Wednesday, December 14, 2022

Device health attestation on Windows - Windows 11 zero trust docs


Embrace proactive security with Zero Trust



 

Many security risks can emerge during the boot process, because the boot process is the most privileged component of the whole system. Remote attestation is how that risk is assessed: devices can attest that the TPM is enabled and that the device hasn't been tampered with. Windows includes many security features to help protect users from malware and attacks.

However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. From the moment you power on your PC until your anti-malware starts, Windows is backed by the appropriate hardware configuration to help keep you safe.

Measured and Trusted Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. During each step of the boot process, such as a file load, an update of special variables, and more, information such as file hashes and signatures is measured into the TPM PCRs.

The measurements are bound by a Trusted Computing Group (TCG) specification that dictates which events can be recorded and the format of each event. The PCR values and the recorded event log together form the attestation evidence, which is then sent to the attestation service in the cloud to verify that the device is safe.

Microsoft Endpoint Manager integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.

The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.

The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
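The core check an attestation service performs on the evidence described above is a replay: starting from all-zero PCRs, it extends every digest from the event log in order and compares the result with the PCR values the TPM quoted; only if the log reproduces the quote can the log's events be used to derive claims such as "Secure Boot was on". The block below is an added example, not code from the Microsoft documentation or from Azure Attestation; the event types, digests, PCR assignments and policy predicates are all constructed for illustration (a real TCG log uses numeric event-type codes and binary structures, and a real quote is signed by the TPM's attestation key).

```python
import hashlib
from dataclasses import dataclass

# Added example (not from the Microsoft documentation): a minimal replay of
# TPM PCR extension over a constructed TCG-style event log, the check an
# attestation service performs before it trusts anything the log says.
# All event digests below are constructed sample values, not real measurements.

PCR_COUNT = 24
DIGEST_LEN = 32  # SHA-256 bank


@dataclass(frozen=True)
class Event:
    pcr: int          # PCR index the event was extended into
    event_type: str   # descriptive label (constructed; real logs use TCG type codes)
    digest: bytes     # SHA-256 digest of the measured object


def extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: new = H(current || digest)."""
    return hashlib.sha256(current + digest).digest()


def replay(events):
    """Replay every event into a fresh set of all-zero PCRs; returns {pcr: value}."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    for ev in events:
        if not 0 <= ev.pcr < PCR_COUNT or len(ev.digest) != DIGEST_LEN:
            raise ValueError(f"malformed event: {ev}")
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], ev.digest)
    return pcrs


def verify_log(events, quoted_pcrs):
    """Compare replayed values with the PCR values the TPM quoted.
    Returns (ok, sorted list of mismatching PCR indices)."""
    replayed = replay(events)
    mismatched = sorted(i for i, v in quoted_pcrs.items() if replayed[i] != v)
    return (not mismatched, mismatched)


def build_report(events, quoted_pcrs, policy):
    """Produce an attestation-style report: log integrity first, then policy claims.
    `policy` maps a claim name to a predicate over the event list (constructed)."""
    ok, mismatched = verify_log(events, quoted_pcrs)
    report = {"log_matches_quote": ok, "mismatched_pcrs": mismatched}
    # A claim is only meaningful if the log it was derived from is genuine.
    for name, predicate in policy.items():
        report[name] = ok and predicate(events)
    report["trusted"] = ok and all(report[n] for n in policy)
    return report


def d(label: str) -> bytes:
    # Constructed digest standing in for the hash of a real file or variable.
    return hashlib.sha256(label.encode()).digest()


# Constructed sample event log, loosely following the order Windows measures things.
SAMPLE_LOG = [
    Event(0, "EV_S_CRTM_VERSION", d("firmware-1.0")),
    Event(7, "EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot=1", d("SecureBoot=1")),
    Event(4, "EV_EFI_BOOT_SERVICES_APPLICATION:bootmgfw.efi", d("bootmgfw.efi")),
    Event(11, "EV_EVENT_TAG:winload", d("winload.efi")),
    Event(12, "EV_EVENT_TAG:elam-driver", d("elam-driver")),
]

# Constructed policy: claims the service derives once log integrity is established.
SAMPLE_POLICY = {
    "secure_boot_enabled": lambda evs: any("SecureBoot=1" in e.event_type for e in evs),
    "elam_driver_loaded": lambda evs: any(e.pcr == 12 and "elam" in e.event_type for e in evs),
}


def demo():
    quoted = replay(SAMPLE_LOG)  # what a genuine TPM quote of this boot would report
    good = build_report(SAMPLE_LOG, quoted, SAMPLE_POLICY)
    # Modified log: one entry is rewritten after the fact, but the PCR the TPM
    # already extended cannot be rewound, so the replay no longer matches PCR 4.
    modified = list(SAMPLE_LOG)
    modified[2] = Event(4, "EV_EFI_BOOT_SERVICES_APPLICATION:bootmgfw.efi", d("other-bootmgr"))
    bad = build_report(modified, quoted, SAMPLE_POLICY)
    return good, bad


if __name__ == "__main__":
    genuine, modified = demo()
    print("genuine:", genuine)
    print("modified:", modified)
```

The point of ordering the report this way is that policy claims are derived from the log, not from the PCRs, so the log must be proven to reproduce the quoted PCRs before any claim is evaluated; a mismatch on even one PCR makes the whole report untrusted rather than just the claims that touch that PCR.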

This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete. This article assumes you have already configured cloud identity. If you need guidance for this objective, see Deploy your identity infrastructure for Microsoft. The first step is to build your Zero Trust foundation by configuring identity and device access protection.

Go to Zero Trust identity and device access protection for prescriptive guidance to accomplish this. This series of articles describes a set of identity and device access prerequisite configurations and a set of Azure Active Directory (Azure AD) Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

Start by implementing the starting-point tier. These policies do not require enrolling devices into management.

Next, enroll your devices into management and begin protecting them with more sophisticated controls. Go to Manage devices with Intune for prescriptive guidance to accomplish this. With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices.

Return to Common identity and device access policies and add the policies in the Enterprise tier. Microsoft Defender is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft environment, including endpoints, email, applications, and identities.

Go to Evaluate and pilot Microsoft Defender for a methodical guide to piloting and deploying Microsoft Defender components. Implement Microsoft Purview Information Protection to help you discover, classify, and protect sensitive information wherever it lives or travels. Microsoft Purview Information Protection capabilities are included with Microsoft Purview and give you the tools to know your data, protect your data, and prevent data loss. While this work is represented at the top of the deployment stack illustrated earlier in this article, you can begin this work anytime.

Microsoft Purview Information Protection provides a framework, process, and capabilities you can use to accomplish your specific business objectives. For more information on how to plan and deploy information protection, see Deploy a Microsoft Purview Information Protection solution. If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: Deploy information protection for data privacy regulations with Microsoft.


Zero Trust Model - Modern Security Architecture | Microsoft Security



These devices combine hardware, software, and OS protections to help provide end-to-end safeguards against sophisticated and emerging threats, such as attacks on hardware and firmware, which are on the rise according to the National Institute of Standards and Technology and the Department of Homeland Security. Security posture assessment and productivity optimization are necessary to measure the telemetry throughout the services and systems. Organizations are moving to more holistic systems of verification to manage the enterprise and to combat threats differently. Minimize blast radius and segment access. In addition, for many enterprise customers, /21156.txt help facilitate Zero Trust security by providing a secure element for attesting to the health of devices. Get tips and watch demos of the tools for implementing the Zero Trust security model for identity and access management.

Figure 1.

