Merge branch 'master' into PerfmonLogUser-Correction

windows/security/identity-protection/TOC.yml

@@ -1,132 +0,0 @@
-- name: Identity and access management
-  href: index.md
-  items: 
-    - name: Technical support policy for lost or forgotten passwords
-      href: password-support-policy.md
-    - name: Access Control Overview
-      href: access-control/access-control.md
-      items: 
-        - name: Dynamic Access Control Overview
-          href: access-control/dynamic-access-control.md
-        - name: Security identifiers
-          href: access-control/security-identifiers.md
-        - name: Security Principals
-          href: access-control/security-principals.md
-        - name: Local Accounts
-          href: access-control/local-accounts.md
-        - name: Active Directory Accounts
-          href: access-control/active-directory-accounts.md
-        - name: Microsoft Accounts
-          href: access-control/microsoft-accounts.md
-        - name: Service Accounts
-          href: access-control/service-accounts.md
-        - name: Active Directory Security Groups
-          href: access-control/active-directory-security-groups.md
-        - name: Special Identities
-          href: access-control/special-identities.md
-        - name: User Account Control
-          href: user-account-control\user-account-control-overview.md
-          items: 
-            - name: How User Account Control works
-              href: user-account-control\how-user-account-control-works.md
-            - name: User Account Control security policy settings
-              href: user-account-control\user-account-control-security-policy-settings.md
-            - name: User Account Control Group Policy and registry key settings
-              href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md
-    - name: Windows Hello for Business
-      href: hello-for-business/index.yml
-    - name: Protect derived domain credentials with Credential Guard
-      href: credential-guard/credential-guard.md
-      items: 
-        - name: How Credential Guard works
-          href: credential-guard/credential-guard-how-it-works.md
-        - name: Credential Guard Requirements
-          href: credential-guard/credential-guard-requirements.md
-        - name: Manage Credential Guard
-          href: credential-guard/credential-guard-manage.md
-        - name: Hardware readiness tool
-          href: credential-guard/dg-readiness-tool.md
-        - name: Credential Guard protection limits
-          href: credential-guard/credential-guard-protection-limits.md
-        - name: Considerations when using Credential Guard
-          href: credential-guard/credential-guard-considerations.md
-        - name: "Credential Guard: Additional mitigations"
-          href: credential-guard/additional-mitigations.md
-        - name: "Credential Guard: Known issues"
-          href: credential-guard/credential-guard-known-issues.md
-    - name: Protect Remote Desktop credentials with Remote Credential Guard
-      href: remote-credential-guard.md
-    - name: Smart Cards
-      href: smart-cards/smart-card-windows-smart-card-technical-reference.md
-      items: 
-        - name: How Smart Card Sign-in Works in Windows
-          href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
-          items: 
-            - name: Smart Card Architecture
-              href: smart-cards/smart-card-architecture.md
-            - name: Certificate Requirements and Enumeration
-              href: smart-cards/smart-card-certificate-requirements-and-enumeration.md
-            - name: Smart Card and Remote Desktop Services
-              href: smart-cards/smart-card-and-remote-desktop-services.md
-            - name: Smart Cards for Windows Service
-              href: smart-cards/smart-card-smart-cards-for-windows-service.md
-            - name: Certificate Propagation Service
-              href: smart-cards/smart-card-certificate-propagation-service.md
-            - name: Smart Card Removal Policy Service
-              href: smart-cards/smart-card-removal-policy-service.md
-        - name: Smart Card Tools and Settings
-          href: smart-cards/smart-card-tools-and-settings.md
-          items: 
-            - name: Smart Cards Debugging Information
-              href: smart-cards/smart-card-debugging-information.md
-            - name: Smart Card Group Policy and Registry Settings
-              href: smart-cards/smart-card-group-policy-and-registry-settings.md
-            - name: Smart Card Events
-              href: smart-cards/smart-card-events.md
-        - name: Virtual Smart Cards
-          href: virtual-smart-cards\virtual-smart-card-overview.md
-          items: 
-            - name: Understanding and Evaluating Virtual Smart Cards
-              href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md
-              items: 
-                - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
-                  href: virtual-smart-cards\virtual-smart-card-get-started.md
-                - name: Use Virtual Smart Cards
-                  href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md
-                - name: Deploy Virtual Smart Cards
-                  href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md
-                - name: Evaluate Virtual Smart Card Security
-                  href: virtual-smart-cards\virtual-smart-card-evaluate-security.md
-            - name: Tpmvscmgr
-              href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md
-    - name: Enterprise Certificate Pinning
-      href: enterprise-certificate-pinning.md
-    - name: Windows 10 credential theft mitigation guide abstract
-      href: windows-credential-theft-mitigation-guide-abstract.md
-    - name: Configure S/MIME for Windows 10
-      href: configure-s-mime.md
-    - name: VPN technical guide
-      href: vpn\vpn-guide.md
-      items: 
-        - name: VPN connection types
-          href: vpn\vpn-connection-type.md
-        - name: VPN routing decisions
-          href: vpn\vpn-routing.md
-        - name: VPN authentication options
-          href: vpn\vpn-authentication.md
-        - name: VPN and conditional access
-          href: vpn\vpn-conditional-access.md
-        - name: VPN name resolution
-          href: vpn\vpn-name-resolution.md
-        - name: VPN auto-triggered profile options
-          href: vpn\vpn-auto-trigger-profile.md
-        - name: VPN security features
-          href: vpn\vpn-security-features.md
-        - name: VPN profile options
-          href: vpn\vpn-profile-options.md
-        - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
-          href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
-        - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
-          href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
-        - name: Optimizing Office 365 traffic with the Windows 10 VPN client
-          href: vpn\vpn-office-365-optimization.md

