Jump to content
Microsoft Windows Bulletin Board

All Activity

This stream auto-updates

  1. Past hour
  2. Windows Server
    Organizations today grapple with securing data across the various devices, platforms, and data sources that comprise their modern ecosystem. This challenge has become even more daunting as unsanctioned and unsupervised generative AI becomes more ubiquitous in the workplace, presenting a new frontier for sensitive data loss. In response, many teams have found themselves with fragmented solutions and processes that don’t enable data loss prevention at scale, and even cause an increased rate of data security incidents. Microsoft Purview Data Loss Prevention (DLP) offers today’s organizations a unified approach to securing data across their ever-evolving data estates. Purview DLP not only is built into the Microsoft 365 apps and desktop devices that you rely on every day, but also extends to the expanding range of data types and locations found across your environment – for example, .java files as developers write or edit source code, or .txt files as information workers take notes. Today, we are happy to announce over 25 new capabilities in Purview DLP as part of our continued commitment to helping organizations protect their business-critical data. In particular, we are investing in new ways to: Expand visibility & protection beyond Microsoft 365, such as inline discovery of sensitive data across the network, inline protection of sensitive data accessed in Microsoft Edge for Business, and new label-based protections for non-Microsoft file types. Simplify experiences for admins with policy sync dashboards and collection policies for more streamlined signal collection and classification. Enhance existing protections with expanded advanced classification support and DLP coverage for all files in SharePoint & OneDrive, including previously unclassified files. This is enabled through the new on-demand classification capability. Let’s dive in. Expanded visibility & protection beyond Microsoft 365: Introducing new network & browser controls In the era of AI and remote work, organizations need to address data loss risks holistically across their environment – especially where sensitive data could leave the trusted boundaries of the organization to untrusted, 3rd party locations. This is why we are excited to introduce three momentous improvements to Purview DLP: Inline data discovery for the network, in public preview early May: Purview DLP now integrates with secure access service edge (SASE) solutions to provide admins greater visibility over sensitive data that is being sent outside of the organization from company devices. This can include sensitive data uploaded to personal cloud repositories or sent to 3rd party AI services from a desktop application. Inline data protection in Edge for Business, in public preview early April: With information workers spending more time working in the browser than ever before [1], it’s critical that organizations secure sensitive data that could be sent to untrusted locations from the browser. These potentially risky interactions include typed submissions to unmanaged SaaS apps like Slack or consumer GenAI apps like Google Gemini and DeepSeek. Our inline DLP controls are built natively into Edge for Business, meaning they can be enabled even without endpoint DLP deployed, and complement the existing endpoint DLP protections for uploading or pasting sensitive content to the browser. Data security controls for unmanaged Windows & macOS devices accessing Edge for Business, in public preview late April: These built-in controls help admins enforce guardrails for what users can do with sensitive data in organization-managed apps like Salesforce or Workday when they're accessed from Edge for Business on an unmanaged or personal computer. This prevents sensitive organizational data from being exfiltrated to unmanaged devices. To learn more about these new capabilities, visit our detailed blog. Beyond the extension of Purview DLP controls for the browser and to the network layer, we are also investing in deeper protections for file types beyond Office 365 or PDF. Given the variety of different data types and applications that users interact with every day, it’s imperative that any sensitive file be protected as it’s used, modified, or moved – regardless of the type of file that it is. Developers handle proprietary code daily, requiring protection for .java or .js files. Designers work with early branding concepts in Adobe Photoshop, requiring protection for .psd files. Engineers work with intellectual property in AutoCAD, requiring protection for .dwg files. The list goes on. With new sensitivity label-based protections (in public preview), employees can securely work on non-Microsoft file types such as Java, Adobe Creative Cloud, and AutoCAD that will stay protected even if they leave the device. Figure 1: Admins can enable advanced label-based protections in their endpoint DLP settings. By enabling these advanced label-based protections in your endpoint DLP settings, users will be able to apply sensitivity labels with access control settings on any file, including file types beyond Office 365 or PDF. While these files exist on the end user’s endpoint device, they will be treated as if they are unencrypted, meaning that the user does not need to manually decrypt & encrypt the file every time they work with it. This helps minimize any impact to their productivity. If the user decides to move or share this file, endpoint DLP will automatically encrypt the file upon egress from the device. This ensures that the intended protection stays with the file, wherever it lives or travels. This capability is now rolling out in public preview. Lastly, our investment into protection parity across platforms continues with improvements for macOS devices: First, we are excited to announce that Purview endpoint DLP can now be deployed to macOS devices independent of any device management solution. Deploying endpoint DLP across macOS devices no longer requires these devices to be managed by Microsoft Intune or Jamf. With this update, endpoint DLP can be enabled as long as users log in successfully through an Entra ID account to a Microsoft application, or through the Microsoft Enterprise SSO plugin for Apple devices. Second, we are happy to share that the following endpoint DLP capabilities are now available in public preview on macOS devices in addition to Windows: Coverage & exclusions for network shares and network share groups OCR cost estimation Detection & protection of sensitive data pasted to supported browsers Full file evidence storage for endpoint DLP policy matches Appearance of file read events in Activity Explorer Finally, just-in-time protection for removable media and network shares is now generally available for macOS devices. Simplified experiences for DLP admins In a survey of 600 data security decision makers, “protecting sensitive data across multiple data sources, repositories, and workloads” emerged as the #1 concern related to data loss prevention [2]. To help our customers scale their DLP operations across an expanding data estate, we are continuing to invest in simplified and centralized admin experiences. Historically, Microsoft Purview has been designed to discover and classify data by default using all sensitive information types (SITs) and user activities across all connected data sources – this approach enables us to provide insights into the top data risks in your organization before policies are ever created. In the coming weeks, we are introducing a flexible alternative to this default configuration for data-in-transit scenarios. This will enable admins to more granularly define the baseline signals and information collected from each data source, starting with endpoint devices and inline discovery for the network and Edge for Business. Unlike traditional DLP policies, this new configuration is designed to streamline discovery of relevant information, rather than apply enforcement on that information. This benefits DLP admins by: Making it easier to pinpoint relevant data events in Purview Data Security Posture Management (DSPM) and Activity Explorer, and reduce noise from SITs or user activities that are not relevant to your organization Enabling compliance with regional regulations that restrict collection of certain data types Reducing CPU & memory consumption from signal collection on endpoint devices Creating a baseline configuration of SITs & user activities for existing & future DLP policies Figure 2: Classifiers that are relevant to your organization can be scoped via "collection policies" under the Classifiers tab. From the new collection policies workflow, admins can define the classifiers that are relevant to their organization. Alternatively, admins can exclude classifiers that may be irrelevant to your organization or scenario. Figure 3: Admins can also scope just the user activities that are relevant to their organization. Similarly, admins can also define the types of user activities they would like to detect from each data source. These new configuration options are available to all Purview DLP customers based on the workloads for which they are licensed. Next, we’ll cover several new improvements to Purview DLP that equip DLP admins with the key insights they need, faster: Policy sync dashboards, now in public preview for cloud workloads: Starting today, admins now have visibility into the status of deployed policies or policy changes directly from the DLP Overview and Policies pages. The dashboard indicates whether these policy changes have reached their target locations and identifies any sync errors. This dashboard currently supports SharePoint, Exchange, Teams, and OneDrive policies. Figure 4: New policy sync dashboards help admins understand the status of deployed policies. Device-based policy scoping, now in public preview: Admins can now scope DLP policies to specific devices or Entra device groups under Locations in the policy workflow. This enables them to tailor protections to certain devices, such as those used by vendors or contractors, or devices that are based in the same physical office. Figure 5: DLP policies can now be scoped to include or exclude specific devices or device groups. Administrative unit scoping for SharePoint Online policies: Admins can now also scope DLP policies for SharePoint Online based on Entra-defined administrative units. This helps ensure that potential data loss risks in SharePoint Online are visible to & addressed by the proper personnel. For example, admin unit scoping enables DLP alerts originating from a Highly Confidential site for the Finance team to only be investigated by a specific group of incident handlers. Save & reuse filters in Activity Explorer, now in public preview: We are also making it easier for admins to identify relevant data events and streamline investigation with the ability to save and reuse filters in Activity Explorer. New filter for DLP alerts based on label, now in public preview: Admins can also drill down into DLP alerts generated from a specified sensitivity label, such as “Highly Confidential” or “Internal Only” for better ease-of-use. Evidence summaries for all supported file types in endpoint DLP, now in public preview: By providing admins contextual evidence, they can better understand which classifier(s) – including those detected through advanced methods like Exact Data Match – triggered the policy match. This capability extends to all supported file types on Windows & macOS devices. Security Copilot-powered alert summarization, now in public preview for DLP alerts in Microsoft Defender XDR: Security Copilot already provides the ability to summarize DLP alerts in the Purview portal. This skill now extends to Purview DLP alerts that are managed through the Defender XDR Incidents queue in the Defender portal. Security Copilot skills in Purview DLP, now generally available: Three Security Copilot skills – DLP policy insights, enhanced hunting & investigation prompts, and Activity Explorer prompts, are now generally available for all Purview DLP customers with Security Compute Units. These skills help admins easily understand the full breadth of their existing DLP policy coverage, and streamline investigation of potential data loss incidents. Enhanced protections across data sources and end users While we have invested significantly in broadening our coverage across different workloads, file types, and platforms, we also know that our customers need depth and flexibility of controls. Not only that, but these controls must optimize for the experience of end users. By continuing to strengthen our foundational capabilities, we enable admins to expand their DLP programs with confidence in existing protections. In that spirit, we are happy to share the following four key enhancements to Purview DLP: Critical to our commitment to customers is the ability to classify and protect all files containing sensitive content, even if they have been sitting dormant for some time. With on-demand classification, in public preview, admins can now detect and classify all files containing sensitive data in a specific SharePoint or OneDrive location. This can include documents that were never previously scanned by Purview, or that have not been updated with the latest set of classifiers. If the newly-classified documents match any SITs defined in an existing DLP policy, the policy will immediately take effect on that file. This helps ensure that previously unprotected files can be "grandfathered" into the proper DLP policies. Learn more in the Information Protection blog. Next, we are providing admins with the ability to tailor restrictions to network share and URL groups based on the IP address or IP range from which they’re accessed. This can be particularly helpful for organizations that track intranet sites using IP addresses and want to limit or allow access to data within those locations. This capability is now in public preview. Last year, we announced that Purview endpoint DLP would support a significantly expanded range of file types. Today, we are continuing this momentum by announcing that advanced classification methods such as Exact Data Match and Named Entities will now support this expanded list of file types on Windows devices (in public preview). We are also expanding opportunities for user education when employees trigger a DLP policy tip. Policy tips delivered on Windows endpoint devices will now support custom hyperlinks (public preview). These hyperlinks can help direct users to organizational policies or security best practices when they perform an action that violates an existing endpoint DLP policy. Licensing details Microsoft 365 E3 subscriptions and above Microsoft 365 E5, E5 Compliance, and E5 Information Protection & Governance Policy sync dashboards Save & reuse filters in Activity Explorer Rename DLP policies DLP Alerts filter: Label Admin unit support for SharePoint Online policies Security Copilot-powered DLP policy insights (requires Security Copilot Units) Advanced label-based protections for non-M365 file types All endpoint DLP capabilities for macOS Evidence summaries for all supported file types in endpoint DLP (Windows & macOS) Device-based policy scoping Network share & URL group restrictions based on IP address/IP range Advanced classification for all supported file types in endpoint DLP (Windows) Hyperlink support in endpoint DLP policy tips (Windows) Get started Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Hear from Microsoft leaders online at Microsoft Secure on April 9. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. Already have a Windows 10 and 11 device? You can get started easily by turning on endpoint DLP, which is built into your device and does not require an agent or on-premises component. Additional resources Frequently asked questions on DLP for endpoints. Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal. Customer stories to learn why leading enterprises rely on Microsoft Purview DLP. [1] Internal Windows telemetry [2] Internal Microsoft research View the full article
  3. Windows 10
    Hungarian: az asus tp1401ka eszközmre szeretnék win 10 operácis rendszert telepíteni és amikor felrakom a windowst akkor lesz rajta wifi driver?English: I would like to install the Win 10 operating system on my Asus TP1401KA device and when I install Windows, will it have a WiFi driver?View the full article
  4. Windows 11
    My laptop told me this morning I needed to restart for an update. I close out and start the update. I notice that it's taking a long time, and I also notice that my fonts have changed on the update screen. After a few hours of lost work, my finally boots again and my worst fears of come to pass... Microsoft finally installed that piece of **** OS Windows 11. I never installed this ****. It never asked me to do this. I've disabled the update since it was announced, so why did it **** install on my machine without **** telling me? I don't care if I can roll back this ****, I shouldn't have to doView the full article
  5. Windows 11
    Hello \0Yesterday, I downloaded a new cursor skin, but I noticed that a few cursor elements didn't change. After some research, I found out that they simply can't be replaced in Windows settings.So, I have a question: Is it true that some cursor elements can't be replaced? And if so, why haven't you added this feature yet?It would be much better if all cursor elements followed the same stylish design.View the full article
  6. Windows 11
    I noticed these metrics (FPS, GPU, CPU and Lat 'latency?') popped up in the upper right corner of my display last night while I was playing Assassins Creed Shadows. Had about ten minutes where I was like "Oh, that's kind of cool" before I realized I didn't know how to make it go away. I turned off my computer, figuring they'd maybe be gone in the morning. Surprise, they weren't. The entertainment factor is gone. I've tried googling how to make it go away, with no success beyond bringing me here. Checking Task Manager has left me with not much else beyond an appreciation for all the background View the full article
  7. Windows 11
    I have spent so much time reading various forum posts trying to work around the buggy network-sharing issues that seem all too common. The first issue I was finally able to work past was to get network sharing set up and working between the two new Win 11 desktops and the old Win 10 desktop in the house, that was way harder than it should have been.The sharing is still not perfect. The Win 11 machines can't access folders on the Win 10 machine, but this is not a big issue as most sharing is going to the main Win 11 machine.The current most pressing issue is the shared folders on the main Win View the full article
  8. Windows 11
    After a recent upgrade to 23H2 File Explorer stopped responding, to clicks on task bar, shortcuts elsewhere, and responding to save as links or download links. I have followed endless fixes from various sources and none make any difference.View the full article
  9. Windows 11
    when i click shift and the plus icon then it shows a _ can anyone please help me. i would love it if someone replyed quick.- Pip5yh4View the full article
  10. Windows 11
    Hello, I encrypted some important files on my old Windows 10 install and I unfortunately had to reistall Windows because it wouldn't let me just upgrade to Windows 11. Now that I have a new user account I am no longer able to access those files. The files were encrypted with the basic built in encryption in Windows. Can anyone help? Thank you for your time. View the full article
  11. Windows Server
    As cyber threats evolve, security teams face the challenge of sifting through vast amounts of security data and threat intelligence to develop briefings that are relevant to their organization. This is a lengthy, resource-intensive process that takes analysts away from important work that keeps the organization safe. To help security teams focus on business-critical work while keeping pace with threat actors, we’re excited to introduce the Security Copilot Threat Intelligence Briefing Agent—a force-multiplying innovation that reduces the time for CTI analysts to produce timely, hyper-relevant threat intelligence reports from hours or days to just minutes. Analysis at Machine Speed This next evolution in Security Copilot threat intelligence capabilities builds on its powerful ability to correlate Microsoft threat data, real-time signals, and customer telemetry to add critical context to threats. In real time, the agent dynamically builds briefings based on the latest threat actor activity and both internal and external vulnerability data sourced from Microsoft security research. It automates the collection, analysis, and summarization of this powerful threat information, delivering continuous, tailored briefings based on factors such as industry, geographic location, and your organization’s evolving attack surface. These scheduled briefings offer executive daily summaries and detailed technical analysis accessible via the Security Copilot UI or directly to a CISO's inbox. They determine in real time whether a vulnerability is being actively exploited and its potential organizational impact. Instead of sifting through threat feeds and vulnerability reports, security teams receive clear insights aligned with the organization's needs, allowing for effective resource allocation. As a result, CTI analysts gain important data for further research, while CISOs and security leaders get the situational awareness needed to fine-tune their defense strategies. How the Agent Works Setting up the Agent The Threat Intelligence Briefing agent is in the Security Copilot standalone experience. A new area of the product is devoted to agents, where both Microsoft and partners offer a variety of agents that perform critical tasks to make cybersecurity teams more effective and efficient. CTI analysts can quickly set up the Threat Intelligence Briefing agent to run once for a one-time report or set it to run automatically every 24 hours. Setting up the agent is simple. Customers can choose an identity for the agent using Microsoft’s robust role-based access controls: Customers can choose an existing identity or create an agent-specific identity. They can then ensure the required plugins are enabled for the agent to run. At the core of this agent is its integration with Microsoft’s extensive threat intelligence ecosystem. It leverages Microsoft Defender Threat Intelligence (MDTI) profiles, articles, and intelligence on threat actors, tools, and techniques, automatically prioritizing content based on t organization's unique profile. For organizations with E5 licenses, the agent can also incorporate insights from Microsoft Defender Vulnerability Management (MDVM) to highlight potential weaknesses in your internal IT infrastructure. If the organization utilizes Microsoft Defender External Attack Surface Management (MDEASM), the agent further tailors its briefings using external data such as vulnerabilities associated with unmanaged assets (e.g., CVE information). Customers can choose up to three plugins to provide the agent with threat intelligence to build briefings. Once set up, the agent is ready to run in the background to generate the briefing: Once the agent is set up, it's ready to run! Agent in Action A key benefit of the agent for CISOs and security managers is simplification. The agent runs at regularly scheduled intervals or on-demand: Customers can look into any run the agent has made to read past briefings. Here, we can see the briefing for this organization highlighted potentially significant threats facing the organization, focusing on recent campaigns by the riskiest threat actors. These campaigns involve tactics such as exploiting vulnerabilities in network devices, phishing, and ransomware attacks: Briefings show the latest threats that are most relevant to an organization with a summary of recent campaigns and recommended actions. The briefings also include the most critical CVEs contextualized with threat intelligence. It also includes links to vulnerable assets for further action. The briefing also shows the most critical vulnerabilities identified by the agent, mitigation steps, and the affected assets across the organization's IT setup and external attack surface. The briefing provides concrete recommendations to enhance defenses, including patching vulnerabilities, strengthening endpoint protection, and implementing attack surface reduction rules. Customers can then review the path the agent took to see how it gathered this real-time intelligence: Here, we can see the path the agent has taken to generate the briefing. At each step of the way, it is making dynamic decisions about the best threat intelligence to include based on its inherent threat intelligence expertise. This path can change each day based on changes in the threat landscape and on the organization’s attack surface. For example, if a CVE gets remediated, threat intelligence associated with that vulnerability will become less of a priority. The agent shows the path it took to build each briefing. It makes dynamic decision based on its threat intelligence expertise every step of the way. What’s Next Threat Intelligence Briefing Agent offers a strategic way to reduce complexity, optimize security decision-making, and expedite the identification of the most relevant vulnerabilities and threats impacting your organization. By automating and prioritizing threat intelligence—the same intelligence that previously took hours or days to assemble—this agent provides clear, actionable insights that enhance overall security readiness. The Threat Intelligence Briefing Agent marks a major step toward AI-driven automation for improving security outcomes, but this is just the beginning. To learn more about this agent, join us at the Microsoft Secure digital event on April 9, 2025 and read our latest blog: https://aka.ms/SecurityCopilotagents View the full article
  12. Windows Server
    Microsoft Azure Cloud HSM is now available in public preview. Azure Cloud HSM is a highly available, FIPS 140-3 Level 3 validated single-tenant hardware security module (HSM) service designed to meet the highest security and compliance standards. With full administrative control over their HSM, customers can securely manage cryptographic keys and perform cryptographic operations within their own dedicated Cloud HSM cluster. In today’s digital landscape, organizations face an unprecedented volume of cyber threats, data breaches, and regulatory pressures. At the heart of securing sensitive information lies a robust key management and encryption strategy, which ensures that data remains confidential, tamper-proof, and accessible only to authorized users. However, encryption alone is not enough. How cryptographic keys are managed determines the true strength of security. Every interaction in the digital world from processing financial transactions, securing applications like PKI, database encryption, document signing to securing cloud workloads and authenticating users relies on cryptographic keys. A poorly managed key is a security risk waiting to happen. Without a clear key management strategy, organizations face challenges such as data exposure, regulatory non-compliance and operational complexity. An HSM is a cornerstone of a strong key management strategy, providing physical and logical security to safeguard cryptographic keys. HSMs are purpose-built devices designed to generate, store, and manage encryption keys in a tamper-resistant environment, ensuring that even in the event of a data breach, protected data remains unreadable. As cyber threats evolve, organizations must take a proactive approach to securing data with enterprise-grade encryption and key management solutions. Microsoft Azure Cloud HSM empowers businesses to meet these challenges head-on, ensuring that security, compliance, and trust remain non-negotiable priorities in the digital age. Key Features of Azure Cloud HSM Azure Cloud HSM ensures high availability and redundancy by automatically clustering multiple HSMs and synchronizing cryptographic data across three instances, eliminating the need for complex configurations. It optimizes performance through load balancing of cryptographic operations, reducing latency. Periodic backups enhance security by safeguarding cryptographic assets and enabling seamless recovery. Designed to meet FIPS 140-3 Level 3, it provides robust security for enterprise applications. Ideal use cases for Azure Cloud HSM Azure Cloud HSM is ideal for organizations migrating security-sensitive applications from on-premises to Azure Virtual Machines or transitioning from Azure Dedicated HSM or AWS Cloud HSM to a fully managed Azure-native solution. It supports applications requiring PKCS#11, OpenSSL, and JCE for seamless cryptographic integration and enables running shrink-wrapped software like Apache/Nginx SSL Offload, Microsoft SQL Server/Oracle TDE, and ADCS on Azure VMs. Additionally, it supports tools and applications that require document and code signing. Get started with Azure Cloud HSM Ready to deploy Azure Cloud HSM? Learn more and start building today: Get Started Deploying Azure Cloud HSM Customers can download the Azure Cloud HSM SDK and Client Tools from GitHub: Microsoft Azure Cloud HSM SDK Stay tuned for further updates as we continue to enhance Microsoft Azure Cloud HSM to support your most demanding security and compliance needs. View the full article
  13. Windows Server
    Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we’re sharing new product features that spotlight our AI-first, end-to-end security innovations designed to help - including autonomous AI agents in the Security Operations Center (SOC), as well as automatic detection and response capabilities. We also share information on how you can expand your protection by bringing data security and collaboration tools closer to the SOC. Read on to learn more about how these capabilities can help your organization stay ahead of today’s advanced threat actors. Expanding AI-Driven Capabilities for Smarter SOC Operations Introducing Microsoft Security Copilot’s Phishing Triage Agent Today, we are excited to introduce Security Copilot agents, a major step in bringing AI-driven automation to Microsoft Security solutions. As part of this, we’re unveiling our newest innovation in Microsoft Defender: the Phishing Triage Agent. Acting as a force multiplier for SOC analysts, it streamlines the triage of user-submitted phishing incidents by autonomously identifying and resolving false positives with over 95% accuracy. This allows teams to focus on the remaining incidents – those that pose the most critical threats. Phishing submissions are among the highest-volume alerts that security teams handle daily, and our data shows that at least 9 in 10 reported emails turn out to be harmless bulk mail or spam. As a result, security teams must sift through hundreds of these incidents weekly, often spending up to 30 minutes per case determining whether it represents a real threat. This manual triage effort not only adds operational strain but also delays the response to actual phishing attacks, potentially impacting protection levels. The Phishing Triage Agent transforms this process by leveraging advanced LLM-driven analysis to conduct sophisticated assessments –such as examining the semantic content of emails– to autonomously determine whether an incident is a genuine phishing attempt or a false alarm. By intelligently cutting through the noise, the agent alleviates the burden on SOC teams, allowing them to focus on high-priority threats. Figure 1. A phishing incident triaged by the Security Copilot Phishing Triage Agent To help analysts gain trust in its decision-making, the agent provides natural language explanations for its classifications, along with a visual representation of its reasoning process. This transparency enables security teams to understand why an incident was classified in a certain way, making it easier to validate verdicts. Analysts can also provide feedback in plain language, allowing the agent to learn from these interactions, refine its accuracy, and adapt to the organization’s unique threat landscape. Over time, this continuous feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification. The Security Copilot Phishing Triage Agent is designed to transform SOC operations with autonomous, AI-driven capabilities. As phishing threats grow increasingly sophisticated and SOC analysts face mounting demands, this agent alleviates the burden of repetitive tasks, allowing teams to shift their focus to proactive security measures that strengthen the organization’s overall defense. Read more about Microsoft Security Copilot agent announcements here. New protection across Microsoft Defender XDR workloads To strengthen core protection across Microsoft Defender XDR workloads, we're introducing new capabilities while building upon existing integrations for enhanced protection. This ensures a more comprehensive and seamless defense against evolving threats. Introducing collaboration security for Microsoft Teams Email remains a prevalent entry point for attackers. But the fast adoption of collaboration tools like Microsoft Teams has opened new attack surfaces for cybercriminals. Our advancements within Defender for Office 365 allow organizations to continue to protect users in Microsoft Teams against phishing and other emerging cyberthreats with inline protection against malicious URLs, safe attachments, brand impersonation protection, and more. And to ensure seamless investigation and response at the incident level, everything is centralized across our SOC workflows in the unified security operations platform. Read the announcement here. Introducing Microsoft Purview Data Security Investigations for the SOC Understanding the extent of the data that has been impacted to better prioritize incidents has been a challenge for security teams. As data remains the main target for attackers it’s critical to dismantle silos between security and data security teams to enhance response times. At Microsoft, we’ve made significant investments in bringing SOC and data security teams closer together by integrating Microsoft Defender XDR and Microsoft Purview. We are continuing to build upon the rich set of capabilities and today, we are excited to announce that Microsoft Purview Data Security Investigations (DSI) can be initiated from the incident graph in Defender XDR. Ensuring robust data security within the SOC has always been important, as it helps protect sensitive information from breaches and unauthorized access. Data Security Investigations significantly accelerates the process of analyzing incident related data such as emails, files, and messages. With AI-powered deep content analysis, DSI reveals the key security and sensitive data risks. This integration allows analysts to further analyze the data involved in the incident, learn which data is at risk of compromise, and take action to respond and mitigate the incident faster, to keep the organization’s data protected. Read the announcement here. Figure 2. An incident that shows the ability to launch a data security investigation. OAuth app insights are now available in Exposure Management In recent years, we’ve witnessed a substantial surge in attackers exploiting OAuth applications to gain access to critical data in business applications like Microsoft Teams, SharePoint, and Outlook. To address this threat, Microsoft Defender for Cloud Apps is now integrating OAuth apps and their connections into Microsoft Security Exposure Management, enhancing both attack path and attack surface map experiences. Additionally, we are introducing a unified application inventory to consolidate all app interactions into a single location. This will address the following use cases: Visualize and remediate attack paths that attackers could potentially exploit using high-privilege OAuth apps to access M365 SaaS applications or sensitive Azure resources. Investigate OAuth applications and their connections to the broader ecosystem in Attack Surface Map and Advanced Hunting. Explore OAuth application characteristics and actionable insights to reduce risk from our new unified application inventory. Figure 3. An attack path infused with OAuth app insights Read the latest announcement here AI & TI are critical for effective detection & response To effectively combat emerging threats, AI has become critical in enabling faster detection and response. By combining this with the latest threat analytics, security teams can quickly pinpoint emerging risks and respond in real-time, providing organizations with proactive protection against sophisticated attacks. Disrupt more attacks with automatic attack disruption In this era of multi-stage, multi-domain attacks, the SOC need solutions that enable both speed and scale when responding to threats. That’s where automatic attack disruption comes in—a self-defense capability that dynamically pivots to anticipate and block an attacker’s next move using multi-domain signals, the latest TI, and AI models. We’ve made significant advancements in attack disruption, such as threat intelligence-based disruption announced at Ignite, expansion to OAuth apps, and more. Today, we are thrilled to share our next innovation in attack disruption—the ability to disrupt more attacks through a self-learning architecture that enables much earlier and much broader disruption. At its core, this technology monitors a vast array of signals, ranging from raw telemetry data to alerts and incidents across Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems. This extensive range of data sources provides an unparalleled view of your security environment, helping to ensure potential threats do not go unnoticed. What sets this innovation apart is its ability learn from historical events and previously seen attack types to identify and disrupt new attacks. By recognizing similar patterns across data and stitching them together into a contextual sequence, it processes information through machine learning models and enables disruption to stop the attack much earlier in the attack sequence, stopping significantly more attacks in volume and variety. Comprehensive Threat Analytics are now available across all Threat Intelligence reports Organizations can now leverage the full suite of Threat Analytics features (related incidents, impacted assets, endpoints exposure, recommended actions) on all Microsoft Threat Intelligence reports. Previously only available for a limited set of threats, these features are now available for all threats Microsoft has published in Microsoft Defender Threat Intelligence (MDTI), offering comprehensive insights and actionable intelligence to help you ensure your security measures are robust and responsive. Some of these key features include: IOCs with historical hunting: Access IOCs after expiration to investigate past threats and aid in remediation and proactive hunting. MITRE TTPs: Build detections based on threat techniques, going beyond IOCs to block and alert on specific tactics. Targeted Industries: Filter threats by industry, aligning security efforts with sector-specific challenges. We’re proud of our new AI-first innovations that strengthen security protections for our customers and help us further our pledge to customers and our community to prioritize cyber safety above all else. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. We hope you’ll also join us in San Francisco from April 27th-May 1st 2025 at the RSA Conference 2025 to learn more. At the conference, we’ll share live, hands-on demos and theatre sessions all week at the Microsoft booth at Moscone Center. Secure your spot today. View the full article
  14. Windows Server
    In today's digital landscape, securing data has become a critical concern across all industries. Organizations face an average of 66 alerts per day, up from 52 in 2023, with teams able to review only 63% of these alerts. Given the sheer volume of data security alerts, it is no surprise that most organizations struggle to keep up[1]. The challenge of addressing the most important risks, combined with a staggering shortage of 4 million security professionals[2], has made it increasingly difficult for organizations to stay ahead of potential dangers such as data breaches and unauthorized access to sensitive information. This can overwhelm data security teams and allows for potentially serious data risks to slip through the cracks. To help customers increase the efficacy of their data security programs, address key alerts, and focus on the most critical data risks, we’re thrilled to announce Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM). These autonomous Security Copilot capabilities integrated into Microsoft Purview offer an agent-managed alert queue that identifies the DLP and IRM alerts that pose the greatest risk to your organization and should be prioritized first. Alert Triage Agents analyze the content and potential intent involved in an alert, based on the organization’s chosen parameters and risk tolerance. Additionally, they provide a comprehensive explanation for the logic behind that categorization. (Figure 1: Alert Triage Agent in DLP queue) Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools[3], which are often ineffective, create blind spots, and can slow down risk mitigation. These new agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins and can also calibrate triage results to better match the organization’s priorities. (Figure 2: Alert Triage Agent in IRM queue, with prioritization rationale window option) Alert Triage Agents in DLP and IRM will leverage the power of Generative AI to provide organizations with the following core benefits: Enhanced alert management: Significantly improve alert prioritization, ensuring that critical risks are addressed first. This leads to faster response times, as teams can focus on the most pressing issues without being distracted by less urgent alerts. Evaluating sometimes complex alerts on DLP and IRM can be time-consuming and speeding the triage process allows teams to spend more time on the most critical cases. Increased team efficiency: Increase the efficacy of your team, regardless of the experience level, by triaging and providing relevant information about the top risks. They complement your teams’ skills and allow your team to efficiently handle more incidents, as the most crucial alerts are already identified. Thereby improving key metrics such as overall response time and percentage of alerts addressed. Dynamic responses: The agent will learn from the data security team’s feedback and fine-tune its logic, which can be provided based on parameters in natural language. This feedback loop will autonomously adjust how agents categorize the alerts. (Figure 3: Feedback loop for fine-tuning alert prioritization) A data security admin will be able to select the relevant policies that the agent will evaluate and set the restrictions for the categorization. For example, the admin can select the IRM policies ‘Data Leaks’ and ‘Data Theft’, then ask the agent to ‘prioritize alerts including intellectual property related to Project Obsidian’. The agent then identifies alerts as ‘Needs attention' or ‘Less urgent’ and provides the rationale behind the logic applied. Additionally, the admin can tailor the agent's responses by changing the alert categorization as needed and offering feedback on the changes in natural language, to which the agent will adapt in a few hours. For example, an admin can move an alert from ‘Needs attention’ to ‘Less urgent’ category, and teach the agent to better evaluate alerts by providing properties the agent should focus less on, such as sensitivity labels, or by indicating that an action is a regular business activity for that group. Alert Triage Agents are seamlessly integrated within Purview, allowing customers to easily improve the efficiency of their current trusted workflows. These agents empower data security admins by leveraging the power of Security Copilot, a trusted and reliable platform that adheres to global compliance and privacy standards, and that dynamically learns and adapts to emerging threats with a proven track record[4]. Alert Triage Agents in Purview public preview starts rolling out on April 27. To get started, check out the visit the Security Copilot product page for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and try the new features — join today at aka.ms/JoinCCP. Strengthening data security, compliance and governance with Generative AI In addition to Alert Triage Agents, we are announcing the general availability of several Security Copilot embedded capabilities within Microsoft Purview that help customers accelerate and scale investigations and upskill their teams. Most organizations struggle with understanding the impact of DLP alerts on data and users and assessing the overall efficacy of their DLP policies. Enhanced hunting prompts allow teams to go deeper into alert summaries, providing a detailed exploration of data and users involved in an incident. Additionally, Security Copilot also guides admins through activity explorer insights, offering a birds-eye view of top activities detected over the past week. Admins can use natural language to apply the correct investigation filters to pinpoint specific activities or data. Moreover, the DLP policy insights skill summarizes the intent, scope, and impact of all or selected DLP policies to provide a summarized view of your DLP policies’ coverage. This skill provides insights such as the DLP policies deployed for each workload, the sensitive information types they aim to detect, and the number of rule matches associated with those policies. With this information, security admins can swiftly identify and address any protection gaps in their DLP program. (Figure 3: DLP policy insights) Data security, compliance, and governance teams can also leverage the Knowledge Base Hub in Microsoft Purview to guide their experiences across Microsoft Purview. This skill provides instant answers to questions about the Purview platform using public Microsoft documentation. This experience aims to improve user experience by offering direct answers, reducing the need for multiple tabs and searches. Accessible through the Purview portal, Knowledge Base Copilot addresses queries related to all Purview solutions. Stay tuned for more information about the innovative integration of Security Copilot and Microsoft Purview and leverage the power of generative AI to take your organization’s data security to the next level. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Get started Learn more about Copilot for Security in Purview with Microsoft Documentation. If you are a security partner interested in using Microsoft Security Copilot with your solutions, sign up to join the Security Copilot Partner Ecosystem. Stay up to date on Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview. Learn more about these solutions in the Microsoft Purview compliance portal. Visit your Microsoft Purview compliance portal to activate your free trial and begin using our new features. An active Microsoft 365 E3 subscription is required as a prerequisite to activate the free trial. Join the community - https://aka.ms/JoinCCP Get started with Microsoft Copilot for Security - Get started with Microsoft Copilot for Security - Training | Microsoft Learn Copilot for Security Ninja - How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training [1] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog [2] Cybersecurity Awareness Month: Microsoft resources for security teams | Microsoft Security Blog [3] What is AI-Powered Alert Triage? | Intezer [4] Randomized Controlled Trial for Copilot for Security View the full article
  15. Windows Server
    The rapid rise of generative AI presents both transformative opportunities and critical security challenges for organizations handling sensitive data. As data security teams grapple with an increasingly fragmented tooling landscape and a relentless stream of alerts, the use of AI within organizations also might bring new risks such as data leakage and exposure of sensitive information on 3rd party generative AI apps. AI has the potential to both reinforce security protocols and automate defenses, enhancing resilience against evolving data risks. However, securing AI itself is just as vital, ensuring the very tools organizations rely on remain protected. By adopting integrated and intelligent data security solutions, businesses can not only safeguard sensitive data but also empower teams to operate more efficiently, shifting focus from reactive to proactive defense. Microsoft Purview Insider Risk Management (IRM) addresses these pressing needs by offering comprehensive visibility over how users interact with data within your organization. It integrates machine learning-based detection controls, dynamic protections, and advanced privacy controls to help organizations effectively manage and mitigate insider risks. IRM correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy. Expanding visibility into risky AI usage across more AI workloads Despite the high interest in AI adoption, the 2024 Microsoft Data Security Index[1] reveals that 84% of surveyed organizations want greater confidence in managing and discovering data input into AI applications. Data leakage remains a top concern for 80% of business leaders, while the rise of shadow AI adds to the complexity, with 78% of users bringing their own AI tools like ChatGPT. Emerging threats such as indirect prompt injection attacks are also on the radar, with 11% identifying them as critical risks. Therefore, it is crucial for organizations to understand how their employees interact with generative AI tools. At Ignite last fall, we announced several new capabilities to help identify risky generative AI usage by insiders on Microsoft 365 Copilot, ChatGPT Enterprise, and Copilot Studio, enabling organizations to accelerate their AI adoption while ensuring robust data security and governance. To continue addressing the expansion of GenAI tools and scenarios, today we’re excited to announce new Risky GenAI usage detections in IRM for the enterprise-built apps Copilot for Fabric and Security Copilot, as well as for 3rd party apps such as Gemini, ChatGPT consumer, Copilot Chat, and DeepSeek. The detections will cover a wide range of activities, including risky prompts that contain sensitive information or exhibit risky intent, as well as sensitive responses that either contain sensitive information or are generated from sensitive files or sites, enabling admins to identify and mitigate risky AI usage. (Figure 1: IRM risky AI usage activity detected in Copilot for Fabric) Additionally, these signals will contribute to Adaptive Protection insider risk levels, further enhancing the data security posture of the organization, and facilitating the balance between protection and productivity. Adaptive Protection will also be leveraged by the new data security capabilities native within the Microsoft Edge for Business browser to dynamically enforce different levels of protection based on the risk level of the user interacting with the AI application. For example, Adaptive Protection can enable admins to block low-risk users from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for an elevated-risk user. These updates will empower organizations to better manage and secure their AI usage and safeguard valuable data, increasing their confidence level in their AI adoption. Check out all the new capabilities we're announcing today across Microsoft Security to secure data in the era of AI. Introducing Alert Triage Agents in Insider Risk Management There are also significant opportunities to leverage generative AI to enhance data security teams' efficiency and enable them to prioritize critical tasks and risks. Organizations face an average of 66 data security alerts per day, but teams only have time to review 63% of them[2]. The large volume of alerts, combined with an ongoing shortage of security professionals, makes it increasingly challenging for organizations to stay ahead of potential data security risks and avoid blind spots in their data security programs. To support customers in addressing these challenges, we are thrilled to announce Alert Triage Agent in IRM. This new autonomous Security Copilot capability integrated into IRM will offer an agent-managed alert queue that highlights the IRM alerts posing the greatest risk to your organization, that should be tackled first. The agent analyses the content and potential intent behind an alert, based on the organization’s chosen parameters, to identify which alerts might signal bigger impacts on sensitive data and need to be prioritized, providing also explanation for the categorization logic. Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools, which are often ineffective and create blind spots on data security programs. Now, admins can choose from which IRM policies they’d like to triage alerts and which information the agent should focus on, as well as provide the agent with inputs to calibrate results to better match the organization’s priorities. (Figure 2: Alert Triage Agent in IRM queue, with prioritization rationale ) Customers will be able to leverage the following benefits: Enhanced alert management: Improves alert prioritization, addressing critical risks first and leading to faster response times. Increased team efficiency: Teams of varying degrees of expertise will be able to efficiently handle more alerts, improving overall percentage of risks addressed. Dynamic response: The agent will autonomously identify important alerts based on the selected parameters and will learn from feedback in natural language, dynamically fine-tuning alert prioritization. The Alert Triage Agent is seamlessly integrated within IRM to easily enhance workflow efficiency through Security Copilot, a trusted and reliable platform that dynamically learns and adapts to emerging threats with a proven track record. [3] Alert Triage Agents in Purview public preview starts rolling out on April 27. To get started, check out the visit the Security Copilot product page for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and try the new features — join today at aka.ms/JoinCCP. New insider risk scenarios and continuous product experience improvement We are also continually expanding IRM scenarios and improving admin experiences to better address the most pressing challenges customers face. When facing data breaches, organizations struggle to understand the sensitivity and importance of the data involved due to fractured workflows and multiple tools. Breaches involving stolen credentials take nearly 10 months to identify and contain[4], and customers have expressed the need for a unified product to reduce incident resolution time and safeguard their data. Today we’re excited to announce the integration of IRM with the new Microsoft Purview Data Security Investigations (DSI). DSI accelerates data risk mitigation using generative AI-powered deep content analysis enriched with activity insights to dive deep into organizations’ emails, instant messages, and documents. When evaluating a risky user with IRM, you can now escalate the case to DSI, instead of reviewing files individually. The integration between IRM and DSI allows a data security admin to identify when a risky user needs deeper investigation to launch a pre-scoped investigation directly from the user activity pane, allowing them to view content analysis related to that user and better assess post-incident data impact. (Figure 3: DSI case being launched from Insider Risk Management) Data security context is also vital for SOC teams to better understand the user intent and sensitivity of the data involved in a possible attack. To strengthen the integration of data security into the SOC experience, we are bringing insider risk user analytics to Microsoft Defender XDR on the user entity page, for all users. Now, any potential risky behavior related to a user involved in an XDR incident will be surfaced, regardless of their triggering an IRM policy, enabling SOC analysts to evaluate behavior patterns that could have influenced the incident. User analytics will also be available for DLP and Communication Compliance investigations, and on Defender XDR Advanced Hunting tables in a few months. Increasing the connection of IRM with the broader Microsoft Purview stack, we’re now adding DLP alerts as IRM indicators to detect when a user activity triggers a DLP policy. This capability will provide admins greater visibility and efficiency by consolidating a user’s risky activity triggering DLP and/or IRM policies, eliminating the need to switch between solutions for better evaluating data risks. We are also bringing a new indicator for ‘Email to personal email accounts’ to alert when business-sensitive data is potentially leaked via email attachments to free public domains or personal email accounts. Now, admins will be able to better understand the intent behind emails with sensitive data attached being sent to a personal email for non-business reasons. To enhance the end-user experience, we have made several improvements that enable teams to refine their data security strategy and facilitate insider risk investigations. Enhancements include: Increasing IRM policy template units: Increase policy creation limits from 20 to 100 policies per template, enabling organizations to create more a granular policy strategy to better fit their needs, such as different data security needs in different groups of the organization or regulatory requirements. Endpoint collection policy update: Admins can now leverage collection policies to more granularly scope what is collected from the endpoint and used in IRM policies. Email signature exclusion enhancement: Inclusion of keyword exclusion logic update to exclude noisy signals when email signature images are considered as attachments on a policy. These capabilities will start rolling out to customers’ tenants within the coming weeks. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Get started To get started, read more about Insider Risk Management in our technical documentation. Stay up to date on Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview. Visit your Microsoft Purview compliance portal to activate your free trial and begin using new features. An active Microsoft 365 E3 subscription is required to activate the free trial. [1] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog [2] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog [3] Randomized Controlled Trial for Copilot for Security [4] Cost of a data breach 2024 | IBM View the full article
  16. Windows Server
