From 8f22f3ab905cc709147536882b150db5879e4f4a Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 11 Dec 2024 08:17:16 -0500
Subject: [PATCH 1/3] split to includes
---
...lication-security-application-isolation.md | 90 ++-----------------
.../security/book/includes/app-containers.md | 17 ++++
.../virtualization-based-security-enclaves.md | 17 ++++
.../book/includes/win32-app-isolation.md | 41 +++++++++
.../security/book/includes/windows-sandbox.md | 17 ++++
.../includes/windows-subsystem-for-linux.md | 35 ++++++++
6 files changed, 132 insertions(+), 85 deletions(-)
create mode 100644 windows/security/book/includes/app-containers.md
create mode 100644 windows/security/book/includes/virtualization-based-security-enclaves.md
create mode 100644 windows/security/book/includes/win32-app-isolation.md
create mode 100644 windows/security/book/includes/windows-sandbox.md
create mode 100644 windows/security/book/includes/windows-subsystem-for-linux.md
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 67465c5c5e3..d6ee4be861a 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -9,92 +9,12 @@ ms.date: 11/18/2024
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Win32 app isolation
+[!INCLUDE [win32-app-isolation](includes/win32-app-isolation.md)]
-Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
+[!INCLUDE [app-containers](includes/app-containers.md)]
-Win32 app isolation follows a two-step process:
+[!INCLUDE [windows-sandbox](includes/windows-sandbox.md)]
-- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
-- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
+[!INCLUDE [windows-subsystem-for-linux](includes/windows-subsystem-for-linux.md)]
-To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
-
-To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
-
-- Approaches for accessing data and privacy information
-- Integrating Win32 apps for compatibility with other Windows interfaces
-
-The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Win32 app isolation overview][LINK-4]
-- [Application Capability Profiler (ACP)][LINK-5]
-- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
-- [Sandboxing Python with Win32 app isolation][LINK-7]
-
-## App containers
-
-In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
-
-Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows and app container][LINK-8]
-
-## Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
-
-Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Windows Sandbox][LINK-9]
-
-## Windows Subsystem for Linux (WSL)
-
-With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
-
-[!INCLUDE [new-24h2](includes/new-24h2.md)]
-
-- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
-- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
-- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
-
-These features can be set up using a device management solution such as Microsoft Intune[\[7\]](conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Hyper-V Firewall][LINK-10]
-- [DNS Tunneling][LINK-11]
-- [Auto proxy][LINK-12]
-- [Intune setting for WSL][LINK-13]
-- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
-
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
-
-A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Virtualization-based security enclave][LINK-15]
-
-
-
-[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
-[LINK-2]: /windows/win32/secauthz/access-control-lists
-[LINK-4]: /windows/win32/secauthz/app-isolation-overview
-[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
-[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
-[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
-[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations
-[LINK-9]: /windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
-[LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
-[LINK-11]: /windows/wsl/networking#dns-tunneling
-[LINK-12]: /windows/wsl/networking#auto-proxy
-[LINK-13]: /windows/wsl/intune
-[LINK-14]: /defender-endpoint/mde-plugin-wsl
-[LINK-15]: /windows/win32/trusted-execution/vbs-enclaves
+[!INCLUDE [virtualization-based-security-enclaves](includes/virtualization-based-security-enclaves.md)]
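Review bot: the front matter `ms.date: 11/18/2024` shown in the hunk header context is left unchanged even though this commit replaces the entire body of the page with includes; bump it in this commit rather than leaving it to the follow-up, so a reader of this change alone does not see a restructured page carrying a stale date. The include order (win32-app-isolation, app-containers, windows-sandbox, windows-subsystem-for-linux, virtualization-based-security-enclaves) matches the order of the removed sections, so no content is reordered by the move.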
diff --git a/windows/security/book/includes/app-containers.md b/windows/security/book/includes/app-containers.md
new file mode 100644
index 00000000000..32e39cdd352
--- /dev/null
+++ b/windows/security/book/includes/app-containers.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## App containers
+
+In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
+
+Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
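Review bot: the opening sentence `In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers...` depends on the Windows Sandbox section being adjacent, which an include can no longer assume once it is reusable on its own; in the including page this section is also placed before the Windows Sandbox include, so the reference now points forward. Reword it to stand alone, for example `Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*`. The learn-more link also carries a `?source=recommendations` tracking query string that should be dropped, and the AppContainer implementation page referenced as LINK-1 in the win32-app-isolation include (`/windows/win32/secauthz/implementing-an-appcontainer`) is a closer match for this section than the Windows App SDK feature mapping table.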
diff --git a/windows/security/book/includes/virtualization-based-security-enclaves.md b/windows/security/book/includes/virtualization-based-security-enclaves.md
new file mode 100644
index 00000000000..238c1d1681c
--- /dev/null
+++ b/windows/security/book/includes/virtualization-based-security-enclaves.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
+
+A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks.
+
+VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves)
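Review bot: the availability statement changes substance, from `VBS enclaves are available on Windows 10 onwards on both x64 and ARM64` in the removed text to `VBS enclaves are available starting in Windows 11, version 24H2, and Windows Server 2025 on both x64 and ARM64` here, inside a commit whose subject is `split to includes`. Either call the correction out in the commit message or move it to its own commit so the wording change is reviewable on its own and is not lost in a file move.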
diff --git a/windows/security/book/includes/win32-app-isolation.md b/windows/security/book/includes/win32-app-isolation.md
new file mode 100644
index 00000000000..88ab8625b06
--- /dev/null
+++ b/windows/security/book/includes/win32-app-isolation.md
@@ -0,0 +1,41 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Win32 app isolation
+
+Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
+
+Win32 app isolation follows a two-step process:
+
+- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
+- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
+
+To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
+
+To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
+
+- Approaches for accessing data and privacy information
+- Integrating Win32 apps for compatibility with other Windows interfaces
+
+The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Win32 app isolation overview][LINK-4]
+- [Application Capability Profiler (ACP)][LINK-5]
+- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
+- [Sandboxing Python with Win32 app isolation][LINK-7]
+
+
+
+[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
+[LINK-2]: /windows/win32/secauthz/access-control-lists
+[LINK-4]: /windows/win32/secauthz/app-isolation-overview
+[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
+[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
+[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
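Review bot: three wording defects carried over from the original text are worth fixing while the section is being moved: `To help ensuring that isolated applications run smoothly` should read `To help ensure that isolated applications run smoothly`; `These capabilities enable the implantation of a [Discretionary Access Control List]` should read `implementation`; and `*Securable objects* in this context refers to` should be `refer to` (plural subject). The reference labels also jump from LINK-2 to LINK-4; harmless, but renumbering avoids the appearance of a dropped link.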
diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md
new file mode 100644
index 00000000000..8e2f55f7473
--- /dev/null
+++ b/windows/security/book/includes/windows-sandbox.md
@@ -0,0 +1,17 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
+
+Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
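Review bot: the two sentences in the second paragraph disagree on when state is discarded: `Once Windows Sandbox is closed, nothing persists on the device` versus `permanently deleted after the untrusted Win32 application is closed`. The sandbox lifetime, not the application's, governs the deletion, so the second sentence should say `after Windows Sandbox is closed`.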
diff --git a/windows/security/book/includes/windows-subsystem-for-linux.md b/windows/security/book/includes/windows-subsystem-for-linux.md
new file mode 100644
index 00000000000..957410b0fbb
--- /dev/null
+++ b/windows/security/book/includes/windows-subsystem-for-linux.md
@@ -0,0 +1,35 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Windows Subsystem for Linux (WSL)
+
+With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
+
+[!INCLUDE [new-24h2](new-24h2.md)]
+
+- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
+- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
+- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
+
+These features can be set up using a device management solution such as Microsoft Intune[\[7\]](../conclusion.md#footnote7). Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Hyper-V Firewall][LINK-1]
+- [DNS Tunneling][LINK-2]
+- [Auto proxy][LINK-3]
+- [Intune setting for WSL][LINK-4]
+- [Microsoft Defender for Endpoint plug-in for WSL][LINK-5]
+
+
+
+[LINK-1]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
+[LINK-2]: /windows/wsl/networking#dns-tunneling
+[LINK-3]: /windows/wsl/networking#auto-proxy
+[LINK-4]: /windows/wsl/intune
+[LINK-5]: /defender-endpoint/mde-plugin-wsl
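Review bot: this include defines reference labels LINK-1 through LINK-5, and the win32-app-isolation include in the same series defines LINK-1, LINK-2, LINK-4 and LINK-5 with different targets; both expand into application-security-application-isolation.md, so verify that the build resolves each include's references against its own definitions rather than the first matching definition in the assembled page. The other three includes in this series use inline links, and converting these two to inline links removes the question entirely. Wording: `enforces WSL to use Windows' HTTP proxy information` should be `forces WSL to use`, and `Turn on when using a proxy on Windows` is a fragment better written as `Turn it on when using a proxy on Windows`.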
From 1ba88a65b743b61caa241dbfb8d82ed03e826dec Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:07:03 -0500
Subject: [PATCH 2/3] Application Security chapter
---
...security-application-and-driver-control.md | 71 ++-----------------
...lication-security-application-isolation.md | 4 +-
windows/security/book/application-security.md | 2 +-
.../book/includes/administrator-protection.md | 18 +++++
.../book/includes/app-control-for-business.md | 20 ++++++
.../microsoft-vulnerable-driver-blocklist.md | 15 ++++
.../book/includes/smart-app-control.md | 23 ++++++
.../security/book/includes/trusted-signing.md | 15 ++++
8 files changed, 101 insertions(+), 67 deletions(-)
create mode 100644 windows/security/book/includes/administrator-protection.md
create mode 100644 windows/security/book/includes/app-control-for-business.md
create mode 100644 windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
create mode 100644 windows/security/book/includes/smart-app-control.md
create mode 100644 windows/security/book/includes/trusted-signing.md
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 9efc2c0f96d..d69dbb0445d 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -1,77 +1,20 @@
---
-title: Windows 11 security book - Application and driver control
+title: Windows 11 Security Book - Application And Driver Control
description: Application and driver control.
ms.topic: overview
-ms.date: 11/18/2024
+ms.date: 12/11/2024
---
# Application and driver control
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
-Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
-capabilities to build in security from the ground up to protect against breaches and malware.
+[!INCLUDE [smart-app-control](includes/smart-app-control.md)]
-## Smart App Control
+[!INCLUDE [app-control-for-business](includes/app-control-for-business.md)]
-Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
+[!INCLUDE [administrator-protection](includes/administrator-protection.md)]
-Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
+[!INCLUDE [microsoft-vulnerable-driver-blocklist](includes/microsoft-vulnerable-driver-blocklist.md)]
-We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
-
-To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
-
-Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Smart App Control][LINK-1]
-
-## App Control for Business
-
-Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
-
-App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
-
-Microsoft Intune[\[4\]](conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Application Control for Windows][LINK-2]
-- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
-
-## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection
-
-When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
-
-Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
-
-When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
-
-> [!NOTE]
-> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5].
-
-## Microsoft vulnerable driver blocklist
-
-The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [Microsoft recommended driver block rules][LINK-4]
-
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
-
-Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
-
-[!INCLUDE [learn-more](includes/learn-more.md)]
-
-- [What is Trusted Signing](/azure/trusted-signing/overview)
-
-
-
-[LINK-1]: /windows/apps/develop/smart-app-control/overview
-[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
-[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
-[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
-[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works
+[!INCLUDE [trusted-signing](includes/trusted-signing.md)]
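Review bot: the introductory paragraph `Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data...` is deleted and not moved into any include in this series, so the page now opens directly with the Smart App Control section; if dropping it is intentional, say so in the commit message, otherwise keep it on the page above the first include. The new title `Windows 11 Security Book - Application And Driver Control` capitalizes `And`, which is unusual even in title case; the other two title changes in this patch follow the same pattern, so check it against the house style before applying it across the book.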
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index d6ee4be861a..00bf51928f0 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -1,8 +1,8 @@
---
-title: Windows 11 security book - Application isolation
+title: Windows 11 Security Book - Application Isolation
description: Application isolation.
ms.topic: overview
-ms.date: 11/18/2024
+ms.date: 12/11/2024
---
# Application isolation
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index da054a7d5da..7270a503143 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -1,5 +1,5 @@
---
-title: Windows 11 security book - Application security
+title: Windows 11 Security Book - Application Security
description: Application security chapter.
ms.topic: overview
ms.date: 11/18/2024
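Review bot: `ms.date: 11/18/2024` is left in place here while the two sibling pages in this patch bump theirs to `12/11/2024` alongside the same title change; either bump it for consistency or leave all three dates alone, since a title-only edit is a weak reason to refresh the date.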
diff --git a/windows/security/book/includes/administrator-protection.md b/windows/security/book/includes/administrator-protection.md
new file mode 100644
index 00000000000..e993800f319
--- /dev/null
+++ b/windows/security/book/includes/administrator-protection.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="../images/soon-button-title.svg" border="false"::: Administrator protection
+
+When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
+
+Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
+
+When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
+
+> [!NOTE]
+> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/how-user-account-control-works).
\ No newline at end of file
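Review bot: `\ No newline at end of file` on the last line; the other new includes in this series end with a newline, so add one here to keep future diffs clean. The `> [!NOTE]` block states the feature `is currently in preview`, which is time-sensitive text that is easy to forget once it lives in an include reused by other pages; worth a tracking item to revisit when the preview ends.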
diff --git a/windows/security/book/includes/app-control-for-business.md b/windows/security/book/includes/app-control-for-business.md
new file mode 100644
index 00000000000..c6b63cb102b
--- /dev/null
+++ b/windows/security/book/includes/app-control-for-business.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## App Control for Business
+
+Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+
+App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+
+Microsoft Intune[\[4\]](..\conclusion.md#footnote4) can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
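Review bot: the footnote link `[\[4\]](..\conclusion.md#footnote4)` uses a backslash as the path separator, while the equivalent link in the windows-subsystem-for-linux include uses `../conclusion.md#footnote7`. Backslashes in markdown link targets are not portable and can fail to resolve on a non-Windows build agent, so change it to `../conclusion.md#footnote4`.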
diff --git a/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
new file mode 100644
index 00000000000..73ddeba96b4
--- /dev/null
+++ b/windows/security/book/includes/microsoft-vulnerable-driver-blocklist.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Microsoft vulnerable driver blocklist
+
+The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
\ No newline at end of file
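Review bot: the learn-more link still points at the legacy `/windows/security/threat-protection/windows-defender-application-control/...` path, while the App Control include in this same patch links under `/windows/security/application-security/application-control/...`; point this one at the current location of the driver block rules article so the include does not depend on a redirect. The file also lacks a trailing newline (`\ No newline at end of file`), unlike the other includes in the patch; add one for consistency and cleaner future diffs.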
diff --git a/windows/security/book/includes/smart-app-control.md b/windows/security/book/includes/smart-app-control.md
new file mode 100644
index 00000000000..9d3548d40f7
--- /dev/null
+++ b/windows/security/book/includes/smart-app-control.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## Smart App Control
+
+Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
+
+Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
+
+We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
+
+To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
+
+Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
\ No newline at end of file
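Review bot: this file is also missing its trailing newline; add one. On content, the two sentences an enterprise reader will act on are that Smart App Control is disabled on devices enrolled in enterprise management and that developers should sign every binary, so consider adding a link covering the managed-device behavior to the learn-more list rather than only the developer overview. Style: the file types in "exe, dll, temp installer files, and uninstallers" read better in the doc's code style as `.exe` and `.dll`.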
diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md
new file mode 100644
index 00000000000..a2323c20e8e
--- /dev/null
+++ b/windows/security/book/includes/trusted-signing.md
@@ -0,0 +1,15 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 12/11/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
+
+Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
+
+[!INCLUDE [learn-more](learn-more.md)]
+
+- [What is Trusted Signing](/azure/trusted-signing/overview)
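Review bot: the icon path `source="images/new-button-title.svg"` on the heading resolves relative to this include file, that is `includes/images/new-button-title.svg`; it should be `../images/new-button-title.svg`, which is exactly the correction patch 3/3 on this page makes. Fold that fix into this commit, and apply the same relative-path check to any other include created in this series that embeds the icon or links to a sibling article.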
From aafd52db5a26f31d8d2d61e8b0b6312dbbf0ff19 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 11 Dec 2024 11:48:08 -0500
Subject: [PATCH 3/3] updates
---
windows/security/book/includes/trusted-signing.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/book/includes/trusted-signing.md b/windows/security/book/includes/trusted-signing.md
index a2323c20e8e..123195a9cc3 100644
--- a/windows/security/book/includes/trusted-signing.md
+++ b/windows/security/book/includes/trusted-signing.md
@@ -6,7 +6,7 @@ ms.topic: include
ms.service: windows-client
---
-## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
+## :::image type="icon" source="../images/new-button-title.svg" border="false"::: Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
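Review bot: the change to `../images/new-button-title.svg` is correct for a file under `includes/`; before merging, grep the other new includes in this series for `source="images/` and for links written as `(..\` so the same relative-path fix lands in one change rather than a follow-up. A more descriptive subject than "updates" (for example "fix icon path in trusted-signing include") would also make the history explain why the path changed.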