Merge branch 'main' into v-smandalika-5694287-B12

windows/client-management/mdm/config-lock.md

@@ -8,7 +8,7 @@ ms.topic: article
 ms.prod: w11
 ms.technology: windows
 author: lovina-saldanha
-ms.date: 10/07/2021
+ms.date: 03/14/2022
 ---
 
 # Secured-Core PC Configuration Lock 
@@ -89,45 +89,45 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m
 |[ApplicationControl](applicationcontrol-csp.md) 
 
 
-|**MDM policies**     |
-|-----|
-|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md)      |
-|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md)      |
-|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md)      |
-|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md)      |
-|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md)      |
-|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md)      |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md)      |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md)      |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
-|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
-|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
-|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
-|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
-|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
-|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
-|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
-|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
-|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |
+|**MDM policies**     | **Supported by Group Policy** |
+|-----|-----|
+|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md)      | No |
+|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md)      | No |
+|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md)      | Yes |
+|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md)      | Yes |
+|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md)      | Yes |
+|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md)      | Yes |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md)      | Yes |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md)      | Yes |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
+|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | Yes |
+|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | Yes |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
+|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | Yes |
+|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| Yes |
+|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | Yes |
+|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| Yes |
+|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | Yes |
+|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | Yes |

windows/deployment/do/mcc-enterprise.md

@@ -120,11 +120,9 @@ For information about creating or locating your subscription ID, see [Steps to o
 
 ### Create the MCC resource in Azure
 
-The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
+The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
 
-#### Use the following link and sign in to Azure
-
-<https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_ConnectedCache_EntHidden>
+Send email to the MCC team ([mccforenterprise@microsoft.com](mailto:mccforenterprise@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal which will allow you to create the resource described below. 
 
 1.  On the Azure Portal home page, choose **Create a resource**:  
     ![eMCC img02](images/emcc02.png)
@@ -527,7 +525,7 @@ You can either set your MCC IP address or FQDN using:
 
 **Verify Content using the DO Client**
 
-To verify that Delivery Optimization client can download content using Microsoft Connected Cache you can execute the following steps:
+To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:
 
 1. Download a game or application from the Microsoft Store.   
 

windows/deployment/do/mcc-isp.md

@@ -111,9 +111,9 @@ For information about creating or locating your subscription ID, see [Steps to o
 
 ### Create the MCC resource in Azure
 
-The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
+The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
 
-Use the following link to sign in to Azure: <https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_ConnectedCache_EntHidden>
+Send email to the MCC team ([msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal, which will allow you to create the resource described below.
 
 1. Choose **Create a resource**  
 

windows/security/information-protection/bitlocker/bitlocker-security-faq.yml

@@ -15,7 +15,7 @@ metadata:
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: conceptual
-  ms.date: 02/28/2019
+  ms.date: 03/14/2022
   ms.custom: bitlocker
     
 title: BitLocker Security FAQ
@@ -41,7 +41,7 @@ sections:
       - question: |
           What are the implications of using the sleep or hibernate power management options?
         answer: |
-          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
+          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
           
       - question: |
           What are the advantages of a TPM?
@@ -50,4 +50,4 @@ sections:
           
           > [!NOTE]
           > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
-          
+          

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml

@@ -9,7 +9,7 @@ metadata:
   ms.localizationpriority: medium
   author: denisebmsft
   ms.author: deniseb
-  ms.date: 09/30/2021
+  ms.date: 03/14/2022
   ms.reviewer:
   manager: dansimp
   ms.custom: asr
@@ -220,6 +220,11 @@ sections:
           1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
 
           2. Reboot the device.
+          
+      - question: |
+          What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
+        answer: |
+         This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
 
 
 additionalContent: |

windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md

@@ -10,7 +10,7 @@ author: denisebmsft
 ms.author: deniseb
 ms.reviewer: 
 manager: dansimp
-ms.date: 09/09/2021
+ms.date: 03/14/2022
 ms.custom: asr
 ms.technology: windows-sec
 ---
@@ -215,20 +215,6 @@ You have the option to change each of these settings to work with your enterpris
 - Windows 10 Professional edition, version 1809
 - Windows 11
 
-#### File trust options
-
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
-
-2. Click **Enabled**, set **Options** to **2**, and click **OK**.
-
-    ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
-
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-
-4. Open a file in Edge, such an Office 365 file.
-
-5. Check to see that an antivirus scan completed before the file was opened.
-
 #### Camera and microphone options
 
 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
@@ -267,5 +253,5 @@ Once a user has the extension and its companion app installed on their enterpris
 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
    ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png)
 
-4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
-   ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)
+4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**
+   ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)