diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
index b371495760..dd0f7055f5 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md
@@ -27,11 +27,16 @@ To configure Windows Firewall to log dropped packets or successful connections,
> [!TIP]
> You can also configure Windows Firewall by using an *TBD* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
-Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Firewall CSP][CSP-1].
-| Setting |
-|--------|
-| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `1`|
+| Network profile | Setting |
+|--------| - |
+| Domain | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets`|
+| Domain | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath`|
+| Private | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets`|
+| Private | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath`|
+| Public | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets`|
+| Public | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath)
**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath`|
# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
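Review bot: the added table rows give only the setting name and OMA-URI, while the removed row also carried **Data type** and **Value**; without those two fields a reader cannot build the custom policy, so add them to each of the six rows. The section is introduced as logging "dropped packets or successful connections", but no row covers successful connections. The link label now reads `[Firewall CSP][CSP-1]`, yet this hunk does not touch the `[CSP-1]` reference definition, so confirm it no longer points at the DeviceGuard CSP. The unchanged TIP above still contains the `*TBD*` placeholder and links to the Account protection profile page, and the separator row `|--------| - |` should use the same dash style in both columns.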
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
index dad089eb5b..4ead383383 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
@@ -90,7 +90,7 @@ To create an inbound firewall rule for a program or service:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
-1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
+1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select**Next**
> [!NOTE]
> Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select**This program path**
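Review bot: the changed step fixes the space before `**Custom**` but leaves `select**Next**` on the same line, and the neighbouring steps have the same defect (`select**Inbound Rules**`, `select**New rule**`, `select**This program path**`); fix them together so the bold text renders consistently. The NOTE below the changed step also still starts with the template text "Information the user should notice even if skimming" run into "Although", which should be removed.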
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
index 1217da01e1..37d303f00e 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md
@@ -1,6 +1,6 @@
---
title: Quarantine behavior
-description: Quarantine behavior is explained in detail.
+description: Learn about Windows Firewall and the quarantine feature behavior.
ms.topic: conceptual
ms.date: 11/14/2023
---
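Review bot: `ms.date` stays at `11/14/2023` in this front matter although the patch changes the article's description and body, whereas tools.md gets its `ms.date` bumped in the same patch; update it here as well if the date is meant to track the last content change.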
@@ -21,7 +21,7 @@ The quarantine feature creates filters that can be split into three categories:
- Quarantine default inbound block filter
- Quarantine default exception filters
-- Interface un-quarantine filters
+- Interface unquarantine filters
These filters are added in the `FWPM_SUBLAYER_MPSSVC_QUARANTINE` sublayer and these layers are:
@@ -37,26 +37,26 @@ For more information about WFP layers and sublayers, see [WFP Operation](/window
### Quarantine default inbound block filter
-The *quarantine default inbound block filter* blocks any new non-loopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer.
+The *quarantine default inbound block filter* blocks any new nonloopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer.
### Quarantine default exception filters
When the interface is in quarantine state, the quarantine default exception filters permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.
-### Interface un-quarantine filter
+### Interface unquarantine filter
-The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized.
+The interface unquarantine filters allow all nonloopback packets if the interface is successfully categorized.
## Quarantine flow
The following events describe the general flow of quarantine:
1. There's some change on the current network interface
-1. The interface un-quarantine filters don't permit new inbound connections. The interface is now in quarantine state
-1. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter
+1. The interface unquarantine filters don't permit new inbound connections. The interface is now in quarantine state
+1. All nonloopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter
1. The WFP filters applicable to the old interface state are removed
-1. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state
-1. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets
+1. The WFP filters applicable to the new interface state are added, which include the unquarantine filters for this interface. These filters are updated to match the interface's current state
+1. The interface has now exited quarantine state as the interface unquarantine filters permit any new nonloopback packets
## Quarantine diagnostics
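Review bot: in the changed sentence under "Quarantine default inbound block filter", the clause "unless the packet isn't explicitly permitted by another filter" is a double negative that inverts the intended meaning; since the line is being edited anyway, change it to "unless the packet is explicitly permitted by another filter in the quarantine sublayer". Renaming the heading to "Interface unquarantine filter" also changes its generated anchor, so check for inbound links to the old one. The heading is singular while the list item in the previous hunk and the body text say "filters".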
@@ -64,7 +64,7 @@ There are two methods of identifying packet drops from the quarantine default in
Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:
-```console
+```cmd
Netsh wfp cap start
Netsh wfp cap stop
@@ -166,7 +166,7 @@ Alternatively, If the Filtering Platform Connection failure auditing is enabled,
To enable Filtering Platform Connection audits, run the following command in an administrative command prompt:
-```console
+```cmd
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
```
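Review bot: the command in this block passes `/category:"System"` together with `/SubCategory:"Filtering Platform Connection"`, but that subcategory belongs to the Object Access category, so confirm what the combined switches actually enable and correct or drop `/category`. The surrounding text relies only on failure audits to identify drops, while `/success:enable` also logs every permitted connection, which is high volume on a busy host; consider `/failure:enable` alone or a sentence about the log impact and how to turn the audit off after troubleshooting.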
@@ -177,8 +177,8 @@ Sample drop audit with `filterOrigin` as `Quarantine Default`.
Once the drop's filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
```Powershell
-Get-NetIPInterface –InterfaceIndex
-Get-NetIPInterface –InterfaceIndex 5
+Get-NetIPInterface -InterfaceIndex
+Get-NetIPInterface -InterfaceIndex 5
```

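Review bot: the first line of the block, `Get-NetIPInterface -InterfaceIndex`, has no argument after the en-dash fix, so it reads as a runnable command but will not run as pasted; add a visible placeholder for the index value or keep only the `-InterfaceIndex 5` example. The fence tag ` ```Powershell ` is capitalised while the other fences changed in this file use lowercase `cmd`; lowercase it for consistency.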
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
index 075afbe659..1de1d50dd3 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
+++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
@@ -9,7 +9,7 @@ items:
href: tools.md
- name: Configure with Microsoft Intune 🔗
href: /mem/intune/protect/endpoint-security-firewall-policy
- - name: Configure with GPO
+ - name: Configure with group policy
href: configure.md
- name: Configure with command line tools
href: configure-with-command-line.md
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/tools.md b/windows/security/operating-system-security/network-security/windows-firewall/tools.md
index e4d5485358..69becc531a 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/tools.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/tools.md
@@ -1,7 +1,7 @@
---
title: Windows Firewall tools
description: Learn about the available tools to configure Windows Firewall and firewall rules.
-ms.date: 11/15/2023
+ms.date: 11/20/2023
ms.topic: best-practice
---
@@ -125,7 +125,7 @@ Shields up can be achieved by checking **Block all incoming connections, includi
:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
-By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
+By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access can't work as long as shields up is active.
Once the emergency is over, uncheck the setting to restore regular network traffic.
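Review bot: the changed paragraph still says "The *shield up* option" in its second sentence while the rest of the paragraph and the hunk header use "shields up"; fix the name in the same edit. "Uncheck the setting" in the following line could also name the setting so the recovery step is unambiguous.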
@@ -135,7 +135,7 @@ From the following dropdown, select one of tools to learn how to configure Windo
> [!div class="op_single_selector"]
>
-> - [Configure with Microsoft Intune 🔗](/mem/intune/protect/endpoint-security-firewall-policy)
+> - [Configure with Microsoft Intune 🔗][INT-1]
> - [Configure with GPO](configure.md)
> - [Configure with command line tools](configure-with-command-line.md)
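Review bot: the selector entry `[Configure with GPO](configure.md)` is left unchanged here, while toc.yml in this same patch renames that item to "Configure with group policy"; update the label so the two stay in sync. Only the Intune entry moves to a reference-style link (`[INT-1]`), leaving the other two inline; either style is fine, but pick one for the list.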
@@ -143,3 +143,4 @@ From the following dropdown, select one of tools to learn how to configure Windo
[SEC-1]: windowsdefender://network/
[CSP]: /windows/client-management/mdm/firewall-csp
+[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy