mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Merge branch 'main' into vp-move-test
@ -93,6 +93,9 @@ The elevation process is further secured by directing the prompt to the *secure
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
> [!NOTE]
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
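Review bot: the added note's second sentence, "This is the same behavior of the currently supported Windows client OS versions", reads awkwardly; suggest "This matches the behavior of currently supported Windows client versions." It would also help to say that the restriction is by design, since the surrounding text presents the secure desktop as a protection against malware imitating or controlling the prompt; without that, readers may report the missing paste as a defect. Minor style point: **Windows Server 2019** is bolded here while other product names in this section are not.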
@ -31,7 +31,7 @@ Intune's built-in Windows Defender Application Control support allows you to con
> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
> [!NOTE]
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly.
> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies without a restart.
To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json).
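Review bot: the rewording to "always requests a device restart" and "without a restart" is clearer, but the precondition stays implicit: the preceding note says custom OMA-URI deployment targets multiple-policy format policies on Windows 10 1903+ or Windows 11, so consider stating that the restart-free path through the ApplicationControl CSP applies to those builds, e.g. "...to deploy your own multiple-policy format WDAC policies without a restart on Windows 10 1903+ or Windows 11." The same line also uses both "device restart" and "a restart"; pick one term.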
@ -37,7 +37,7 @@ To make a policy effectively inactive before removing it, you can first replace
5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
> [!IMPORTANT]
> After a policy has been removed, you must restart the computer for it to take effect. You can't remove WDAC policies rebootlessly.
> After you remove a policy, restart the computer for it to take effect. You can't remove WDAC policies without restarting the device.
### Remove WDAC policies using CiTool.exe
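Review bot: in the reworded line, "for it to take effect" leaves "it" ambiguous (the policy or its removal); suggest "After you remove a policy, restart the computer for the removal to take effect." The sentence also switches between "computer" and "device" within one note; use one term. Since the next heading introduces removal with CiTool.exe, it may help to state explicitly that the restart requirement applies regardless of the removal method, if that is the intended meaning.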