mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
updates
@ -15,7 +15,7 @@ Microsoft Entra ID is a comprehensive cloud-based identity management solution t
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
For people wanting to connect to Entra on their personal devices, they can do so by using Workplace Join or Add Account – this action registers that users personal device with Microsoft Entra ID and helps- also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
For people wanting to connect to Microsoft Entra on their personal devices, they can do so by using *workplace join* or *add account*. These two actions registers that user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and cannot be copied to another device without explicit reverification.
To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
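Review bot: L19 has a subject-verb agreement error ("These two actions registers"); it should read "These two actions register that user's personal device". The same line then says credentials are "bound to the joined device" although the sentence describes registering, not joining, the device; "bound to the registered device" keeps the security claim consistent with the preceding sentence, since a device added through workplace join or add account is registered with Microsoft Entra ID rather than joined to it. L11, unchanged context, still carries a stray space before the final period ("sign-in to Entra ID .") and alternates between "Microsoft Entra ID" and "Entra ID" within one paragraph; worth fixing in the same pass.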
@ -78,24 +78,25 @@ A security baseline is a group of Microsoft-recommended configuration settings t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
- [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)
### MDM security baseline
### Security baseline for cloud-based device management solutions
Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune. These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
The security baseline includes policies for:
- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
- Restricting the use of legacy technology
The MDM security baseline has been enhanced with over 70 new settings which enable local user rights assignment, services management, and local security policies which were previously only available through Group Policy. This enables the adoption of cloud-based device management solutions and closer adherence to industry standard benchmarks for security.
The security baseline has been enhanced with over 70 new settings, enabling local user rights assignment, services management, and local security policies that were previously only available through group policy. This enhancement facilitates the adoption of cloud-based device management solutions and ensures closer adherence to industry-standard security benchmarks.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
- [Intune security baseline overview](/mem/intune/protect/security-baselines)
- [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
## MDM enrollment certificate attestation
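Review bot: L101 still reads "MDM security baseline" and links /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines, while the heading at L50 was renamed to drop "MDM" and the earlier Learn more entry at L42 links the same topic under /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines. Rename the L101 entry to match the new heading and use one path for both so the page does not carry two links to one document under different names. L39 and L104 likewise both target /mem/intune/protect/security-baselines with different titles; one of them can go. L91 keeps the "over 70 new settings" figure from L88 without saying which release introduced them; a version reference would make that claim checkable for someone auditing a baseline.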
@ -11,6 +11,6 @@ ms.date: 09/06/2024
:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::
Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
@ -79,7 +79,9 @@ System Management Mode (SMM) isolation is an execution mode in x86-based process
### Configuration lock
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core PC configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
Configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired SCPC state in seconds after detecting a drift.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
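Review bot: L158 says Windows "monitors supported registry keys" without saying where the supported set is documented, so a reader may assume configuration lock reverts arbitrary registry drift rather than the specific Secured-core settings it covers; the Learn more list under L163 should point at the list of settings it enforces. L153 also drops the "(MDM)" expansion that L150 carried; if the abbreviation is still used elsewhere on this page, keep the definition at its first use. Splitting L150 into L153 and L158 does remove the doubled "Secured-core PC configuration lock is a Secured-core PC (SCPC) feature", which reads much better.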
@ -92,7 +92,7 @@ IT administrators can refine the application and management of access to:
- Protect a greater number and variety of network resources from misuse
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@ -55,7 +55,7 @@ Windows presence sensing combines presence detection sensors with Windows Hello
Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with modern presence sensors.
Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
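Review bot: L209 states that third-party applications "can now access user presence information", while L201 says users can allow or block that access per app; as written the two paragraphs contradict each other. L209 should say the access is subject to the app privacy setting described in L201, for example "Third-party applications can access user presence information on devices with presence sensors, subject to the app privacy settings above." The wording change itself (dropping "modern") is fine.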
@ -54,7 +54,7 @@ Encrypted hard drives enable:
## Personal data encryption (PDE)
Personal Data Encryption refers to a user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
Personal Data Encryption refers to a user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the multi-factor authentication mechanism used with PDE. Windows Hello for Business, either with PIN, face, or fingerprint, is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
With the first release of PDE (Windows 11, version 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the next Windows platform release, PDE for Folders will be released. This feature doesn't require updates to any applications, and protects the contents in the Known Windows Folders from bootup until first sign-in.
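Review bot: L233 calls Windows Hello for Business "the multi-factor authentication mechanism" and in the next clause says it is used "either with PIN, face, or fingerprint", which reads as a single factor; the second factor is the key bound to the device, so state it, for example "Windows Hello for Business, which combines the device-bound key with a PIN or a biometric (face or fingerprint)". L238, unchanged context, still promises "PDE for Folders" in "the next Windows platform release" in future tense on a page whose ms.date is 09/06/2024 (L118); replace the forward-looking sentence with the release that shipped the feature rather than leaving it to age further.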
@ -117,11 +117,11 @@ Visibility and awareness of device security and health are key to any action tak
## Config Refresh
With traditional Group Policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
By contrast, with a device management solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through Mobile Device Management (MDM) protocols.
Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator.
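Review bot: L262, unchanged context, is ungrammatical and should be fixed in the same pass that lower-cased "group policy" at L257 and L270: "But policy settings are migrated from GPO to a device management solution, one remaining gap is" needs "But as policy settings are migrated from group policy to a device management solution, one remaining gap is", and "at eight-hours interval" should be "at eight-hour intervals". L267/L270 give the 90-minute default and 30-minute minimum but do not say whether the refresh reapplies the cached policy locally or requires a check-in with the management service; that distinction is what separates it from the eight-hour sync in L262 for a device that is offline or whose sync is being blocked, and deserves one sentence.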
@ -131,7 +131,7 @@ Config Refresh can also be paused for a configurable period of time, after which
## Kiosk mode
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device as a kiosk is a straightforward process. You can do this locally on the device or remotely using mobile device management.
With Assigned Access and Shell Launcher, you can configure Windows to restrict functionality to pre-selected applications. These features are ideal for public-facing or shared devices like kiosks. Configuring a device as a kiosk is straightforward and can be done locally on the device or through a cloud-based device management solution like Microsoft Intune.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
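Review bot: L293 drops the clause from L290 about keeping "individual identities separate", which was the one security property the paragraph stated for shared devices; keep it when adding Shell Launcher, since per-user restriction is what keeps one kiosk user's session from the next. L293 also presents Shell Launcher and Assigned Access as one mechanism ("These features ... restrict functionality to pre-selected applications"); Shell Launcher replaces the Windows shell with a custom application, whereas Assigned Access restricts what the standard shell exposes, and a one-line distinction would help readers choose between them.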