    Today’s blog post introduced new capabilities to enhance AI security and governance across multi-model and multi-cloud environments. This follow-on blog post dives deeper into how Microsoft Defender for Cloud can help organizations protect their custom-built AI applications. The AI revolution has been transformative for organizations, driving them to integrate sophisticated AI features and products into their existing systems to maintain a competitive edge. However, this rapid development often outpaces their ability to establish adequate security measures for these advanced applications. Moreover, traditional security teams frequently lack the visibility and actionable insights needed, leaving organizations vulnerable to increasingly sophisticated attacks and struggling to protect their AI resources. To address these challenges, we are excited to announce the general availability (GA) of threat protection for AI services, a capability that enhances threat protection in Microsoft Defender for Cloud. Starting May 1, 2025, the new Defender for AI Services plan will support models in Azure AI and Azure OpenAI Services. “Security is paramount at Icertis. That’s why we've partnered with Microsoft to host our Contract Intelligence platform on Azure, fortified by Microsoft Defender for Cloud. As large language models (LLMs) became mainstream, our Icertis ExploreAI Service leveraged generative AI and proprietary models to transform contract management and create value for our customers. Microsoft Defender for Cloud emerged as our natural choice for the first line of defense against AI-related threats. It meticulously evaluates the security of our Azure OpenAI deployments, monitors usage patterns, and promptly alerts us to potential threats. These capabilities empower our Security Operations Center (SOC) teams to make more informed decisions based on AI detections, ensuring that our AI-driven contract management remains secure, reliable, and ahead of emerging threats.” Subodh Patil, Principal Cyber Security Architect at Icertis With these new threat protection capabilities, security teams can: Monitor suspicious activity in Azure AI resources, abiding by security frameworks like the OWASP Top 10 threats for LLM applications to defend against attacks on AI applications, such as direct and indirect prompt injections, wallet abuse, suspicious access to AI resources, and more. Triage and act on detections using contextual and insightful evidence, including prompt and response evidence, application and user context, grounding data origin breadcrumbs, and Microsoft Threat Intelligence details. Gain visibility from cloud to code (right to left) for better posture discovery and remediation by translating runtime findings into posture insights, like smart discovery of grounding data sources. Requires Defender CSPM posture plan to be fully utilized. Leverage frictionless onboarding with one-click, agentless enablement on Azure resources. This includes native integrations to Defender XDR, enabling advanced hunting and incident correlation capabilities. Detect and protect against AI threats Defender for Cloud helps organizations secure their AI applications from the latest threats. It identifies vulnerabilities and protects against sophisticated attacks, such as jailbreaks, invisible encodings, malicious URLs, and sensitive data exposure. It also protects against novel threats like ASCII smuggling, which could otherwise compromise the integrity of their AI applications. Defender for Cloud helps ensure the safety and reliability of critical AI resources by leveraging signals from prompt shields, AI analysis, and Microsoft Threat Intelligence. This provides comprehensive visibility and context, enabling security teams to quickly detect and respond to suspicious activities. Figure 1 - An ASCII smuggling detection with relevant prompt evidence. Prompt analysis-based detections aren’t the full story. Detections are also designed to analyze the application and user behavior to detect anomalies and suspicious behavior patterns. Analysts can leverage insights into user context, application context, access patterns, and use Microsoft Threat Intelligence tools to uncover complex attacks or threats that escape prompt-based content filtering detectors. For example, wallet attacks are a common threat where attackers aim to cause financial damage by abusing resource capacity. These attacks often appear innocent because the prompts' content looks harmless. However, the attacker's intention is to exploit the resource capacity when left unconstrained. While these prompts might go unnoticed as they don't contain suspicious content, examining the application's historical behavior patterns can reveal anomalies and lead to detection. Figure 2 - A wallet abuse detection, showcasing an extreme anomaly in usage pattern in an AI application. Respond and act on AI detections effectively The lack of visibility into AI applications is a real struggle for security teams. The detections contain evidence that is hard or impossible for most SOC analysts to access. For example, in the below credential exposure detection, the user was able to solicit secrets from the organizational data connected to the Contoso Outdoors chatbot app. How would the analyst go about understanding this detection? The detection evidence shows the user prompt and the model response (secrets are redacted). The evidence also explicitly calls out what kind of secret was exposed. The prompt evidence of this suspicious interaction is rarely stored, logged, or accessible anywhere outside the detection. The prompt analysis engine also tied the user request to the model response, making sense of the interaction. Figure 3 - A credential exposure alert about Contoso Outdoors AI application, showing application context, the user prompt, and model response as well as the type of credential exposed. What is most helpful in this specific detection is the application and user context. The application name instantly assists the SOC in determining if this is a valid scenario for this application. Contoso Outdoors chatbot is not supposed to access organizational secrets, so this is worrisome. Next, the user context reveals who was exposed to the data, through what IP (internal or external) and their supposed intention. Most AI applications are built behind AI gateways, proxies, or Azure API Management (APIM) instances, making it challenging for SOC analysts to obtain these details through conventional logging methods or network solutions. Defender for Cloud addresses this issue by using a straightforward approach that fetches these details directly from the application’s API request to Azure AI. Now, the analyst can reach out to the user (internal) or block (external) the identity or the IP. Figure 4 - A credential exposure alert about Contoso Outdoors AI application, showing user context details of IP and identity. Finally, to resolve this incident, the SOC analyst intends to remove and decommission the secret to mitigate the impact of the exposure. The final piece of evidence presented reveals the origin of the exposed data. This evidence substantiates the fact that the leak is genuine and originates from internal organizational data. It also provides the analyst with a critical breadcrumb trail to successfully remove the secret from the data store and communicate with the owner on next steps. Figure 5 - A credential exposure alert about Contoso Outdoors AI application, showing details of the data store used to ground this specific model response. Trace the invisible lines between your AI application and the grounding sources Defender for Cloud excels in continuous feedback throughout the application lifecycle. While posture capabilities help triage detections, runtime protection provides crucial insights from traffic analysis, such as discovering data stores used for grounding AI applications. The AI application's connection to these stores is often hidden from current control or data plane tools. The credential leak example provided a real-world connection that was then integrated into our resource graph, uncovering previously overlooked data stores. Tagging these stores improves attack path and risk factor identification during posture scanning, ensuring safe configuration. This approach reinforces the feedback loop between runtime protection and posture assessment, maximizing cloud-native application protection platform (CNAPP) effectiveness. Figure 6 - The cloud security explorer in Defender portal, showing evidence that the specific Search service is being used to ground the Contoso Outdoors AI application and tagged with the relevant insight “Used for AI grounding”. Align with AI security frameworks Our guiding principle is widely recognized by OWASP Top 10 for LLMs. By combining our posture capabilities with runtime monitoring, we can comprehensively address a wide range of threats, enabling us to proactively prepare for and detect AI-specific breaches with Defender for Cloud. As the industry evolves and new regulations emerge, frameworks such as OWASP, the EU AI Act, and NIST 600-1 are shaping security expectations. Our detections are aligned with these frameworks as well as the MITRE ATLAS framework, ensuring that organizations stay compliant and are prepared for future regulations and standards. Get started with threat protection for AI services To get started with threat protection capabilities in Defender for Cloud, it’s as simple as one-click to enable it on your relevant subscription in Azure. The integration is agentless and requires zero intervention in the application dev lifecycle. More importantly, the native integration directly inside Azure AI pipeline does not entail scale or performance degradation in the application runtime. Consuming the detections is easy, it appears in Defender for Cloud’s portal, but is also seamlessly connected to Defender XDR and Sentinel, leveraging the existing connectors. SOC analysts can leverage the correlation and analysis capabilities of Defender XDR from day one. Figure 7 - A multistage incident in Defender XDR, showing an attack that included jailbreak, credential exposure, and wallet abuse. Explore these capabilities today with a free 30-day trial*. You can leverage your existing AI application and simply enable the “AI workloads” plan on your chosen subscription to start detecting and responding to AI threats. *Trial free period is limited to up to 75B tokens scanned. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Explore additional resources Learn more about Runtime protection Learn more about Posture capabilities Watch the Defender for Cloud in the Field episode on securing AI applications Get started with Defender for Cloud View the full article
  17. Windows Server
    Today, data usage has moved beyond the traditional borders of business and is now stored on-premises, in multiple clouds, on devices; and accessed from within and outside of your corporate networks. Data has become the lifeblood of every business, driving insights that enable effective operations, competitive advantage, and productive collaboration among employees. IDC predicts that the datasphere will double by 2026, meaning data everywhere, and exponentially growing. With this growth in data and with organizations adopting multiple cloud infrastructures and platforms, data security incidents are widespread and increasing in severity. In 2024, 27% of data security incidents were severe compared to 20% in 2023[1], costing millions of dollars every year to resolve. Additionally, organizations faced 66 alerts per day, up from 52 in 2023[2]. Fortify data security with an integrated approach Data security is a cornerstone of effective cybersecurity programs – as data is at the center of cyberattacks. Safeguarding sensitive information, spanning from employee and customer data to intellectual property, financial projections, and operational records, against an array of cyberthreats, data breaches, and insider risks, is a top priority for these organizations. Although essential, for many customers, securing all their data is a complex and multi-faceted undertaking. Organizations typically deploy multiple non-integrated data security solutions, increasing complexity, cost, and security gaps due to fragmented data handling, inconsistent classification, redundant alerts, and limited investigative insights. A vast majority (82%) of decision makers we spoke to agree that an integrated platform is superior to managing multiple isolated tools. To effectively address this complexity, organizations need a unified approach to data security. Microsoft Purview provides a comprehensive integrated set of tools in Information Protection, Insider Risk Management, and Data Loss Prevention that can together help you: Discover hidden risks to your data Create effective protection and prevention policies Quickly respond and remediate data security incidents. These solutions have been built to work better together with reinforced synergy across the platform. New AI-powered data security investigations and analysis Today, we are announcing Microsoft Purview Data Security Investigations (DSI), a new generative AI-powered solution that helps data security teams quickly understand and mitigate risks associated with sensitive data exposure. DSI further expands Microsoft Purview data security offerings, introducing AI-powered deep content analysis to uncover key sensitive data and security risks within incident-related data across multiple languages. DSI can uniquely draw correlations among incident-related data, users, and user activities. Incident investigators can use DSI to collaborate securely with partner teams to enhance mitigation, simplifying previously complex and time-consuming tasks. The solution is also integrated with our Microsoft Security solutions; you can launch a data security investigation via a Defender XDR incident or a Purview Insider Risk Management case. DSI is available for preview starting April 9. Learn more in our blog. Agents designed to unlock new levels of productivity and security efficacy To help customers further increase efficacy of their data security programs and focus on the most critical risks, today we are announcing Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM). These autonomous Security Copilot capabilities integrated into Microsoft Purview offer an agent-managed alert queue that identifies the DLP and IRM alerts that pose the greatest risk to your organization and should be prioritized first. Today, most teams still rely on manual triage, static rule-based filtering, and siloed security tools [3], which are often ineffective, create blind spots, and can slow down risk mitigation. Our new agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins and calibrates the triage results to better match the organizations’ priorities. Learn more in our blog. Expanding data discovery and protection to the network and browser At Microsoft Purview, we are committed to helping our customers protect their data wherever it lives or travels - even as the modern data estate grows more complex. Given the nature of modern work is continuously evolving: Generative AI tools are increasingly ubiquitous in the digital workplace and information workers are spending more time working in the browser than ever before [4]. As such, we are extending Purview data security capabilities to the network layer and enhancing our browser-based capabilities for Microsoft Edge for Business. These capabilities include: Inline discovery of sensitive data across the network. Delivered in partnership with Netskope One and iboss Zero Trust SASE through secure access service edge (SASE) integration Inline discovery & protection of sensitive data in Edge for Business Data access restrictions in Edge for Business for unmanaged Windows and macOS devices Learn more in our blog Securing data across various devices, platforms, and data sources Organizations today grapple with securing data across the various devices, platforms, and data sources that comprise their modern ecosystem. This challenge has become even more daunting as unsanctioned and unsupervised generative AI becomes more ubiquitous in the workplace, presenting a new frontier for sensitive data loss. Microsoft Purview Data Loss Prevention (DLP) offers today’s organizations a unified approach to securing data across their ever-evolving data estates. Purview DLP not only is built into the Microsoft 365 apps and desktop devices that you rely on every day but also extends to the expanding range of data types and locations found across your environment. Today we are announcing a number of enhancements to our existing rich set of DLP capabilities Expanded visibility & protection beyond Microsoft 365 with inline discovery of sensitive data across the network, inline protection of sensitive data accessed in Microsoft Edge for Business, and new label-based protections for non-Microsoft file types. Simplified day-to-day admin experiences with policy sync dashboards and a new collection policy workflow to help organizations scale their DLP operations across an expanding data estate. Enhance existing protections with expanded advanced classification support and DLP coverage for previously unscanned files in SharePoint and OneDrive. Learn more in our blog. Expanding visibility into risky AI usage across more AI workloads A growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024[5], while the rise of shadow AI adds to the complexity, with 78% of users bringing their own AI tools like ChatGPT. Emerging threats such as indirect prompt injection attacks are also on the radar, with 11% identifying them as critical risks. Therefore, it is crucial for organizations to understand how their employees interact with generative AI tools. To continue addressing the expansion of GenAI tools and scenarios, today we’re excited to announce new risky GenAI usage detections in Insider Risk Management for Copilot for Power BI and Security Copilot, as well as for 3rd party apps such as Gemini, ChatGPT consumer, Bing and DeepSeek. The detections will cover a wide range of activities, including risky prompts that contain sensitive information or exhibit risky intent, as well as sensitive responses that either contain sensitive information or are generated from sensitive files or sites, enabling admins to identify and mitigate risky AI usage. Learn more in our blog. And finally, we are also bringing several new capabilities in Information Protection. Learn more in our blog. Getting started with Microsoft Purview You can try these and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. [1] [2] [5] Data Security Index Report, Microsoft Dec 2024 [3] What is AI-Powered Alert Triage? | Intezer [4] Windows telemetry View the full article
  18. Windows Server
    It takes an average of 292 days – almost a year – to identify and contain data breaches involving stolen credentials.[1] During those critical months, organizations struggle to understand their overall risk as a result of the data breach. Investigating a data security incident is daunting, and includes inefficient workflows across multiple tools, labor-intensive reviews of impacted data, further complexity and manual work as the investigation scope grows, and increased costs. In addition, there is a greater risk of exposing or leaking sensitive data when moving the impacted data for analysis or sharing evidence with stakeholders to remediate a breach. To streamline and simplify this process, organizations have shared their need for a unified, purpose-built solution that enables them to rapidly identify and mitigate risks from sensitive data exposure. Today, we are excited to announce Microsoft Purview Data Security Investigations (DSI) – a new solution that enables data security teams to identify incident-related data, investigate that data with generative AI-powered deep content analysis, and mitigate risk within one unified solution. DSI builds on and extends Microsoft Purview’s existing best-of-breed Data Security portfolio. Our information protection, data loss prevention, and insider risk management solutions have provided customers with a strong foundation to protect their crown jewels, their data. Data is at the center of cyberattacks, and now DSI will use AI to reimagine how customers investigate and mitigate data security incidents, accelerating the process dramatically. Most organizations we spoke to (77%) believe that AI will accelerate data security detection and response, and 76% think AI will improve the accuracy of data security detection and response strategies.[2] With its cutting edge, generative AI-powered investigative capabilities, DSI will transform and scale how data security admins analyze incident-related data. DSI uncovers key security and sensitive data risks and facilitates secure collaboration between partner teams to mitigate those identified risks. This simplifies previously complex, time-consuming tasks – what once took months, can now be done in a fraction of the time. Figure 1: Introducing Microsoft Purview Data Security Investigations, a new AI-powered solution that enables data security teams to rapidly identify and mitigate risks from sensitive data exposure. A closer look Picture your data security team is made aware of a massive data breach and needs to quickly determine the risk present within the impacted data. With DSI, you can search your Microsoft 365 data estate to locate incident-relevant emails, Teams messages, Copilot prompts and responses, and documents. DSI enables you to efficiently locate the impacted data, eliminating the need for multiple team handoffs or moving the data. Once the investigation is scoped, you can use DSI’s generative AI capabilities to rapidly and efficiently sift through mountains of data to pinpoint the major risks to your organization. AI can categorize the impacted data to help you get an initial understanding of incident severity and narrow your focus to highest risk assets. Next, DSI enables you to easily address the number one priority during a data security investigation, finding security risks buried within impacted data. With a few clicks, you can use AI to examine impacted data for security risks and promptly find credentials, network risks, or evidence of threat actor discussion, for example. DSI allows you to evaluate sensitive data risk, like what intellectual property, financial information, and personally identifiable information were exposed using AI. These probing capabilities can also be used to proactively improve data hygiene by examining datasets for sensitive information or security risks, helping your organization prevent a data security incident. To query impacted data and discover assets related to a specific subject, you can leverage vector-based semantic search, which uses embeddings and advanced orchestration to understand context and meaning – even if keywords are missing. Figure 2: Categorize impacted data to focus on highest risk assets.Figure 3: Examine impacted data to find key security risks. DSI can uniquely visualize correlations between impacted data, users, and their activities, providing critical context to guide mitigation and next steps. For example, upon uncovering a highly sensitive document, DSI gives you visibility into which users downloaded it or if it was accessed from a risky IP address. This lets you uncover new nodes to a data security incident, like additional users or new content that requires investigation. Enriching DSI analysis with activity insights can help you resolve your data security incidents faster, and with greater confidence. Figure 3: Examine impacted data to find key security risks. Since security is a team sport, DSI facilitates secure collaboration between partner teams to mitigate identified risks. For instance, if you discover credentials within impacted data, an Entra admin can join the investigation to securely view the extracted credentials and take necessary next steps to reset the accounts. You can use investigation learnings to refine existing policies to strengthen your organization's security practices. In the future, DSI will include features like the ability to purge overshared risky files and more. We’ve integrated DSI with the products you already use today, allowing you to launch pre-scoped data security investigations from Microsoft Defender XDR and Microsoft Purview Insider Risk Management. When reviewing a security incident in Defender XDR, you can start a data security investigation directly from the incident graph to gain insight into the impacted content. DSI findings equip the SOC with much-needed visibility into a security incident’s impact on data so they can prioritize their incidents based on the sensitivity and severity of data loss. When evaluating a risky user with Insider Risk Management, you can now launch a Data Security Investigation and analyze data at scale with AI-powered deep content analysis. DSI’s distinctive investigative capabilities enhance cross-product protection across Microsoft Security. With AI at its core, DSI is designed to tackle the most complex, high volume, and time-sensitive data security incidents, redefining how data security teams investigate and mitigate risk. DSI offers pay-as-you-go billing giving you the flexibility, scalability and cost efficiency you need. Beginning April 9, DSI will be available in public preview. This is another key step in our journey to secure and govern your data – we look forward to hearing your feedback and continuing to invest in DSI. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Get started Try DSI: Your Global Admin can begin using DSI by activating Purview pay-as-you-go meters and provision Security Compute Units when rollout of public preview begins on April 9. Learn more: Tune into our Microsoft Mechanics episode for a full demo. Share feedback: We’d love to hear from you! Email DSIfeedback@microsoft.com with feedback about DSI. [1] IBM Cost of a Data Breach Report 2024 [2] Microsoft Data Security Index View the full article
  19. Windows Server
    Generative AI adoption is accelerating, with AI transformation happening in real-time across various industries. This rapid adoption is reshaping how organizations operate and innovate, but it also introduces new challenges that require careful attention. At Ignite last fall, we announced several new capabilities to help organizations secure their AI transformation. These capabilities were designed to address top customer priorities such as preventing data oversharing, safeguarding custom AI, and preparing for emerging AI regulations. Organizations like Cummins, KPMG, and Mia Labs have leveraged these capabilities to confidently strengthen their AI security and governance efforts. However, despite these advancements, challenges persist. One major concern is the rise of shadow AI—applications used without IT or security oversight. In fact, 78% of AI users report bringing their own AI tools, such as ChatGPT and DeepSeek, into the workplace1. Additionally, new threats, like indirect prompt injection attacks, are emerging, with 77% of organizations expressing concerns and 11% of organizations identifying them as a critical risk2. To address these challenges, we are excited to announce new features and capabilities that help customers do the following: Prevent risky access and data leakage in shadow AI with granular access controls and inline data security capabilities Manage AI security posture across multi-cloud and multi-model environments Detect and respond to new AI threats, such as indirect prompt injections and wallet abuse Secure and govern data in Microsoft 365 Copilot and beyond In this blog, we’ll explore these announcements and demonstrate how they help organizations navigate AI adoption with confidence, mitigating risks, and unlocking AI’s full potential on their transformation journey. Prevent risky access and data leakage in shadow AI With the rapid rise of generative AI, organizations are increasingly encountering unauthorized employee use of AI applications without IT or security team approval. This unsanctioned and unprotected usage has given rise to “shadow AI,” significantly heightening the risk of sensitive data exposure. Today, we are introducing a set of access and data security controls designed to support a defense-in-depth strategy, helping you mitigate risks and prevent data leakage in third-party AI applications. Real-time access controls to shadow AI The first line of defense against security risks in AI applications is controlling access. While security teams can use endpoint controls to block access for all users across the organization, this approach is often too restrictive and impractical. Instead, they need more granular controls at the user level to manage access to SaaS-based AI applications. Today we are announcing the general availability of the AI web category filter in Microsoft Entra Internet Access to help enforce access controls that govern which users and groups have access to different AI applications. Internet Access deep integration with Microsoft Entra ID extends Conditional Access to any AI application, enabling organizations to apply AI access policies with granularity. By using Conditional Access as the policy control engine, organizations can enforce policies based on user roles, locations, device compliance, user risk levels, and other conditions, ensuring secure and adaptive access to AI applications. For example, with Internet Access, organizations can allow your strategy team to experiment with all or most consumer AI apps while blocking those apps for highly privileged roles, such as accounts payable or IT infrastructure admins. For even greater security, organizations can further restrict access to all AI applications if Microsoft Entra detects elevated identity risk. Inline discovery and protection of sensitive data Once users gain access to sanctioned AI applications, security teams still need to ensure that sensitive data isn’t shared with those applications. Microsoft Purview provides Data Loss Prevention (DLP) capabilities to prevent users from sending sensitive data to AI applications. Today, we are announcing enhanced Purview data security capabilities for the browser available in preview in the coming weeks. The new inline discovery & protection controls within Microsoft Edge for Business detect and block sensitive data from being sent to AI apps in real-time, even if typed directly. This prevents sensitive data leaks as users interact with consumer AI applications, starting with ChatGPT, Google Gemini, and DeepSeek. For example, if an employee attempts to type sensitive details about an upcoming merger or acquisition into Google Gemini to generate a written summary, the new inline protection controls in Microsoft Purview will block the prompt from being submitted, effectively blocking the potential leaks of confidential data to an unsanctioned AI app. This augments existing DLP controls for Edge for Business, including protections that prevent file uploads and the pasting of sensitive content into AI applications. Since inline protection is built natively into Edge for Business, newly deployed policies automatically take effect in the browser even if endpoint DLP is not deployed to the device. Figure 1: Inline DLP in Edge for Business prevents sensitive data from being submitted to consumer AI applications like Google Gemini by blocking the action. The new inline protection controls are integrated with Adaptive Protection to dynamically enforce different levels of DLP policies based on the risk level of the user interacting with the AI application. For example, admins can block low-risk users from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for elevated-risk users. Learn more about inline discovery & protection in the Edge for Business browser in this blog. In addition to the new capabilities within Edge for Business, today we are also introducing Purview data security capabilities for the network layer available in preview starting in early May. Enabled through integrations with Netskope and iboss to start, organizations will be able to extend inline discovery of sensitive data to interactions between managed devices and untrusted AI sites. By integrating Purview DLP with their SASE solution (e.g. Netskope and iBoss), data security admins can gain visibility into the use of sensitive data on the network as users interact with AI applications. These interactions can originate from desktop applications such as the ChatGPT desktop app or Microsoft Word with a ChatGPT plugin installed, or non-Microsoft browsers such as Opera and Brave that are accessing AI sites. Using Purview Data Security Posture Management (DSPM) for AI, admins will also have visibility into how these interactions contribute to organizational risk and can take action through DSPM for AI policy recommendations. For example, if there is a high volume of prompts containing sensitive data sent to ChatGPT, DSPM for AI will detect and recommend a new DLP policy to help mitigate this risk. Learn more about inline discovery for the network, including Purview integrations with Netskope and iBoss, in this blog. Manage AI security posture across multi-cloud and multi-model environments In today’s rapidly evolving AI landscape, developers frequently leverage multiple cloud providers to optimize cost, performance, and availability. Different AI models excel at various tasks, leading developers to deploy models from various providers for different use cases. Consequently, managing security posture across multi-cloud and multi-model environments has become essential. Today, Microsoft Defender for Cloud supports deployed AI workloads across Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock. To further enhance our security coverage, we are expanding AI Security Posture Management (AI-SPM) in Defender for Cloud to improve compatibility with additional cloud service providers and models. This includes: Support for Google Vertex AI models Enhanced support for Azure AI Foundry model catalog and custom models With this expansion, AI-SPM in Defender for Cloud will now offer the discovery of the AI inventory and vulnerabilities, attack path analysis, and recommended actions to address risks in Google VertexAI workloads. Additionally, it will support all models in Azure AI Foundry model catalog, including Meta Llama, Mistral, DeepSeek, as well as custom models. This expansion ensures a consistent and unified approach to managing AI security risks across multi-model and multi-cloud environments. Support for Google Vertex AI models will be available in public preview starting May 1, while support for Azure AI Foundry model catalog and custom models is generally available today. Learn More. Figure 2: Microsoft Defender for Cloud detects an attack path to a DeepSeek R1 workload. In addition, Defender for Cloud will also offer a new data and AI security dashboard. Security teams will have access to an intuitive overview of their datastores and AI services across their multi-cloud environment, top recommendations, and critical attack paths to prioritize and accelerate remediation. The dashboard will be generally available on May 1. Figure 3: The new data & AI security dashboard in Microsoft Defender for Cloud provides a comprehensive overview of your data and AI security posture. These new capabilities reflect Microsoft’s commitment to helping organizations address the most critical security challenges in managing AI security posture in their heterogeneous environments. Detect and respond to new AI threats Organizations are integrating generative AI into their workflows and facing new security risks unique to AI. Detecting and responding to these evolving threats is critical to maintaining a secure AI environment. The Open Web Application Security Project (OWASP) provides a trusted framework for identifying and mitigating such vulnerabilities, such as prompt injection and sensitive information disclosure. Today, we are announcing Threat protection for AI services, a new capability that enhances threat protection in Defender for Cloud, enabling organizations to secure custom AI applications by detecting and responding to emerging AI threats more effectively. Building on the OWASP Top 10 risks for LLM applications, this capability addresses those critical vulnerabilities highlighted on the top 10 list, such as prompt injections and sensitive information disclosure. Threat protection for AI services helps organizations identify and mitigate threats to their custom AI applications using anomaly detection and AI-powered insights. With this announcement, Defender for Cloud will now extend its threat protection for AI workloads, providing a rich suite of new and enriched detections for Azure OpenAI Service and models in the Azure AI Foundry model catalog. New detections include direct and indirect prompt injections, novel attack techniques like ASCII smuggling, malicious URL in user prompts and AI responses, wallet abuse, suspicious access to AI resources, and more. Security teams can leverage evidence-based security alerts to enhance investigation and response actions through integration with Microsoft Defender XDR. For example, in Microsoft Defender XDR, a SOC analyst can detect and respond to a wallet abuse attack, where an attacker exploits an AI system to overload resources and increase costs. The analyst gains detailed visibility into the attack, including the affected application, user-entered prompts, IP address, and other suspicious activities performed by the bad actor. With this information, the SOC analyst can take action and block the attacker from accessing the AI application, preventing further risks. This capability will be generally available on May 1. Learn More. Figure 4: Security teams can investigate new detections of AI threats in Defender XDR. Secure and govern data in Microsoft 365 Copilot and beyond Data oversharing and non-compliant AI use are significant concerns when it comes to securing and governing data in Microsoft Copilots. Today, we are announcing new data security and compliance capabilities. New data oversharing insights for unclassified data available in Microsoft Purview DSPM for AI: Today, we are announcing the public preview of on-demand classification for SharePoint and OneDrive. This new capability gives data security admins visibility into unclassified data stored in SharePoint and OneDrive and enables them to classify that data on demand. This helps ensure that Microsoft 365 Copilot is indexing and referencing files in its responses that have been properly classified. Previously, unclassified and unscanned files did not appear in DSPM for AI oversharing assessments. Now admins can initiate an on-demand data classification scan, directly from the oversharing assessment, ensuring that older or previously unscanned files are identified, classified, and incorporated into the reports. This allows organizations to detect and address potential risks more comprehensively. For example, an admin can initiate a scan of legacy customer contracts stored in a specified SharePoint library to detect and classify sensitive information such as account numbers or contact information. If these newly classified documents match the classifiers included in any existing auto-labeling policies, they will be automatically labeled. This helps ensure that documents containing sensitive information remain protected when they are referenced in Microsoft 365 Copilot interactions. Learn More. Figure 5: Security teams can trigger on-demand classification scan results in the oversharing assessment in Purview DSPM for AI. Secure and govern data in Security Copilot and Copilot for Fabric for Power BI: We are excited to announce the public preview of Purview for Security Copilot and Copilot for Power BI, offering DSPM for AI, Insider Risk Management, and data compliance controls, including eDiscovery, Audit, Data Lifecycle Management, and Communication Compliance. These capabilities will help organizations enhance data security posture, manage compliance, and mitigate risks more effectively. For example, admins can now use DSPM for AI to discover sensitive data in user prompts and agent responses in Security Copilot and detect unethical or risky AI usage. Figure 6: Purview’s DSPM for AI provides admins with comprehensive reports on user activities and data interactions in Copilot for Power BI, as part of the Copilot in Fabrice experience, and Security Copilot. DSPM Discoverability for Communication Compliance: This new feature in Communication Compliance, which will be available in public preview starting May 1, enables organizations to quickly create policies that detect inappropriate messages that could lead to data compliance risks. The new recommendation card on the DSPM for AI page offers a one-click policy creation in Microsoft Purview Communication Compliance, simplifying the detection and mitigation of potential threats, such as regulatory violations or improperly shared sensitive information. With these enhanced capabilities for securing and governing data in Microsoft 365 Copilot and beyond, organizations can confidently embrace AI innovation while maintaining strict security and compliance standards. Explore additional resources As organizations embrace AI, securing and governing its use is more important than ever. Staying informed and equipped with the right tools is key to navigating its challenges. Explore these resources to see how Microsoft Security can help you confidently adopt AI in your organization. Learn more about Security for AI solutions on our webpage Get started with Microsoft Purview Get started with Microsoft Defender for Cloud Sign up for a free Microsoft 365 E5 Security Trial and Microsoft Purview Trial Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. [1] 2024 Work Trend Index Annual Report, Microsoft and LinkedIn, May 2024, N=31,000. [2] Gartner®, Gartner Peer Community Poll – If your org’s using any virtual assistants with AI capabilities, are you concerned about indirect prompt injection attacks? GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. View the full article
  20. Windows
    Work doesn't look the same as it did a few years ago. As an IT or Security professional, you're now expected to provide mainstream support for flexible work arrangements, including personal devices. Cybersecurity threats have become more frequent and sophisticated, making it increasingly challenging for you to protect sensitive organizational data. And with AI integrated into daily workflows, ensuring secure and compliant AI usage has quickly become your priority. Since most PC usage occurs in the browser1, it's essential to secure the browser as part of your overall endpoint security strategy. Fortunately, you already have a browser pre-installed on Windows ready to tackle these challenges. Edge for Business is a secure enterprise browser optimized for AI, designed to meet the needs of your entire organization as a single browser for work, across work and personal devices. It extends the enterprise-grade protections from your Microsoft 365 E3 and E5 licenses, at no additional cost and without the hassle of extensions. And it supports the latest in Microsoft security—from phishing and malware protection, to enabling conditional access, to safeguarding sensitive data—offering a comprehensive secure enterprise browser solution. Building on this strong foundation, today we're announcing new native data protection in Edge for Business: the extension of data security controls to personal or unmanaged devices, and inline discovery and protection for consumer AI apps. Peace of mind with secure access to corporate resources for personal devices Today, you see more personal and unmanaged devices on your network than ever—and you need to ensure that they access corporate resources safely. Unlike corporate devices, personal and unmanaged devices have traditionally been outside IT admin control and often lacking necessary security configurations, making them more susceptible to malware and data breaches. But now, these devices can be addressed with tools already within your reach: the powerful combination of Edge for Business, Intune, and Purview. Together, they provide a comprehensive secure enterprise browser solution for BYOD. Intune and Purview work together in Edge for Business to create a secure, context-aware BYOD browsing experience. It starts with Intune performing device health checks before granting access to corporate resources, ensuring that only devices meeting specific security standards can access corporate data. This is complemented by app protection policies that enforce all access to corporate resources through Edge for Business. But you don't only want to lock out unpatched devices and ensure that the right people have access, you also want corporate data to be handled correctly. With Purview data security controls now extending to Edge for Business on personal and unmanaged devices, organizations can create nuanced, real-time, and context-aware data security policies that balance protection with productivity. This means that different levels of access and protection can be applied based on the sensitivity of the data and the context in which it is accessed. For instance, you can allow employees using personal devices for work to download benefits brochures that do not contain any sensitive information but block the download of records that contain personal contact information or social security numbers. This preview will be available with Microsoft 365 E5 licenses in the coming weeks. For organizations requiring consistent data protection across users' work profiles, Intune provides secure personal and unmanaged device access to corporate resources with extensive app protection and configuration capabilities included in Microsoft 365 E3 plans. By using Intune app protection and Purview data security controls in Edge for Business, you can ensure your organization is well-equipped to protect sensitive data from exfiltration or mismanagement, whether it's a managed device or BYOD. New controls to prevent data leaks from typed prompts in consumer AI apps You play a pivotal role in unleashing user productivity with AI, without compromising on security. With 75% of