updates

windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md

@@ -27,11 +27,16 @@ To configure Windows Firewall to log dropped packets or successful connections,
 > [!TIP]
 > You can also configure Windows Firewall by using an *TBD* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
 
-Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].
+Alternatively, you can configure devices using a [custom policy][INT-1] with the [Firewall CSP][CSP-1].
 
-| Setting |
-|--------|
-| **Setting name**: Turn On Virtualization Based Security<br>**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`<br>**Data type**: int<br>**Value**: `1`|
+| Network profile | Setting |
+|--------| - |
+| Domain | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets`|
+| Domain | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath`|
+| Private | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets`|
+| Private | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath`|
+| Public | **Setting name**: [EnableLogDroppedPackets](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets`|
+| Public | **Setting name**: [LogFilePath](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath)<br>**OMA-URI**: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath`|
 
 # [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
 

windows/security/operating-system-security/network-security/windows-firewall/quarantine.md

@@ -1,6 +1,6 @@
 ---
 title: Quarantine behavior
-description: Quarantine behavior is explained in detail.
+description: Learn about Windows Firewall and the quarantine feature behavior.
 ms.topic: conceptual
 ms.date: 11/14/2023
 ---
@@ -21,7 +21,7 @@ The quarantine feature creates filters that can be split into three categories:
 
 - Quarantine default inbound block filter
 - Quarantine default exception filters
-- Interface un-quarantine filters
+- Interface unquarantine filters
 
 These filters are added in the `FWPM_SUBLAYER_MPSSVC_QUARANTINE` sublayer and these layers are:
 
@@ -37,26 +37,26 @@ For more information about WFP layers and sublayers, see [WFP Operation](/window
 
 ### Quarantine default inbound block filter
 
-The *quarantine default inbound block filter* blocks any new non-loopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer.
+The *quarantine default inbound block filter* blocks any new nonloopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer.
 
 ### Quarantine default exception filters
 
 When the interface is in quarantine state, the quarantine default exception filters permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state.
 
-### Interface un-quarantine filter
+### Interface unquarantine filter
 
-The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized.
+The interface unquarantine filters allow all nonloopback packets if the interface is successfully categorized.
 
 ## Quarantine flow
 
 The following events describe the general flow of quarantine:
 
 1. There's some change on the current network interface
-1. The interface un-quarantine filters don't permit new inbound connections. The interface is now in quarantine state
-1. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter
+1. The interface unquarantine filters don't permit new inbound connections. The interface is now in quarantine state
+1. All nonloopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter
 1. The WFP filters applicable to the old interface state are removed
-1. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state
-1. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets
+1. The WFP filters applicable to the new interface state are added, which include the unquarantine filters for this interface. These filters are updated to match the interface's current state
+1. The interface has now exited quarantine state as the interface unquarantine filters permit any new nonloopback packets
 
 ## Quarantine diagnostics
 
@@ -64,7 +64,7 @@ There are two methods of identifying packet drops from the quarantine default in
 
 Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt:
 
-```console
+```cmd
 Netsh wfp cap start
 <Reproduce network connectivity issue>
 Netsh wfp cap stop
@@ -166,7 +166,7 @@ Alternatively, If the Filtering Platform Connection failure auditing is enabled,
 
 To enable Filtering Platform Connection audits, run the following command in an administrative command prompt:
 
-```console
+```cmd
 Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
 ```
 
@@ -177,8 +177,8 @@ Sample drop audit with `filterOrigin` as `Quarantine Default`.
 Once the drop's filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
 
 ```Powershell
-Get-NetIPInterface –InterfaceIndex <Interface Index>
-Get-NetIPInterface –InterfaceIndex 5
+Get-NetIPInterface -InterfaceIndex <Interface Index>
+Get-NetIPInterface -InterfaceIndex 5
 ```
 
 ![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png)

windows/security/operating-system-security/network-security/windows-firewall/toc.yml

@@ -9,7 +9,7 @@ items:
       href: tools.md
     - name: Configure with Microsoft Intune 🔗
       href: /mem/intune/protect/endpoint-security-firewall-policy
-    - name: Configure with GPO
+    - name: Configure with group policy
       href: configure.md
     - name: Configure with command line tools
       href: configure-with-command-line.md

windows/security/operating-system-security/network-security/windows-firewall/tools.md

@@ -1,7 +1,7 @@
 ---
 title: Windows Firewall tools
 description: Learn about the available tools to configure Windows Firewall and firewall rules.
-ms.date: 11/15/2023
+ms.date: 11/20/2023
 ms.topic: best-practice
 ---
 
@@ -125,7 +125,7 @@ Shields up can be achieved by checking **Block all incoming connections, includi
 
 :::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
 
-By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
+By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access can't work as long as shields up is active.
 
 Once the emergency is over, uncheck the setting to restore regular network traffic.
 
@@ -135,7 +135,7 @@ From the following dropdown, select one of tools to learn how to configure Windo
 
 > [!div class="op_single_selector"]
 >
-> - [Configure with Microsoft Intune 🔗](/mem/intune/protect/endpoint-security-firewall-policy)
+> - [Configure with Microsoft Intune 🔗][INT-1]
 > - [Configure with GPO](configure.md)
 > - [Configure with command line tools](configure-with-command-line.md)
 
@@ -143,3 +143,4 @@ From the following dropdown, select one of tools to learn how to configure Windo
 
 [SEC-1]: windowsdefender://network/
 [CSP]: /windows/client-management/mdm/firewall-csp
+[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy