From 068fc1632558cc82a332f3004da4fbcafae57bc3 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 22:39:27 +0530
Subject: [PATCH 01/29] added windows 11
After reading this article, I found Windows 11 is missing, so I added it into this article.
I need help from @JohanFreelancer9 for his assistance
---
...lization-based-protection-of-code-integrity.md | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index ea7806d09a..1af50efd7d 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -19,8 +19,9 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
-This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
+This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11.
Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
@@ -34,9 +35,9 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
-## How to turn on HVCI in Windows 10
+## How to turn on HVCI in Windows 10 and Windows 11
-To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
+To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy)
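Review bot: Renaming the heading to "## How to turn on HVCI in Windows 10 and Windows 11" changes the anchor generated from it, so any link that targets the old "#how-to-turn-on-hvci-in-windows-10" fragment will stop resolving. Search the repo for that fragment and update the links, or make the heading version-neutral (for example "How to turn on HVCI") so it does not need editing for each release; the intro sentence and the **Applies to** list already carry the version information.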
@@ -80,7 +81,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
-#### For Windows 10 version 1607 and later
+#### For Windows 10 version 1607 and later, For Windows 11 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
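Review bot: The new heading "#### For Windows 10 version 1607 and later, For Windows 11 21H2" capitalizes the second "For" mid-heading and drops "version" before 21H2, unlike "Windows 10 version 1607" earlier in the same line. Suggest "For Windows 10 version 1607 and later and for Windows 11 version 21H2".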
@@ -194,17 +195,17 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
### Validate enabled Windows Defender Device Guard hardware-based security features
-Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
+Windows 10, Windows 11 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
```
> [!NOTE]
-> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
+> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
> [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 21H2.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
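Review bot: The edited note now states that *Win32\_DeviceGuard* is "only available on the Enterprise edition of Windows 10 and Windows 11", which extends an edition restriction to Windows 11 by text substitution alone. Please confirm it on a Windows 11 device before merging, since readers run this query to validate that HVCI is actually enabled and a wrong edition claim sends them looking for a different check. Smaller points in the same hunk: "Windows 10, Windows 11 and Windows Server 2016" needs a serial comma, and "Windows 11 21H2" should read "Windows 11 version 21H2" to match "Windows 10 version 1803".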
From 3769f89f6e63ecb5d8ea5f4f667e153e7c9406db Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 12 Nov 2021 11:18:20 +0530
Subject: [PATCH 02/29] Update
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
Accepted
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 1af50efd7d..afe3d97a04 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -81,7 +81,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
-#### For Windows 10 version 1607 and later, For Windows 11 21H2
+#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
From 8cdeaf2f40f4af5a08a90e16aaea910b5bf9335b Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 12 Nov 2021 12:19:46 +0530
Subject: [PATCH 03/29] Update
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
Accepted
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index afe3d97a04..947d55b387 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -195,7 +195,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
### Validate enabled Windows Defender Device Guard hardware-based security features
-Windows 10, Windows 11 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
+Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
From aa3793980e384d17ce344770e003640a5295e898 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 12 Nov 2021 12:20:04 +0530
Subject: [PATCH 04/29] Update
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
Accepted
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 947d55b387..6dea84f15c 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -205,7 +205,7 @@ Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windo
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
> [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 21H2.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
From d93f5e693751373616b547916f2b048985ac9fe1 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Tue, 16 Nov 2021 21:32:50 +0530
Subject: [PATCH 05/29] added windows 11
After reading this article, I found Windows 11 is missing, so I added Windows 11.
---
.../security-policy-settings/user-rights-assignment.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 6760680ea6..e32051cb2c 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -22,6 +22,7 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.
From 58a9eb3c3efee8ee57860f9793c6954b0eb466a0 Mon Sep 17 00:00:00 2001
From: sravanigannavarapu
<95500630+sravanigannavarapu@users.noreply.github.com>
Date: Mon, 6 Dec 2021 13:35:18 -0800
Subject: [PATCH 06/29] Update audit-registry.md
Add a note about expected events on Create Subkey.
---
.../security/threat-protection/auditing/audit-registry.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 6ab435279c..bc39c3d697 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -46,6 +46,7 @@ If success auditing is enabled, an audit entry is generated each time any accoun
- [4670](event-4670.md)(S): Permissions on an object were changed.
-> [!NOTE]
-> On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys you will see an additional 4663 event because you perform NtEnumerateKeys on the newly created subkey. You might additionally see a 4663 event on the newly created key if you try to rename the subkey. While using reg.exe for creating subkeys you'll see an additional 4663 event because you perform NtSetValueKey on the newly created subkey. We recommend not relying on 4663 events for subkey creation as they are dependent on the type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe.
+> [!NOTE]
+> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+Calls to Registry APIs which involve accessing the key to perform any operations like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
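Review bot: The second added line, starting "Calls to Registry APIs which involve", has no "> " prefix, so it renders as body text after the [!NOTE] block instead of inside it. Beyond formatting, the replacement reverses what the removed note said about regedit.exe: the old text said creating a subkey with regedit.exe produces an additional 4663 event, while the new text says it "would not trigger a 4663 event". Anyone building detections on 4656 and 4663 needs to know which statement is correct, so please state the OS build this was verified on, and keep the removed recommendation about not relying on 4663 for subkey creation if it still holds. The switch to "We see this event" and "we do not see this event" should also go back to second person, as in the removed text.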
From 5b6c9a109afd42e4d8defd11eb61c6086761822e Mon Sep 17 00:00:00 2001
From: sravanigannavarapu
<95500630+sravanigannavarapu@users.noreply.github.com>
Date: Wed, 8 Dec 2021 14:25:58 -0800
Subject: [PATCH 07/29] Update audit-registry.md
---
windows/security/threat-protection/auditing/audit-registry.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index bc39c3d697..f24a23d4fc 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -49,4 +49,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
-Calls to Registry APIs which involve accessing the key to perform any operations like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
+Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
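Review bot: "Registry API's" in the added line uses a possessive apostrophe for a plural; it should be "Registry APIs", as the line it replaces had it. The line still lacks the "> " prefix, so it continues to sit outside the [!NOTE] block above it.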
From a7fe5dc5142478e23c41c6791d5e22c7cf9f2f5a Mon Sep 17 00:00:00 2001
From: msarcletti <56821677+msarcletti@users.noreply.github.com>
Date: Thu, 9 Dec 2021 16:38:48 +0100
Subject: [PATCH 08/29] Update policy-csp-networklistmanager.md
Additional information on how to use and configure AllowedTlsAuthenticationEndpoints and ConfiguredTLSAuthenticationNetworkName
---
.../mdm/policy-csp-networklistmanager.md | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index ced9fe042a..686aaecb14 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -58,7 +58,16 @@ manager: dansimp
-This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+When entering a list of TLS Endpoints in MEM (Microsoft Endpoint Management), you must follow this format even in the UI:
+``````
+- The HTTPS endpoint must not have any additional authentication checks such as login or multi-factor authentication.
+- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
+- The client must trust the server certificate, so the CA cert the HTTPS server cert chains to must be present in the client machines root certificate store.
+- A certificate should not be a public certificate.
+
+
+
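Review bot: The fenced block that follows "you must follow this format even in the UI:" is empty in this hunk, so the required format is never shown; put the example list with the 0xF000 separator inside the fence. In the bullets, "A certificate should not be a public certificate" does not say which certificate is meant or what "public" means here, and it uses "should" where the other bullets use "must"; since a successful HTTPS connection is what marks the network as authenticated, this requirement needs to be precise. The three blank lines added at the end of the hunk can be dropped, and "MEM (Microsoft Endpoint Management)" should use the product's actual name.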
@@ -91,7 +100,7 @@ This policy setting provides the list of URLs (separated by Unicode character 0x
-This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy.
+This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an Always On VPN profile, it must be the DNS suffix configured in the TrustedNetworkDetection attribute.
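Review bot: The added sentence refers to "the TrustedNetworkDetection attribute" without saying where that attribute is defined. Name the CSP or profile element it belongs to and link to it, so the reader can find the DNS suffix value that this setting has to match.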
From 1a41dd2059c10e60ec6c7e519cf22b418c6126b4 Mon Sep 17 00:00:00 2001
From: Nimisha Satapathy
Date: Fri, 10 Dec 2021 11:04:29 +0530
Subject: [PATCH 09/29] Update
windows/client-management/mdm/policy-csp-networklistmanager.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 686aaecb14..e1d8281bb6 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -61,7 +61,7 @@ manager: dansimp
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
When entering a list of TLS Endpoints in MEM (Microsoft Endpoint Management), you must follow this format even in the UI:
``````
-- The HTTPS endpoint must not have any additional authentication checks such as login or multi-factor authentication.
+- The HTTPS endpoint must not have any additional authentication checks, such as login or multifactor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
- The client must trust the server certificate, so the CA cert the HTTPS server cert chains to must be present in the client machines root certificate store.
- A certificate should not be a public certificate.
From dff2610703e38f778819aff3e9a85e24b39ed63e Mon Sep 17 00:00:00 2001
From: Nimisha Satapathy
Date: Fri, 10 Dec 2021 11:04:55 +0530
Subject: [PATCH 10/29] Update
windows/client-management/mdm/policy-csp-networklistmanager.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index e1d8281bb6..21039fb51c 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -59,7 +59,8 @@ manager: dansimp
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
-When entering a list of TLS Endpoints in MEM (Microsoft Endpoint Management), you must follow this format even in the UI:
+
+When entering a list of TLS endpoints in Microsoft Endpoint Manager, you should follow this format, even in the UI:
``````
- The HTTPS endpoint must not have any additional authentication checks, such as login or multifactor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
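Review bot: Changing "you must follow this format" to "you should follow this format" weakens a requirement into a recommendation. If input in any other format is not accepted, "must" is the accurate word and should stay; the rest of the rewording (product name, lowercase "endpoints", the comma) is fine.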
From c798567889191eedab6c0c7fb6895246c7e6dec2 Mon Sep 17 00:00:00 2001
From: Nimisha Satapathy
Date: Fri, 10 Dec 2021 11:05:05 +0530
Subject: [PATCH 11/29] Update
windows/client-management/mdm/policy-csp-networklistmanager.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 21039fb51c..5c296ad42b 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -64,7 +64,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you should
``````
- The HTTPS endpoint must not have any additional authentication checks, such as login or multifactor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
-- The client must trust the server certificate, so the CA cert the HTTPS server cert chains to must be present in the client machines root certificate store.
+- The client must trust the server certificate, so the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
- A certificate should not be a public certificate.
From 726dd867bef292d80a0d43eb27b886a9ae0344fc Mon Sep 17 00:00:00 2001
From: Nimisha Satapathy
Date: Fri, 10 Dec 2021 11:05:15 +0530
Subject: [PATCH 12/29] Update
windows/client-management/mdm/policy-csp-networklistmanager.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 5c296ad42b..ffd0fbfd0b 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -68,8 +68,6 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you should
- A certificate should not be a public certificate.
-
-
From 77c6b849d4942f7e39442f4b4c5e9d6344afa250 Mon Sep 17 00:00:00 2001
From: msarcletti <56821677+msarcletti@users.noreply.github.com>
Date: Fri, 10 Dec 2021 09:01:04 +0100
Subject: [PATCH 13/29] Update
windows/client-management/mdm/policy-csp-networklistmanager.md
Using this format is not a 'should' but a 'must', otherwise it just doesn't work.
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index ffd0fbfd0b..37197c7b20 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -60,7 +60,7 @@ manager: dansimp
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
-When entering a list of TLS endpoints in Microsoft Endpoint Manager, you should follow this format, even in the UI:
+When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
``````
- The HTTPS endpoint must not have any additional authentication checks, such as login or multifactor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
From f1bff3c3f844a5a38a4edf3a043311952986b30b Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 10 Dec 2021 20:02:53 +0530
Subject: [PATCH 14/29] added professional, enterprise editions
As per user feedback #10185, so I added professional and enterprise editions for Windows 11 and 11.
---
.../credential-guard/credential-guard-requirements.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 095e9ddef9..bcd7516d2d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -21,10 +21,10 @@ ms.date: 09/30/2020
## Applies to
-- Windows 10
-- Windows 11
-- Windows Server 2016
+- Windows 11 Professional and Enterprise
+- Windows 10 Professional and Enterprise
- Windows Server 2019
+- Windows Server 2016
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
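Review bot: "Professional" in the two new **Applies to** entries is not the edition's name; the edition is "Pro", so if Pro is really in scope the entries should read "Windows 11 Pro and Enterprise" and "Windows 10 Pro and Enterprise". Please also cite the source for the edition claim in the PR (the commit message mentions feedback #10185), because the paragraph below the list speaks only of hardware, firmware, and software requirements and nothing in this hunk backs support on a particular edition. The reordering of the two Windows Server entries is unrelated to the stated purpose and is better left out of this change.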
@@ -155,4 +155,4 @@ The following table lists qualifications for Windows 10, version 1703, which are
>
> - Do not attempt to directly modify executable system memory
>
-> - Do not use dynamic code
\ No newline at end of file
+> - Do not use dynamic code
From c17c1baf592811bf5d9b717f191a2ecfd4b29dfd Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 13 Dec 2021 19:56:04 +0500
Subject: [PATCH 15/29] Update update-compliance-using.md
---
windows/deployment/update/update-compliance-using.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index d27fd0af96..b79203ce61 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -33,7 +33,7 @@ Update Compliance:
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
-After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
+After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, then select your Update Compliance deployment in the **Solutions** section and click on **Summary** to see this tile:

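Review bot: In the rewritten sentence, "log analytics workspace" should be capitalized as "Log Analytics workspace", matching the "[Log Analytics](#using-log-analytics)" link in the context above, and "click on **Summary**" should be "select **Summary**" to stay consistent with "select your Update Compliance deployment" earlier in the same sentence.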
@@ -93,4 +93,4 @@ See below for a few topics related to Log Analytics:
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
\ No newline at end of file
+[Get started with Update Compliance](update-compliance-get-started.md)
From f0aae708c6bac7417e086a4398f84b14f0d1ec17 Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Tue, 14 Dec 2021 15:07:31 +0200
Subject: [PATCH 16/29] add info about
Accounts_EnableAdministratorAccountStatus
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9927
---
...policy-csp-localpoliciessecurityoptions.md | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index e8dc4d3729..22c1583ceb 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -23,6 +23,9 @@ manager: dansimp
LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
+
+ LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
+
LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
@@ -222,6 +225,54 @@ The following list shows the supported values:
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This setting allows the administrator to enable the local Administrator account.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP Friendly name: *Accounts: Enable Administrator Account Status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+The following list shows the supported values:
+
+- 0 - disabled (local Administrator account is disabled).
+- 1 - enabled (local Administrator account is enabled).
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
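Review bot: The description "This setting allows the administrator to enable the local Administrator account." and the supported values list do not say which value is the default, so a reader cannot tell what an unconfigured device does; mark the default next to 0 or 1. Because the setting controls whether the built-in Administrator account can be used at all, a sentence on when 1 is appropriate would help administrators reviewing a baseline. The hunk also adds long runs of empty lines between sections (five after the edition table, for example); trim them unless the page template requires them as placeholders.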
From f8d9e6786a04f8abdde1024a1f8567b03626cd3c Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:12:55 -0800
Subject: [PATCH 17/29] Update policy-csp-localpoliciessecurityoptions.md
---
.../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 22c1583ceb..c23aac08e5 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 09/29/2021
+ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
From 4f9114b898ddb8b6066ba167f7789ddd84b47f38 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:15:26 -0800
Subject: [PATCH 18/29] Update credential-guard-requirements.md
---
.../credential-guard/credential-guard-requirements.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index bcd7516d2d..59826162ce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -14,7 +14,7 @@ ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
-ms.date: 09/30/2020
+ms.date: 12/16/2021
---
# Windows Defender Credential Guard: Requirements
From e89fcd498e8171268c12860a1ce3941d0d986376 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:16:31 -0800
Subject: [PATCH 19/29] Update policy-csp-networklistmanager.md
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 37197c7b20..227d198378 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
-ms.date: 7/10/2021
+ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
From e25e95d5e0a5da97f567510907689330ffaf03e0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:19:26 -0800
Subject: [PATCH 20/29] Update audit-registry.md
---
windows/security/threat-protection/auditing/audit-registry.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index f24a23d4fc..31014f7b9a 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 09/06/2021
+ms.date: 12/16/2021
ms.technology: windows-sec
---
From 6eaa1b9928818f8aa2dbf6ac28dcab5d324dfb02 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:20:27 -0800
Subject: [PATCH 21/29] Update
windows/security/threat-protection/auditing/audit-registry.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/security/threat-protection/auditing/audit-registry.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 31014f7b9a..ff99ab6148 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -48,5 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
-> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (Event 4656) issued by the object manager. We see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, we do not see this event with the setting to just see the registry related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+
Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
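Review bot: In the rewritten note, the auditpol command is still wrapped in straight quotes inside running prose ("auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable"). Suggest code formatting for the command, and for RegCreateKey, so the GUID and switches can be copied without the surrounding quotation marks. The "Audit Object Access" setting name is quoted while the other UI paths in the same sentence are bold; one convention for both would read better.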
From 88ee40a7f3dbef9fe969623332417b2a1a95bea4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:20:49 -0800
Subject: [PATCH 22/29] Update
windows/security/threat-protection/auditing/audit-registry.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/security/threat-protection/auditing/audit-registry.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index ff99ab6148..306872fcbc 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -50,4 +50,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
-Calls to Registry API's to access an open key object to perform an operation like RegSetValue, RegEnumValue, RegRenameKey etc. would trigger an event to access the object (Event 4663). So for example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
+Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
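Review bot: Read together with the note above it, the rewritten paragraph implies that, with only the Audit Registry subcategory enabled, creating a subkey produces neither event 4656 nor event 4663, but the text never states that outcome directly. Suggest adding one sentence that says so, because it is the case that someone relying on registry auditing to detect key creation most needs to know. Smaller points on the same line: "would trigger" can be "trigger", and RegSetValue, RegEnumValue, RegRenameKey and regedit.exe would be clearer in code formatting.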
From c9e9c75f6decaf3c0e09df28a720a3126ab7471e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:21:50 -0800
Subject: [PATCH 23/29] Update user-rights-assignment.md
---
.../security-policy-settings/user-rights-assignment.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index e32051cb2c..e2a05656b9 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 12/16/2021
ms.technology: windows-sec
---
From 758f7c4f6b55576725b63ee396a7a1b2d0ee1eda Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 16 Dec 2021 11:23:10 -0800
Subject: [PATCH 24/29] Update
enable-virtualization-based-protection-of-code-integrity.md
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 6dea84f15c..e58975aade 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 07/30/2021
+ms.date: 12/16/2021
ms.reviewer:
ms.technology: windows-sec
---
From fa1d74c654219a03419c220cb04d96919ffb406b Mon Sep 17 00:00:00 2001
From: Tina Burden
Date: Thu, 16 Dec 2021 12:10:17 -0800
Subject: [PATCH 25/29] Update
windows/deployment/update/update-compliance-using.md
---
windows/deployment/update/update-compliance-using.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index b79203ce61..aae829eff7 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -33,7 +33,7 @@ Update Compliance:
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
-After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, then select your Update Compliance deployment in the **Solutions** section and click on **Summary** to see this tile:
+After Update Compliance is successfully [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, select your Update Compliance deployment in the **Solutions** section, and then select **Summary** to see this tile:

From ca2b3e9865bbb36217e8ea53700bfcec18ad9a37 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 16 Dec 2021 22:26:39 -0800
Subject: [PATCH 26/29] Changes to improve Acrolinx score
This article had a score of 76, which is too low to merge. These changes should raise the score to about 92.
---
.../mdm/policy-csp-networklistmanager.md | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 227d198378..8dc3a74c3b 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - NetworkListManager
-description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
+description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
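Review bot: The new description line is ungrammatical: "Policy CSP - NetworkListManager is a setting creates a new MDM policy." is missing a word between "setting" and "creates". Suggest "Policy CSP - NetworkListManager is a setting that creates a new MDM policy.", or keep the original single sentence, which was already correct.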
@@ -61,16 +61,18 @@ manager: dansimp
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
-``````
-- The HTTPS endpoint must not have any additional authentication checks, such as login or multifactor authentication.
+
+``
+
+- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication.
+
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
-- The client must trust the server certificate, so the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
+
+- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
+
- A certificate should not be a public certificate.
-
-
-
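Review bot: The line that follows "you must follow this format, even in the UI:" is now an empty inline code span, so the format that the sentence promises is not shown to the reader. Suggest restoring the example endpoint list in a fenced block, including the 0xF000 separator that the preceding paragraph describes. In the first bullet, "must not have any more authentication checks" reads as "no longer has" rather than "no additional"; "additional" or "other" keeps the original meaning. In the certificate bullet, the new second sentence starts with "So", and "Therefore," or rejoining the two sentences would read better.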
@@ -99,7 +101,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must fo
-This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an Always On VPN profile, it must be the DNS suffix configured in the TrustedNetworkDetection attribute.
+This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
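Review bot: Splitting the first sentence changes what it says: "the string that is to be used to name a network. That network is authenticated against one of the endpoints" now asserts that the network is authenticated, where the original named the network that has been authenticated against one of the listed endpoints. Suggest "provides the string used to name the network that is authenticated against one of the endpoints listed in the NetworkListManager/AllowedTlsAuthenticationEndpoints policy", which also supplies the missing "the" before the policy name.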
From 87fa3696cdf5667b1f7ad672af72c399b4f8fa5a Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 16 Dec 2021 22:27:41 -0800
Subject: [PATCH 27/29] Add image borders and one lightbox
---
windows/deployment/update/update-compliance-using.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index aae829eff7..4c35caa25b 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -35,17 +35,17 @@ Update Compliance:
## The Update Compliance tile
After Update Compliance is successfully [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, select your Update Compliance deployment in the **Solutions** section, and then select **Summary** to see this tile:
-
+:::image type="content" alt-text="Update Compliance tile no data." source="images/UC_tile_assessing.png":::
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
-
+:::image type="content" alt-text="Update Compliance tile with data." source="images/UC_tile_filled.png":::
The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
## The Update Compliance workspace
-
+:::image type="content" alt-text="Update Compliance workspace view." source="images/UC_workspace_needs_attention.png" lightbox="images/UC_workspace_needs_attention.png":::
When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data.
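Review bot: The new alt-text values are terser than the ones they replace; "Update Compliance tile no data." drops the separator and the word "yet" from "Update Compliance tile - No data yet" and no longer reads as a sentence. Suggest descriptive sentences such as "Update Compliance tile showing that no data is available yet." The subject line says image borders are added, but none of the added lines sets a border attribute; if the border comes from a default of the :::image::: syntax, the commit message could say so.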
From 6e5a55aef4537fd5f9f07313ed1e08fc6a65b6c9 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 16 Dec 2021 22:41:11 -0800
Subject: [PATCH 28/29] Restoring commit after force-push
This deletion of a space restores changes that I made in commit https://github.com/MicrosoftDocs/windows-docs-pr/pull/6103/commits/ca2b3e9865bbb36217e8ea53700bfcec18ad9a37 that were wiped by force push a moment later.
---
windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 8dc3a74c3b..22a950170a 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -18,7 +18,7 @@ manager: dansimp
-## NetworkListManager policies
+## NetworkListManager policies
-
From 340b0c93c0ba163e14f4578f73f9672f68b2bf14 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 16 Dec 2021 22:42:10 -0800
Subject: [PATCH 29/29] Restoring changes that were wiped by force-push
This deletion of a space restores the changes that I made in commit https://github.com/MicrosoftDocs/windows-docs-pr/pull/6103/commits/87fa3696cdf5667b1f7ad672af72c399b4f8fa5a, which were wiped by a force-push a moment later.
---
windows/deployment/update/update-compliance-using.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 4c35caa25b..9789b8c171 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -26,7 +26,7 @@ ms.custom: seo-marvel-apr2020
In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
-Update Compliance:
+Update Compliance:
- Provides detailed deployment monitoring for Windows client feature and quality updates.
- Reports when devices need attention due to issues related to update deployment.
- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).