users already utilizing AI at work2, you may be worried about what employees are typing into consumer AI apps, such as ChatGPT, DeepSeek, and more. It may feel like you don't have control, but with the combination of Edge for Business and Purview, you can prevent users from inadvertently leaking sensitive data through unsanctioned AI app usage. The new inline protection capability in Purview allows admins to prevent users from submitting typed prompts containing sensitive data to consumer AI apps, starting with ChatGPT, DeepSeek, Google Gemini, and Microsoft Copilot. As a secure enterprise browser optimized for AI, Edge for Business also enables you to restrict access to public AI services that may not meet your organization's compliance requirements. How does inline protection work? First, when a user in an unmanaged browser on a PC attempts to use a consumer AI app, they can be directed to Edge for Business for a more secure and controlled environment. Once there, the new Purview inline data loss prevention policies are applied. Text prompts can be audited and blocked from being sent based on the sensitive content and the risk-level of the user entering the data, helping you maintain control over the data processed by consumer AI apps. For instance, you can audit an interaction in which a low-risk user submits a prompt containing sensitive data, while blocking the same submission from an elevated-risk user. This inline protection capability builds on the existing native Purview protections in Edge for Business, such as preventing upload of sensitive files or copy and pasting sensitive data into a web apps. Inline protection is now available in preview with Microsoft 365 E5 licenses. It's hard to stay ahead of AI use in the organization. You need controls—now. As a secure enterprise browser optimized for AI, Edge for Business offers an essential set of AI controls, and will continue evolving to meet your AI needs. Get started today with the secure enterprise browser Edge for Business is your ally in addressing today's challenges. As a secure enterprise browser optimized for AI, it provides your organization with a comprehensive approach to securing the browser as an endpoint, without sacrificing productivity. Learn more about the new data protection in Edge for Business today 1 Microsoft telemetry, 2025. 2 2024 Annual Work Trend Index from Microsoft and LinkedIn.View the full article
  21. Windows 11
    We are a corporate customer who are at present managing our transition from Windows 10 22H2 to Windows 11 24H2. On one of our devices we have the following error: InstallAccessDenied  Severity Error Owner Customer Action Description Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, antimalware, or a backup program is currently scanning. Recommended action The Windows Update services could not access the necessary system locations, please retry the installation. (This can often occur with 3rd party security prodView the full article
  22. Windows 11
    Had drivers updated and after reboot the Bluetooth icon 7& functionality disappear in my laptopView the full article
  23. Windows 11
    I have a box for HP Audio Switch on my screen which interferes with my ability to read the screen or to scroll downward. I want to get rid of this box.View the full article
  24. Windows Server
    When we introduced Microsoft Security Copilot last year, we set out to transform the way defenders approach cybersecurity. As one of the industry's first generative AI solutions for security and IT teams, Security Copilot is empowering teams to catch what others miss, respond faster, and strengthen team expertise in an evolving threat landscape. Customers like Eastman are already seeing the impact. “I’m finding that I can ask [Security Copilot] about attack factors that I’ve never seen before and get answers much faster”, said David Yates, Senior Cybersecurity Analyst at Eastman. “That helps me to make a better decision and respond faster to an attacker.” A recent study of Copilot users showed that using Security Copilot reduced mean time to resolution by 30%, helping accelerate response times and minimizing the impact of security incidents. But as defenders evolve, so have attackers. Adversaries are now leveraging AI to launch more sophisticated attacks with unprecedented speed and scale. Security and IT teams – already overwhelmed by a huge volume of alerts, data, and threats – are struggling to keep up. Traditional automation, while useful, lacks the flexibility and adaptability to keep up. Today, we’re taking the next leap forward in generative AI-powered cybersecurity. I am thrilled to introduce agents in Microsoft Security Copilot. AI-powered agents represent the natural evolution of Security Copilot, going beyond AI assistant capabilities. They autonomously manage high-volume security and IT tasks, seamlessly integrated with Microsoft Security solutions and partner solutions. Purpose-built for security, these agents learn from feedback, adapt to organizational workflows with your team fully in-control, and operate securely within Microsoft’s Zero-Trust framework. Delivering powerful automation across threat protection, identity management, data security, and IT operations, these agents empower teams to accelerate responses, prioritize risks, and drive efficiency at scale. By reducing manual workloads, they enhance operational effectiveness and strengthen overall security posture – allowing defenders to stay ahead. To bring this automation to life, we’re introducing six security agents from Microsoft and five security agents from partners which will be available for preview in April. Empowering security and IT teams with Security Copilot agents Our goal is to provide generative AI-powered security for everyone. Integrating Copilot with Microsoft Security products helps IT and security teams benefit from increased speed and accuracy. Now, you can use embedded Security Copilot agents with capabilities specific to use cases for your role in the products you know and love: Phishing Triage Agent SOC analysts often face the challenge of managing hundreds of user-submitted phishing alerts each week, with each alert taking up to 30 minutes for manual triage. This process requires meticulous sifting through submissions to find the needle in the haystack – the genuine threat amidst all the noise. Security Copilot solves this challenge with an AI-powered agent embedded in Microsoft Defender, that works in the background to autonomously triage user-submitted phishing incidents. Powered by advanced multi-modal AI tools, it determines whether an alert is a genuine phishing attempt or a false alarm with exceptional precision. The agent not only delivers natural language explanations for its decisions but also dynamically refines its detection capabilities based on analyst feedback. By alleviating the burden of reactive work, it empowers SOC analysts to focus on proactive security measures, ultimately strengthening the organization's overall security posture. Learn more about the Phishing Triage Agent here. Alert Triage Agents for Data Loss Prevention and Insider Risk Management Data security admins regularly struggle to manage the volume of alerts they receive daily, addressing only about 60% of them due to time and resource constraints1. The Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM) identify the alerts that pose the greatest risk to your organization and should be prioritized first. These agents analyze the content and potential intent involved in an alert, based on the organization’s chosen parameters and selected policies, to categorize alerts based on the impact they have on sensitive data. Additionally, they provide a comprehensive explanation on the logic behind that categorization, allowing admins to analyze a risk in just a few minutes. These agents empower data security teams to focus on the most important alerts and concentrate on the critical threats, with a dynamic process that takes inputs from data security admins in natural language and fine-tunes the triage results to better match the organizations’ priorities. The agent learns from this feedback, using that rationale to calibrate the prioritization of future alerts in DLP and IRM. Learn more about the Alert Triage Agents for DLP and IRM here. Conditional Access Optimization Agent As organizations grow, identity and IT admins must continuously ensure that access policies adapt to new employees, contractors, SaaS apps, and more – keeping security intact without adding complexity. But as their environments evolve, keeping Conditional Access (CA) policies up to date becomes increasingly difficult. New users and apps can slip through, and exclusions can go unaddressed, creating security risks. Even with routine reviews, manually auditing policies and adjusting coverage can take days or weeks –yet gaps can still go unnoticed. The CA Optimization Agent in Microsoft Entra changes that for admins, automating the detection and resolution of policy drift. This agent continuously monitors for newly created users and applications, analyzing their alignment with existing CA policies, and proactively detects security gaps in real time. Unlike static automation, it recommends optimizations and provides one-click fixes, helping admins refine policy coverage effortlessly while ensuring a strong, adaptive security posture. Learn more about the CA Optimization Agent here. Vulnerability Remediation Agent Managing security vulnerabilities is a growing challenge for organizations, as the volume of CVEs and limited resources make it difficult to prioritize and implement critical fixes effectively. Microsoft Intune is designed for organizations that need a modern, cloud-powered approach to endpoint management, one that not only simplifies IT operations but strengthens security in an evolving threat landscape. IT admins require more than just visibility into vulnerabilities; they need a proactive, risk-based security strategy that continuously assesses risk and automates remediation to minimize exposure. That’s why Intune is introducing the Vulnerability Remediation Agent—a solution built to help organizations stay ahead of emerging threats. By leveraging Microsoft Defender Vulnerability Management, the agent automatically identifies, evaluates, and prioritizes vulnerabilities. It continuously monitors newly published threats, assesses their risk levels, and offers clear, actionable recommendations for remediation. With continuous vulnerability detection, risk-based prioritization and guided remediation, the agent reduces exposure time while freeing up IT teams to focus on strategic initiatives. This is the first step toward designing vulnerability remediation at scale. A future, comprehensive approach will work across device platforms, address vulnerabilities in third-party applications, and remediate using configuration changes. Learn more about the Vulnerability Remediation Agent here. Threat Intelligence Briefing Agent Cyber Threat Intelligence analysts often face data overload and resource constraints when sourcing the threat intelligence needed to help their organizations understand, prioritize, and respond to critical threats. Crafting a threat intelligence briefing for security teams and executives can take hours—or even days—due to the constant evolution of both the threat landscape and an organization’s attack surface. The Threat Intelligence Briefing Agent in Security Copilot dramatically expedites this process. It automatically curates up-to-date, context-specific intelligence tailored to your organization’s unique profile and attack surface. Operating autonomously in the background, it taps into Microsoft’s extensive threat intelligence resources (including Microsoft Defender Threat Intelligence and Microsoft Defender External Surface Management) to deliver prioritized reports in just 4-5 minutes. This tool not only cuts down on manual effort but also highlights the most pressing threats and provides actionable recommendations, ensuring your team stays well-informed and ready to respond. Learn more about the Threat Intelligence Briefing Agent here. Extending agentic capabilities with partner solutions We are grateful to our partners who continue to play a vital role in empowering everyone to confidently adopt safe and responsible AI. Our growing partner ecosystem seamlessly integrates Security Copilot with established tools across various applications. Today, I am pleased to share five new upcoming agents in partner solutions, with many more to come. Privacy Breach Response agent by OneTrust analyzes a data breach based on type of data, geographic jurisdiction, and regulatory requirements to generate guidance for the privacy team on how to meet those requirements. Network Supervisor by Aviatrix determines why a VPN, Gateway, or Site2Cloud connection is down and provides information about the failure. SecOps Tooling Agent by BlueVoyant assesses your security operations center (SOC) and state of controls to make recommendations to optimize security operations to improve controls, efficacy, and compliance. Alert Triage Agent by Tanium provides analysts with necessary context to quickly and confidently make a decision on each alert. Task Optimizer Agent by Fletch helps organizations forecast and prioritize the most critical threat alerts to reduce alert fatigue and improve security. Learn more about our partner integrations at aka.ms/partnerintegrations. Get Started with Security Copilot Agents Microsoft Security Copilot agents will be available in preview starting April 27. To get started with Security Copilot, check out the (TBD: quick start video or visit the Security Copilot product page) for more information. Already using Security Copilot? Make sure you’re signed up for the Security Copilot Customer Connection Program (CCP) to receive the latest updates and features—join today at aka.ms/JoinCCP. Learn more about the latest innovations at the Microsoft Secure digital event on April 9, 2025. Register now. With agents, Security Copilot continues to lead the way in AI-powered cybersecurity, helping organizations defend against threats faster, smarter, and with greater confidence. View the full article
  25. Windows 11
    When I open ZOMM, and turn on camera, the screen left side appears black with a diffuse border towards the centerView the full article
  26. Windows 11
    Hello, since updating my BIOS from F.20 to F.34, I have been experiencing a lot of performance issues leading to most games being unplayable due to such low FPS which should not be the case considering my specs (detailed below). I have tried the easy fixes such as a clean install of windows, update all drivers etc but with no luck. I can confirm there is no cooling issues, my temperatures are always well within range, even under load. I was wondering if anyone has an installer for a BIOS version prior to F.34(F.20 if possible) for me to test if this was the issue? I have tried to download the View the full article
  1. Load more activity
×
×
  • Create New...