windows/security/identity-protection/change-history-for-access-protection.md

@@ -1,36 +0,0 @@
----
-title: Change history for access protection (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 08/11/2017
-ms.reviewer: 
----
-
-# Change history for access protection
-This topic lists new and updated topics in the [Access protection](index.md) documentation.
-
-## August 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
-
-## June 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New | 
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|

windows/security/identity-protection/configure-s-mime.md

@@ -1,5 +1,5 @@
 ---
-title: Configure S/MIME for Windows 10
+title: Configure S/MIME for Windows
 description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
 ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
 ms.reviewer: 
@@ -19,16 +19,17 @@ ms.date: 07/27/2017
 ---
 
 
-# Configure S/MIME for Windows 10
+# Configure S/MIME for Windows
 
 **Applies to**
--   Windows 10
+- Windows 10
+- Windows 11
 
-S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
+S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
 
 ## About message encryption
 
-Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
+Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
 
 Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
 
@@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been
 
 On the device, perform the following steps: (add select certificate)
 
-1.  Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.)
+1.  Open the Mail app.
 
 2.  Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
 

windows/security/identity-protection/hello-for-business/hello-faq.yml

@@ -219,4 +219,5 @@ sections:
           
       - question: Does Windows Hello for Business work with Mac and Linux clients?
         answer: |
-          Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
+          Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. 
+          

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -80,7 +80,9 @@ To include the on-premises distinguished name in the certificate's subject, Azur
 Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
 
 1. Open **Synchronization Services** from the **Azure AD Connect** folder.
+
 2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
+
 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
 
 ### Verify the onPremisesDistinguishedName attribute is synchronized
@@ -88,9 +90,13 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
 The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
 
 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
+
 2. Click **Login** and provide Azure credentials
+
 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory.  Click **Go**
+
 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and the value is accurate for the given user.
+
    ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
 
 ## Prepare the Network Device Enrollment Services (NDES) Service Account
@@ -102,9 +108,13 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. Open **Active Directory Users and Computers**.
+
 2. Expand the domain node from the navigation pane.
+
 3. Right-click the **Users** container. Hover over **New** and click **Group**.
+
 4. Type **NDES Servers** in the **Group Name** text box.
+
 5. Click **OK**.
 
 ### Add the NDES server to the NDES Servers global security group
@@ -112,8 +122,11 @@ Sign-in to a domain controller or management workstation with access equivalent
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. Open **Active Directory Users and Computers**.
+
 2. Expand the domain node from the navigation pane.
-3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role.  Click **Add to a group...**.
+
+3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role.  Click **Add to a group**.
+
 4. Type **NDES Servers** in **Enter the object names to select**.  Click **OK**.  Click **OK** on the **Active Directory Domain Services** success dialog.
 
 > [!NOTE]
@@ -126,8 +139,11 @@ The Network Device Enrollment Services (NDES) role runs under a service account.
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. In the navigation pane, expand the node that has your domain name.  Select **Users**.
+
 2. Right-click the **Users** container. Hover over **New** and then select **User**.  Type **NDESSvc** in  **Full Name** and **User logon name**. Click **Next**.
+
 3. Type a secure password in **Password**.  Confirm the secure password in **Confirm Password**.  Clear **User must change password at next logon**.  Click **Next**.
+
 4. Click **Finish**.
 
 > [!IMPORTANT]
@@ -140,15 +156,25 @@ The Group Policy object ensures the NDES Service account has the proper user rig
 Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
+
 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
 3. Right-click **Group Policy object** and select **New**.
+
 4. Type **NDES Service Rights** in the name box and click **OK**.
+
 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
+
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
+
 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+
 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+
 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** three times.
+
 11. Close the **Group Policy Management Editor**.
 
 ### Configure security for the NDES Service User Rights Group Policy object
@@ -158,10 +184,15 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
+
 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
 3. Double-click the **NDES Service User Rights** Group Policy object.
+
 4. In the **Security Filtering** section of the content pane, click **Add**.  Type **NDES Servers** or the name of the security group you previously created and click **OK**.
+
 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+
 6. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
 
 ### Deploy the NDES Service User Rights Group Policy object
@@ -171,7 +202,9 @@ The application of the **NDES Service User Rights** Group Policy object uses sec
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
+
 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
+
 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
 
 > [!IMPORTANT]
@@ -197,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad
 
 1. Open an elevated command prompt and type the following command:
 
-   ```
+   ```console
    certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
    ```
 
@@ -210,18 +243,26 @@ NDES uses a server authentication certificate to authenticate the server endpoin
 Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
+
 2. Right-click **Certificate Templates** and click **Manage**.
+
 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
+
 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
 
    > [!NOTE]
    > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
 
 5. On the **Subject** tab, select **Supply in the request**.
+
 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+
 7. On the **Security** tab, click **Add**.
+
 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+
 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
 10. Click on the **Apply** to save changes and close the console.
 
 ### Create an Azure AD joined Windows Hello for Business authentication certificate template
@@ -231,20 +272,30 @@ During Windows Hello for Business provisioning,  Windows requests an authenticat
 Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
 
 1. Open the **Certificate Authority** management console.
+
 2. Right-click **Certificate Templates** and click **Manage**.
+
 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
 
    > [!NOTE]
    > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
 
 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.
+
 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+
 8. On the **Subject** tab, select **Supply in the request**.
+
 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list.  Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
+
 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
+
 11. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+
 12. Close the console.
 
 ### Publish certificate templates
@@ -257,10 +308,15 @@ The certificate authority may only issue certificates for certificate templates
 Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
+
 2. Expand the parent node from the navigation pane.
+
 3. Click **Certificate Templates** in the navigation pane.
+
 4. Right-click the **Certificate Templates** node.  Click **New**, and click **Certificate Template** to issue.
+
 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps.  Click **OK** to publish the selected certificate templates to the certificate authority.
+
 6. Close the console.
 
 ## Install and Configure the NDES Role
@@ -282,18 +338,31 @@ Install the Network Device Enrollment Service role on a computer other than the
 Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
 
 1. Open **Server Manager** on the NDES server.
+
 2. Click **Manage**.  Click **Add Roles and Features**.
+
 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Click **Next**.  Click **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Click **Next**.
+
    ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
+
 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
+
    ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
+
    Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
-   ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png)
+
+   ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png)
+
 5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
+
    ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
+
 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
+
    ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
+
 7. Click **Next** on the **Web Server Role (IIS)** page.
+
 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
 
    - **Web Server > Security > Request Filtering**
@@ -303,10 +372,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
    - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
 
    ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
+
 9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
+
    > [!IMPORTANT]
    > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
-   ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)
+
+   ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png)
 
 ### Configure the NDES service account
 
@@ -317,8 +389,11 @@ This task adds the NDES service account to the local IIS_USRS group.  The task a
 Sign-in the NDES server with access equivalent to _local administrator_.
 
 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
+
 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
+
 3. In the **IIS_IUSRS Properties** dialog box, click **Add**.  Type **NDESSvc** or the name of your NDES service account.  Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
+
 4. Close the management console.
 
 #### Register a Service Principal Name on the NDES Service account
@@ -326,13 +401,16 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 Sign-in the NDES server with access equivalent to _Domain Admins_.
 
 1. Open an elevated command prompt.
+
 2. Type the following command to register the service principal name
 
-   ```
+   ```console
    setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
    ```
+
    where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\).  An example of the command looks like the following:
-   ```
+
+   ```console
    setspn -s http/ndes.corp.contoso.com contoso\ndessvc
    ```
 
@@ -348,17 +426,29 @@ The NDES service enrolls certificates on behalf of users.  Therefore, you want t
 Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 1. Open **Active Directory Users and Computers**
+
 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
+
    ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
+
 3. Select **Trust this user for delegation to specified services only**.
+
 4. Select **Use any authentication protocol**.
+
 5. Click **Add**.
+
 6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **HOST**.  Click **OK**.
+
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+
 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
+
 8. Click **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Click **OK**.
+
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
+
    ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+
 10. Click **OK**.  Close **Active Directory Users and Computers**.
 
 ### Configure the NDES Role and Certificate Templates
@@ -375,18 +465,31 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
 
 1. Click the **Configure Active Directory Certificate Services on the destination server** link.
+
 2. On the **Credentials** page, click **Next**.
+
    ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
+
 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
+
    ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
+
 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Click **Next**.
+
    ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
+
 5. On the **CA for NDES** page, select **CA name**. Click **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Click **Next**.
+
    ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
+
 6. On the **RA Information**, click **Next**.
+
 7. On the **Cryptography for NDES** page, click **Next**.
+
 8. Review the **Confirmation** page.  Click **Configure**.
+
    ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
+
 9. Click **Close** after the configuration completes.
 
 #### Configure Certificate Templates on NDES
@@ -412,18 +515,23 @@ If the need arises, you can configure a signature certificate in the encryption
 Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 1. Open an elevated command prompt.
+
 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+
 3. Type the following command:
 
-   ```
+   ```console
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
    ```
+
    where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices.  Example:
-   ```
+
+   ```console
    reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
    ```
 
 4. Type **Y** when the command asks for permission to overwrite the existing value.
+
 5. Close the command prompt.
 
 > [!IMPORTANT]
@@ -444,21 +552,34 @@ Connector group automatically round-robin, load balance the Azure AD Application
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+
 3. Under **MANAGE**, click **Application proxy**.
+
 4. Click **Download connector service**.  Click **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
+
    ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
+
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
+
    > [!IMPORTANT]
    > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
+
 7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
+
    ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
+
 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
+
    ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
+
 9. When the installation completes. Read the information regarding outbound proxy servers.  Click **Close**.
+
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
+
 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
@@ -466,12 +587,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+
 3. Under **MANAGE**, click **Application proxy**.
+
    ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
+
 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
+
    ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
+
 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
+
 6. Click **Save**.
 
 #### Create the Azure Application Proxy
@@ -479,17 +607,29 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+
 3. Under **MANAGE**, click **Application proxy**.
+
 4. Click **Configure an app**.
+
 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
+
 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, https://ndes.corp.mstepdemo.net).  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
+
 7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+
    ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
+
 8. Select **Passthrough** from the **Pre Authentication** list.
+
 9. Select **NDES WHFB Connectors** from the **Connector Group** list.
+
 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
+
 11. Click **Add**.
+
 12. Sign-out of the Azure Portal.
 
     > [!IMPORTANT]
@@ -502,16 +642,27 @@ This task enrolls a client and server authentication certificate used by the Int
 Sign-in the NDES server with access equivalent to _local administrators_.
 
 1. Start the Local Computer **Certificate Manager** (certlm.msc).
+
 2. Expand the **Personal** node in the navigation pane.
+
 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
+
 4. Click **Next** on the **Before You Begin** page.
+
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
+
 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
+
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
+
    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
+
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
+
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
+
 10. Click **Enroll**
+
 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
 
 ### Configure the Web Server Role
@@ -521,15 +672,25 @@ This task configures the Web Server role on the NDES server to use the server au
 Sign-in the NDES server with access equivalent to _local administrator_.
 
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
+
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
+
    ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
-3. Click **Bindings...*** under **Actions**.  Click **Add**.
+
+3. Click **Bindings...** under **Actions**.  Click **Add**.
+
    ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
+
 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
+
 5. Select the certificate you previously enrolled from the **SSL certificate** list.  Select **OK**.
+
    ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
+
 6. Select **http** from the **Site Bindings** list.  Click **Remove**.
+
 7. Click **Close** on the **Site Bindings** dialog box.
+
 8. Close **Internet Information Services (IIS) Manager**.
 
 ### Verify the configuration
@@ -541,18 +702,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Disable Internet Explorer Enhanced Security Configuration
 
 1. Open **Server Manager**. Click **Local Server** from the navigation pane.
+
 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
+
 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**.  Click **OK**.
+
 4. Close **Server Manager**.
 
 #### Test the NDES web server
 
 1. Open **Internet Explorer**.
+
 2. In the navigation bar, type
 
-   ```
+   ```https
    https://[fqdnHostName]/certsrv/mscep/mscep.dll
    ```
+
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
 
 A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
@@ -560,6 +726,7 @@ A web page similar to the following should appear in your web browser.  If you d
 ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
 
 Confirm the web site uses the server authentication certificate.
+
 ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
@@ -575,23 +742,34 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Configure the Default Web Site
 
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
+
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
+
 3. In the content pane, double-click **Request Filtering**.  Click **Edit Feature Settings...** in the action pane.
+
    ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
+
 4. Select **Allow unlisted file name extensions**.
+
 5. Select **Allow unlisted verbs**.
+
 6. Select **Allow high-bit characters**.
+
 7. Type **30000000** in **Maximum allowed content length (Bytes)**.
+
 8. Type **65534** in **Maximum URL length (Bytes)**.
+
 9. Type **65534** in **Maximum query string (Bytes)**.
+
 10. Click **OK**.  Close **Internet Information Services (IIS) Manager**.
 
 #### Configure Parameters for HTTP.SYS
 
 1. Open an elevated command prompt.
+
 2. Run the following commands:
 
-   ```
+   ```console
    reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
    reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
    ```
@@ -607,10 +785,15 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+
 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
+
 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
+
    ![Intune Certificate Authority.](images/aadjcert/profile01.png)
+
 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
+
 5. Sign-out of the Microsoft Endpoint Manager admin center.
 
 ### Install the Intune Certificate Connector
@@ -618,27 +801,39 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in the NDES server with access equivalent to _domain administrator_.
 
 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
+
 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
+
 3. On the **Microsoft Intune** page, click **Next**.
+
    ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png)
+
 4. Read the **End User License Agreement**.  Click **Next** to accept the agreement and to proceed with the installation.
+
 5. On the **Destination Folder** page, click **Next**.
+
 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
+
    ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png)
+
 7. On the **Client certificate for Microsoft Intune** page, Click **Select**.  Select the certificate previously enrolled for the NDES server. Click **Next**.
+
    ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png)
 
    > [!NOTE]
    > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate.  However, the application rembers the selection and shows it in the next page.
 
 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
+
 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
+
    ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png)
 
    > [!NOTE]
    > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
 
 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
+
     ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)
 
 ### Configure the Intune Certificate Connector
@@ -651,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
    > If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
 
 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect.  Click **Apply**
+
    ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
 
 3. Click **Sign-in**.  Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
+
    ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
 
    > [!IMPORTANT]
@@ -671,9 +868,13 @@ Optionally (not required), you can configure the Intune connector for certificat
 Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
 
 1. Start the **Certification Authority** management console.
+
 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
+
 3. Click the **Security** tab.  Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account).  Click *Check Names*. Click **OK**.  Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission.  Click **OK**.
+
    ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
+
 4. Close the **Certification Authority**
 
 #### Enable the NDES Connector for certificate revocation
@@ -681,8 +882,11 @@ Sign-in the certificate authority used by the NDES Connector with access equival
 Sign-in the NDES server with access equivalent to _domain administrator_.
 
 1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
+
 2. Click the **Advanced** tab.  Select **Specify a different account username and password**.  Type the NDES service account username and password.  Click **Apply**.  Click **OK** to close the confirmation dialog box.  Click **Close**.
+
    ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png)
+
 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
 
 ### Test the NDES Connector
@@ -690,23 +894,28 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 Sign-in the NDES server with access equivalent to _domain admin_.
 
