From fd28f59c93faccd37380c240724446b84813f1de Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 18 Apr 2024 11:05:45 -0400
Subject: [PATCH] updates
---
windows/security/book/index.md | 28 +---
.../book/operating-system-security.md | 142 +++++++-----------
2 files changed, 60 insertions(+), 110 deletions(-)
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index c866423967..ea2b1c75dd 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -15,25 +15,25 @@ Emerging technologies and evolving business trends bring new opportunities and c
To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
-In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](#footnote1). [1](conclusion.md#footnote1)
+In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](conclusion.md#footnote1).
-At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](#footnote2).
+At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](conclusion.md#footnote2).
Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
-To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance [\[3\]](#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](#footnote4).
+To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance [\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](conclusion.md#footnote4).
## Security priorities and benefits
### Security by design and security by default
-Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](#footnote5).
+Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](conclusion.md#footnote5).
-In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](#footnote6), token protection [\[6\]](#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](#footnote7) are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
+In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](conclusion.md#footnote6), token protection [\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
### Protect employees against evolving threats
-With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](#footnote5).
+With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](conclusion.md#footnote5).
### Gain mission-critical application safeguards
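Review bot: Every footnote link in this hunk is retargeted from a local `#footnoteN` anchor to `conclusion.md#footnoteN`, but the diffstat at the top of the patch shows only index.md and operating-system-security.md changing, so nothing here creates `footnote1` through `footnote8` in conclusion.md. Please confirm those anchors already exist there with the same numbering as the list this patch deletes from index.md; otherwise every citation on this page becomes a dead link. The removal of the stray duplicate `[1](conclusion.md#footnote1)` at the end of the first paragraph is correct. One thing to double-check in the fourth paragraph: "Win32 apps in isolation" and "token protection" both cite `[6]` ("Requires developer enablement"); if that is intended for both, fine, but it looks like it may have been a copy of the first citation.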
@@ -41,7 +41,7 @@ Help keep business data secure and employees productive with robust safeguards a
### End-to-end protection with modern management
-Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% [\[8\]](#footnote8).
+Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% [\[8\]](conclusion.md#footnote8).
## Security by design and default
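Review bot: Only the link target changes in this hunk, consistent with the rest of the patch. Since the sentence is being touched anyway, the phrase "modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID" lists an identity service as an MDM solution; consider "Microsoft Intune, together with Microsoft Entra ID" or similar so the claim stays accurate.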
@@ -55,17 +55,3 @@ In Windows 11, hardware and software work together to protect sensitive data fro
> [!div class="nextstepaction"]
> [Chapter 1: Hardware security >](hardware-security.md)
-
-
-
----
-
-1 "2023 Data Breach Investigations Report" - Verizon, 2023.\
-2 "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
-3 Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
-4 Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
-5 Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
-6 Requires developer enablement.\
-7 Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
-8 Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
-9 Sold separately.
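Review bot: This hunk deletes the entire nine-entry footnote list from index.md, including entry 8's methodology note for the Forrester study and entry 9 ("Sold separately."), which the operating-system-security.md hunks in this same patch now cite as `[9]`. Because conclusion.md is not part of this patch, please verify that its list reproduces all nine entries verbatim, the entry 8 caveat included, and that `footnote9` resolves there; the three blank lines and the `---` rule being removed with the list are fine.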
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index 5d82cc2bd9..7e4bd6f47a 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -80,13 +80,13 @@ The digital signature is evaluated across the Windows environment on Windows boo
### Device health attestation
The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. These
-determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune[\[1\]](#footnote1) reviews device health and connects this information with Microsoft Entra ID[\[1\]](#footnote1) for conditional access.
+determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune[\[9\]](conclusion.md#footnote9) reviews device health and connects this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) for conditional access.
Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and is not tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
-- During each step of the boot process—such as a file load, update of special variables, and more—information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
+- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Microsoft Azure Attestation Service
- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
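Review bot: The Intune and Entra ID citations move from the file-local `[1]` to the shared `[9]` ("Sold separately."), which matches what index.md defines, but this file presumably had its own footnote list backing the old `#footnote1` anchors, and nothing in the visible hunks removes it; check that the local list is deleted in the part of the patch not shown here so no orphaned `#footnote1` definitions remain. The em dashes replaced with spaced hyphens in the first bullet match the same change at the email encryption and WPA3 hunks. Minor: the first bullet still ends without a period while the last bullet of the list ends with one; pick one style while reflowing.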
@@ -112,8 +112,9 @@ All auditing categories are disabled when Windows is first installed. Before ena
1. Test these settings to validate your choices.
1. Develop plans for deploying and managing your audit policy.
-Learn more:
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+-
- Security policy settings
- Security auditing
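Review bot: The added line consisting only of `-` directly under the new "Learn more:" heading will render as an empty list item; drop it so the list starts at "Security policy settings". Also, unlike the other "Learn more" blocks touched in this patch (attack surface reduction, tamper protection), these two items are plain text rather than links; consider linking them to the corresponding security-policy-settings and security-auditing pages while the block is being reformatted.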
@@ -129,7 +130,7 @@ With Assigned Access, Windows devices restrict functionality to pre-selected app
With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT.
-By contrast, with an MDM solution like Microsoft Intune[\[1\]](#footnote1), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
+By contrast, with an MDM solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM.
@@ -139,7 +140,7 @@ Config Refresh can also be *paused* for a configurable period of time, after whi
Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
-Learn more:
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security settings](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
@@ -159,7 +160,7 @@ When people travel with their PCs, their confidential information travels with t
### BitLocker
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[1\]](#footnote1) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[2\]](#footnote2)> using a configuration service provider (CSP)[\[1\]](#footnote1). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
+BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[6\]](conclusion.md#footnote6)> using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
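Review bot: Two problems in the rewritten BitLocker paragraph. First, `Microsoft Intune[\[6\]](conclusion.md#footnote6)` points Intune at footnote 6 ("Requires developer enablement"), while every other Intune citation in this patch uses `[9]` ("Sold separately."); this should be `[\[9\]](conclusion.md#footnote9)`. Second, the stray `>` immediately after that link, carried over from the old line, will render as literal text; remove it.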
@@ -213,7 +214,7 @@ PDE requires Microsoft Entra ID.
### Email encryption
-Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID)—also called a certificate—can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
+Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
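Review bot: The em dashes are replaced with spaced hyphens, but the bare `10` fused onto "can read them.10" survives the rewrite. It reads as a leftover footnote marker, and no footnote 10 exists in the list this patch consolidates (entries run 1 through 9); either convert it to a proper `[\[N\]](conclusion.md#footnoteN)` link against whichever entry it belongs to, or delete it.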
@@ -253,7 +254,7 @@ Customers using TLS 1.3 (or Windows components that support it, including HTTP.S
Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
-Learn more:
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
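Review bot: The "Learn more" heading change is fine, but two things in the surrounding context deserve attention while this block is open. The second link carries an email-campaign tracking path (`/bc-p/3894928/emcs_t/...`); link the canonical blog post URL instead. And the preceding paragraph still says the TLS 1.0/1.1 change "will come to Windows Insider Preview in September 2023", which is stale for a patch dated April 2024; update the tense or the date.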
@@ -272,13 +273,13 @@ Support for DNS encryption integrates with existing Windows DNS configurations s
The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
-IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[1\]](#footnote1). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
### Securing Wi-Fi connections
Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
-The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes—WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
+The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
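Review bot: The citation retarget to `[9]` is consistent with the other Intune references. In the WPA3 sentence, the em dash introduced an enumeration ("three WPA3 modes: WPA3 Personal, ..."); a spaced hyphen is a weak substitute there, so a colon would read better than the `-` this hunk inserts.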
@@ -306,7 +307,7 @@ ports, or program paths. This functionality increases manageability and decrease
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
-Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[1\]](#footnote1), leveraging the platform
+Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[9\]](conclusion.md#footnote9), leveraging the platform
support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
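Review bot: The citation changes to `[9]`, but the sentence is still hard-wrapped mid-clause ("leveraging the platform" / "support from the Firewall configuration service provider"). The later hunks in this patch reflow such paragraphs onto a single line; do the same here so the source matches the rest of the file.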
@@ -321,7 +322,7 @@ consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app for more control.
-The Windows VPN platform connects to Microsoft Entra ID[\[1\]](#footnote1) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+The Windows VPN platform connects to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
@@ -377,7 +378,7 @@ SmartScreen also determines whether a downloaded app or app installer is potenti
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
-With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[1\]](#footnote1). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune[\[9\]](conclusion.md#footnote9). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
@@ -412,107 +413,70 @@ network, and firewall.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-- Attack surface reduction
+- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide)
### Tamper protection
-Attacks like ransomware attempt to disable security features, such as anti-virus protection.
-Bad actors like to disable security features to get easier access to user's data, to install
-malware, or otherwise exploit user's data, identity, and devices without fear of being blocked.
-Tamper protection helps prevent these kinds of activities.
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
With tamper protection, malware is prevented from taking actions such as:
-* Disabling real-time protection.
-* Turning off behavior monitoring.
-* Disabling antivirus (such as IOfficeAntivirus (IOAV)).
-* Disabling cloud-delivered protection.
-* Removing security intelligence updates.
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus, such as IOfficeAntivirus (IOAV)
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-- Tamper protection
+- [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
### Exploit protection
-Exploit protection automatically applies several exploit mitigation techniques to operating
-system processes and apps. Exploit protection works best with Microsoft Defender for
-Endpoint[\[1\]](#footnote1), which gives organizations detailed reporting into exploit protection events and
-blocks as part of typical alert investigation scenarios. You can enable exploit protection on
-an individual device and then use Group Policy in Active Directory or Microsoft Intune[\[1\]](#footnote1) to
-distribute the configuration XML file to multiple devices simultaneously.
-When a mitigation is encountered on the device, a notification will be displayed from the
-Action Center. You can customize the notification with your company details and contact
-information. You can also enable the rules individually to customize which techniques the
-feature monitors.
-You can use audit mode to evaluate how exploit protection would impact your organization if
-it were enabled.
-Windows 11 provides configuration options for exploit protection. You can prevent users
-from modifying these specific options with Group Policy.
+Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9), which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune[\[9\]](conclusion.md#footnote9) to distribute the configuration XML file to multiple devices simultaneously.
+
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
+
+You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
+
+Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-- Protecting devices from exploits
+- [Protecting devices from exploits](/microsoft-365/security/defender-endpoint/enable-exploit-protection)
### Controlled folder access
-You can protect your valuable information in specific folders by managing app access to
-them. Only trusted apps can access protected folders, which are specified when controlled
-folder access is configured. Typically, commonly used folders, such as those used for
-documents, pictures, and downloads, are included in the list of controlled folders.
-Controlled folder access works with a list of trusted apps. Apps that are included in the
-list of trusted software work as expected. Apps that are not included in the trusted list are
-prevented from making any changes to files inside protected folders.
-Controlled folder access helps protect user's valuable data from malicious apps and threats
-such as ransomware.
+You can protect your valuable information in specific folders by managing app access tob them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
+
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
+
+Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-- Controlled folder access
+- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
### Microsoft Defender for Endpoint
-Microsoft Defender for Endpoint[\[1\]](#footnote1) is an enterprise endpoint detection and response solution
-that helps security teams detect, investigate, and respond to advanced threats.
-Organizations can use the rich event data and attack insights Defender for Endpoint provides
-to investigate incidents. Defender for Endpoint brings together the following elements to
-provide a more complete picture of security incidents:
-* Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process
-behavioral signals from the operating system and send this sensor data to your private,
-isolated cloud instance of Microsoft Defender for Endpoint.
-* Cloud security analytics: Behavioral signals are translated into insights, detections, and
-recommended responses to advanced threats. These analytics leverage big data, device
-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud
-products such as Microsoft 365[\[1\]](#footnote1), and online assets.
-* Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours,
-yielding a deep and broad view into the evolving threat landscape. Combined with our
-global team of security experts and cutting-edge artificial intelligence and machine learning,
-we can see threats that others miss. This threat intelligence helps provide unparalleled
-protection for our customers. The protections built into our platforms and products blocked
-attacks that include 31 billion identity threats and 32 billion email threats.
-* Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate,
-remediate, and remote into machines to further investigate and stop active threats in their
-environment, as well as block files, network destinations, and create alerts for them. In
-addition, Automated Investigation and Remediation can help reduce the load on the SOC
-by automatically performing otherwise manual steps towards remediation and providing
-detailed investigation outcomes.
-Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native
-extended detection and response (XDR) solution that combines best-of-breed endpoint,
-email, and identity security products. It enables organizations to prevent, detect, investigate,
-and remediate attacks by delivering deep visibility, granular context, and actionable insights
-generated from raw signals harnessed across the Microsoft 365 environment and other
-platforms, all synthesized into a single dashboard. This solution offers tremendous value to
-organizations of any size, especially those that are looking to break away from the added
-complexity of multiple point solutions, keeping them protected from sophisticated attacks
-and saving IT and security teams' time and resources.
+Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9) is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats.
+
+Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[9\]](conclusion.md#footnote9), and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked
+attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
+
+Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-- Microsoft Defender for Endpoint
-- Microsoft 365 Defender
+- [Microsoft Defender for Endpoint](/security/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender])(/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)
> [!div class="nextstepaction"]
> [Chapter 3: Application security >](application-security.md)
-
----
-
-1 Sold separately.\
-2 Requires developer enablement.
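Review bot: the new Microsoft 365 Defender learn-more link is broken: `- [Microsoft 365 Defender])(/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)` has a stray `)` between `]` and `(`, so Markdown renders it as literal text instead of a link; it should read `- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)`. Two smaller points in the same hunk: the controlled folder access paragraph introduces a typo, `managing app access tob them` (should be `to them`), and the rewrap is incomplete, since three unchanged context lines (`attacks that include 31 billion identity threats...`, `detailed investigation outcomes`, `platforms, all synthesized into a single dashboard...`) are still hard-wrapped mid-sentence and should be joined into the `+` lines above them so the Defender for Endpoint bullets and the XDR paragraph match the single-line paragraphs elsewhere in the change. The removed footer also drops footnote 2 (`Requires developer enablement`), which is not re-pointed at conclusion.md anywhere in this hunk; grep the file for any remaining `[\[2\]]` markers before merging. Finally, the learn-more paths are inconsistent (`/security/defender-endpoint/microsoft-defender-endpoint` versus `/microsoft-365/security/defender-endpoint/...` for the other Defender links, and `?view=o365-worldwide` on some links but not others); settle on one form so the links do not rot independently.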