diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 5d4c8be0cb..0bfa6d278a 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,14 @@ +## Week of July 31, 2023 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | + + ## Week of July 24, 2023 diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index df025d2857..0ef3e1439d 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -2,7 +2,7 @@ title: Windows 11 SE Overview description: Learn about Windows 11 SE, and the apps that are included with the operating system. ms.topic: overview -ms.date: 07/25/2023 +ms.date: 08/03/2023 appliesto: - ✅ Windows 11 SE ms.collection: @@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o | --- | --- | :---: | ---| |Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.| | Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. | -|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.| -|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.| +|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.| +|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.| > [!IMPORTANT] -> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). +> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). ## Applications included in Windows 11 SE @@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the | Alarm & Clock | UWP | | | | Calculator | UWP | ✅ | | | Camera | UWP | ✅ | | -| Microsoft Edge | Win32 | ✅ | ✅ | -| Excel | Win32 | ✅ | | +| Microsoft Edge | `Win32` | ✅ | ✅ | +| Excel | `Win32` | ✅ | | | Feedback Hub | UWP | | | -| File Explorer | Win32 | | ✅ | +| File Explorer | `Win32` | | ✅ | | FlipGrid | PWA | | | | Get Help | UWP | | | | Media Player | UWP | ✅ | | @@ -61,20 +61,20 @@ The following table lists all the applications included in Windows 11 SE and the | Minecraft: Education Edition | UWP | | | | Movies & TV | UWP | | | | News | UWP | | | -| Notepad | Win32 | | | -| OneDrive | Win32 | | | -| OneNote | Win32 | ✅ | | +| Notepad | `Win32` | | | +| OneDrive | `Win32` | | | +| OneNote | `Win32` | ✅ | | | Outlook | PWA | ✅ | | -| Paint | Win32 | ✅ | | +| Paint | `Win32` | ✅ | | | Photos | UWP | | | -| PowerPoint | Win32 | ✅ | | +| PowerPoint | `Win32` | ✅ | | | Settings | UWP | ✅ | | | Snip & Sketch | UWP | | | | Sticky Notes | UWP | | | -| Teams | Win32 | ✅ | | +| Teams | `Win32` | ✅ | | | To Do | UWP | | | | Whiteboard | UWP | ✅ | | -| Word | Win32 | ✅ | | +| Word | `Win32` | ✅ | | ## Available applications @@ -82,98 +82,98 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Application | Supported version | App Type | Vendor | |-------------------------------------------|-------------------|----------|-------------------------------------------| -| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` | -| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` | -| `AirSecure` | 8.0.0 | Win32 | `AIR` | -| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` | -| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` | +| `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` | +| `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` | +| `AirSecure` | 8.0.0 | `Win32` | `AIR` | +| `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` | +| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | -| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | -| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | -| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` | -| `Class Policy` | 116.0.0 | Win32 | `Class Policy` | -| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | +| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` | +| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` | +| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` | +| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` | +| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` | | `Clipchamp` | 2.5.2. | `Store` | `Microsoft` | -| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | -| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | -| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | -| `DigiExam` | 14.0.6 | Win32 | `Digiexam` | -| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | +| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` | +| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` | +| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | +| `DigiExam` | 14.0.6 | `Win32` | `Digiexam` | +| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | -| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | -| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` | -| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` | -| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` | -| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` | -| `Epson iProjection` | 3.31 | Win32 | `Epson` | -| `eTests` | 4.0.25 | Win32 | `CASAS` | -| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` | -| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | -| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | -| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | -| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | -| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | -| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` | -| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` | -| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | -| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | -| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` | -| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` | -| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | -| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | -| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | -| `Keyman` | 16.0.138 | Win32 | `SIL International` | +| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | +| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | +| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | +| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | +| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` | +| `Epson iProjection` | 3.31 | `Win32` | `Epson` | +| `eTests` | 4.0.25 | `Win32` | `CASAS` | +| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` | +| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | +| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | +| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | +| `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` | +| `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` | +| `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` | +| `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` | +| `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` | +| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | +| `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` | +| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | +| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | +| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` | +| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | +| `Keyman` | 16.0.138 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | -| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | -| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | -| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` | -| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` | -| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` | +| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` | +| `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` | +| `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` | +| `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` | +| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | -| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | +| `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` | | `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` | -| `NAPLAN` | 5.2.2 | Win32 | `NAP` | -| `Netref Student` | 23.1.0 | Win32 | `NetRef` | -| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | -| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | -| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | -| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` | -| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` | -| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` | -| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` | -| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` | -| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` | +| `NAPLAN` | 5.2.2 | `Win32` | `NAP` | +| `Netref Student` | 23.1.0 | `Win32` | `NetRef` | +| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` | +| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` | +| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | +| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | +| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` | +| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | +| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | +| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | +| `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` | | `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` | | `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` | -| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` | -| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` | -| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` | -| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` | -| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | -| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` | -|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` | -|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` | -| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | -| `Skoolnext` | 2.19 | Win32 | `Skool.net` | -| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` | -| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | -| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | -| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | -| `WordQ` | 5.4.29 | Win32 | `WordQ` | -| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | -| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` | -| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` | +| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` | +| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` | +| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` | +| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` | +| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | +| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | +|`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` | +|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` | +| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` | +| `Skoolnext` | 2.19 | `Win32` | `Skool.net` | +| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | +| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | +|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | +| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | +| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | +| `WordQ` | 5.4.29 | `Win32` | `WordQ` | +| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | +| `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` | ## Add your own applications -If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. +If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. Microsoft reviews every app request to make sure each app meets the following requirements: -- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more +- Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more - Apps must be in one of the following app categories: - Content Filtering apps - Test Taking solutions diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md index 5f7bfddd78..b7a06b9836 100644 --- a/includes/licensing/_edition-requirements.md +++ b/includes/licensing/_edition-requirements.md @@ -1,18 +1,21 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- | Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education | |:---|:---:|:---:|:---:|:---:| -|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes| +|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes| |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes| |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes| +|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes| +|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes| |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes| |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes| +|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes| |**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes| |**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes| |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| @@ -28,21 +31,24 @@ ms.topic: include |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes| |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes| |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes| -|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes| -|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes| -|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes| -|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes| +|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes| |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes| -|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes| -|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes| |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes| -|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes| -|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes| +|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes| +|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes| +|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes| +|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes| +|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes| |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes| @@ -50,31 +56,32 @@ ms.topic: include |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes| -|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes| -|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes| +|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes| +|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes| |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes| |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes| |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes| +|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes| |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes| |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes| -|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes| |**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes| -|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes| -|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes| +|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes| |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes| |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes| |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes| -|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| -|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes| |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes| -|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes| -|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes| +|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md index 0f604cb58f..0021be3c39 100644 --- a/includes/licensing/_licensing-requirements.md +++ b/includes/licensing/_licensing-requirements.md @@ -1,18 +1,21 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- |Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---|:---:|:---:|:---:|:---:|:---:| -|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes| |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes| |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes| +|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes| +|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes| |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes| |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes| +|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes| |**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes| |**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes| |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| @@ -28,21 +31,24 @@ ms.topic: include |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes| |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes| |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes| -|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes| -|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes| -|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes| -|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes| +|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes| |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes| -|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes| -|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌| |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes| |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes| -|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes| -|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes| +|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes| |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| @@ -50,31 +56,32 @@ ms.topic: include |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes| -|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes| -|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes| +|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes| +|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes| |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes| |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes| +|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes| |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes| |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes| -|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes| -|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes| -|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes| +|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes| |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes| |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md new file mode 100644 index 0000000000..8adad0309e --- /dev/null +++ b/includes/licensing/access-control-aclsacl.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Access Control (ACL/SACL): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Access Control (ACL/SACL) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/access-control-aclsscals.md index 74b2f49090..9d8830c6cd 100644 --- a/includes/licensing/access-control-aclsscals.md +++ b/includes/licensing/access-control-aclsscals.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md index f73aa4228c..1e7a0d8661 100644 --- a/includes/licensing/account-lockout-policy.md +++ b/includes/licensing/account-lockout-policy.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md index 74b2333a3d..08d98ed800 100644 --- a/includes/licensing/always-on-vpn-device-tunnel.md +++ b/includes/licensing/always-on-vpn-device-tunnel.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md new file mode 100644 index 0000000000..0d698a7bfb --- /dev/null +++ b/includes/licensing/app-containers.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support App containers: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +App containers license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md new file mode 100644 index 0000000000..54cc165d41 --- /dev/null +++ b/includes/licensing/applocker.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support AppLocker: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +AppLocker license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md index a2f4b745bb..066c7badc4 100644 --- a/includes/licensing/assigned-access-kiosk-mode.md +++ b/includes/licensing/assigned-access-kiosk-mode.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md index 666af08c54..7d481ce4bf 100644 --- a/includes/licensing/attack-surface-reduction-asr.md +++ b/includes/licensing/attack-surface-reduction-asr.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md index b093cd8faa..5ae19412dd 100644 --- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md +++ b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-containers.md b/includes/licensing/azure-code-signing.md similarity index 76% rename from includes/licensing/windows-containers.md rename to includes/licensing/azure-code-signing.md index f3f9962827..dc29a35e27 100644 --- a/includes/licensing/windows-containers.md +++ b/includes/licensing/azure-code-signing.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Windows containers: +The following table lists the Windows editions that support Azure Code Signing: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Windows containers license entitlements are granted by the following licenses: +Azure Code Signing license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md index 4f0645fe52..56f85845aa 100644 --- a/includes/licensing/bitlocker-enablement.md +++ b/includes/licensing/bitlocker-enablement.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md index af3034bd8b..a0c68f72ee 100644 --- a/includes/licensing/bitlocker-management.md +++ b/includes/licensing/bitlocker-management.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md index 494fee6609..171fe3f9b2 100644 --- a/includes/licensing/bluetooth-pairing-and-connection-protection.md +++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md index dbb9d1669a..528a497f37 100644 --- a/includes/licensing/common-criteria-certifications.md +++ b/includes/licensing/common-criteria-certifications.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md index 855d0cf28f..25d04b1c49 100644 --- a/includes/licensing/controlled-folder-access.md +++ b/includes/licensing/controlled-folder-access.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md index f8fdb1e381..7ed2add45f 100644 --- a/includes/licensing/device-health-attestation-service.md +++ b/includes/licensing/device-health-attestation-service.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md index f1b2da9ef5..057c5a2cea 100644 --- a/includes/licensing/direct-access.md +++ b/includes/licensing/direct-access.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md index 07e14851b2..6895c5b618 100644 --- a/includes/licensing/email-encryption-smime.md +++ b/includes/licensing/email-encryption-smime.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md index e365c0d71c..16225d6ee6 100644 --- a/includes/licensing/encrypted-hard-drive.md +++ b/includes/licensing/encrypted-hard-drive.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md index 4f4c059f8b..ae4cd8568a 100644 --- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md +++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md index c774cb4f5e..7a46f2cc0a 100644 --- a/includes/licensing/exploit-protection.md +++ b/includes/licensing/exploit-protection.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/fast-identity-online-fido2-security-key.md index b47385e2f5..9985309552 100644 --- a/includes/licensing/fast-identity-online-fido2-security-key.md +++ b/includes/licensing/fast-identity-online-fido2-security-key.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md index ff0563a439..a06133b313 100644 --- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md +++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md index 5a1a787e06..0d01c1968f 100644 --- a/includes/licensing/federated-sign-in.md +++ b/includes/licensing/federated-sign-in.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md index 50ae05045a..8a2fe75e78 100644 --- a/includes/licensing/hardware-enforced-stack-protection.md +++ b/includes/licensing/hardware-enforced-stack-protection.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md index 8f6b16cf28..a6800d9403 100644 --- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md +++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md index 7c805915cb..52b159827e 100644 --- a/includes/licensing/kernel-direct-memory-access-dma-protection.md +++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md index af4fb5b47f..fafa59de66 100644 --- a/includes/licensing/local-security-authority-lsa-protection.md +++ b/includes/licensing/local-security-authority-lsa-protection.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md deleted file mode 100644 index 7330817deb..0000000000 --- a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 05/04/2023 -ms.topic: include ---- - -## Windows edition and licensing requirements - -The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy: - -|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:---:|:---:|:---:|:---:| -|Yes|Yes|Yes|Yes| - -Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses: - -|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:---:|:---:|:---:|:---:|:---:| -|Yes|Yes|Yes|Yes|Yes| - -For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md index 39c560d47f..407e64eefe 100644 --- a/includes/licensing/measured-boot.md +++ b/includes/licensing/measured-boot.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md index ba5bb932ea..357e6daa39 100644 --- a/includes/licensing/microsoft-defender-antivirus.md +++ b/includes/licensing/microsoft-defender-antivirus.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md index 453b5db930..bd87e59e22 100644 --- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md +++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md index 36c1c33234..8e546d7248 100644 --- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md index 23bf14013f..5d3024ffc9 100644 --- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md index 2ccf97f2da..6284c03484 100644 --- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md index bf903c766f..de70847881 100644 --- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md +++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md index be03daf05e..56edc6e24e 100644 --- a/includes/licensing/microsoft-defender-for-endpoint.md +++ b/includes/licensing/microsoft-defender-for-endpoint.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md index a946b12155..d5b7aae9bd 100644 --- a/includes/licensing/microsoft-defender-smartscreen.md +++ b/includes/licensing/microsoft-defender-smartscreen.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/microsoft-pluton-security-processor.md b/includes/licensing/microsoft-pluton.md similarity index 79% rename from includes/licensing/microsoft-pluton-security-processor.md rename to includes/licensing/microsoft-pluton.md index 2190c8a4ab..31058f139d 100644 --- a/includes/licensing/microsoft-pluton-security-processor.md +++ b/includes/licensing/microsoft-pluton.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Microsoft Pluton security processor: +The following table lists the Windows editions that support Microsoft Pluton: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Microsoft Pluton security processor license entitlements are granted by the following licenses: +Microsoft Pluton license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md new file mode 100644 index 0000000000..7b9411b126 --- /dev/null +++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Security Development Lifecycle (SDL): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Security Development Lifecycle (SDL) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md index 39e258739c..449ac22b52 100644 --- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md +++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist: +The following table lists the Windows editions that support Microsoft vulnerable driver blocklist: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses: +Microsoft vulnerable driver blocklist license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md new file mode 100644 index 0000000000..c3cd9dbaf1 --- /dev/null +++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Windows Insider Preview bounty program: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Windows Insider Preview bounty program license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md new file mode 100644 index 0000000000..f2a71b791d --- /dev/null +++ b/includes/licensing/modern-device-management-through-mdm.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Modern device management through (MDM): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Modern device management through (MDM) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md new file mode 100644 index 0000000000..25e6a5ef43 --- /dev/null +++ b/includes/licensing/onefuzz-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support OneFuzz service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +OneFuzz service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md index e0203c3e4d..4629b28a5f 100644 --- a/includes/licensing/opportunistic-wireless-encryption-owe.md +++ b/includes/licensing/opportunistic-wireless-encryption-owe.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md index 3ca149f34f..ed0e014d0e 100644 --- a/includes/licensing/personal-data-encryption-pde.md +++ b/includes/licensing/personal-data-encryption-pde.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md index 054bf054cc..080229688a 100644 --- a/includes/licensing/privacy-resource-usage.md +++ b/includes/licensing/privacy-resource-usage.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md index 711440f7a5..fd57043298 100644 --- a/includes/licensing/privacy-transparency-and-controls.md +++ b/includes/licensing/privacy-transparency-and-controls.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md index 5f5e79eeb6..6557c69147 100644 --- a/includes/licensing/remote-wipe.md +++ b/includes/licensing/remote-wipe.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md index 8c60a8b048..b29dea38c5 100644 --- a/includes/licensing/secure-boot-and-trusted-boot.md +++ b/includes/licensing/secure-boot-and-trusted-boot.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md index 9a2f06088b..8acee3baef 100644 --- a/includes/licensing/secured-core-configuration-lock.md +++ b/includes/licensing/secured-core-configuration-lock.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/secured-core-pc.md b/includes/licensing/secured-core-pc-firmware-protection.md similarity index 79% rename from includes/licensing/secured-core-pc.md rename to includes/licensing/secured-core-pc-firmware-protection.md index f22319bbdb..21a3a0651a 100644 --- a/includes/licensing/secured-core-pc.md +++ b/includes/licensing/secured-core-pc-firmware-protection.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Secured-core PC: +The following table lists the Windows editions that support Secured-core PC firmware protection: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Secured-core PC license entitlements are granted by the following licenses: +Secured-core PC firmware protection license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md index a615d3af13..bda8037388 100644 --- a/includes/licensing/security-baselines.md +++ b/includes/licensing/security-baselines.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md index ba99c98579..683fa8db2e 100644 --- a/includes/licensing/server-message-block-direct-smb-direct.md +++ b/includes/licensing/server-message-block-direct-smb-direct.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md index a271907d88..cd9276809b 100644 --- a/includes/licensing/server-message-block-smb-file-service.md +++ b/includes/licensing/server-message-block-smb-file-service.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md index ff42750aab..fbc05610fb 100644 --- a/includes/licensing/smart-app-control.md +++ b/includes/licensing/smart-app-control.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md index 98f271770f..eb5061e582 100644 --- a/includes/licensing/smart-cards-for-windows-service.md +++ b/includes/licensing/smart-cards-for-windows-service.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md new file mode 100644 index 0000000000..4d6f832194 --- /dev/null +++ b/includes/licensing/software-bill-of-materials-sbom.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Software Bill of Materials (SBOM): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Software Bill of Materials (SBOM) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md index 95a86ec97c..fe7d7c2314 100644 --- a/includes/licensing/tamper-protection-settings-for-mde.md +++ b/includes/licensing/tamper-protection-settings-for-mde.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md index 9af6799b44..5642121480 100644 --- a/includes/licensing/transport-layer-security-tls.md +++ b/includes/licensing/transport-layer-security-tls.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/trusted-platform-module-tpm-20.md b/includes/licensing/trusted-platform-module-tpm.md similarity index 80% rename from includes/licensing/trusted-platform-module-tpm-20.md rename to includes/licensing/trusted-platform-module-tpm.md index b2e593986b..6f757d623a 100644 --- a/includes/licensing/trusted-platform-module-tpm-20.md +++ b/includes/licensing/trusted-platform-module-tpm.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0: +The following table lists the Windows editions that support Trusted Platform Module (TPM): |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses: +Trusted Platform Module (TPM) license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md index 9c6572d61e..87828b2774 100644 --- a/includes/licensing/universal-print.md +++ b/includes/licensing/universal-print.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md index 9da42619fe..c34f82f836 100644 --- a/includes/licensing/user-account-control-uac.md +++ b/includes/licensing/user-account-control-uac.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md index aa184cdbb6..eb309a2554 100644 --- a/includes/licensing/virtual-private-network-vpn.md +++ b/includes/licensing/virtual-private-network-vpn.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Virtual Private Network (VPN): +The following table lists the Windows editions that support Virtual private network (VPN): |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Virtual Private Network (VPN) license entitlements are granted by the following licenses: +Virtual private network (VPN) license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md index bab3110e7a..70827aebce 100644 --- a/includes/licensing/virtualization-based-security-vbs.md +++ b/includes/licensing/virtualization-based-security-vbs.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md index edb7a92967..3d4a3e17c3 100644 --- a/includes/licensing/wifi-security.md +++ b/includes/licensing/wifi-security.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md new file mode 100644 index 0000000000..d97a10562a --- /dev/null +++ b/includes/licensing/windows-application-software-development-kit-sdk.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/02/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows application software development kit (SDK): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows application software development kit (SDK) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md index 85f7df53dc..4c866c7106 100644 --- a/includes/licensing/windows-autopatch.md +++ b/includes/licensing/windows-autopatch.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md index e187e7a3fa..1eee13f367 100644 --- a/includes/licensing/windows-autopilot.md +++ b/includes/licensing/windows-autopilot.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md index 66d6ac70dc..86ab8d5f14 100644 --- a/includes/licensing/windows-defender-application-control-wdac.md +++ b/includes/licensing/windows-defender-application-control-wdac.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/windows-defender-credential-guard.md index c134726708..adf6d74a0e 100644 --- a/includes/licensing/windows-defender-credential-guard.md +++ b/includes/licensing/windows-defender-credential-guard.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/windows-defender-remote-credential-guard.md index b638a7c661..8d862bdc9d 100644 --- a/includes/licensing/windows-defender-remote-credential-guard.md +++ b/includes/licensing/windows-defender-remote-credential-guard.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md index 0c747b64c5..7e8c06b51d 100644 --- a/includes/licensing/windows-defender-system-guard.md +++ b/includes/licensing/windows-defender-system-guard.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md index 2e0754b3ac..8e0bc9faf0 100644 --- a/includes/licensing/windows-firewall.md +++ b/includes/licensing/windows-firewall.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md index 3d0c015bc5..56e03e6bd4 100644 --- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md +++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md index f48b9316b7..95ffbf43a9 100644 --- a/includes/licensing/windows-hello-for-business.md +++ b/includes/licensing/windows-hello-for-business.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md index d462168228..eaddd61d61 100644 --- a/includes/licensing/windows-laps.md +++ b/includes/licensing/windows-laps.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md index c6cc796c33..977c729c0c 100644 --- a/includes/licensing/windows-presence-sensing.md +++ b/includes/licensing/windows-presence-sensing.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md index 7ed933449c..a486fd64de 100644 --- a/includes/licensing/windows-sandbox.md +++ b/includes/licensing/windows-sandbox.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md index 270d3267ee..a1742270bf 100644 --- a/includes/licensing/windows-security-policy-settings-and-auditing.md +++ b/includes/licensing/windows-security-policy-settings-and-auditing.md @@ -1,19 +1,19 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 05/04/2023 +ms.date: 08/02/2023 ms.topic: include --- ## Windows edition and licensing requirements -The following table lists the Windows editions that support Windows Security policy settings and auditing: +The following table lists the Windows editions that support Windows security policy settings and auditing: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Windows Security policy settings and auditing license entitlements are granted by the following licenses: +Windows security policy settings and auditing license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 65a8d393da..0e5da2dd3a 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -56,7 +56,7 @@ For more information about the MDM policies defined in the MDM security baseline For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). -[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)] +[!INCLUDE [modern-device-management-through-mdm](../../includes/licensing/modern-device-management-through-mdm.md)] ## Frequently Asked Questions diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index da09d3e2d2..ddb2f0861d 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell -$text = "" ; +$text = "`0" ; # The `0 null terminator is required $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" ``` diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c4991dd0ed..c289d933cc 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -76,7 +76,7 @@ href: operate/windows-autopatch-edge.md - name: Microsoft Teams href: operate/windows-autopatch-teams.md - - name: Windows quality and feature update reports + - name: Windows quality and feature update reports overview href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md items: - name: Windows quality update reports diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md index aca5a1a456..880f821953 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md @@ -21,9 +21,10 @@ ms.collection: The Windows quality reports provide you with information about: -Quality update device readiness -Device update health -Device update alerts +- Quality update device readiness +- Device update health +- Device update alerts + Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. The Windows quality report types are organized into the following focus areas: @@ -106,4 +107,4 @@ Within each 24-hour reporting period, devices that are Not Ready are reevaluated ## Data export -Select **Export devices** to export data for each report type. Only selected columns will be exported. +Select **Export devices** to export data for each report type. Only selected columns are exported. diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml index 66795447f6..b8fb1254fb 100644 --- a/windows/hub/breadcrumb/toc.yml +++ b/windows/hub/breadcrumb/toc.yml @@ -37,29 +37,31 @@ items: tocHref: /windows/security/ topicHref: /windows/security/ items: + - name: Hardware security + tocHref: /windows/security/hardware-security/ + topicHref: /windows/security/hardware-security/ + - name: Operating system security + tocHref: /windows/security/operating-system-security/ + topicHref: /windows/security/operating-system-security/ - name: Identity protection tocHref: /windows/security/identity-protection/ topicHref: /windows/security/identity-protection/ + - name: Application security + tocHref: /windows/security/application-security/ + topicHref: /windows/security/application-security/ items: - - name: Windows Hello for Business - tocHref: /windows/security/identity-protection/hello-for-business/ - topicHref: /windows/security/identity-protection/hello-for-business + - name: Application Control for Windows + tocHref: /windows/security/application-security/application-control/windows-defender-application-control/ + topicHref: /windows/security/application-security/application-control/windows-defender-application-control/ + - name: Microsoft Defender Application Guard + tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/ + topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + - name: Security foundations + tocHref: /windows/security/security-foundations/ + topicHref: /windows/security/security-foundations/ - name: Security auditing tocHref: /windows/security/threat-protection/auditing/ topicHref: /windows/security/threat-protection/auditing/security-auditing-overview - - name: Microsoft Defender Application Guard - tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/ - topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview - name: Security policy settings tocHref: /windows/security/threat-protection/security-policy-settings/ - topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings - - name: Application Control for Windows - tocHref: /windows/security/threat-protection/windows-defender-application-control/ - topicHref: /windows/security/threat-protection/windows-defender-application-control/ - - name: OS - tocHref: /windows/security/operating-system-security/ - topicHref: /windows/security/operating-system-security/ - - name: Windows Defender Firewall - tocHref: /windows/security/operating-system-security/network-security/windows-firewall/ - topicHref: /windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security - + topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings \ No newline at end of file diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md index fd3133539a..7bc080da18 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md @@ -32,7 +32,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No | | **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No | | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes | -| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes | +| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No | | **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes | | **8 Required:EV Signers** | This option isn't currently supported. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | diff --git a/windows/security/application-security/index.md b/windows/security/application-security/index.md index bcdb6b5bf2..6d2ac65456 100644 --- a/windows/security/application-security/index.md +++ b/windows/security/application-security/index.md @@ -1,18 +1,14 @@ --- title: Windows application security description: Get an overview of application security in Windows -ms.date: 03/09/2023 -ms.topic: article +ms.date: 08/02/2023 +ms.topic: conceptual --- # Windows application security -Cyber-criminals regularly gain access to valuable data by hacking applications. This can include *code injection* attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. +Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources. -The following table summarizes the Windows security features and capabilities for apps: +Learn more about application security features in Windows. -| Security Measures | Features & Capabilities | -|:---|:---| -| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](application-control/windows-defender-application-control/wdac.md) | -| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). | -| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) | +[!INCLUDE [application](../includes/sections/application.md)] diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md new file mode 100644 index 0000000000..4a758c6aa6 --- /dev/null +++ b/windows/security/cloud-security/index.md @@ -0,0 +1,18 @@ +--- +title: Windows and cloud security +description: Get an overview of cloud security features in Windows +ms.date: 08/02/2023 +ms.topic: conceptual +author: paolomatarazzo +ms.author: paoloma +--- + +# Windows and cloud security + +Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. + +From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere. + +Learn more about cloud security features in Windows. + +[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)] diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml index 4350280431..7c46b6e146 100644 --- a/windows/security/cloud-security/toc.yml +++ b/windows/security/cloud-security/toc.yml @@ -1,4 +1,6 @@ items: +- name: Overview + href: index.md - name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗 href: /azure/active-directory/devices/concept-azure-ad-join - name: Security baselines with Intune 🔗 diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index b1f7221ccc..4a94896198 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md @@ -37,7 +37,7 @@ When the system boots, Pluton hardware initialization is performed by loading th ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png) -[!INCLUDE [microsoft-pluton-security-processor](../../../../includes/licensing/microsoft-pluton-security-processor.md)] +[!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)] ## Related topics diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md index b434d6a7d8..8d35f5065b 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md @@ -42,7 +42,7 @@ Anti-malware software can use the boot measurements of the operating system star The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). -[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm-20.md)] +[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)] ## New and changed functionality diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index a2c64c37a0..101a50568b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,11 +1,8 @@ --- -ms.date: 12/05/2022 +ms.date: 08/03/2023 title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.topic: conceptual -ms.collection: - - highpri - - tier2 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -20,7 +17,7 @@ This article describes the default local user accounts for Windows operating sys ## About local user accounts -Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users. +Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users. ## Default local user accounts @@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso Default local user accounts are described in the following sections. Expand each section for more information. -
-
-Administrator +### Administrator The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. @@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation. -**Account group membership** +#### Account group membership By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device. The Administrator account can't be removed from the Administrators group. -**Security considerations** +#### Security considerations Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. @@ -61,51 +56,42 @@ As a security best practice, use your local (non-Administrator) account to sign Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). > [!IMPORTANT] -> -> - Blank passwords are not allowed. > -> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. +> - Blank passwords are not allowed +> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled. -
-
-
-Guest +### Guest The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary. -**Account group membership** +#### Guest account group membership -By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device. +By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device. -**Security considerations** +#### Guest account security considerations When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers. In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. -
- -
-
-HelpAssistant +### HelpAssistant The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. -**Security considerations** +#### HelpAssistant account security considerations The SIDs that pertain to the default HelpAssistant account include: -- SID: `S-1-5--13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. - -- SID: `S-1-5--14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. +- SID: `S-1-5--13`, display name *Terminal Server User*. This group includes all users who sign in to a server with Remote Desktop Services enabled. +- SID: `S-1-5--14`, display name *Remote Interactive Logon*. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used. For details about the HelpAssistant account attributes, see the following table. -**HelpAssistant account attributes** +#### HelpAssistant account attributes |Attribute|Value| |--- |--- | @@ -118,15 +104,11 @@ For details about the HelpAssistant account attributes, see the following table. |Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| -
- -
-
-DefaultAccount +### DefaultAccount The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic. -The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience. +The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience. The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\-503`. @@ -135,19 +117,20 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**, The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). #### How Windows uses the DefaultAccount -From a permission perspective, the DefaultAccount is a standard user account. -The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). -MUMA apps run all the time and react to users signing in and signing out of the devices. -Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. -MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. -Today, Xbox automatically signs in as Guest account and all apps run in this context. -All the apps are multi-user-aware and respond to events fired by user manager. +From a permission perspective, the DefaultAccount is a standard user account. +The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). +MUMA apps run all the time and react to users signing in and signing out of the devices. +Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. + +MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. +Today, Xbox automatically signs in as Guest account and all apps run in this context. +All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account. -Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. +Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. -In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. +In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. For this purpose, the system creates DSMA. #### How the DefaultAccount gets created on domain controllers @@ -158,35 +141,25 @@ If the domain was created with domain controllers running an earlier version of #### Recommendations for managing the Default Account (DSMA) Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. -
## Default local system accounts -
-
-SYSTEM +### SYSTEM - -The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. +The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. > [!NOTE] > To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. -
-
-
-NETWORK SERVICE +### NETWORK SERVICE -The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). -
-
-
-LOCAL SERVICE +The *NETWORK SERVICE* account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). -The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). -
+### LOCAL SERVICE + +The *LOCAL SERVICE* account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). ## How to manage local user accounts @@ -203,17 +176,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by ### Restrict and protect local accounts with administrative rights -An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". +An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*. The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section. The other approaches that can be used to restrict and protect user accounts with administrative rights include: -- Enforce local account restrictions for remote access. - -- Deny network logon to all local Administrator accounts. - -- Create unique passwords for local accounts with administrative rights. +- Enforce local account restrictions for remote access +- Deny network logon to all local Administrator accounts +- Create unique passwords for local accounts with administrative rights Each of these approaches is described in the following sections. @@ -224,7 +195,7 @@ Each of these approaches is described in the following sections. User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you. -UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command. +UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command. In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session. @@ -234,8 +205,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. - - |No.|Setting|Detailed Description| |--- |--- |--- | ||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options| @@ -251,7 +220,7 @@ The following table shows the Group Policy and registry settings that are used t > [!NOTE] > You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. - + #### To enforce local account restrictions for remote access 1. Start the **Group Policy Management** Console (GPMC) @@ -286,6 +255,7 @@ The following table shows the Group Policy and registry settings that are used t 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Create links to all other OUs that contain workstations 1. Create links to all other OUs that contain servers + ### Deny network logon to all local Administrator accounts Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index cfcd88f924..04b493aa73 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -8,7 +8,7 @@ metadata: - highpri - tier1 ms.topic: faq - ms.date: 03/09/2023 + ms.date: 08/03/2023 title: Common questions about Windows Hello for Business summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business. diff --git a/windows/security/includes/sections/application-application-control-overview.md b/windows/security/includes/sections/application-application-control-overview.md deleted file mode 100644 index 00b89b3535..0000000000 --- a/windows/security/includes/sections/application-application-control-overview.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Application Control features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes| -|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes| -|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Application Control features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes| -|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes| -|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/application-application-isolation-overview.md b/windows/security/includes/sections/application-application-isolation-overview.md deleted file mode 100644 index 252a6d415b..0000000000 --- a/windows/security/includes/sections/application-application-isolation-overview.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Application Isolation features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes| -|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|❌|Yes| -|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes| -|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes| -|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes| -|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes| -|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Application Isolation features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|Yes| -|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|Yes|Yes|Yes| -|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes| -|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌| -|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes| -|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes| -|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md index 247d4a9ae8..34f9e6a785 100644 --- a/windows/security/includes/sections/application.md +++ b/windows/security/includes/sections/application.md @@ -1,26 +1,28 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 06/06/2023 +ms.date: 08/02/2023 ms.topic: include --- -## Application Control +## Application and driver control -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| -| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. | -| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.

Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. | | **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. | +| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** | | +| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.

Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. | +| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. | +| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.

Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. | -## Application Isolation +## Application isolation -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| -| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. | -| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. | +| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. | +| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. | | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. | | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. | | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. | -| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. | -| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. | +| **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. | +| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. | diff --git a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md deleted file mode 100644 index 3f4998f4bc..0000000000 --- a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Protecting Your Work Information features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes| -|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes| -|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes| -|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes| -|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Protecting Your Work Information features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes| -|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes| -|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes| -|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes| -|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/cloud-services-update-overview.md b/windows/security/includes/sections/cloud-services-update-overview.md deleted file mode 100644 index b20a97756d..0000000000 --- a/windows/security/includes/sections/cloud-services-update-overview.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Update features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes| -|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Update features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌| -|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md index 4c2d636206..07fc5b88b5 100644 --- a/windows/security/includes/sections/cloud-services.md +++ b/windows/security/includes/sections/cloud-services.md @@ -1,23 +1,18 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 06/06/2023 +ms.date: 08/02/2023 ms.topic: include --- -## Protecting Your Work Information +## Protect your work information -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. | -| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.

Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. | +| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.

Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. | | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers.

With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. | -| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. | -| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a
Microsoft hosted cloud subscription service that supports a zero-trust security model by
enabling network isolation of printers, including the Universal Print connector software, from
the rest of the organization's resources. | - -## Update - -| Security Measures | Features & Capabilities | -|:---|:---| +| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.

IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.

To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. | +| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. | | **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise.

The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors. | | **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. | diff --git a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md deleted file mode 100644 index cb297f9fb2..0000000000 --- a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Hardware Root-Of-Trust features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes| -|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes| -|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Hardware Root-Of-Trust features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes| -|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes| -|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md deleted file mode 100644 index fb61005d36..0000000000 --- a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes| -|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes| -|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes| -|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes| -|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes| -|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes| -|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes| -|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes| -|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md index 52202f35f7..11a4f97b60 100644 --- a/windows/security/includes/sections/hardware.md +++ b/windows/security/includes/sections/hardware.md @@ -1,24 +1,30 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 06/06/2023 +ms.date: 08/02/2023 ms.topic: include --- -## Hardware Root-Of-Trust +## Hardware root-of-trust -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| -| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. | -| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.

Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. | -| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.

In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. | +| **[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. | +| **[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.

Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. | +| **[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.

In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. | -## Silicon Assisted Security (Secured Kernel) +## Silicon assisted security -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.

Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. | -| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.

Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. | +| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.

Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. | | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. | -| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. | -| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. | +| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. | + +## Secured-core PC + +| Feature name | Description | +|:---|:---| +| **[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. | +| **[Secured-core configuration lock](/windows/client-management/config-lock)** | Secured-core configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired SCPC state in seconds. | diff --git a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md deleted file mode 100644 index c8f646fb31..0000000000 --- a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Advanced Credential Protection features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes| -|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes| -|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes| -|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes| -|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes| -|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Advanced Credential Protection features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes| -|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes| -|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes| -|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes| -|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes| -|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md deleted file mode 100644 index c2666f968d..0000000000 --- a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Passwordless Sign In features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes| -|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes| -|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes| -|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes| -|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes| -|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Passwordless Sign In features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes| -|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes| -|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes| -|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes| -|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes| -|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index b31aaf1ca9..891ad65444 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md @@ -1,13 +1,13 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 06/06/2023 +ms.date: 08/02/2023 ms.topic: include --- -## Passwordless Sign In +## Passwordless sign in -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.

Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. | | **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. | @@ -16,13 +16,13 @@ ms.topic: include | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. | | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. | -## Advanced Credential Protection +## Advanced credential protection -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. | -| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | | +| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | -| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | +| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | | **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | | **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | diff --git a/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md b/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md deleted file mode 100644 index 68b64731f3..0000000000 --- a/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Data Protection features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes| -|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes| -|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes| -|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes| -|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Data Protection features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes| -|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes| -|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes| -|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes| -|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/operating-system-modern-device-management-overview.md b/windows/security/includes/sections/operating-system-modern-device-management-overview.md deleted file mode 100644 index b43f14f6ef..0000000000 --- a/windows/security/includes/sections/operating-system-modern-device-management-overview.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Modern Device Management features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes| -|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes| -|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Modern Device Management features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes| -|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes| -|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/operating-system-network-security-overview.md b/windows/security/includes/sections/operating-system-network-security-overview.md deleted file mode 100644 index 95b71a85f8..0000000000 --- a/windows/security/includes/sections/operating-system-network-security-overview.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Network Security features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes| -|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes| -|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes| -|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes| -|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes| -|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes| -|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes| -|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes| -|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes| -|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Network Security features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes| -|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes| -|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes| -|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes| -|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes| -|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes| -|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes| -|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes| -|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes| -|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/operating-system.md b/windows/security/includes/sections/operating-system-security.md similarity index 76% rename from windows/security/includes/sections/operating-system.md rename to windows/security/includes/sections/operating-system-security.md index e4414bfaaf..3a748fac25 100644 --- a/windows/security/includes/sections/operating-system.md +++ b/windows/security/includes/sections/operating-system-security.md @@ -1,61 +1,53 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 07/31/2023 +ms.date: 08/02/2023 ms.topic: include --- -## System Security +## System security -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.

Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. | | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.

The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. | | **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. | +| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. | -## Virus And Threat Protection +## Virus and threat protection -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.

The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. | -| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.

LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. | +| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.

LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. | | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.

Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. | | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. | -| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.

Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the **Windows Security** settings. | | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. | | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. | | **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. | | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. | -## Network Security +## Network security -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. | | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. | | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.

Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. | | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. | -| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.

With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). | -| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.

In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. | -| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | | +| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.

With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). | +| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.

In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. | +| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. | | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.

With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. | | **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. | | **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.

SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. | -## Encryption And Data Protection +## Encryption and data protection -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD. | | **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).

BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. | | **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.

By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. | | **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.

Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. | | **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. | - -## Modern Device Management - -| Security Measures | Features & Capabilities | -|:---|:---| -| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. | -| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. | -| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.

Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. | diff --git a/windows/security/includes/sections/operating-system-system-security-overview.md b/windows/security/includes/sections/operating-system-system-security-overview.md deleted file mode 100644 index 426c265aca..0000000000 --- a/windows/security/includes/sections/operating-system-system-security-overview.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all System Security features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes| -|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes| -|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all System Security features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes| -|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes| -|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md deleted file mode 100644 index 4853fdc620..0000000000 --- a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Virus And Threat Protection features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes| -|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes| -|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes| -|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes| -|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes| -|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes| -|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes| -|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes| -|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Virus And Threat Protection features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes| -|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes| -|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes| -|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes| -|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes| -|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes| -|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes| -|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes| -|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes| diff --git a/windows/security/includes/sections/privacy.md b/windows/security/includes/sections/privacy.md deleted file mode 100644 index cb5118754a..0000000000 --- a/windows/security/includes/sections/privacy.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- diff --git a/windows/security/includes/sections/security-foundations-certification-overview.md b/windows/security/includes/sections/security-foundations-certification-overview.md deleted file mode 100644 index 78601c07dd..0000000000 --- a/windows/security/includes/sections/security-foundations-certification-overview.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 06/02/2023 -ms.topic: include ---- - -The following table lists the edition applicability for all Certification features. - -|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| -|:-:|:-:|:-:|:-:|:-:| -|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes| -|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes| - -The following table lists the licensing applicability for all Certification features. - -|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| -|:-:|:-:|:-:|:-:|:-:|:-:| -|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes| -|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes| diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md index 8c3cd14c92..6cbeb13816 100644 --- a/windows/security/includes/sections/security-foundations.md +++ b/windows/security/includes/sections/security-foundations.md @@ -1,13 +1,29 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 06/06/2023 +ms.date: 08/02/2023 ms.topic: include --- +## Offensive research + +| Feature name | Description | +|:---|:---| +| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. | +| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. | +| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.

Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. | + ## Certification -| Security Measures | Features & Capabilities | +| Feature name | Description | |:---|:---| | **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. | | **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. | + +## Secure supply chain + +| Feature name | Description | +|:---|:---| +| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. | +| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune.

To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps.

Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets. | +| **[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. | diff --git a/windows/security/index.yml b/windows/security/index.yml index 393a49b66b..e49166e1ef 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,162 +1,168 @@ -### YamlMime:Landing +### YamlMime:Hub -title: Windows security -summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. +title: Windows client security documentation +summary: Learn how to secure Windows clients for your organization. +brand: windows metadata: - title: Windows security - description: Learn about Windows security technologies and how to use them to protect your data and devices. - ms.topic: landing-page + ms.topic: hub-page ms.prod: windows-client - ms.technology: itpro-security ms.collection: + - highpri - tier1 author: paolomatarazzo ms.author: paoloma - ms.date: 12/19/2022 + manager: aaroncz + ms.date: 07/28/2023 -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new +highlightedContent: + items: + - title: Get started with Windows security + itemType: get-started + url: introduction.md + - title: Windows 11, version 22H2 + itemType: whats-new + url: /windows/whats-new/whats-new-windows-11-version-22H2 + - title: Windows 11, version 22H2 group policy settings reference + itemType: download + url: https://www.microsoft.com/en-us/download/details.aspx?id=104594 + - title: Security features licensing and edition requirements + itemType: overview + url: /windows/security/licensing-and-edition-requirements -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Zero Trust and Windows - linkLists: - - linkListType: overview - links: - - text: Overview - url: zero-trust-windows-device-health.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Hardware security - linkLists: - - linkListType: overview - links: - - text: Overview - url: hardware.md - - linkListType: concept - links: - - text: Trusted Platform Module - url: hardware-security/tpm/trusted-platform-module-top-node.md - - text: Windows Defender System Guard firmware protection - url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md - - text: System Guard Secure Launch and SMM protection enablement - url: hardware-security/system-guard-secure-launch-and-smm-protection.md - - text: Virtualization-based protection of code integrity - url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md - - text: Kernel DMA Protection - url: hardware-security/kernel-dma-protection-for-thunderbolt.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Operating system security - linkLists: - - linkListType: overview - links: - - text: Overview - url: operating-system-security/index.md - - linkListType: concept - links: - - text: Trusted boot - url: operating-system-security\system-security\trusted-boot.md - - text: Windows security baselines - url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md - - text: Virtual private network guide - url: operating-system-security/network-security/vpn/vpn-guide.md - - text: Windows Defender Firewall - url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md - - text: Virus & threat protection - url: threat-protection/index.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Application security - linkLists: - - linkListType: overview - links: - - text: Overview - url: application-security/index.md - - linkListType: concept - links: - - text: Application Control and virtualization-based protection - url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - text: Application Control - url: application-security/application-control/windows-defender-application-control/wdac.md - - text: Application Guard - url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md - - text: Windows Sandbox - url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md - - text: Microsoft Defender SmartScreen - url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md - - text: S/MIME for Windows - url: operating-system-security/data-protection/configure-s-mime.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: User security and secured identity - linkLists: - - linkListType: overview - links: - - text: Overview - url: identity.md - - linkListType: concept - links: - - text: Windows Hello for Business - url: identity-protection/hello-for-business/index.md - - text: Protect domain credentials - url: identity-protection/credential-guard/credential-guard.md - - text: Windows Defender Credential Guard - url: identity-protection/credential-guard/credential-guard.md - - text: Lost or forgotten passwords - url: identity-protection/password-support-policy.md - - text: Access control - url: identity-protection/access-control/access-control.md - - text: Smart cards - url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Cloud services - linkLists: - - linkListType: concept - links: - - text: Mobile device management - url: /windows/client-management/mdm/ - - text: Azure Active Directory - url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - - text: Your Microsoft Account - url: identity-protection/access-control/microsoft-accounts.md - - text: OneDrive - url: /onedrive/onedrive - - text: Family safety - url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Security foundations - linkLists: - - linkListType: overview - links: - - text: Overview - url: security-foundations/index.md - - linkListType: reference - links: - - text: Microsoft Security Development Lifecycle - url: threat-protection/msft-security-dev-lifecycle.md - - text: Microsoft Bug Bounty - url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program - - text: Common Criteria Certifications - url: threat-protection/windows-platform-common-criteria.md - - text: Federal Information Processing Standard (FIPS) 140 Validation - url: threat-protection/fips-140-validation.md -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - - title: Privacy controls - linkLists: - - linkListType: reference - links: - - text: Windows and Privacy Compliance - url: /windows/privacy/windows-10-and-privacy-compliance + +productDirectory: + title: Get started + items: + + - title: Hardware security + imageSrc: /media/common/i_usb.svg + links: + - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + text: Trusted Platform Module + - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + text: Microsoft Pluton + - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + text: Windows Defender System Guard + - url: /windows-hardware/design/device-experiences/oem-vbs + text: Virtualization-based security (VBS) + - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 + text: Secured-core PC + - url: /windows/security/hardware-security + text: Learn more about hardware security > + + - title: OS security + imageSrc: /media/common/i_threat-protection.svg + links: + - url: /windows/security/operating-system-security + text: Trusted boot + - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center + text: Windows security settings + - url: /windows/security/operating-system-security/data-protection/bitlocker/ + text: BitLocker + - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines + text: Windows security baselines + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + text: MMicrosoft Defender SmartScreen + - url: /windows/security/operating-system-security + text: Learn more about OS security > + + - title: Identity protection + imageSrc: /media/common/i_identity-protection.svg + links: + - url: /windows/security/identity-protection/hello-for-business + text: Windows Hello for Business + - url: /windows/security/identity-protection/credential-guard + text: Windows Defender Credential Guard + - url: /windows-server/identity/laps/laps-overview + text: Windows LAPS (Local Administrator Password Solution) + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection + text: Enhanced phishing protection with SmartScreen + - url: /education/windows/federated-sign-in + text: Federated sign-in (EDU) + - url: /windows/security/identity-protection + text: Learn more about identity protection > + + - title: Application security + imageSrc: /media/common/i_queries.svg + links: + - url: /windows/security/application-security/application-control/windows-defender-application-control/ + text: Windows Defender Application Control (WDAC) + - url: /windows/security/application-security/application-control/user-account-control + text: User Account Control (UAC) + - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules + text: Microsoft vulnerable driver blocklist + - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + text: Microsoft Defender Application Guard (MDAG) + - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + text: Windows Sandbox + - url: /windows/security/application-security + text: Learn more about application security > + + - title: Security foundations + imageSrc: /media/common/i_build.svg + links: + - url: /windows/security/security-foundations/certification/fips-140-validation + text: FIPS 140-2 validation + - url: /windows/security/security-foundations/certification/windows-platform-common-criteria + text: Common Criteria Certifications + - url: /windows/security/security-foundations/msft-security-dev-lifecycle + text: Microsoft Security Development Lifecycle (SDL) + - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview + text: Microsoft Windows Insider Preview bounty program + - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + text: OneFuzz service + - url: /windows/security/security-foundations + text: Learn more about security foundations > + + - title: Cloud security + imageSrc: /media/common/i_cloud-security.svg + links: + - url: /mem/intune/protect/security-baselines + text: Security baselines with Intune + - url: /windows/deployment/windows-autopatch + text: Windows Autopatch + - url: /windows/deployment/windows-autopilot + text: Windows Autopilot + - url: /universal-print + text: Universal Print + - url: /windows/client-management/mdm/remotewipe-csp + text: Remote wipe + - url: /windows/security/cloud-security + text: Learn more about cloud security > + +additionalContent: + sections: + - title: More Windows resources + items: + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? + url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ + + - title: Windows product site and blogs + links: + - text: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - text: Windows blogs + url: https://blogs.windows.com/ + - text: Windows IT Pro blog + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - text: Microsoft Intune blog + url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog + - text: "Windows help & learning: end-user documentation" + url: https://support.microsoft.com/windows + + - title: Participate in the community + links: + - text: Windows community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - text: Microsoft Intune community + url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune + - text: Microsoft Support community + url: https://answers.microsoft.com/windows/forum \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index ac2d1d013e..2464ef0104 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md @@ -1,21 +1,21 @@ --- title: BitLocker overview -description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +description: Learn about BitLocker requirements, practical applications, and deprecated features. ms.collection: - highpri - tier1 -ms.topic: conceptual -ms.date: 11/08/2022 +ms.topic: overview +ms.date: 08/03/2023 --- # BitLocker overview -Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\ +Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\ BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. -BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline. +BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline. -On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. @@ -27,30 +27,25 @@ Data on a lost or stolen device is vulnerable to unauthorized access, either by BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker. +- For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker +- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware +- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment -A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware. + > [!NOTE] + > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. + > + > Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. -The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. - -> [!IMPORTANT] -> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup). - -> [!NOTE] -> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. - -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. - -The hard disk must be partitioned with at least two drives: - -- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. -- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. - -When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker. +- The hard disk must be partitioned with at least two drives: + - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system + - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space > [!IMPORTANT] +> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker. +> > An encrypted partition can't be marked as active. -When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. +> [!NOTE] +> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] diff --git a/windows/security/operating-system-security/device-management/toc.yml b/windows/security/operating-system-security/device-management/toc.yml index 3fbd57294b..913340c2fb 100644 --- a/windows/security/operating-system-security/device-management/toc.yml +++ b/windows/security/operating-system-security/device-management/toc.yml @@ -1,10 +1,4 @@ items: - - name: Security policy settings - href: ../../threat-protection/security-policy-settings/security-policy-settings.md - - name: Security auditing - href: ../../threat-protection/auditing/security-auditing-overview.md - - name: Secured-core configuration lock - href: /windows/client-management/config-lock - name: Assigned Access (kiosk mode) href: /windows/configuration/kiosk-methods - name: Security baselines diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md index 7787d87aa3..1c0cd9103b 100644 --- a/windows/security/operating-system-security/index.md +++ b/windows/security/operating-system-security/index.md @@ -1,7 +1,7 @@ --- title: Windows operating system security description: Securing the operating system includes system security, encryption, network security, and threat protection. -ms.date: 09/21/2021 +ms.date: 08/02/2023 ms.topic: article --- @@ -13,4 +13,4 @@ Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9Q Use the links in the following sections to learn more about the operating system security features and capabilities in Windows. -[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)] +[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)] diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 809b88492a..d87edf7174 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,7 +1,7 @@ --- title: How to configure cryptographic settings for IKEv2 VPN connections description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 06/28/2023 +ms.date: 08/03/2023 ms.topic: how-to --- @@ -9,8 +9,8 @@ ms.topic: how-to In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are: -- Encryption Algorithm : DES3 -- Integrity, Hash Algorithm : SHA1 +- Encryption Algorithm: DES3 +- Integrity, Hash Algorithm: SHA1 - Diffie Hellman Group (Key Size): DH2 These settings aren't secure for IKE exchanges. @@ -31,9 +31,9 @@ On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/ Set-VpnServerIPsecConfiguration -CustomPolicy ``` -## VPN client +## VPN client -For VPN client, you need to configure each VPN connection. +For VPN client, you need to configure each VPN connection. For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection: ```powershell @@ -44,8 +44,8 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName The following commands configure the IKEv2 cryptographic settings to: -- Encryption Algorithm : AES128 -- Integrity, Hash Algorithm : SHA256 +- Encryption Algorithm: AES128 +- Integrity, Hash Algorithm: SHA256 - Diffie Hellman Group (Key Size): DH14 ### IKEv2 VPN Server diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 08b4c532c8..ae9673a74d 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,13 +1,13 @@ --- title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. -ms.date: 12/28/2022 +ms.date: 08/03/2023 ms.topic: how-to --- # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections -This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used: +This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over Wi-Fi or VPN connections. The following scenarios are typically used: - Connecting to a network using Wi-Fi or VPN - Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials @@ -17,15 +17,15 @@ For example, you want to connect to a corporate network and access an internal w The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: - For VPN, the VPN stack saves its credential as the **session default** -- For WiFi, Extensible Authentication Protocol (EAP) provides support +- For Wi-Fi, Extensible Authentication Protocol (EAP) provides support The credentials are placed in Credential Manager as a *session credential*: - A *session credential* implies that it is valid for the current user session -- The credentials are cleaned up when the WiFi or VPN connection is disconnected +- The credentials are cleaned up when the Wi-Fi or VPN connection is disconnected > [!NOTE] -> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager. +> In Windows 10, version 21H2 and later, the *session credential* isn't visible in Credential Manager. For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations). diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 5b8c8be320..b79e1c9335 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -1,7 +1,7 @@ --- title: VPN authentication options description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. -ms.date: 06/20/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md index 9af27f73a3..eb532bf8d6 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md @@ -1,7 +1,7 @@ --- title: VPN auto-triggered profile options description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections. -ms.date: 05/24/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 85ac1b4e02..26738c946b 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -1,7 +1,7 @@ --- title: VPN and conditional access description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps. -ms.date: 05/23/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- @@ -17,10 +17,10 @@ Conditional Access Platform components used for Device Compliance include the fo - [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) - [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health) - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional) -- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. +- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued. -- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. +- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance - Password policy compliance @@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. +At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. Server-side infrastructure requirements to support VPN device compliance include: @@ -91,7 +91,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4) -## Related topics +## Related articles - [VPN technical guide](vpn-guide.md) - [VPN connection types](vpn-connection-type.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md index 686ae5380b..3f71587ce8 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md @@ -1,7 +1,7 @@ --- -title: VPN connection types (Windows 10 and Windows 11) +title: VPN connection types description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. -ms.date: 05/24/2022 +ms.date: 08/03/2023 ms.topic: conceptual --- @@ -16,6 +16,7 @@ There are many options for VPN clients. In Windows, the built-in plug-in and the ## Built-in VPN client Tunneling protocols: + - [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp). - [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). - [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10)) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md index 66e09e5a4c..cd91bd8540 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md @@ -1,7 +1,7 @@ --- title: Windows VPN technical guide description: Learn how to plan and configure Windows devices for your organization's VPN solution. -ms.date: 05/24/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md index 406f11946c..e727022c01 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md @@ -1,7 +1,7 @@ --- title: VPN name resolution description: Learn how name resolution works when using a VPN connection. -ms.date: 05/24/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md index 4ff6994bfc..5aae45f5c3 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md @@ -2,7 +2,7 @@ title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client ms.topic: article -ms.date: 05/24/2023 +ms.date: 08/03/2023 --- # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md index 5c344676b6..f7974cce7c 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md @@ -1,22 +1,22 @@ --- title: VPN profile options description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.date: 05/17/2018 +ms.date: 08/03/2023 ms.topic: conceptual --- # VPN profile options -Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). +Most of the VPN settings in Windows can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. VPN settings can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first. The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**. -| Profile setting | Can be configured in Intune and Configuration Manager | -| --- | --- | -| Connection type | Yes | +| Profile setting | Can be configured in Intune and Configuration Manager | +| --- | --- | +| Connection type | Yes | | Routing: split-tunnel routes | Yes, except exclusion routes | | Routing: forced-tunnel | Yes | | Authentication (EAP) | Yes, if connection type is built in | @@ -33,15 +33,14 @@ The following table lists the VPN settings and whether the setting can be config | Traffic filters | Yes | | Proxy settings | Yes, by PAC/WPAD file or server and port | -> [!NOTE] +> [!NOTE] > VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article. - ## Sample Native VPN profile -The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node. +The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node. ```xml diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md index 6931f683fd..85d884162a 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -ms.date: 05/24/2023 +ms.date: 08/03/2023 title: VPN routing decisions description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.topic: conceptual diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md index 4c7d2f87b4..c07cabae8d 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md @@ -1,7 +1,7 @@ --- title: VPN security features description: Learn about security features for VPN, including LockDown VPN and traffic filters. -ms.date: 05/24/2023 +ms.date: 08/03/2023 ms.topic: conceptual --- diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml index d16f3d1e5d..2b6feab9aa 100644 --- a/windows/security/operating-system-security/system-security/toc.yml +++ b/windows/security/operating-system-security/system-security/toc.yml @@ -9,6 +9,10 @@ items: href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - name: Cryptography and certificate management href: cryptography-certificate-mgmt.md +- name: Security policy settings + href: ../../threat-protection/security-policy-settings/security-policy-settings.md +- name: Security auditing + href: ../../threat-protection/auditing/security-auditing-overview.md - name: Windows Security settings href: windows-defender-security-center/windows-defender-security-center.md items: diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml index 9a34209d14..0741c7a555 100644 --- a/windows/security/security-foundations/toc.yml +++ b/windows/security/security-foundations/toc.yml @@ -3,7 +3,13 @@ items: href: index.md - name: Zero Trust and Windows href: zero-trust-windows-device-health.md -- name: Microsoft Security Development Lifecycle - href: msft-security-dev-lifecycle.md +- name: Offensive research + items: + - name: Microsoft Security Development Lifecycle + href: msft-security-dev-lifecycle.md + - name: OneFuzz service + href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + - name: Microsoft Windows Insider Preview bounty program 🔗 + href: https://www.microsoft.com/msrc/bounty-windows-insider-preview - name: Certification - href: certification/toc.yml + href: certification/toc.yml \ No newline at end of file diff --git a/windows/security/toc.yml b/windows/security/toc.yml index 4beeab15eb..74469d7972 100644 --- a/windows/security/toc.yml +++ b/windows/security/toc.yml @@ -1,11 +1,10 @@ items: -- name: Windows security - href: index.yml - expanded: true - name: Introduction to Windows security href: introduction.md - name: Security features licensing and edition requirements href: licensing-and-edition-requirements.md +- name: Security foundations + href: security-foundations/toc.yml - name: Hardware security href: hardware-security/toc.yml - name: Operating system security @@ -14,9 +13,7 @@ items: href: application-security/toc.yml - name: Identity protection href: identity-protection/toc.yml -- name: Windows Privacy 🔗 - href: /windows/privacy -- name: Security foundations - href: security-foundations/toc.yml - name: Cloud security - href: cloud-security/toc.yml \ No newline at end of file + href: cloud-security/toc.yml +- name: Windows Privacy 🔗 + href: /windows/privacy \ No newline at end of file