Device Protection
Windows 10 and Windows 11 devices include several security features that administrators should consider during their device planning phase. In order to secure devices, you’ll want to evaluate both built-in technologies as well as components from the full Microsoft Defender suite.
To fully protect devices, consider the following components:

- Windows Hello for Business: This component replaces passwords with strong Two-Factor Authentication (2FA) on PCs and mobile devices using a device-specific PIN or biometric credentials that can’t be captured or replayed on other devices.
- Credential Guard: This component is responsible for isolating secrets that are used throughout the machine to prevent unauthorized access.
- Windows Defender Application Control: This component allows only authorized applications to run on users’ machines.
- BitLocker: This is whole-disk encryption, integrated with a device’s Trusted Platform Module (TPM) chip and the Windows 10 operating system.
- Windows Information Protection (WIP): Previously known as Enterprise Data Protection (EDP), WIP protects against data leakage by separating personal and corporate data.
- Microsoft Defender for Endpoint (MDE): In addition to advanced antivirus capabilities, MDE can also apply corporate restrictions such as locking down USB devices and providing URL filtering. MDE can also protect Windows 7, Windows 8.1, Windows Server, and macOS.
Note
You can find more information on MDE at https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint. You can read about the Windows security features at https://learn.microsoft.com/en-us/windows/security/.
You should plan on implementing some level of endpoint device protection and compliance checks as part of a zero-trust policy.
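As an added example (not from the book), the following read-only PowerShell check reports whether the components listed above are actually active on a Windows 10/11 device, which is the kind of local compliance check a zero-trust policy needs. It assumes an elevated session with the built-in BitLocker, TPM and Defender modules available; Windows Hello for Business and WIP have no simple local status query and are left out.

```powershell
# Added example: local device-protection compliance check (not the book's code).
# Run elevated on Windows 10/11. Read-only; nothing is changed on the device.

function Get-DeviceProtectionStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM: BitLocker key protection and Windows Hello for Business rely on it.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresentAndReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # BitLocker: the OS volume must be fully encrypted with protection turned on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerOsVolume = [bool]($os -and $os.ProtectionStatus -eq 'On' -and
                                        $os.VolumeStatus -eq 'FullyEncrypted')

    # Credential Guard and WDAC are reported through the DeviceGuard CIM class.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $result.WdacEnforced = [bool]($dg -and $dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Defender antivirus real-time protection and the MDE sensor service ("Sense").
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.DefenderRealTimeProtection = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.MdeSensorRunning = [bool]($sense -and $sense.Status -eq 'Running')

    # Overall verdict: every individual check must pass to count as compliant.
    $result.Compliant = -not ($result.Values -contains $false)
    [pscustomobject]$result
}

# Print the findings; a non-zero exit code lets a scheduled task flag drift.
$status = Get-DeviceProtectionStatus
$status | Format-List
if (-not $status.Compliant) { exit 1 }
```

A device that fails any line here should be treated as non-compliant by the conditional-access or management policy rather than trusted on the strength of the OS version alone.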