microsoft-defender-for-endpoint.md new file mode 100644 index 0000000000..dbe7d1f270 --- /dev/null +++ b/windows/security/book/includes/microsoft-defender-for-endpoint.md 
@@ -0,0 +1,28 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint + +Microsoft Defender for Endpoint[\[4\]](../conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. + +Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: + +- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint +- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks. +- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[4\]](../conclusion.md#footnote4), and online assets +- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. 
This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats +- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing +detailed investigation outcomes + +Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other +platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) +- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) diff --git a/windows/security/book/includes/microsoft-entra-id.md b/windows/security/book/includes/microsoft-entra-id.md new file mode 100644 index 0000000000..e9bfd270c6 --- /dev/null +++ b/windows/security/book/includes/microsoft-entra-id.md 
@@ -0,0 +1,84 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID + +Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies. + +Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID . + +:::row::: + :::column::: + For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification. + :::column-end::: + :::column::: +:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="images/device-registration.png"::: + :::column-end::: +:::row-end::: + +To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. 
Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management. + +Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant. + +:::image type="content" source="../images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false"::: + +When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[4\]](../conclusion.md#footnote4), it receives the following security benefits: + +- Default managed user and device settings and policies +- Single sign-in to all Microsoft Online Services +- Full suite of authentication management capabilities using Windows Hello for Business +- Single sign-on (SSO) to enterprise and SaaS applications +- No use of consumer Microsoft account identity + +Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication. + +In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions. + +Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. 
Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra ID documentation][LINK-1] +- [Microsoft Entra plans and pricing][LINK-2] + +### Microsoft Entra Private Access + +Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra Private Access][LINK-4] + +### Microsoft Entra Internet Access + +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. + +> [!NOTE] +> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [Microsoft Entra Internet Access][LINK-3] +- [Global Secure Access client for Windows][LINK-6] +- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5] + +### Enterprise State Roaming + +Available to any organization with a Microsoft Entra ID Premium[\[4\]](../conclusion.md#footnote4) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Enterprise State Roaming in Microsoft Entra ID][LINK-7] + +[LINK-1]: /entra +[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing +[LINK-3]: /entra/global-secure-access/concept-internet-access +[LINK-4]: /entra/global-secure-access/concept-private-access +[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access +[LINK-6]: /entra/global-secure-access/how-to-install-windows-client +[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable diff --git a/windows/security/book/includes/microsoft-intune.md b/windows/security/book/includes/microsoft-intune.md new file mode 100644 index 0000000000..e0ca22fcd7 --- /dev/null +++ b/windows/security/book/includes/microsoft-intune.md 
@@ -0,0 +1,66 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/microsoft-intune.svg" border="false"::: Microsoft Intune + +Microsoft Intune[\[4\]](../conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. + +Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. + +Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[11\]](../conclusion.md#footnote11). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. + +Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. + +Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections. 
+ +[!INCLUDE [learn-more](learn-more.md)] + +- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) + +### Windows enrollment attestation + +When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies. + +With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation) + +### Microsoft Cloud PKI + +Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](../conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune. + +Key features include: + +- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune +- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices +- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. 
All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client +- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting + +With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview) + +### Endpoint Privilege Management (EPM) + +Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3) + +### Mobile application management (MAM) + +With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3) diff --git a/windows/security/book/includes/onedrive-for-work-or-school.md b/windows/security/book/includes/onedrive-for-work-or-school.md new file mode 100644 index 0000000000..2abb36a1a1 --- /dev/null +++ b/windows/security/book/includes/onedrive-for-work-or-school.md 
@@ -0,0 +1,26 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/onedrive.svg" border="false"::: OneDrive for work or school + +OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest. + +When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. + +Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS. + +There are several ways that OneDrive for work or school is protected at rest: + +- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security). +- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations +- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. 
Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities +- Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault + +[!INCLUDE [learn-more](learn-more.md)] + +- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) diff --git a/windows/security/book/includes/security-baselines.md b/windows/security/book/includes/security-baselines.md new file mode 100644 index 0000000000..5473219e28 --- /dev/null +++ b/windows/security/book/includes/security-baselines.md 
@@ -0,0 +1,33 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Security baselines + +Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. + +A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) + +### Security baseline for cloud-based device management solutions + +Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune[\[4\]](../conclusion.md#footnote4). These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools. 
+ +The security baseline includes policies for: + +- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting the use of legacy technology + +[!INCLUDE [learn-more](learn-more.md)] + +- [Intune security baseline overview](/mem/intune/protect/security-baselines) +- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all) diff --git a/windows/security/book/includes/universal-print.md b/windows/security/book/includes/universal-print.md new file mode 100644 index 0000000000..7e61d82121 --- /dev/null +++ b/windows/security/book/includes/universal-print.md 
@@ -0,0 +1,51 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/universal-print.svg" border="false"::: Universal Print + +Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print. + +Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector. + +Universal Print supports Zero Trust security by requiring that: + +- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[4\]](../conclusion.md#footnote4). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service +- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. 
This protects network snooping of traffic to gain access to sensitive data +- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data +- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication +- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant +- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached + +Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune[\[4\]](../conclusion.md#footnote4), admins can now configure policy settings to provision specific printers onto the user's Windows devices. + +Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products. + +More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24]. + +The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. 
It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25]. + +Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit. + +For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Universal Print][LINK-26] +- [Data handling in Universal Print][LINK-27] +- [Delegate Printer Administration with Administrative Units][LINK-28] +- [Print support app design guide][LINK-29] + + + +[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations +[LINK-24]: /microsoft-365/enterprise/m365-dr-overview +[LINK-25]: /universal-print/fundamentals/universal-print-qrcode +[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print +[LINK-27]: /universal-print/data-handling +[LINK-28]: /universal-print/portal/delegated-admin +[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide diff --git a/windows/security/book/includes/windows-autopatch.md b/windows/security/book/includes/windows-autopatch.md new file mode 100644 index 0000000000..b6d04f951b --- /dev/null +++ b/windows/security/book/includes/windows-autopatch.md 
@@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Autopatch + +Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks. + +There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw) commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) +- [Windows updates API overview](/graph/windowsupdates-concept-overview) +- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) +- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch) diff --git a/windows/security/book/includes/windows-autopilot.md b/windows/security/book/includes/windows-autopilot.md new file mode 100644 index 0000000000..4fc3ca74c7 --- /dev/null +++ b/windows/security/book/includes/windows-autopilot.md 
@@ -0,0 +1,27 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Autopilot + +Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple. + +With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings. + +Windows Autopilot enables you to: + +- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join +- Autoenroll devices into a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4) (requires a Microsoft Entra ID Premium subscription for configuration) +- Create and autoassignment of devices to configuration groups based on a device's profile +- Customize of the out-of-box experience (OOBE) content specific to your organization + +Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopilot](/autopilot/overview) +- [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset) 
diff --git a/windows/security/book/includes/windows-hotpatch.md b/windows/security/book/includes/windows-hotpatch.md new file mode 100644 index 0000000000..c084cb0939 --- /dev/null +++ b/windows/security/book/includes/windows-hotpatch.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Windows Hotpatch + +Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices. + +By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) diff --git a/windows/security/book/includes/windows-laps.md b/windows/security/book/includes/windows-laps.md new file mode 100644 index 0000000000..7c2d30bc84 --- /dev/null +++ b/windows/security/book/includes/windows-laps.md 
@@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Local Administrator Password Solution (LAPS) + +Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks. + +Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4). + +[!INCLUDE [new-24h2](new-24h2.md)] + +Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows LAPS overview](/windows-server/identity/laps/laps-overview) diff --git a/windows/security/book/includes/windows-update-for-business.md b/windows/security/book/includes/windows-update-for-business.md new file mode 100644 index 0000000000..a52459c919 --- /dev/null +++ b/windows/security/book/includes/windows-update-for-business.md 
@@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/11/2024 +ms.topic: include +ms.service: windows-client +--- + +## Windows Update for Business + +Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality. + +Administrators can utilize group policy or a device management solution like Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization. + +This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment. + +[!INCLUDE [learn-more](learn-more.md)] + +- [Windows Update for Business documentation](/windows/deployment/update/waas-manage-updates-wufb) From 87286af40b2b3279cda1d1f853a02122edbe2b56 Mon Sep 17 00:00:00 2001 From: Robert Durff <43757104+MSRobertD@users.noreply.github.com> Date: Mon, 24 Feb 2025 13:55:55 -0800 Subject: [PATCH 05/12] Remove broken links on cc-windows-server-previous.md Removing 3 broken links per email thread w/ Aaron Czechowski and Paolo Matarazzo --- .../validations/cc-windows-server-previous.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md index 392c293fd2..d41e015648 100644 --- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md +++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md @@ -1,7 +1,7 @@ --- title: Common Criteria certifications for previous Windows Server releases description: Learn about the completed Common Criteria certifications for previous Windows Server releases. -ms.date: 2/1/2024 +ms.date: 2/24/2025 ms.topic: reference --- 
@@ -28,16 +28,16 @@ The following tables list the completed Common Criteria certifications for Windo |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] | +|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Certification Report][certification-report-march-2011] | |Server Core 2008 R2: Hyper-V Server Role|July 24, 2009 |(Hyper-V certification.) Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3. It is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3. |[Security Target][security-target-july-2009]; [Administrative Guide][admin-guide-july-2009]; [Certification Report][certification-report-july-2009] | ## Windows Server 2008 |Product details |Date |Scope |Documents | |---------|---------|---------|---------| -|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] | +|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. 
|[Security Target][security-target-august-2009]; [Certification Report][certification-report-august-2009] | |Microsoft Windows Server Core 2008: Hyper-V Server Role. |July 24, 2009 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-july-2009-hyperv]; [Administrative Guide][admin-guide-july-2009-hyperv]; [Certification Report][certification-report-july-2009-hyperv] | -|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] | +|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Certification Report][certification-report-september-2008] | ## Windows Server 2003 Certificate Server 
@@ -77,11 +77,8 @@ The following tables list the completed Common Criteria certifications for Windo [admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx [admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx -[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00 [admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308 [admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252 -[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 -[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567 From c522341feecf2aedf384046d5519ea8ae05723b8 Mon Sep 17 00:00:00 2001 From: Robert Durff <43757104+MSRobertD@users.noreply.github.com> Date: Mon, 24 Feb 2025 14:02:01 -0800 Subject: [PATCH 06/12] Fix link in fips-140-windows10.md Fixing one incorrect link URL for BitLocker Dump Filter Security Policy. --- .../certification/validations/fips-140-windows10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows10.md b/windows/security/security-foundations/certification/validations/fips-140-windows10.md index 9bf64e0084..e7cecf69e6 100644 
--- a/windows/security/security-foundations/certification/validations/fips-140-windows10.md +++ b/windows/security/security-foundations/certification/validations/fips-140-windows10.md @@ -1,7 +1,7 @@ --- title: FIPS 140 validated modules for Windows 10 description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10. -ms.date: 11/13/2024 +ms.date: 2/24/2025 ms.topic: reference --- @@ -339,6 +339,6 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M [sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf [sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf [sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf -[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf +[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4538.pdf [sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf [sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf From 3549f64622c220be206b3d11c467a70e38da68c8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 24 Feb 2025 17:05:04 -0500 Subject: [PATCH 07/12] update --- windows/security/book/includes/microsoft-entra-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/includes/microsoft-entra-id.md b/windows/security/book/includes/microsoft-entra-id.md index e9bfd270c6..f0b400b0dd 100644 
--- a/windows/security/book/includes/microsoft-entra-id.md +++ b/windows/security/book/includes/microsoft-entra-id.md @@ -17,7 +17,7 @@ Organizations can deploy Microsoft Entra ID joined devices to enable access to b For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification. :::column-end::: :::column::: -:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="images/device-registration.png"::: +:::image type="content" source="../images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="../images/device-registration.png"::: :::column-end::: :::row-end::: From 0aa7f0159e649606b8725c7190352295f44f9acd Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Date: Mon, 24 Feb 2025 14:28:50 -0800 Subject: [PATCH 08/12] Fix typos / acro fix --- windows/deployment/update/update-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index cfa5ff37f5..8f10fce044 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md 
@@ -94,7 +94,7 @@ options must be **Disabled** in order to take advantage of intelligent active ho If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update velocity: -- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**: +- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following policies to **Disabled**: - **Turn off auto-restart during active hours** - **No auto-restart with logged on users for scheduled automatic updates** 
@@ -183,7 +183,7 @@ As administrators, you have set up and expect certain behaviors, so we expressly > expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar > policy is set in Group Policy with a differing value. > If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be -> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices. +> time to clear all policies and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended policies. The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict: - **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no From 9a54e95b97d9cc51c7e87168e22441a1f8638914 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 25 Feb 2025 04:08:08 +0530 Subject: [PATCH 09/12] acro fix --- .../applocker/understanding-applocker-rule-collections.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md index a90d6b8933..16d2b01891 100644 --- a/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/application-security/application-control/app-control-for-business/applocker/understanding-applocker-rule-collections.md 
@@ -19,11 +19,11 @@ An AppLocker rule collection is a set of rules that apply to one of five types: - Packaged apps and packaged app installers: .appx > [!IMPORTANT] -> Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems. +> Each app can load several DLLs, and AppLocker must check each DLL before it's allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems. > > DLL rules might cause performance problems on some computers which are already resource constrained. > -> As a result, the DLL rule collection is not enabled by default. +> As a result, the DLL rule collection isn't enabled by default. For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). From 0b2f8d9c2ef136c43c7fcf198782d359f2ab10c2 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 25 Feb 2025 04:10:59 +0530 Subject: [PATCH 10/12] acro fix --- .../app-control-for-business/design/script-enforcement.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md index ede02fb018..48193d95b6 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement.md 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] > [!IMPORTANT] -> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors. +> Option **11 Disabled:Script Enforcement** isn't supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and shouldn't be used on those platforms. Doing so will result in unexpected script enforcement behaviors. ## Script enforcement overview 
@@ -23,7 +23,7 @@ Validation for signed scripts is done using the [WinVerifyTrust API](/windows/wi App Control shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks App Control if a script should be allowed, an event is logged with the answer App Control returned to the script host. For more information on App Control script enforcement events, see [Understanding App Control events](../operations/event-id-explanations.md#app-control-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects). > [!NOTE] -> When a script runs that is not allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. +> When a script runs that isn't allowed by policy, App Control raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. > > Also be aware that some script hosts may change how they behave even if an App Control policy is in audit mode only. You should review the script host specific information in this article and test thoroughly within your environment to ensure the scripts you need to run are working properly. From c04f1b6b94ea64e63bf5629c6debb5ae5d62d947 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Date: Mon, 24 Feb 2025 14:50:25 -0800 Subject: [PATCH 11/12] acro fixes --- .../create-appcontrol-policy-for-fully-managed-devices.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md index 427333b080..97c05323c3 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md 
@@ -10,12 +10,12 @@ ms.date: 09/11/2024 [!INCLUDE [Feature availability note](../includes/feature-availability-note.md)] -This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. +This section outlines the process to create an App Control for Business policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-appcontrol-policy-for-lightly-managed-devices.md) is that all software that's deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. > [!NOTE] > Some of the App Control for Business options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's App Control policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. 
-As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common App Control for Business deployment scenarios](common-appcontrol-use-cases.md), we use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of App Control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of App Control. @@ -55,7 +55,7 @@ Having defined the "circle-of-trust", Alice is ready to generate the initial pol Alice follows these steps to complete this task: > [!NOTE] -> If you do not use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. +> If you don't use Configuration Manager or prefer to use a different [example App Control for Business base policy](example-appcontrol-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. 1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. From e087b8df1756a186249bacf37bf315e7d832b434 Mon Sep 17 00:00:00 2001 
From: Andy Rivas <45184653+andyrivMSFT@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:40:20 -0800 Subject: [PATCH 12/12] Update mcc-ent-prerequisites.md Adding Ubuntu 24.04 support --- windows/deployment/do/mcc-ent-prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-ent-prerequisites.md b/windows/deployment/do/mcc-ent-prerequisites.md index f8ddaef129..c2d38c86c0 100644 --- a/windows/deployment/do/mcc-ent-prerequisites.md +++ b/windows/deployment/do/mcc-ent-prerequisites.md @@ -52,7 +52,7 @@ This article details the requirements and recommended specifications for using M ### Additional requirements for Linux host machines - The Linux host machine must be using one of the following operating systems: - - Ubuntu 22.04 + - Ubuntu 22.04, 24.04 - Red Hat Enterprise Linux (RHEL) 8.* or 9.* - If using RHEL, the default container engine (Podman) must be replaced with [Moby](https://github.com/moby/moby#readme)
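Review bot: In the Universal Print include that opens this part of the series, the first added bullet reads "This protects network snooping of traffic to gain access to sensitive data", which says the opposite of what is meant; "This protects against network snooping of traffic" would fix it. In the same file, the two links written as "[here][LINK-24]" and "[here][LINK-25]" should carry descriptive link text (the Learn more list already uses "Data handling in Universal Print"), and "stores the print data in cloud securely" reads better as "securely stores print data in the cloud".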
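Review bot: In windows/security/book/includes/windows-autopatch.md, the second added paragraph links the Forrester study through a query.prod.cms.rt.microsoft.com/cms/api/am/binary/ URL, which gives readers no indication of what they are downloading; a landing page or a note on the file type would help. The same sentence has a stray comma between "commissioned by Microsoft" and "features insights", and it names the Windows IT Pro Blog and Windows Autopatch community without linking them inline even though both links appear in the list below.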
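Review bot: In windows/security/book/includes/windows-autopilot.md, two of the four bullets under "Windows Autopilot enables you to:" do not parse: "Create and autoassignment of devices to configuration groups" and "Customize of the out-of-box experience (OOBE) content". Suggest "Create and autoassign devices to configuration groups based on a device's profile" and "Customize the out-of-box experience (OOBE) content specific to your organization" so all four bullets start with a verb. "manually set-up devices" in the second paragraph should also be "manually set up devices".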
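Review bot: In windows/security/book/includes/windows-hotpatch.md, the figures "reducing the time to adopt a security update by 60%" and "from 12 times a year to just 4" are stated without a source, and the only Learn more link is the general Windows Autopatch documentation. Please add a footnote or link that backs each number, or soften the wording. The heading also embeds soon-button-title.svg as an icon with no text equivalent, so the "coming soon" status is lost for anyone who does not see the image; stating it in the body text would cover that.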
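Review bot: In windows/security/book/includes/windows-laps.md, the 24H2 paragraph says "three separate word source list", which should be "lists". The first paragraph also hyphenates inconsistently in "Microsoft Entra joined and Active Directory-joined devices"; pick one form. The rollback sentence mentions password consistency with Active Directory only, so it is worth confirming whether that scoping is intended, given that the opening paragraph covers Microsoft Entra joined devices as well.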
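Review bot: In windows/security/book/includes/windows-update-for-business.md, the second paragraph has a stray comma after the Intune footnote link ("Microsoft Intune[\[4\]](../conclusion.md#footnote4), to configure"), which splits the verb from its object; drop the comma. The third paragraph restates the benefit in general terms without naming a setting or behavior, so it could be cut or replaced with a concrete example of a deferral or deadline policy.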
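Review bot: In cc-windows-server-previous.md, the March 24, 2011, August 15, 2009 and September 17, 2008 rows now list only the Security Target and Certification Report, while the neighboring Hyper-V rows still list an Administrative Guide, and nothing tells the reader the guide existed or why it is gone. For a Common Criteria listing the administrative guidance is the document that describes the evaluated configuration, so consider keeping a plain-text entry such as "Administrative Guide (no longer available)" rather than dropping it silently. Also worth recording in the commit message: the removed admin-guide-august-2009 and admin-guide-september-2008 definitions pointed at the same familyid URL, so one of them was likely wrong before it was broken.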
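Review bot: In fips-140-windows10.md, the corrected [sp-4538] definition was a copy of the [sp-4537] URL, which suggests these reference definitions are maintained by hand. The neighbors visible in this hunk (sp-4515, sp-4536, sp-4537, sp-4766, sp-4825) all match their 140spNNNN.pdf file names, but the rest of the file is not shown, so a quick check that every [sp-NNNN] label matches the number in its URL would be a useful follow-up to this fix. A mismatch here points readers at the security policy for a different validated module.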
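Review bot: In update-policies.md, the @@ -94 hunk fixes "polices" but leaves the link text "Delay automatic reboot" pointing at the anchor waas-restart.md#delay-automatic-restart, while the rest of the sentence says "restarts"; aligning the link text with the target heading would avoid readers searching for a setting name that does not exist. In the @@ -183 hunk, "See the Policy and settings reference for a consolidated list of recommended policies" names a reference without linking it; add the link or the section anchor since the line is being touched anyway.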
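Review bot: In understanding-applocker-rule-collections.md, the contraction pass changes "it is allowed" and "is not enabled" but leaves "every DLL that is used by any of the allowed apps" in the same note, so the style is now mixed within one callout. If the goal is consistency, either contract that clause or shorten it to "every DLL used by any of the allowed apps". "computers which are already resource constrained" in the unchanged context line should be "computers that are already resource constrained".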
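Review bot: In script-enforcement.md, the @@ -23 hunk edits the note that a "blocked" event does not mean the script was stopped, but keeps the phrase "may not actually completely block the file from running", where the stacked adverbs blur the one point an analyst reading the *AppLocker - MSI and Script* log needs. Suggest "might not fully block the file from running" and pointing directly at the per-host sections rather than "the script host specific information in this article". In the @@ -12 hunk, "Doing so will result in unexpected script enforcement behaviors" would be more useful if it said what to do instead on Windows Server 2016 and Windows 10 1607 LTSB.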
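Review bot: In create-appcontrol-policy-for-fully-managed-devices.md, the rewritten first paragraph joins two independent clauses without a comma ("is managed by IT and users of the device can't install arbitrary apps"), and the added "that's" makes the sentence longer without changing its meaning. The same added line still reads "should ideally run as standard user and only authorized IT pros have administrative access"; "run as a standard user, and only authorized IT pros should have administrative access" states the least-privilege expectation more clearly.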
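Review bot: In mcc-ent-prerequisites.md, the new bullet "Ubuntu 22.04, 24.04" uses a comma list while the RHEL bullet directly below uses "8.* or 9.*"; "Ubuntu 22.04 or 24.04" would match. The commit message says this adds Ubuntu 24.04 support, but ms.date is not updated in this one-line change, unlike the other content changes in this series.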