 1. Open a command prompt.
+
 2. Type the following command to confirm the NDES Connector's last connection time is current.
 
-   ```
+   ```console
    reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
    ```
 
 3. Close the command prompt.
+
 4. Open **Internet Explorer**.
+
 5. In the navigation bar, type:
 
-   ```
+   ```console
    https://[fqdnHostName]/certsrv/mscep/mscep.dll
    ```
 
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
    A web page showing a 403 error (similar to the following) should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
+
    ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
+
 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
 
 ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@@ -716,14 +925,23 @@ Sign-in the NDES server with access equivalent to _domain admin_.
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+
 3. Click **Groups**.  Click **New group**.
+
 4. Select **Security** from the **Group type** list.
+
 5. Under **Group Name**, type the name of the group.  For example, **AADJ WHFB Certificate Users**.
+
 6. Provide a **Group description**, if applicable.
+
 7. Select **Assigned** from the **Membership type** list.
+
    ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
+
 8. Click **Members**.  Use the  **Select members** pane to add members to this group. When finished click **Select**.
+
 9. Click **Create**.
 
 ### Create a SCEP Certificate Profile
@@ -731,20 +949,30 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+
 2. Select **Devices**, and then click **Configuration Profiles**.
+
 3. Select **Create Profile**.
+
    ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
+
 4. Select **Windows 10 and later** from the **Platform** list.
+
 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
+
 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
+
 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
+
 8. Select **User** as a certificate type.
+
 9. Configure **Certificate validity period** to match your organization.
 
    > [!IMPORTANT]
    > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
 
 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
+
 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
 
    > [!NOTE]
@@ -752,13 +980,21 @@ Sign-in a workstation with access equivalent to a _domain user_.
    > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
 
 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
+
 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+
 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
+
 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+
 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+
     ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
+
 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+
 18. Click **Next**.
+
 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
 
 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
@@ -766,12 +1002,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
 Sign-in a workstation with access equivalent to a _domain user_.
 
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+
 2. Select **Devices**, and then click **Configuration Profiles**.
+
 3. Click **WHFB Certificate Enrollment**.
+
 4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
+
 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Click **Select groups to include**.
+
    ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
+
 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
+
 7. Click **Review + Save**, and then **Save**.
 
 You have successfully completed the configuration.  Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group.  This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card and Remote Desktop Services (Windows 10)
+title: Smart Card and Remote Desktop Services (Windows)
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card and Remote Desktop Services
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
 

windows/security/identity-protection/smart-cards/smart-card-architecture.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Architecture (Windows 10)
+title: Smart Card Architecture (Windows)
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Architecture
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
 

windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md

@@ -1,5 +1,5 @@
 ---
-title: Certificate Propagation Service (Windows 10)
+title: Certificate Propagation Service (Windows)
 description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 08/24/2021
 ms.reviewer: 
 ---
 
 # Certificate Propagation Service
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
 

windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md

@@ -1,5 +1,5 @@
 ---
-title: Certificate Requirements and Enumeration (Windows 10)
+title: Certificate Requirements and Enumeration (Windows)
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Certificate Requirements and Enumeration
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 
@@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system.
 The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
 
 
-|            **Component**             |                                                                **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10**                                                                 |                                                                                                **Requirements for Windows XP**                                                                                                 |
+|            **Component**             |                                                                **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11**                                                                 |                                                                                                **Requirements for Windows XP**                                                                                                 |
 |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 |   CRL distribution point location    |                                                                                               Not required                                                                                               |             The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=<http://server1.contoso.com/CertEnroll/caname.crl>             |
 |              Key usage               |                                                                                            Digital signature                                                                                             |                                                                                                       Digital signature                                                                                                        |

windows/security/identity-protection/smart-cards/smart-card-debugging-information.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Troubleshooting (Windows 10)
+title: Smart Card Troubleshooting (Windows)
 description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Troubleshooting
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
 

windows/security/identity-protection/smart-cards/smart-card-events.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Events (Windows 10)
+title: Smart Card Events (Windows)
 description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Events
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
 

windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Group Policy and Registry Settings (Windows 10)
+title: Smart Card Group Policy and Registry Settings (Windows)
 description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/23/2021
 ms.reviewer: 
 ---
 
 # Smart Card Group Policy and Registry Settings
 
-Applies to: Windows 10, Windows Server 2016
+Applies to: Windows 10, Windows 11, Windows Server 2016 and above
 
 This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
 

windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md

@@ -1,5 +1,5 @@
 ---
-title: How Smart Card Sign-in Works in Windows (Windows 10)
+title: How Smart Card Sign-in Works in Windows
 description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # How Smart Card Sign-in Works in Windows
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
 

windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Removal Policy Service (Windows 10)
+title: Smart Card Removal Policy Service (Windows)
 description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,17 +12,17 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Removal Policy Service
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016
 
