mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
Merge branch 'main' into patch-1
commit
1cb0580cd3
@ -63,7 +63,7 @@ To install the Company Portal app, you have some options:
- [What is co-management?](/mem/configmgr/comanage/overview)
- [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Microsoft Entra organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use.
- In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in.
@ -105,7 +105,7 @@ To determine why some applications are blocked from communicating in the network
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.

:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png":::
*Figure 4: Dialog box to allow access*
@ -185,7 +185,7 @@ incoming connections, including those in the list of allowed apps** setting foun
*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*

:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
*Figure 7: Legacy firewall.cpl*
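Review bot: the alt text "Firewall cpl." on the new `:::image:::` element is an abbreviation that means nothing read aloud; since the markdown-to-Learn-image conversion is the whole point of this hunk, take the chance to give it a descriptive alt text such as "Legacy Windows Defender Firewall Control Panel applet", consistent with the caption "*Figure 7: Legacy firewall.cpl*" that follows it.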
@ -208,3 +208,24 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound
## Document your changes
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
## Configure Windows Firewall rules with WDAC tagging policies
Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration:
### Step 1: Deploy WDAC AppId Tagging Policies
A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.
Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.
### Step 2: Configure Firewall Rules using PolicyAppId Tags
- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform.
You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules.
OR
- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.
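Review bot: the parameter in the PowerShell bullet is written with a typographic dash, `–PolicyAppId`, and should be the ASCII hyphen `-PolicyAppId`; PowerShell happens to tolerate the dash, but it does not match the parameter name in the linked New-NetFirewallRule reference and copies badly into scripts and search. The closing sentence of the same bullet, "Multiple User Ids are supported", has no connection to the PolicyAppId tags the section is about and reads as a leftover; either explain what it refers to or drop it. Since the bullet tells the reader to specify one tag at a time without showing the call, a one-line example invocation of New-NetFirewallRule with the tag would make the step actionable. Minor: the bare "OR" line between the two bullets would read better folded into the second bullet, and the step headings use title case ("Deploy WDAC AppId Tagging Policies") while the file's other headings, such as "## Document your changes", use sentence case.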
@ -37,7 +37,7 @@ Access and Remote Access permissions to users and groups. We recommend that you
- Blank
This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK.
This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. To set a blank value, select "Define this policy setting" and leave the Security descriptor empty, then select OK.
- *User-defined input* of the SDDL representation of the groups and privileges
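Review bot: the rewritten Blank procedure is clearer than the ACL-editor wording it replaces, but the UI labels "Define this policy setting" and "Security descriptor" are set in quotation marks; Learn style uses bold for UI element names, so **Define this policy setting** and **Security descriptor** would match how the rest of the security policy settings pages mark controls. The retained first sentence, "This value represents how the local security policy deletes the policy enforcement key", still does not say what "Blank" means to the reader (that an empty security descriptor removes the enforced value rather than denying everyone), and is worth tightening while this paragraph is being touched.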