 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
 
-The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
 
 **Smart card removal policy service**
 

windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Cards for Windows Service (Windows 10)
+title: Smart Cards for Windows Service (Windows)
 description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Cards for Windows Service
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
 
@@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot
 
 The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
 
-```
+```PowerShell
 <serviceData
     dependOnService="PlugPlay"
     description="@%SystemRoot%\System32\SCardSvr.dll,-5"

windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Tools and Settings (Windows 10)
+title: Smart Card Tools and Settings (Windows)
 description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Tools and Settings
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
 

windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md

@@ -1,5 +1,5 @@
 ---
-title: Smart Card Technical Reference (Windows 10)
+title: Smart Card Technical Reference (Windows)
 description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ms.reviewer: 
 ---
 
 # Smart Card Technical Reference
 
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
 
 The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
 

windows/security/identity-protection/user-account-control/how-user-account-control-works.md

@@ -1,5 +1,5 @@
 ---
-title: How User Account Control works (Windows 10)
+title: How User Account Control works (Windows)
 description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
 ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
 ms.reviewer: 
@@ -14,21 +14,23 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 11/16/2018
+ms.date: 09/23/2021
 ---
 
 # How User Account Control works
 
 **Applies to**
 -   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
 User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
 
 ## UAC process and interactions
 
-Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
+Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
 
-In order to better understand how this process happens, let's look at the Windows logon process.
+To better understand how this process happens, let's look at the Windows logon process.
 
 ### Logon process
 
@@ -40,17 +42,17 @@ By default, standard users and administrators access resources and run apps in t
 
 When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
 
-A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
+A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
 
 ### The UAC User Experience
 
-When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
+When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
 
 The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
 
 **The consent and credential prompts**
 
-With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
+With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
 
 **The consent prompt**
 
@@ -68,12 +70,12 @@ The following is an example of the UAC credential prompt.
 
 **UAC elevation prompts**
 
-The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user.
+The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
 
 The elevation prompt color-coding is as follows:
 
 -   Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
--   Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item.
+-   Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
 -   Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
 -   Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
 
@@ -87,7 +89,7 @@ The shield icon on the **Change date and time** button indicates that the proces
 
 **Securing the elevation prompt**
 
-The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
+The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
 
 When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
 
@@ -281,7 +283,7 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
 
 Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
 
-Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
+Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
 
 Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
 
@@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl
 
 ### Installer detection technology
 
-Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
+Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
 
 Installer detection only applies to:
 

windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md

@@ -1,5 +1,5 @@
 ---
-title: User Account Control Group Policy and registry key settings (Windows 10)
+title: User Account Control Group Policy and registry key settings (Windows)
 description: Here's a list of UAC  Group Policy and registry key settings that your organization can use to manage UAC.
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -21,7 +21,8 @@ ms.reviewer:
 **Applies to**
 
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 
 ## Group Policy settings
 There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).

windows/security/identity-protection/user-account-control/user-account-control-overview.md

@@ -1,5 +1,5 @@
 ---
-title: User Account Control (Windows 10)
+title: User Account Control (Windows)
 description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
 ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
 ms.reviewer: 
@@ -14,14 +14,15 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 07/27/2017
+ms.date: 09/24/2011
 ---
 
 # User Account Control
 
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
 
 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
 

windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md

@@ -1,5 +1,5 @@
 ---
-title: User Account Control security policy settings (Windows 10)
+title: User Account Control security policy settings (Windows)
 description: You can use security policies to configure how User Account Control works in your organization.
 ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
 ms.reviewer: 
@@ -14,13 +14,16 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
 ---
 
 # User Account Control security policy settings
 
 **Applies to**
 -   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+    
 
 You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
 

windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md

@@ -1,6 +1,6 @@
 ---
-title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10)
-description: Provides a summary of the Windows 10 credential theft mitigation guide.
+title: Windows Credential Theft Mitigation Guide Abstract
+description: Provides a summary of the Windows credential theft mitigation guide.
 ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a
 ms.reviewer: 
 ms.prod: w10
@@ -17,12 +17,12 @@ ms.localizationpriority: medium
 ms.date: 04/19/2017
 ---
 
-# Windows 10 Credential Theft Mitigation Guide Abstract
+# Windows Credential Theft Mitigation Guide Abstract
 
 **Applies to**
 -   Windows 10
 
-This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
+This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
 This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
 
 - Identify high-value assets