diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index 6571e40f23..3a592b8263 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -1,3 +1,9 @@
+- name: Windows 11 SE for Education
+ items:
+ - name: Overview
+ href: windows-11-se-overview.md
+ - name: Settings and CSP list
+ href: windows-11-se-settings-list.md
- name: Windows 10 for Education
href: index.md
items:
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
new file mode 100644
index 0000000000..342ce437b3
--- /dev/null
+++ b/education/windows/windows-11-se-overview.md
@@ -0,0 +1,111 @@
+---
+title: What is Windows 11 SE
+description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
+ms.reviewer:
+manager: dougeby
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: mandia
+author: MandiOhlinger
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Windows 11 SE for Education
+
+**Applies to**:
+
+- Windows 11 SE
+- Microsoft Intune for Education
+
+Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled.
+
+For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
+
+- A simplified and secure experience for students. Student privacy is prioritized.
+- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
+- It's built for low-cost devices.
+- It has a curated app experience, and is designed to only run essential education apps.
+
+## Get Windows 11 SE
+
+Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
+
+## Available apps
+
+Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+
+---
+| Application | Min version | Vendor |
+| --- | --- | --- |
+| Chrome | 95.0.4638.54 | Google |
+| Dragon Assistant | 3.2.98.061 | Nuance Communications |
+| Dragon Professional Individual | 15.00.100 | Nuance Communications |
+| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking |
+| Free NaturalReader | 16.1.2 | Natural Soft |
+| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific |
+| Kite Student Portal | 8.0.1 | Dynamic Learning Maps |
+| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. |
+| NonVisual Desktop Access | 2021.2 | NV Access |
+| Read and Write | 12.0.71 | Texthelp Systems Ltd. |
+| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access |
+| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access |
+| Text Aloud | 4.0.64 | Nextup.com |
+| Zoom | 5.8.3 (1581) | Zoom Inc |
+| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion |
+| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared |
+
+---
+
+### Enabled apps
+
+| App type | Enabled |
+| --- | --- |
+| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
+| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails.
✔️ If there are specific installation-type of apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
+
+### Add your own apps
+
+If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
+
+Microsoft reviews every app request to make sure each app meets the following requirements:
+
+- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more.
+
+- Apps must be in one of the following app categories:
+ - Content Filtering apps
+ - Test Taking solutions
+ - Assistive technologies
+ - Classroom communication apps
+ - Essential diagnostics, management, and supportability apps
+
+- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements).
+
+- Apps must meet the following security requirements:
+ - All app binaries are code-signed.
+ - All files include the `OriginalFileName` in the resource file header.
+ - All kernel drivers are WHQL-signed.
+
+- Apps don't have an equivalent web application.
+
+- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE.
+
+If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE.
+
+When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices.
+
+For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+
+### 0x87D300D9 error with an app
+
+When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
+
+- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
+- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
+
+## Related articles
+
+- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)
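Review bot: in the "Enabled apps" table, the "Apps that require installation" row is split across two lines (the second line begins with "✔️ If there are specific installation-type of apps"); a markdown table row must stay on one line, so join the two points with a `<br>` inside the cell or the table stops rendering at that row. The same hunk wraps the available-apps table in two stray `---` lines, which render as horizontal rules directly above and below the table; drop both. Minor wording: "installation-type of apps" reads better as "installation-type apps".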
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
new file mode 100644
index 0000000000..0c7227041a
--- /dev/null
+++ b/education/windows/windows-11-se-settings-list.md
@@ -0,0 +1,67 @@
+---
+title: Windows 11 SE settings list
+description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
+ms.reviewer:
+manager: dougeby
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: mandia
+author: MandiOhlinger
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Windows 11 SE for Education settings list
+
+**Applies to**:
+
+- Windows 11 SE
+- Microsoft Intune for Education
+
+Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings.
+
+This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).
+
+## Settings that can be changed
+
+The following table lists and describes the settings that can be changed by administrators.
+
+| Setting | Description |
+| --- | --- |
+| Block manual unenrollment | Default: Blocked
Users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment)|
+| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. |
+| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. |
+| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. |
+| Set Allowed Storage Locations | Default: Blocks Local Drives and Network Drives
Blocks user access to these storage locations. |
+| Allow News and Interests | Default: Hide
Hides Widgets. |
+| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
|
+| Enable App Install Control | Default: Turned On
Users can’t download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
+| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn’t been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride)|
+
+## Settings that can't be changed
+
+The following settings can't be changed.
+
+| Category | Description |
+| --- | --- |
+| Visible Folders in File Explorer | By default, the Desktop, Downloads, Documents, and Pictures folders are visible to users in File Explorer. Users can make other folders, like **This PC**, visible in **View** > **Options**. |
+| Launch Windows Maximized | All Windows are opened in the maximized view. |
+| Windows Snapping | Windows snapping is limited to two Windows. |
+| Allowed Account Types | Microsoft accounts and Azure AD accounts are allowed. |
+| Virtual Desktops | Virtual Desktops are blocked. |
+| Microsoft Store | The Microsoft Store is blocked. |
+| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
+| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
+
+## Next steps
+
+[Windows 11 SE for Education overview](windows-11-se-overview.md)
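Review bot: in the "Settings that can be changed" table, the "Configure Storage Sense Cloud Content Dehydration Threshold" row has absorbed the text of a different setting: "In Microsoft Edge, users can't override Windows Defender SmartScreen warnings." and the [PreventSmartScreenPromptOverride] link belong in their own row (with a setting name in the first column and its default in the second) rather than in the Storage Sense cell. Several rows in this table also break the cell across lines (the "Disable advertising ID" row ends with a lone `|` on the following line); keep each row on a single line and use `<br>` for the line breaks. Wording: "These settings use the Configuration Service Provider (CSPs) provided by Microsoft" should read "configuration service providers (CSPs)", and "All Windows are opened" / "limited to two Windows" refer to application windows, so lowercase "windows".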
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index 557504605e..5e9de6a8c4 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -12,6 +12,7 @@ ms.date: 08/30/2021
ms.reviewer:
manager: dougeby
ms.topic: article
+ms.collection: highpri
---
# Add or hide features on the Windows client OS
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 2584b8cb49..c9b830292f 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -11,6 +11,7 @@ ms.author: mandia
author: MandiOhlinger
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Overview of apps on Windows client devices
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index e6739ae97e..a6b080d29e 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
- ms.collection: windows-10
+ ms.collection:
+ - windows-10
+ - highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/24/2021 #Required; mm/dd/yyyy format.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 99da0233ac..4765af8423 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -12,13 +12,14 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.date: 09/20/2021
ms.topic: article
+ms.collection: highpri
---
# Administrative Tools in Windows
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 7e5b601fab..d55df0054b 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -11,6 +11,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: tracyp
ms.topic: troubleshooting
+ms.collection: highpri
---
# Advanced troubleshooting 802.1X authentication
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 1c65aec135..49d851c6f6 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -10,6 +10,7 @@ ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.topic: troubleshooting
+ms.collection: highpri
---
# Advanced troubleshooting for Windows boot problems
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 87a70ff761..5a346bc6b9 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -13,6 +13,7 @@ ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.topic: article
+ms.collection: highpri
---
# Connect to remote Azure Active Directory-joined PC
@@ -20,7 +21,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md
index da6bb869ab..31f5c16b75 100644
--- a/windows/client-management/determine-appropriate-page-file-size.md
+++ b/windows/client-management/determine-appropriate-page-file-size.md
@@ -10,6 +10,7 @@ ms.author: delhan
ms.date: 8/28/2019
ms.reviewer: dcscontentpm
manager: dansimp
+ms.collection: highpri
---
# How to determine the appropriate page file size for 64-bit versions of Windows
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index e0a26c9402..12bd194bc7 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -10,6 +10,7 @@ ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
manager: willchen
+ms.collection: highpri
---
# Generate a kernel or complete crash dump
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index e5ae09ccb3..f12a0ac603 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
- ms.collection: windows-10
+ ms.collection:
+ - windows-10
+ - highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 9354d9c8c9..329d185fad 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: delhan
ms.reviewer: dcscontentpm
manager: dansimp
+ms.collection: highpri
---
# Introduction to page files
@@ -27,20 +28,20 @@ Page files enable the system to remove infrequently accessed modified pages from
Some products or services require a page file for various reasons. For specific information, check the product documentation.
-For example, the following Windows servers requires page files:
+For example, the following Windows servers require page files:
- Windows Server domain controllers (DCs)
- DFS Replication (DFS-R) servers
- Certificate servers
- ADAM/LDS servers
-This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE in Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory.
+This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory.
-For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed" .
+For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed".
### Support for system crash dumps
-Page files can be used to "back" (or support) system crash dumps and extend how much system-committed memory (also known as “virtual memory”) a system can support.
+Page files can be used to "back" (or support) system crash dumps and extend how much system-committed memory (also known as "virtual memory") a system can support.
For more information about system crash dumps, see [system crash dump options](system-failure-recovery-options.md#under-write-debugging-information).
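Review bot: the change to the Hyper-V sentence fixes only the stray space before the period and leaves the doubled preposition in "left at the default of setting of "System Managed""; while touching the line, make it "left at the default setting of "System Managed"".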
@@ -48,7 +49,7 @@ For more information about system crash dumps, see [system crash dump options](s
When large physical memory is installed, a page file might not be required to support the system commit charge during peak usage. For example, 64-bit versions of Windows and Windows Server support more physical memory (RAM) than 32-bit versions support. The available physical memory alone might be large enough.
-However, the reason to configure the page file size has not changed. It has always been about supporting a system crash dump, if it is necessary, or extending the system commit limit, if it is necessary. For example, when a lot of physical memory is installed, a page file might not be required to back the system commit charge during peak usage. The available physical memory alone might be large enough to do this. However, a page file or a dedicated dump file might still be required to back a system crash dump.
+However, the reason to configure the page file size hasn't changed. It has always been about supporting a system crash dump, if it's necessary, or extending the system commit limit, if it's necessary. For example, when a lot of physical memory is installed, a page file might not be required to back the system commit charge during peak usage. The available physical memory alone might be large enough to do this. However, a page file or a dedicated dump file might still be required to back a system crash dump.
## System committed memory
@@ -64,7 +65,7 @@ The system commit charge is the total committed or "promised" memory of all comm

-The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
+The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The **\Memory\% Committed Bytes In Use** counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
> [!NOTE]
> System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger, but no more than one-eighth of the volume size) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.
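Review bot: the edit bolds **\Memory\% Committed Bytes In Use** but leaves the two other counters in the same sentence ("\Memory\Committed Bytes" and "\Memory\Commit Limit") in quotation marks; pick one convention for counter names and apply it across the paragraph rather than mixing bold and quotes.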
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 25245fa812..2bfc3e5170 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -11,6 +11,7 @@ ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.topic: article
+ms.collection: highpri
---
# Create mandatory user profiles
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 6b3adfa904..634025c4b9 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -9,6 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
+ms.collection: highpri
---
# Azure Active Directory integration with MDM
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index e3f6b2bd85..456fbbd28c 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -10,6 +10,7 @@ ms.localizationpriority: medium
ms.date: 04/16/2020
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# BitLocker CSP
@@ -26,19 +27,29 @@ the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following shows the BitLocker configuration service provider in tree format.
+
```
./Device/Vendor/MSFT
BitLocker
----RequireStorageCardEncryption
----RequireDeviceEncryption
----EncryptionMethodByDriveType
+----IdentificationField
+----SystemDrivesEnablePreBootPinExceptionOnDECapableDevice
+----SystemDrivesEnhancedPIN
+----SystemDrivesDisallowStandardUsersCanChangePIN
+----SystemDrivesEnablePrebootInputProtectorsOnSlates
+----SystemDrivesEncryptionType
----SystemDrivesRequireStartupAuthentication
----SystemDrivesMinimumPINLength
----SystemDrivesRecoveryMessage
----SystemDrivesRecoveryOptions
----FixedDrivesRecoveryOptions
----FixedDrivesRequireEncryption
+----FixedDrivesEncryptionType
----RemovableDrivesRequireEncryption
+----RemovableDrivesEncryptionType
+----RemovableDrivesConfigureBDE
----AllowWarningForOtherDiskEncryption
----AllowStandardUserEncryption
----ConfigureRecoveryPasswordRotation
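Review bot: nine nodes are added to the tree (IdentificationField, SystemDrivesEnablePreBootPinExceptionOnDECapableDevice, SystemDrivesEnhancedPIN, SystemDrivesDisallowStandardUsersCanChangePIN, SystemDrivesEnablePrebootInputProtectorsOnSlates, SystemDrivesEncryptionType, FixedDrivesEncryptionType, RemovableDrivesEncryptionType, RemovableDrivesConfigureBDE); confirm that each one gets a node section further down with description, data type and supported operations in the same format as the existing nodes, so the tree and the per-node reference stay in sync.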
@@ -48,6 +59,7 @@ BitLocker
--------RotateRecoveryPasswordsStatus
--------RotateRecoveryPasswordsRequestID
```
+
**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
@@ -72,7 +84,6 @@ Allows the administrator to require storage card encryption on the device. This
-
@@ -129,7 +140,6 @@ Allows the administrator to require encryption to be turned on by using BitLocke
-
@@ -149,7 +159,7 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
The following list shows the supported values:
-- 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
+- 0 (default) —Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
- 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
If you want to disable this policy, use the following SyncML:
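Review bot: this change removes the space after the em dash, producing "0 (default) —Disable", which is inconsistent with the next bullet "1 – Enable" (spaced en dash). Use the same spaced dash in both bullets instead of introducing a third variant.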
@@ -199,7 +209,6 @@ Allows you to set the default encryption method for each of the different drive
-
@@ -214,7 +223,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
@@ -260,6 +269,363 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+**IdentificationField**
+
+Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Provide the unique identifiers for your organization
+
GP name: IdentificationField_Name
+
GP path: Windows Components/BitLocker Drive Encryption
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This setting is used to establish an identifier that is applied to all drives that are encrypted in your organization.
+
+Identifiers are usually stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde):
+
+- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
+
+- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations.
+
+>[!Note]
+>When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
+
+If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+Data Id:
+
+- IdentificationField: BitLocker identification field
+- SecIdentificationField: Allowed BitLocker identification field
+
+If you disable or do not configure this setting, the identification field is not required.
+
+>[!Note]
+>Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters.
+
+
+
+
+**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice**
+
+Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
+
GP name: EnablePreBootPinExceptionOnDECapableDevice_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware.
+
+If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If this policy is disabled, the options of "Require additional authentication at startup" policy apply.
+
+
+
+**SystemDrivesEnhancedPIN**
+
+Allows users to configure whether or not enhanced startup PINs are used with BitLocker.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Allow enhanced PINs for startup
+
GP name: EnhancedPIN_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
+
+>[!Note]
+>Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
+
+If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If you disable or do not configure this policy setting, enhanced PINs will not be used.
+
+
+
+**SystemDrivesDisallowStandardUsersCanChangePIN**
+
+Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Disallow standard users from changing the PIN or password
+
GP name: DisallowStandardUsersCanChangePIN_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive.
+
+>[!Note]
+>To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.
+
+If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
+
+If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
+
+Sample value for this node to disable this policy is:
+
+```xml
+
+```
+
+
+
+**SystemDrivesEnablePrebootInputProtectorsOnSlates**
+
+Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Enable use of BitLocker authentication requiring preboot keyboard input on slates
+
GP name: EnablePrebootInputProtectorsOnSlates_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
+
+It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.
+When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
+
+>[!Note]
+>If you do not enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available:
+>
+>- Configure TPM startup PIN: Required and Allowed
+>- Configure TPM startup key and PIN: Required and Allowed
+>- Configure use of passwords for operating system drives
+
+
+
+
+**SystemDrivesEncryptionType**
+
+Allows you to configure the encryption type that is used by BitLocker.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Enforce drive encryption type on operating system drives
+
GP name: OSEncryptionType_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
+
+>[!Note]
+>This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method.
+>For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
+
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
+
**SystemDrivesRequireStartupAuthentication**
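Review bot: every `Sample value for this node to enable this policy is:` line in this hunk (the identification-field policy at the top, SystemDrivesEnablePreBootPinExceptionOnDECapableDevice, SystemDrivesEnhancedPIN, SystemDrivesDisallowStandardUsersCanChangePIN, SystemDrivesEnablePrebootInputProtectorsOnSlates and SystemDrivesEncryptionType) is followed by an empty `xml` code fence, so the reader gets no sample at all and the `Data Id:` list (`IdentificationField`, `SecIdentificationField`) has nothing to attach to; either supply the sample value for each node or drop the sentence until it exists. The edition-support block under each new node is also a bare `Home` / `Pro` / `Business` / `Enterprise` / `Education` / `Mobile` list with no support values, whereas the rest of this change replaces that form with `|Edition|Windows 10|Windows 11|` markdown tables (without a Mobile row); the new sections should use the same table format and state which editions and OS versions actually support each node.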
@@ -299,7 +665,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
@@ -407,7 +773,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
@@ -484,7 +850,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.
@@ -573,7 +939,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
@@ -670,7 +1036,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
@@ -776,7 +1142,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
@@ -806,6 +1172,67 @@ If you disable or do not configure this setting, all fixed data drives on the co
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+**FixedDrivesEncryptionType**
+
+Allows you to configure the encryption type on fixed data drives that is used by BitLocker.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Enforce drive encryption type on fixed data drives
+
GP name: FDVEncryptionType_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Fixed Data Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
+
+Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
+
+>[!Note]
+>This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method.
+>For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space.
+
+For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
+
**RemovableDrivesRequireEncryption**
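Review bot: the sentence `If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.` has lost its verb phrase; the parallel wording in SystemDrivesEncryptionType and RemovableDrivesEncryptionType reads `... to encrypt drives is defined by this policy, and the encryption type option is not presented ...`, and FixedDrivesEncryptionType should match. The `xml` sample block under `Sample value for this node to enable this policy is:` is empty here as well.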
@@ -845,7 +1272,7 @@ ADMX Info:
> [!TIP]
-> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
@@ -886,6 +1313,126 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
+
+
+**RemovableDrivesEncryptionType**
+
+Allows you to configure the encryption type that is used by BitLocker.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Enforce drive encryption type on removable data drives
+
GP name: RDVEncryptionType_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
+
+Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+
+If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+
+If this policy is disabled or not configured, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
+
+
+
+**RemovableDrivesConfigureBDE**
+
+Allows you to control the use of BitLocker on removable data drives.
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ADMX Info:
+
+
GP English name: Control use of BitLocker on removable drives
+
GP name: RDVConfigureBDE_Name
+
GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
+
GP ADMX file name: VolumeEncryption.admx
+
+
+
+> [!TIP]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+
+This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker.
+
+For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment) .
+
+The options for choosing property settings that control how users can configure BitLocker are:
+
+- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drives.
+- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
+
+If you enable this policy setting, you can select property settings that control how users can configure BitLocker.
+
+Sample value for this node to enable this policy is:
+
+```xml
+
+```
+Data id:
+- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives
+- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives
+
+If this policy is disabled,users cannot use BitLocker on removable disk drives.
+
+If you do not configure this policy setting, users can use BitLocker on removable disk drives.
+
**AllowWarningForOtherDiskEncryption**
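Review bot: `This policy controls whether removed data drives utilize Full encryption ...` in RemovableDrivesEncryptionType should read `removable data drives`. In RemovableDrivesConfigureBDE, `Enables the user to enable BitLocker on a removable data drives` has a number mismatch (`a removable data drive`), `If this policy is disabled,users cannot use BitLocker` is missing a space after the comma, `Data id:` is capitalised differently from the `Data Id:` label used earlier in the file and has no blank line between it and the following list or the closing code fence, and `[BitLocker Basic Deployment](...) .` has a stray space before the period. Both `xml` sample blocks in this hunk are empty, so the `RDVAllowBDE_Name` / `RDVDisableBDE_Name` data ids are listed without the sample they belong to.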
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 8c85cf952f..a20e1c38e5 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -10,6 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
+ms.collection: highpri
---
# Configuration service provider reference
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index b1d7b62247..7e608c8e07 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -11,6 +11,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 11/15/2017
+ms.collection: highpri
---
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 92ed52968c..9e5ca86509 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -10,6 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/25/2018
+ms.collection: highpri
---
# Diagnose MDM failures in Windows 10
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 3b59ea0c12..ee45d74fff 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -9,6 +9,7 @@ author: manikadhiman
ms.date: 06/26/2017
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# DynamicManagement CSP
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 4dfc661666..3159c1869f 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -9,6 +9,7 @@ author: dansimp
ms.date: 10/14/2021
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Enroll a Windows 10 device automatically using Group Policy
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 2d9fbf4570..65b65a3326 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 01/26/2018
+ms.date: 11/29/2021
ms.reviewer:
manager: dansimp
---
@@ -98,7 +98,6 @@ Firewall
----------------EdgeTraversal
----------------LocalUserAuthorizationList
----------------FriendlyName
-----------------IcmpTypesAndCodes
----------------Status
----------------Name
```
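Review bot: removing `----------------IcmpTypesAndCodes` from the Firewall CSP node tree is the only content change in this file, and nothing in the diff says whether the node was dropped from the CSP or only from the diagram; if the file still documents `IcmpTypesAndCodes` under the per-rule settings, that section needs to be removed or marked as no longer supported in the same change, otherwise the tree and the reference text will disagree. A one-line reason for the removal (the ms.date bump to 11/29/2021 does not explain it) would help later readers of the history.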
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index bba400d65a..bf8ff417c4 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
+ms.collection: highpri
---
# Mobile device management
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 6dbe747d92..e2764b718c 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -12,6 +12,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
+ms.collection: highpri
---
# MDM enrollment of Windows 10-based devices
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 149069b97b..740b3a834f 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -10,6 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 08/11/2017
+ms.collection: highpri
---
# Mobile device enrollment
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..727589929b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -11,6 +11,7 @@ ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 07/18/2019
+ms.collection: highpri
---
# Policy CSP
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 1ed67abd42..986ec03798 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -59,38 +59,14 @@ manager: dansimp
**ADMX_nca/CorporateResources**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -166,7 +118,8 @@ If you enable or do not configure this policy setting, users can access and run
If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel.
-Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
+>[!Note]
+>This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
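Review bot: the new callout is written `>[!Note]` while the TIP callouts added in this same change use `> [!TIP]` (space after `>`, upper-case keyword); use one form throughout, preferably `> [!NOTE]`, so the alerts render and read consistently across the page.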
@@ -186,38 +139,14 @@ ADMX Info:
**ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -529,32 +385,14 @@ The following list shows the supported values:
**ApplicationManagement/DisableStoreOriginatedApps**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
❌
-
-
-
Business
-
❌
-
-
-
Enterprise
-
✔️1
-
-
-
Education
-
✔️1
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
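Review bot: the table being removed marked Enterprise and Education as `✔️1`, i.e. supported with footnote 1, and the replacement `|Enterprise|Yes|Yes|` / `|Education|Yes|Yes|` rows drop the footnote marker, so whatever the footnote qualifies (typically an availability condition) is lost and any footnote definition left in the file becomes orphaned. The new Windows 11 column also asserts support where the old `Windows Edition` / `Supported?` table made no Windows 11 statement at all; that should be verified, not copied from the Windows 10 column.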
@@ -595,32 +433,14 @@ The following list shows the supported values:
**ApplicationManagement/LaunchAppAfterLogOn**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
✔️5
-
-
-
Business
-
✔️5
-
-
-
Enterprise
-
✔️5
-
-
-
Education
-
✔️5
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
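Review bot: same footnote loss as in DisableStoreOriginatedApps above: `✔️5` on Pro, Business, Enterprise and Education becomes plain `Yes`, dropping the footnote-5 reference, and the Windows 11 `Yes` values are new claims not present in the old single-column table.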
@@ -666,32 +486,14 @@ For this policy to work, the Windows apps need to declare in their manifest that
**ApplicationManagement/MSIAllowUserControlOverInstall**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
✔️4
-
-
-
Business
-
❌
-
-
-
Enterprise
-
✔️4
-
-
-
Education
-
✔️4
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
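Review bot: `✔️4` on Pro, Enterprise and Education is flattened to `Yes`, dropping the footnote-4 reference; either carry the footnote into the new table (for example as `Yes <sup>4</sup>` in the cell, if the file keeps the footnote text) or delete the footnote definition together with its markers so it does not dangle. The Windows 11 column for MSIAllowUserControlOverInstall is again new information and should be checked against the policy's actual support.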
@@ -737,32 +539,14 @@ This setting supports a range of values between 0 and 1.
**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
✔️4
-
-
-
Business
-
❌
-
-
-
Enterprise
-
✔️4
-
-
-
Education
-
✔️4
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
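Review bot: MSIAlwaysInstallWithElevatedPrivileges has the same `✔️4` to `Yes` flattening as the previous hunk; since this policy governs elevated MSI installs, losing the footnote that qualified its support is worth fixing rather than accepting, and the new Windows 11 `Yes` entries need the same verification.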
@@ -811,32 +595,14 @@ This setting supports a range of values between 0 and 1.
**ApplicationManagement/RequirePrivateStoreOnly**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
❌
-
-
-
Business
-
❌
-
-
-
Enterprise
-
✔️
-
-
-
Education
-
✔️
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -881,32 +647,14 @@ The following list shows the supported values:
**ApplicationManagement/RestrictAppDataToSystemVolume**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
✔️
-
-
-
Business
-
✔️
-
-
-
Enterprise
-
✔️
-
-
-
Education
-
✔️
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -949,32 +697,14 @@ The following list shows the supported values:
**ApplicationManagement/RestrictAppToSystemVolume**
-
-
-
Windows Edition
-
Supported?
-
-
-
Home
-
❌
-
-
-
Pro
-
✔️
-
-
-
Business
-
✔️
-
-
-
Enterprise
-
✔️
-
-
-
Education
-
✔️
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1017,32 +747,14 @@ The following list shows the supported values:
**ApplicationManagement/ScheduleForceRestartForUpdateFailures**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -122,38 +98,14 @@ The following list shows the supported values:
**Authentication/AllowEAPCertSSO**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -187,38 +139,14 @@ The following list shows the supported values:
**Authentication/AllowFastReconnect**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -254,38 +182,14 @@ The following list shows the supported values:
**Authentication/AllowFidoDeviceSignon**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -323,38 +227,14 @@ The following list shows the supported values:
**Authentication/AllowSecondaryAuthenticationDevice**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -400,38 +280,14 @@ The following list shows the supported values:
**Authentication/ConfigureWebSignInAllowedUrls**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -469,38 +325,14 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
**Authentication/EnableFastFirstSignIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -548,38 +380,14 @@ Value type is integer. Supported values:
**Authentication/EnableWebSignIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -627,38 +435,14 @@ Value type is integer. Supported values:
**Authentication/PreferredAadTenantDomainName**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -119,38 +95,14 @@ The following list shows the supported values:
**Bluetooth/AllowDiscoverableMode**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -188,38 +140,14 @@ The following list shows the supported values:
**Bluetooth/AllowPrepairing**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -253,38 +181,14 @@ The following list shows the supported values:
**Bluetooth/AllowPromptedProximalConnections**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -318,38 +222,14 @@ The following list shows the supported values:
**Bluetooth/LocalDeviceName**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -380,38 +260,14 @@ If this policy is not set or it is deleted, the default local radio name is used
**Bluetooth/ServicesAllowedList**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -440,38 +296,14 @@ The default value is an empty string. For more information, see [ServicesAllowed
**Bluetooth/SetMinimumEncryptionKeySize**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|No|
+|Business|Yes|No|
+|Enterprise|Yes|No|
+|Education|Yes|No|
@@ -2241,38 +1641,14 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set
**Browser/ConfigureAdditionalSearchEngines**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|No|
+|Business|Yes|No|
+|Enterprise|Yes|No|
+|Education|Yes|No|
@@ -4606,38 +3310,14 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
**Browser/UnlockHomeButton**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -152,38 +128,14 @@ The following list shows the supported values:
**Connectivity/AllowCellularData**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -218,38 +170,14 @@ The following list shows the supported values:
**Connectivity/AllowCellularDataRoaming**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -304,38 +232,14 @@ To validate on mobile devices, do the following:
**Connectivity/AllowConnectedDevices**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -372,38 +276,14 @@ The following list shows the supported values:
**Connectivity/AllowPhonePCLinking**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -454,38 +334,14 @@ Device that has previously opt-in to MMX will also stop showing on the device li
**Connectivity/AllowUSBConnection**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
No
-
No
-
-
-
Education
-
No
-
No
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
@@ -526,38 +382,14 @@ The following list shows the supported values:
**Connectivity/AllowVPNOverCellular**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -593,38 +425,14 @@ The following list shows the supported values:
**Connectivity/AllowVPNRoamingOverCellular**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -660,38 +468,14 @@ The following list shows the supported values:
**Connectivity/DisablePrintingOverHTTP**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -445,38 +349,14 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a
**DeliveryOptimization/DODelayBackgroundDownloadFromHttp**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -753,38 +561,14 @@ The following list shows the supported values as number of seconds:
**DeliveryOptimization/DODownloadMode**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -834,38 +618,14 @@ The following list shows the supported values:
**DeliveryOptimization/DOGroupId**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1232,38 +896,14 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim
**DeliveryOptimization/DOMaxForegroundDownloadBandwidth**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1320,38 +960,14 @@ This policy is deprecated because it only applies to uploads to Internet peers (
**DeliveryOptimization/DOMinBackgroundQos**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -111,38 +87,14 @@ The following list shows the supported values:
**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -181,38 +133,14 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -772,41 +628,17 @@ You can also block installation by using a custom profile in Intune.
-## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
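Review bot: the `-## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs` / `+### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs` pair changes a heading level, which is outside the HTML-to-Markdown table conversion the rest of this patch performs. Every other policy in the surrounding hunks is introduced with a bold `**Area/PolicyName**` line rather than a heading, so confirm that `###` is the level the rest of policy-csp-deviceinstallation.md uses (the same change is made for `PreventInstallationOfMatchingDeviceInstanceIDs` in the next hunk) and call the heading fix out in the commit message so it is not lost among the table rewrites.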
@@ -894,41 +726,17 @@ For example, this custom profile blocks installation and usage of USB devices wi
-## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+### DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
@@ -144,38 +120,14 @@ The following list shows the supported values:
**DeviceLock/AllowSimpleDevicePassword**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -216,38 +168,14 @@ The following list shows the supported values:
**DeviceLock/AlphanumericDevicePasswordRequired**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -294,38 +222,14 @@ The following list shows the supported values:
**DeviceLock/DevicePasswordEnabled**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -400,38 +304,14 @@ The following list shows the supported values:
**DeviceLock/DevicePasswordExpiration**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -474,38 +354,14 @@ The following list shows the supported values:
**DeviceLock/DevicePasswordHistory**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -548,38 +404,14 @@ The following list shows the supported values:
**DeviceLock/EnforceLockScreenAndLogonImage**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -612,38 +444,14 @@ Value type is a string, which is the full image filepath and filename.
**DeviceLock/MaxDevicePasswordFailedAttempts**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -693,38 +501,14 @@ The following list shows the supported values:
**DeviceLock/MaxInactivityTimeDeviceLock**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -768,38 +552,14 @@ The following list shows the supported values:
**DeviceLock/MinDevicePasswordComplexCharacters**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -831,43 +591,12 @@ PIN enforces the following behavior for desktop and mobile devices:
The default value is 1. The following list shows the supported values and actual enforced values:
-
-
-
-
-
-
-
-
-
-
Account Type
-
Supported Values
-
Actual Enforced Values
-
-
-
-
-
Mobile
-
1,2,3,4
-
Same as the value set
-
-
-
Desktop Local Accounts
-
1,2,3
-
3
-
-
-
Desktop Microsoft Accounts
-
1,2
-
<p2
-
-
-
Desktop Domain Accounts
-
Not supported
-
Not supported
-
-
-
+|Account Type|Supported Values|Actual Enforced Values|
+|--- |--- |--- |
+|Mobile|1,2,3,4|Same as the value set|
+|Desktop Local Accounts|1,2,3|3|
+|Desktop Microsoft Accounts|1,2|<p2|
+|Desktop Domain Accounts|Not supported|Not supported|
Enforced values for Local and Microsoft Accounts:
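Review bot: the cell in `+|Desktop Microsoft Accounts|1,2|<p2|` carries a stray `<p` fragment from the old HTML markup into the Markdown table; the other cells in this table (`Same as the value set`, `3`, `Not supported`) are plain text, and an unescaped `<` here will be read by the renderer as the start of an HTML tag, so the cell may render empty or break the row. The conversion reproduces the old cell text verbatim, so the intended enforced value should be checked against the "Enforced values for Local and Microsoft Accounts" text that follows and the cell corrected (for example `|Desktop Microsoft Accounts|1,2|2|` if 2 is the enforced value).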
@@ -897,38 +626,14 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
**DeviceLock/MinDevicePasswordLength**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -997,38 +702,14 @@ The following example shows how to set the minimum password length to 4 characte
**DeviceLock/MinimumPasswordAge**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -112,38 +88,14 @@ The following list shows the supported values:
**Education/DefaultPrinterName**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -172,38 +124,14 @@ The policy value is expected to be the name (network host name) of an installed
**Education/PreventAddingNewPrinters**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -245,38 +173,14 @@ The following list shows the supported values:
**Education/PrinterNames**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -110,38 +86,14 @@ The default value is an empty string. Otherwise, the value should contain the UR
**EnterpriseCloudPrint/CloudPrintOAuthClientId**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -171,38 +123,14 @@ The default value is an empty string. Otherwise, the value should contain a GUID
**EnterpriseCloudPrint/CloudPrintResourceId**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -232,38 +160,14 @@ The default value is an empty string. Otherwise, the value should contain a URL.
**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -293,38 +197,14 @@ The default value is an empty string. Otherwise, the value should contain the UR
**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -352,38 +232,14 @@ The datatype is an integer.
**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -561,38 +417,14 @@ The following list shows the supported values:
**Experience/AllowTailoredExperiencesWithDiagnosticData**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -643,38 +475,14 @@ The following list shows the supported values:
**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -719,38 +527,14 @@ The following list shows the supported values:
**Experience/AllowWindowsConsumerFeatures**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -798,38 +582,14 @@ The following list shows the supported values:
**Experience/AllowWindowsSpotlight**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -876,38 +636,14 @@ The following list shows the supported values:
**Experience/AllowWindowsSpotlightOnActionCenter**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -953,38 +689,14 @@ The following list shows the supported values:
**Experience/AllowWindowsSpotlightOnSettings**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1029,38 +741,14 @@ The following list shows the supported values:
**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1107,38 +795,14 @@ The following list shows the supported values:
**Experience/AllowWindowsTips**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1179,38 +843,14 @@ The following list shows the supported values:
**Experience/ConfigureChatIcon**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
Yes
-
-
-
Pro
-
No
-
Yes
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
No
-
Yes
-
-
-
Education
-
No
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
@@ -1246,38 +886,14 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
**Experience/ConfigureWindowsSpotlightOnLockScreen**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1321,38 +937,14 @@ The following list shows the supported values:
**Experience/DisableCloudOptimizedContent**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1397,38 +989,14 @@ The following list shows the supported values:
**Experience/DoNotShowFeedbackNotifications**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1473,38 +1041,14 @@ The following list shows the supported values:
**Experience/DoNotSyncBrowserSettings**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
No
-
No
-
-
-
Business
-
No
-
No
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1571,38 +1115,14 @@ _**Turn syncing off by default but don’t disable**_
**Experience/PreventUsersFromTurningOnBrowserSyncing**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 76dcd8f06b..61c56fc7d1 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -55,38 +55,14 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
**KioskBrowser/BlockedUrlExceptions**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -115,38 +91,14 @@ List of exceptions to the blocked website URLs (with wildcard support). This is
**KioskBrowser/BlockedUrls**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -175,38 +127,14 @@ List of blocked website URLs (with wildcard support). This is used to configure
**KioskBrowser/DefaultURL**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -235,38 +163,14 @@ Configures the default URL kiosk browsers to navigate on launch and restart.
**KioskBrowser/EnableEndSessionButton**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -292,38 +196,14 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki
**KioskBrowser/EnableHomeButton**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1131,38 +820,14 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time
**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
-
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (1st gen) Development Edition|No|
+|HoloLens (1st gen) Commercial Suite|No|
+|HoloLens 2|Yes|
Steps to use this policy correctly:
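Review bot: the table added under `**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**` is the HoloLens `|Windows Edition|Supported|` table (HoloLens (1st gen) Development Edition, HoloLens (1st gen) Commercial Suite, HoloLens 2), while every other non-MixedReality policy in this patch receives the `|Edition|Windows 10|Windows 11|` table and the HoloLens table otherwise appears only under the `MixedReality/*` policies that follow. Check that the right template was substituted for this policy; a table from the wrong family silently misstates which editions support the setting, which matters for a logon-banner policy admins rely on for compliance.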
@@ -86,24 +74,12 @@ Steps to use this policy correctly:
**MixedReality/AutoLogonUser**
-
-
-
Windows Edition
-
Supported?
-
-
-
HoloLens (1st gen) Development Edition
-
❌
-
-
-
HoloLens (1st gen) Commercial Suite
-
❌
-
-
-
HoloLens 2
-
✔️
-
-
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (1st gen) Development Edition|No|
+|HoloLens (1st gen) Commercial Suite|No|
+|HoloLens 2|Yes|
This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login.
@@ -154,24 +130,12 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60
**MixedReality/BrightnessButtonDisabled**
-
-
-
Windows Edition
-
Supported?
-
-
-
HoloLens (1st gen) Development Edition
-
❌
-
-
-
HoloLens (1st gen) Commercial Suite
-
❌
-
-
-
HoloLens 2
-
✔️
-
-
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (1st gen) Development Edition|No|
+|HoloLens (1st gen) Commercial Suite|No|
+|HoloLens 2|Yes|
@@ -207,24 +171,12 @@ The following list shows the supported values:
**MixedReality/FallbackDiagnostics**
-
-
-
Windows Edition
-
Supported?
-
-
-
HoloLens (1st gen) Development Edition
-
❌
-
-
-
HoloLens (1st gen) Commercial Suite
-
❌
-
-
-
HoloLens 2
-
✔️
-
-
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (1st gen) Development Edition|No|
+|HoloLens (1st gen) Commercial Suite|No|
+|HoloLens 2|Yes|
@@ -261,24 +213,12 @@ The following list shows the supported values:
**MixedReality/MicrophoneDisabled**
-
-
-
Windows Edition
-
Supported?
-
-
-
HoloLens (1st gen) Development Edition
-
❌
-
-
-
HoloLens (1st gen) Commercial Suite
-
❌
-
-
-
HoloLens 2
-
✔️
-
-
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (1st gen) Development Edition|No|
+|HoloLens (1st gen) Commercial Suite|No|
+|HoloLens 2|Yes|
@@ -314,24 +254,12 @@ The following list shows the supported values:
**MixedReality/VolumeButtonDisabled**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
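Review bot: `**MixedReality/VolumeButtonDisabled**` receives the `|Edition|Windows 10|Windows 11|` table, whereas the MixedReality policies in the hunks directly above (`AutoLogonUser`, `BrightnessButtonDisabled`, `FallbackDiagnostics`, `MicrophoneDisabled`) all receive the HoloLens `|Windows Edition|Supported|` table. Verify which table belongs here and, if the HoloLens template is the correct one, replace the five Windows 10/11 rows with the three HoloLens rows used for the sibling policies so the supported-edition information stays accurate.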
@@ -917,38 +653,14 @@ The following are the supported lid close switch actions (on battery):
**Power/SelectLidCloseActionPluggedIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1002,38 +714,14 @@ The following are the supported lid close switch actions (plugged in):
**Power/SelectPowerButtonActionOnBattery**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1087,38 +775,14 @@ The following are the supported Power button actions (on battery):
**Power/SelectPowerButtonActionPluggedIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1172,38 +836,14 @@ The following are the supported Power button actions (plugged in):
**Power/SelectSleepButtonActionOnBattery**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1257,38 +897,14 @@ The following are the supported Sleep button actions (on battery):
**Power/SelectSleepButtonActionPluggedIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1342,38 +958,14 @@ The following are the supported Sleep button actions (plugged in):
**Power/StandbyTimeoutOnBattery**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1568,38 +1112,14 @@ The following are the supported values for Hybrid sleep (on battery):
**Power/TurnOffHybridSleepPluggedIn**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1650,38 +1170,14 @@ The following are the supported values for Hybrid sleep (plugged in):
**Power/UnattendedSleepTimeoutOnBattery**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1732,38 +1228,14 @@ Default value for unattended sleep timeout (on battery):
**Power/UnattendedSleepTimeoutPluggedIn**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
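Review bot: the Home row in this table is Yes/Yes, while the sibling Power/UnattendedSleepTimeoutOnBattery table converted in the hunk just above lists Home as No/No; since only a single `-` line is visible here and the original rows are not shown, confirm the Home value was carried over correctly rather than mis-transcribed during the HTML-to-markdown conversion.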
@@ -2756,38 +1916,14 @@ This policy setting specifies whether Windows apps can access the eye tracker.
**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -2813,38 +1949,14 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -2870,38 +1982,14 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -2927,38 +2015,14 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
**Privacy/LetAppsAccessLocation**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
Yes
-
Yes
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -3004,38 +2068,14 @@ The following list shows the supported values:
**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
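Review bot: this table sets Pro to No/No, while Privacy/LetAppsAccessLocation and the three LetAppsAccessGazeInput_* tables converted above all list Pro as Yes/Yes; with the removed rows not shown in the hunk, confirm this is the intended edition support for the _ForceAllowTheseApps variant and not a transcription slip.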
@@ -82,7 +58,7 @@ This policy setting enables process mitigation options on svchost.exe processes.
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
-This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
+This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.
> [!IMPORTANT]
> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).
@@ -107,8 +83,8 @@ ADMX Info:
Supported values:
-- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
-- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
+- Disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
+- Enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
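Review bot: capitalizing the two list items reads better as prose, but if `disabled` and `enabled` are the literal value strings the policy accepts rather than the ADMX policy states, the documented casing should match what the client accepts; either keep the lowercase literals in code font or phrase the items explicitly as the Enabled/Disabled policy states so admins are not led to a wrong value.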
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index f04057f070..a2120ee9fb 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,9 +7,10 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 11/03/2020
+ms.date: 11/29/2021
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Policy CSP - Update
@@ -199,7 +200,7 @@ manager: dansimp
Update/SetProxyBehaviorForUpdateDetection
Update/TargetReleaseVersion
@@ -2417,6 +2418,88 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
+
+**Update/ProductVersion**
+
+
+
+
+
Edition
+
Windows 10
+
Windows 11
+
+
+
Home
+
No
+
No
+
+
+
Pro
+
Yes
+
Yes
+
+
+
Business
+
Yes
+
Yes
+
+
+
Enterprise
+
Yes
+
Yes
+
+
+
Education
+
Yes
+
Yes
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product.
+
+If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information).
+
+
+
+ADMX Info:
+- GP Friendly name: *Select the target Feature Update version*
+- GP name: *TargetReleaseVersion*
+- GP element: *ProductVersion*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
+
+
+
+
+
+
+
+
+By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you are agreeing that when applying this operating system to a device, either:
+
+1. The applicable Windows license was purchased through volume licensing, or
+
+2. That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
+
+
+
**Update/RequireDeferUpgrade**
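Review bot: the new Update/ProductVersion section adds its edition table in the old HTML layout (the bare Edition / Windows 10 / Windows 11 / Home / No rows between the empty `+` lines), while every other hunk in this change converts those tables to markdown; reuse the markdown form from the Update/TargetProductVersion block removed in the next hunk, `|Edition|Windows 10|Windows 11|`, `|--- |--- |--- |`, `|Home|No|No|` and so on. The runs of empty `+` lines around the table and after the value-type sentence should also be trimmed to the single blank line used elsewhere in the file.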
@@ -3192,62 +3275,6 @@ The following list shows the supported values:
-
-**Update/TargetProductVersion**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product.
-
-If no product is specified, the device will continue receiving newer versions of the Windows product it is currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information).
-
-
-
-ADMX Info:
-- GP Friendly name: *Select the target Feature Update version*
-- GP name: *TargetProductVersion*
-- GP element: *TargetProductVersionId*
-- GP path: *Windows Components/Windows Update/Windows Update for Business*
-- GP ADMX file name: *WindowsUpdate.admx*
-
-
-
-Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
-
-
-
-
-
-
-
-
-By using this Windows Update for Business policy to upgrade devices to a new product (ex. Windows 11) you are agreeing that when applying this operating system to a device either
-(1) The applicable Windows license was purchased though volume licensing, or
-(2) That you are authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
-
-
-
**Update/TargetReleaseVersion**
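Review bot: removing the whole Update/TargetProductVersion section also removes its heading anchor, so any existing cross-reference of the `#update-targetproductversion` form used elsewhere in this file (compare the `#update-requireupdateapproval` link in the earlier hunk header) will break; add a redirect or a one-line note in the new Update/ProductVersion section stating that it supersedes TargetProductVersion and that the GP element is now *ProductVersion* rather than *TargetProductVersionId*, since the two sections are otherwise word-for-word identical and readers will not know which name to use.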
@@ -3280,7 +3307,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp
ADMX Info:
- GP Friendly name: *Select the target Feature Update version*
- GP name: *TargetReleaseVersion*
-- GP element: *TargetReleaseVersionId*
+- GP element: *TargetReleaseVersionInfo*
- GP path: *Windows Components/Windows Update/Windows Update for Business*
- GP ADMX file name: *WindowsUpdate.admx*
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 8d81fa62ec..a67e1377cd 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 11/11/2021
+ms.date: 11/24/2021
ms.reviewer:
manager: dansimp
---
@@ -423,6 +423,14 @@ GP Info:
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+> [!CAUTION]
+> Configuring user rights replaces existing users or groups previously assigned those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
+>
+> Not including the Local Service account will result in failure with the following error:
+>
+> | Error code | Symbolic name | Error description | Header |
+> |----------|----------|----------|----------|
+> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request is not supported.| winerror.h |
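Review bot: the caution states the requirement (Local Service, SID S-1-5-19, must always be included or the policy fails with 0x80070032 ERROR_NOT_SUPPORTED) but not how to meet it; add an example policy value that lists Local Service alongside the intended accounts so admins can see the expected format, and say whether the SID or the account name is what the CSP expects. Minor grammar in the second sentence: "requires that Local Service account" should read "requires that the Local Service account".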
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index ced09ebede..0cca91cc74 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -8,6 +8,7 @@ author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
manager: laurawi
+ms.collection: highpri
---
# Use Quick Assist to help users
diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md
index f2673f9414..277685cfc8 100644
--- a/windows/client-management/troubleshoot-event-id-41-restart.md
+++ b/windows/client-management/troubleshoot-event-id-41-restart.md
@@ -13,7 +13,7 @@ audience: ITPro
ms.localizationpriority: medium
keywords: event id 41, reboot, restart, stop error, bug check code
manager: kaushika
-
+ms.collection: highpri
---
# Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first"
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 390add3169..13ad63c974 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -10,6 +10,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
+ms.collection: highpri
---
# Advanced troubleshooting for Stop error or blue screen error issue
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index 10ae554304..fd6540824c 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -10,6 +10,7 @@ ms.author: dansimp
ms.date: 12/06/2018
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Troubleshoot TCP/IP connectivity
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index daa23de8b1..d63ebc5c58 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -10,6 +10,7 @@ ms.author: dansimp
ms.date: 12/06/2018
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Collect data using Network Monitor
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index 1267dad41f..7cdbf400e9 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -10,6 +10,7 @@ ms.author: dansimp
ms.date: 12/06/2018
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Troubleshoot port exhaustion issues
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index ba02501c81..808a919eef 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -10,6 +10,7 @@ ms.author: dansimp
ms.date: 12/06/2018
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Troubleshoot Remote Procedure Call (RPC) errors
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 3ed83421c9..a255ead455 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -10,6 +10,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
+ms.collection: highpri
---
# Advanced troubleshooting for Windows-based computer freeze issues
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 5f433844ac..65c86b5f5f 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -12,6 +12,7 @@ ms.localizationpriority: medium
ms.date: 01/18/2018
ms.reviewer:
manager: dansimp
+ms.collection: highpri
---
# Configure Windows 10 taskbar
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index f50e213ce8..ee138ae583 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -13,6 +13,7 @@ ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/18/2018
+ms.collection: highpri
---
# Customize and export Start layout
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index f10b516b5c..c42cc44009 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -11,6 +11,7 @@ ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.localizationpriority: medium
+ms.collection: highpri
---
# Customize the Start menu layout on Windows 11
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index 30af3044b2..ec35a1f3e4 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -11,6 +11,7 @@ ms.sitesec: library
ms.pagetype: mobile
author: MandiOhlinger
ms.localizationpriority: medium
+ms.collection: highpri
---
# Customize the Taskbar on Windows 11
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 7b7dcaed64..885cae4fed 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -12,6 +12,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
+ms.collection: highpri
---
# Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 6d4c284574..fa89080422 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -8,6 +8,7 @@ ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.prod: w10
+ms.collection: highpri
---
# Find the Application User Model ID of an installed app
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 5a019e0862..b66df8ec19 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -11,6 +11,7 @@ ms.author: greglin
ms.topic: article
ms.reviewer: sybruckm
manager: dansimp
+ms.collection: highpri
---
# Guidelines for choosing an app for assigned access (kiosk mode)
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 66e42dca78..debd8b4652 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
- ms.collection: windows-10
+ ms.collection:
+ - windows-10
+ - highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 0c36aa0d52..42be271448 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: greg-lindsay
ms.topic: article
+ms.collection: highpri
---
# Configure kiosks and digital signs on Windows desktop editions
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 5eef3d900c..26a122d0b9 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -12,6 +12,7 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Prepare a device for kiosk configuration
@@ -19,7 +20,7 @@ ms.topic: article
**Applies to**
-- Windows 10 Pro, Enterprise, and Education
+- Windows 10 Pro, Enterprise, and Education
- Windows 11
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 3b720d1bbe..ae9bcae53a 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -12,6 +12,7 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Use Shell Launcher to create a Windows client kiosk
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 3a71008734..d61c30032f 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -12,6 +12,7 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Set up a single-app kiosk on Windows 10/11
@@ -19,7 +20,7 @@ ms.topic: article
**Applies to**
-- Windows 10 Pro, Enterprise, and Education
+- Windows 10 Pro, Enterprise, and Education
- Windows 11
A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 2461a34568..6b2320ac1e 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -13,6 +13,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
+ms.collection: highpri
---
# Set up a multi-app kiosk on Windows 10 devices
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 5086aae14b..0f8a4b93c1 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.reviewer: gkomatsu
manager: dansimp
+ms.collection: highpri
---
# Create a provisioning package
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 2185e1123a..484dd4a35b 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.reviewer: gkomatsu
manager: dansimp
+ms.collection: highpri
---
# Install Windows Configuration Designer, and learn about any limitations
@@ -17,8 +18,8 @@ manager: dansimp
**Applies to**
-- Windows 10
-- Windows 11
+- Windows 10
+- Windows 11
Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 0a4cc16ed5..8f3f00962f 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -11,7 +11,7 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-
+ms.collection: highpri
---
# Provisioning packages for Windows
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index f47dd5956d..0cb346ab02 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -11,6 +11,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.reviewer: sybruckm
manager: dansimp
+ms.collection: highpri
---
# Set up a shared or guest PC with Windows 10/11
@@ -18,7 +19,7 @@ manager: dansimp
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 5a39031455..a655857a5f 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -10,6 +10,7 @@ ms.localizationpriority: medium
ms.reviewer:
manager: dansimp
ms.topic: troubleshooting
+ms.collection: highpri
---
# Troubleshoot Start menu errors
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 64b68fb707..0e84376bad 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -12,6 +12,7 @@ ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.localizationpriority: medium
+ms.collection: highpri
---
# Start layout XML for desktop editions of Windows 10 (reference)
@@ -19,7 +20,7 @@ ms.localizationpriority: medium
**Applies to**
-- Windows 10
+- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 000617ec7e..e7d3bcc9da 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -13,6 +13,7 @@ ms.author: greglin
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 4/16/2018
+ms.collection: highpri
---
# Configure access to Microsoft Store
@@ -20,7 +21,7 @@ ms.date: 4/16/2018
**Applies to**
-- Windows 10
+- Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index b426a02ca2..13515dad9b 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -13,13 +13,14 @@ ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/05/2021
+ms.collection: highpri
---
# Customize the Start menu and taskbar layout on Windows 10 and later devices
**Applies to**:
-- Windows 10 version 1607 and later
+- Windows 10 version 1607 and later
- Windows Server 2016 with Desktop Experience
- Windows Server 2019 with Desktop Experience
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 08afef11a3..b3febec8f6 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -13,6 +13,7 @@ ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/30/2018
+ms.collection: highpri
---
# Configure Windows Spotlight on the lock screen
@@ -20,7 +21,7 @@ ms.date: 04/30/2018
**Applies to**
-- Windows 10
+- Windows 10
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index 2038b91889..d16a0e9084 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -1,6 +1,6 @@
---
-title: Configure a PXE server to load Windows PE (Windows 10)
-description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network.
+title: Configure a PXE server to load Windows PE (Windows 10)
+description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network.
keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,18 +9,18 @@ ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
-# Configure a PXE server to load Windows PE
+# Configure a PXE server to load Windows PE
**Applies to**
-- Windows 10
+- Windows 10
This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network.
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 9b4d7283c3..719e822d59 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,7 +1,6 @@
---
title: Deploy Windows 10/11 Enterprise licenses
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
ms.author: greglin
description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP
@@ -14,6 +13,7 @@ ms.pagetype: mdt
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.collection: highpri
---
# Deploy Windows 10/11 Enterprise licenses
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index b092bc6e3c..287142a49d 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -1,7 +1,6 @@
---
title: What's new in Windows client deployment
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
keywords: deployment, automate, tools, configure, news
@@ -14,12 +13,13 @@ audience: itpro
author: greg-lindsay
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# What's new in Windows client deployment
**Applies to:**
-- Windows 10
+- Windows 10
- Windows 11
## In this topic
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index ff7ad50540..8279bcedf6 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -2,8 +2,7 @@
title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences.
ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
keywords: deployment, image, UEFI, task sequence
ms.prod: w10
@@ -13,13 +12,14 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.collection: highpri
---
# Deploy Windows 10 using PXE and Configuration Manager
**Applies to**
-- Windows 10
+- Windows 10
In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 1bb703d0bf..314d9aa780 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
- ms.collection: windows-10
+ ms.collection:
+ - windows-10
+ - highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index f925f48fd4..1f836e3637 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -10,12 +10,12 @@ audience: itpro
author: greg-lindsay
ms.author: greglin
ms.date: 02/13/2018
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
ms.localizationpriority: medium
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# MBR2GPT.EXE
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index c5160d884a..6f3f832a1c 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 features we’re no longer developing
+title: Windows 10 features we're no longer developing
description: Review the list of features that are no longer being developed in Windows 10
ms.prod: w10
ms.mktglfcycl: plan
@@ -10,8 +10,10 @@ author: greg-lindsay
ms.author: greglin
manager: dougeby
ms.topic: article
+ms.collection: highpri
---
-# Windows 10 features we’re no longer developing
+
+# Windows 10 features we're no longer developing
> Applies to: Windows 10
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index a790a1e83a..3bd41f1ff6 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -8,9 +8,10 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Features and functionality removed in Windows 10
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index be1b44ecc6..a4a9b96d26 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -7,14 +7,14 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
author: greg-lindsay
ms.author: greglin
audience: itpro
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows 10 in S mode - What is it?
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index a9cda4ed31..e628766463 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -7,16 +7,16 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
+ms.collection: highpri
---
# Windows client updates, channels, and tools
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
## How Windows updates work
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 821586a7d8..c4d62b04f1 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -8,9 +8,10 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
+manager: dougeby
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
ms.custom: seo-marvel-apr2020
---
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 01eadf3247..1ba07b05c8 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -8,9 +8,10 @@ itproauthor: jaimeo
author: SteveDiAcetis
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
+manager: dougeby
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
---
@@ -18,7 +19,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 15a43dfe2f..079e41dff7 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -8,9 +8,10 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
+manager: dougeby
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
ms.custom: seo-marvel-apr2020
---
@@ -20,7 +21,7 @@ ms.custom: seo-marvel-apr2020
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
## What is a servicing stack update?
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index db61a26720..fc12dbcd1f 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,7 +1,6 @@
---
title: Get started with Update Compliance
-ms.reviewer:
-manager: laurawi
+manager: dougeby
description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
@@ -11,7 +10,9 @@ audience: itpro
author: jaimeo
ms.author: jaimeo
ms.localizationpriority: medium
-ms.collection: M365-analytics
+ms.collection:
+ - M365-analytics
+ - highpri
ms.topic: article
---
@@ -19,7 +20,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
> [!IMPORTANT]
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 0c557a1ac6..7d70012874 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -1,11 +1,12 @@
---
title: Configure Windows Update for Business
-ms.reviewer:
-manager: laurawi
+manager: dougeby
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: deploy
-ms.collection: m365initiative-coredeploy
+ms.collection:
+ - m365initiative-coredeploy
+ - highpri
audience: itpro
author: jaimeo
ms.localizationpriority: medium
@@ -18,7 +19,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 4bd4c62a37..f454a8215c 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -1,6 +1,6 @@
---
title: Delivery Optimization for Windows client updates
-manager: laurawi
+manager: dougeby
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
@@ -12,6 +12,7 @@ ms.author: jaimeo
ms.collection:
- M365-modern-desktop
- m365initiative-coredeploy
+- highpri
ms.topic: article
ms.custom: seo-marvel-apr2020
---
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index bb91408f6f..3d2daa50ef 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -6,9 +6,9 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
+ms.collection: highpri
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
@@ -16,7 +16,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index dea3bbba22..01e1e4742d 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -1,7 +1,6 @@
---
title: Windows Update for Business
-ms.reviewer:
-manager: laurawi
+manager: dougeby
description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
@@ -10,6 +9,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# What is Windows Update for Business?
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 543f0e96db..a7c678949a 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
+ms.collection: highpri
---
# Overview of Windows as a service
@@ -17,7 +17,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 59bb0e9b9a..3471f175df 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: high
ms.author: jaimeo
-ms.reviewer:
manager: dougeby
ms.topic: article
+ms.collection: highpri
---
# Quick guide to Windows as a service
@@ -17,7 +17,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
Here is a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index c33db61e09..6f20c17750 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -6,11 +6,11 @@ ms.mktglfcycl: deploy
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom:
- seo-marvel-apr2020
+ms.collection: highpri
---
# Manage device restarts after updates
@@ -18,7 +18,7 @@ ms.custom:
**Applies to**
-- Windows 10
+- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 983dae6b61..3dc0059251 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -7,10 +7,10 @@ audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Manage additional Windows Update settings
@@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 086e6b3841..a84632b0f8 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -6,8 +6,10 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.collection: m365initiative-coredeploy
-manager: laurawi
+ms.collection:
+ - m365initiative-coredeploy
+ - highpri
+manager: dougeby
ms.topic: article
---
@@ -16,7 +18,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index 508a27d244..64be11a43d 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -9,10 +9,10 @@ author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 09/18/2018
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows Update error codes by component
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index fc07839d42..2ae8ed4834 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -8,9 +8,10 @@ itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
ms.reviewer: kaushika
-manager: laurawi
+manager: dougeby
ms.topic: troubleshooting
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows Update common errors and mitigation
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 8ef6e625b4..3585846b66 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -7,10 +7,10 @@ audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows Update log files
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index fd1d2c3d80..37a8ea37ae 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -6,11 +6,11 @@ ms.mktglfcycl:
audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.author: jaimeo
author: jaimeo
+ms.collection: highpri
---
# Windows Update - additional resources
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index affb4df80e..6b5410c4f1 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -7,10 +7,10 @@ audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows Update troubleshooting
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index f7c75013e7..b37d7a9c41 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -1,7 +1,6 @@
---
title: Log files and resolving upgrade errors
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
@@ -14,12 +13,13 @@ audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Log files
**Applies to**
-- Windows 10
+- Windows 10
>[!NOTE]
>This is a 400 level topic (advanced).
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 9752ac670c..3a353c8752 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -1,7 +1,6 @@
---
title: Resolution procedures - Windows IT Pro
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Discover general troubleshooting procedures for dealing with 0xC1900101, the generic rollback code thrown when something goes wrong during a Windows 10 upgrade.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
@@ -13,12 +12,13 @@ audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Resolution procedures
**Applies to**
-- Windows 10
+- Windows 10
> [!NOTE]
> This is a 200 level topic (moderate).
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 24ed5c4e2b..7056b16082 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,7 +1,6 @@
---
title: Resolve Windows 10 upgrade errors - Windows IT Pro
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
@@ -13,12 +12,13 @@ audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Resolve Windows 10 upgrade errors : Technical information for IT Pros
**Applies to**
-- Windows 10
+- Windows 10
>[!IMPORTANT]
>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 1e87d9bff7..9a69049140 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -1,7 +1,6 @@
---
title: SetupDiag
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose
@@ -14,12 +13,13 @@ audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# SetupDiag
**Applies to**
-- Windows 10
+- Windows 10
>[!NOTE]
>This is a 300 level topic (moderate advanced).
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index d8183e1f62..09c6a58127 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -1,7 +1,6 @@
---
title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Understanding the Windows 10 upgrade process can help you troubleshoot errors when something goes wrong. Find out more with this guide.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
@@ -18,7 +17,7 @@ ms.topic: article
# Troubleshooting upgrade errors
**Applies to**
-- Windows 10
+- Windows 10
> [!NOTE]
> This is a 300 level topic (moderately advanced).
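Review bot: this file is the only one in `windows/deployment/upgrade/` touched by the patch that does not also gain `ms.collection: highpri`; the two hunks here only drop `ms.reviewer:`, change `manager:`, and re-save the `- Windows 10` line. If the omission is intentional (the page is not meant to be high priority), fine; otherwise add the same `+ms.collection: highpri` line after `ms.topic: article` as in the sibling files.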
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 93173e687a..2286a7ec90 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -1,7 +1,6 @@
---
title: Upgrade error codes - Windows IT Pro
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: Understand the error codes that may come up if something goes wrong during the Windows 10 upgrade process.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
@@ -13,12 +12,13 @@ audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# Upgrade error codes
**Applies to**
-- Windows 10
+- Windows 10
>[!NOTE]
>This is a 400 level topic (advanced).
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 1de5b11aa3..e7434cf95e 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -1,9 +1,8 @@
---
title: Windows 10 edition upgrade (Windows 10)
-description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
+description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,19 +12,20 @@ ms.pagetype: mobile
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.collection: highpri
---
# Windows 10 edition upgrade
**Applies to**
-- Windows 10
+- Windows 10
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
+With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf).
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
> [!NOTE]
> The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 600631905f..88c583d5f3 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,7 +1,6 @@
---
title: Windows 10 upgrade paths (Windows 10)
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
ms.prod: w10
@@ -12,13 +11,14 @@ ms.pagetype: mobile
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.collection: highpri
---
# Windows 10 upgrade paths
**Applies to**
-- Windows 10
+- Windows 10
## Upgrade paths
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 6e27022a54..d3c30b002d 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,9 +1,8 @@
---
title: User State Migration Tool (USMT) Overview (Windows 10)
-description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
+description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,6 +11,7 @@ audience: itpro
author: greg-lindsay
ms.date: 10/16/2017
ms.topic: article
+ms.collection: highpri
---
# User State Migration Tool (USMT) Overview
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index dfb923bbd4..a2ff4251a9 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -2,8 +2,7 @@
title: Recognized Environment Variables (Windows 10)
description: Learn how to use environment variables to identify folders that may be different on different computers.
ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,6 +11,7 @@ audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
+ms.collection: highpri
---
# Recognized Environment Variables
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 10e7c2e418..169a4416a4 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -3,8 +3,7 @@ title: Activate using Active Directory-based activation (Windows 10)
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
keywords: vamt, volume activation, activation, windows activation
ms.prod: w10
@@ -16,6 +15,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.topic: article
+ms.collection: highpri
---
# Activate using Active Directory-based activation
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 5fa4723874..db338e7496 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -1,8 +1,7 @@
---
title: Activate using Key Management Service (Windows 10)
ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
description: How to activate using Key Management Service in Windows 10.
keywords: vamt, volume activation, activation, windows activation
@@ -15,6 +14,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.date: 10/16/2017
ms.topic: article
+ms.collection: highpri
---
# Activate using Key Management Service
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 0b67293d6a..f8d3ac95f3 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,9 +1,8 @@
---
title: Install VAMT (Windows 10)
-description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,6 +13,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.date: 03/11/2019
ms.topic: article
+ms.collection: highpri
---
# Install VAMT
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 23c0a83614..4e644f4019 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -2,8 +2,7 @@
title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,6 +13,7 @@ author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Volume Activation Management Tool (VAMT) Technical Reference
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index f141ef1446..b8352c8389 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -8,9 +8,10 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
-manager: laurawi
+manager: dougeby
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows Deployment Services (WDS) boot.wim support
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 402a6d2c80..098cf03790 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -2,8 +2,7 @@
title: Windows 10 deployment scenarios (Windows 10)
description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
@@ -14,14 +13,15 @@ ms.localizationpriority: medium
ms.sitesec: library
audience: itpro
ms.topic: article
+ms.collection: highpri
---
# Windows 10 deployment scenarios
**Applies to**
-- Windows 10
+- Windows 10
-To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
+To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
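Review bot: the `- Windows 10` and `To successfully deploy ...` line pairs in this hunk render byte-identical, so the change is whitespace-only (trailing whitespace or a non-printing character); the same pattern recurs in the Autopilot and Hello for Business hunks later in the patch. A one-line mention in the PR description that these are whitespace normalisations would save reviewers from hunting for a content change, and if a stray non-breaking space is the cause, a lint rule for it would stop the churn from coming back.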
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index a4d743c9db..f2e2593414 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -8,12 +8,13 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
ms.date: 09/28/2021
-ms.reviewer:
manager: dougeby
ms.audience: itpro
author: greg-lindsay
audience: itpro
-ms.collection: M365-modern-desktop
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
---
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index d7492c26c2..f07a6346f2 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -70,7 +70,7 @@ For example, here are the steps to install the fonts associated with the Hebrew
3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, select the plus sign (**+**) to add a feature.
-4. Select **Hebrew Supplemental Fonts** in the list, and then clselectick **Install**.
+4. Select **Hebrew Supplemental Fonts** in the list, and then select **Install**.
> [!NOTE]
> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index dfe970649c..c5fab48cb9 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,7 +1,6 @@
---
title: Switch to Windows 10 Pro/Enterprise from S mode
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
author: greg-lindsay
description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
@@ -12,7 +11,9 @@ ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
-ms.collection: M365-modern-desktop
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
---
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 46c4eef1ae..97dcacdb84 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,9 @@ ms.pagetype: mdt
audience: itpro
author: greg-lindsay
manager: dougeby
-ms.collection: M365-modern-desktop
+ms.collection:
+ - M365-modern-desktop
+ - highpri
search.appverid:
- MET150
ms.topic: article
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index ac69de04a3..5cbb5a3e71 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,7 +1,6 @@
---
title: Demonstrate Autopilot deployment
-ms.reviewer:
-manager: laurawi
+manager: dougeby
description: In this article, find step-by-step instructions on how to set up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
@@ -11,7 +10,9 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
-ms.collection: M365-modern-desktop
+ms.collection:
+ - M365-modern-desktop
+ - highpri
ms.topic: article
ms.custom:
- autopilot
@@ -23,7 +24,7 @@ ms.custom:
**Applies to**
-- Windows 10
+- Windows 10
To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 04f798b127..70d738e262 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -2,8 +2,7 @@
title: Windows 10 deployment scenarios and tools
description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
@@ -13,6 +12,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
audience: itpro
ms.topic: article
+ms.collection: highpri
---
# Windows 10 deployment scenarios and tools
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 9c115c5b15..23a3c69aae 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -12,7 +12,9 @@ metadata:
ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice # Optional; Remove if no subservice is used.
ms.topic: hub-page # Required
- ms.collection: windows-10 # Optional; Remove if no collection is used.
+ ms.collection:
+ - windows-10
+ - highpri
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: dougeby #Required; microsoft alias of author; optional team alias.
ms.date: 10/01/2021 #Required; mm/dd/yyyy format.
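Review bot: while the `metadata:` block in `windows/hub/index.yml` is being edited, the context lines `ms.service: subservice` and `ms.subservice: subservice` still carry the template placeholder value even though their own inline comments call for an approved service slug; set `ms.service` to the real slug and either fill `ms.subservice` properly or remove it, as its comment ("Remove if no subservice is used") suggests.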
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index c4cac4808b..5e2e41f1a3 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -11,7 +11,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 7818a1c9ef..1a9cf79059 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -11,7 +11,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 01/17/2018
ms.reviewer:
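Review bot: the trailing context line `ms.reviewer:` in `diagnostic-data-viewer-overview.md` is left empty, while this same patch deletes the empty `ms.reviewer:` key from many other files (for example `windows-diagnostic-data.md` and the access-control articles); drop it here too so the frontmatter is consistent across the set.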
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 5ad54e7a9e..6ead597184 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -10,7 +10,8 @@ audience: ITPro
author: siosulli
ms.author: dansimp
manager: dansimp
-ms.date:
+ms.date: 11/24/2021
+ms.collection: highpri
---
# Essential services and connected experiences for Windows
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index 63d295f52a..e518d55a86 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -10,7 +10,9 @@ metadata:
services: windows
ms.prod: windows
ms.topic: hub-page # Required
- ms.collection: M365-security-compliance
+ ms.collection:
+ - M365-security-compliance
+ - highpri
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index aef42b510b..768ea3d4e6 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -12,7 +12,9 @@ audience: ITPro
author: tomlayson
ms.author: tomlayson
manager: riche
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 5/21/2021
---
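Review bot: `ms.date: 5/21/2021` in this hunk's context is not zero-padded, unlike the `mm/dd/yyyy` format that the `windows/hub/index.yml` comment in this same patch states as required; since the frontmatter is being touched anyway, change it to `05/21/2021`. The same nit applies to `ms.date: 5/3/2021`, `1/22/2021` and `1/20/2021` in the Hello for Business files later in the patch.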
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 718e6bdc07..1e45080fea 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -10,7 +10,9 @@ audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 427beac9b9..b79b2a57a2 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -10,7 +10,9 @@ audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index c6578dcc77..288fffd6a5 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -10,7 +10,9 @@ audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 728704a57e..696afe4f31 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -10,7 +10,9 @@ localizationpriority: high
author: brianlic-msft
ms.author: brianlic
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
audience: ITPro
ms.date: 10/04/2021
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 5c6f22d52c..022a291824 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -10,7 +10,9 @@ localizationpriority: high
author: brianlic-msft
ms.author: brianlic
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
audience: ITPro
ms.date:
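Review bot: `ms.date:` is left empty in `required-windows-diagnostic-data-events-and-fields-2004.md` (trailing context of this hunk), while the same patch fills the empty `ms.date` in `essential-services-and-connected-experiences.md` with `11/24/2021`; either populate it here with the last content-review date or remove the key rather than shipping an empty required field.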
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 1e8dc3c6e9..8fef9f1e7a 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -10,7 +10,9 @@ audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 711144eaff..350ef3f102 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -10,9 +10,10 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
-ms.reviewer:
---
# Windows 10, version 1709 and later and Windows 11 optional diagnostic data
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
index 6fde4a825a..935ca0d986 100644
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@@ -10,7 +10,9 @@ audience: ITPro
author: gental-giant
ms.author: v-hakima
manager: robsize
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: article
ms.date: 10/04/2021
---
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 079ce945b4..2fd6ef89b3 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/18/2017
-ms.reviewer:
---
# Access Control Overview
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 69dba47679..1149a9fdd9 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/23/2019
-ms.reviewer:
---
# Active Directory Accounts
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 5ac3dcc651..8fd9296afb 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/21/2021
-ms.reviewer:
---
# Active Directory Security Groups
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 6ad17afded..2126be498a 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 02/28/2019
-ms.reviewer:
---
# Local Accounts
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index be0a573f71..65372923f4 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
---
# Security identifiers
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
index d9e9c99503..6b3c522221 100644
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ b/windows/security/identity-protection/access-control/service-accounts.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/19/2021
-ms.reviewer:
---
# Service Accounts
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 17ee0a5394..8eca62faa0 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -10,9 +10,10 @@ audience: ITPro
author: dansimp
ms.author: v-tea
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
-ms.reviewer:
ms.custom:
- CI 120967
- CSSTroubleshooting
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index a23f5dbebd..d6f1e64f67 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -10,10 +10,11 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.date: 09/30/2020
-ms.reviewer:
---
# Windows Defender Credential Guard: Requirements
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 20d2d330d4..d4d4c73e7a 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -2,7 +2,6 @@
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.date: 08/17/2017
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 7dc20cb316..8547067ad6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -2,7 +2,6 @@
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
-ms.reviewer:
keywords: Windows Hello, enterprise biometrics
ms.prod: w10
ms.mktglfcycl: explore
@@ -12,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 01/12/2021
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 4f529da2a1..e138bab868 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -10,17 +10,18 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 08/20/2018
-ms.reviewer:
---
# Configure Windows Hello for Business Policy settings - Certificate Trust
**Applies to**
-- Windows 10, version 1703 or later
+- Windows 10, version 1703 or later
- Windows 11
- On-premises deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 4e7d1f7942..ab014e303e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -10,17 +10,18 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 01/21/2021
-ms.reviewer:
---
# Windows Hello for Business Deployment Overview
**Applies to**
-- Windows 10, version 1703 or later
+- Windows 10, version 1703 or later
- Windows 11
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index f6d78686a8..854123637f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -1,8 +1,7 @@
---
title: Windows Hello errors during PIN creation (Windows)
-description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
+description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
-ms.reviewer:
keywords: PIN, error, create a work PIN
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: troubleshooting
ms.localizationpriority: medium
ms.date: 05/05/2018
@@ -22,10 +23,10 @@ ms.date: 05/05/2018
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
-When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
+When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 213b9c9999..913d779ce0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -11,11 +11,12 @@ metadata:
author: mapalko
ms.author: mapalko
manager: dansimp
- ms.collection: M365-identity-device-management
+ ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 10/15/2021
- ms.reviewer:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 29bce3f5dc..a1c8949be0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -10,11 +10,12 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 5/3/2021
-ms.reviewer:
---
# PIN reset
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index eeb8ee8626..7ad9aed6b5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -10,11 +10,12 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
-ms.reviewer:
---
# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
@@ -335,6 +336,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
> [!IMPORTANT]
> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](./hello-how-it-works-authentication.md).
+> [!NOTE]
+> For access issues in the context of VPN, make sure to check the resolution and workaround described in [Workaround for user security context and access control](/troubleshoot/windows-client/group-policy/group-membership-changes-not-updating-over-some-vpn-connections#workarounds).
+
## Section Review
> [!div class="checklist"]
> * Configure Internet Information Services to host CRL distribution point
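Review bot: the new `[!NOTE]` says "access issues in the context of VPN", but the linked troubleshooting anchor (`group-membership-changes-not-updating-over-some-vpn-connections#workarounds`) is specifically about group membership changes not being reflected in the user's security context over some VPN connections; say that in the note so readers can tell whether it applies to them, for example `> If users connect over VPN and recent group membership changes are not reflected in their access, see the workaround in [...]`. Also, "make sure to check" reads as an instruction; "see" matches the register of the IMPORTANT callout directly above it.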
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 92c2b72d61..0f9a7881ad 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -2,7 +2,6 @@
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: medium
ms.date: 1/22/2021
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 5c7129efd6..de574128e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,8 +1,7 @@
---
title: Manage Windows Hello in your organization (Windows)
-description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
+description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
-ms.reviewer:
keywords: identity, PIN, biometric, Hello
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 1/20/2021
@@ -21,7 +22,7 @@ ms.date: 1/20/2021
# Manage Windows Hello for Business in your organization
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 33d820a1a7..64a4985b03 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -11,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: conceptual
localizationpriority: medium
---
@@ -19,10 +21,10 @@ localizationpriority: medium
# Windows Hello for Business Overview
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
+In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
>[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 8aada054b6..d0c17c1f16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -10,17 +10,18 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
localizationpriority: conceptual
ms.date: 09/16/2020
-ms.reviewer:
---
# Planning a Windows Hello for Business Deployment
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
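Review bot: the unchanged context line `localizationpriority: conceptual` looks wrong: `conceptual` is an `ms.topic` value, and every other file in this patch uses `medium` for localization priority. In addition, this file and hello-overview.md use the bare key `localizationpriority` while the rest of the patch uses `ms.localizationpriority`. Since the frontmatter is already being edited here, suggest changing the line to `ms.localizationpriority: medium`.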
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 738db8c9bd..657098b167 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -2,7 +2,6 @@
title: Why a PIN is better than a password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
-ms.reviewer:
keywords: pin, security, password, hello
ms.prod: w10
ms.mktglfcycl: deploy
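Review bot: the `description` in this frontmatter ends with a stray space before the period (`...(and better than) a password .`), and that text is what appears in search results. The hunk is already editing the adjacent `ms.reviewer:` line, so suggest fixing the description to end with `a password?`, matching the sentence as it appears in the body of the article further down in this patch.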
@@ -12,7 +11,9 @@ audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/23/2017
@@ -22,10 +23,10 @@ ms.date: 10/23/2017
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
-Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
+Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 4282b8e701..bced7d0bcd 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -12,7 +12,9 @@ metadata:
manager: dansimp
ms.author: mapalko
ms.date: 01/22/2021
- ms.collection: M365-identity-device-management
+ ms.collection:
+ - M365-identity-device-management
+ - highpri
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 65fa656745..cb1f1f6d7a 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 01/12/2018
-ms.reviewer:
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index b65f0ce66c..3a098751e8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
---
# Smart Card Troubleshooting
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 05d1dbf771..a366007a1e 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
-ms.reviewer:
---
# How Smart Card Sign-in Works in Windows
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index a5676db15b..e9f7b85291 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -2,7 +2,6 @@
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: operate
ms.sitesec: library
@@ -11,7 +10,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/23/2021
@@ -20,8 +21,8 @@ ms.date: 09/23/2021
# How User Account Control works
**Applies to**
-- Windows 10
-- Windows 11
+- Windows 10
+- Windows 11
- Windows Server 2016 and above
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 8f6746eee7..3ea3734384 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -9,11 +9,12 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
-ms.reviewer:
---
# User Account Control Group Policy and registry key settings
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 2e221d273c..3ed51e743f 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -2,7 +2,6 @@
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: operate
ms.sitesec: library
@@ -12,7 +11,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.date: 09/24/2011
---
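Review bot: the unchanged context line `ms.date: 09/24/2011` is very likely a typo for 2021: the sibling UAC pages in this patch (how-user-account-control-works.md and user-account-control-security-policy-settings.md) carry `09/23/2021` and `09/24/2021`. Since the frontmatter of this file is being edited anyway, suggest correcting the year in this change rather than leaving a date a decade off.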
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index f811afcaa3..a3cfe02792 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -2,7 +2,6 @@
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -11,7 +10,9 @@ audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
-ms.collection: M365-identity-device-management
+ms.collection:
+ - M365-identity-device-management
+ - highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
@@ -20,8 +21,8 @@ ms.date: 09/24/2021
# User Account Control security policy settings
**Applies to**
-- Windows 10
-- Windows 11
+- Windows 10
+- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/index.yml b/windows/security/index.yml
index debbf67a5a..8828c44e74 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -8,7 +8,9 @@ metadata:
description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page # Required
ms.prod: windows
- ms.collection: m365-security-compliance
+ ms.collection:
+ - m365-security-compliance
+ - highpri
author: dansimp #Required; your GitHub user alias, with correct capitalization.
ms.author: dansimp #Required; microsoft alias of author; optional team alias.
ms.date: 09/20/2021
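Review bot: the new list item keeps `m365-security-compliance` in lower case, while every other file in this patch uses `M365-security-compliance`. If the collection name is matched case-sensitively by the build or by whatever reporting the new `highpri` tag is meant to feed, the security landing page will fall outside the collection. This hunk is the only place the casing differs, so suggest normalizing it here.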
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index 21493aca12..a920bdcb74 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -1,9 +1,8 @@
### YamlMime:FAQ
metadata:
- title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
+ title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -13,15 +12,17 @@ metadata:
ms.author: dansimp
manager: dansimp
audience: ITPro
- ms.collection: M365-security-compliance
+ ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
-title: BitLocker and Active Directory Domain Services (AD DS) FAQ
+title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
**Applies to**
- - Windows 10
+ - Windows 10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 9a77ca4317..d43cdb899b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -2,7 +2,6 @@
title: BitLocker basic deployment (Windows 10)
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index f73028e4a0..574dad11e1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -2,7 +2,6 @@
title: BitLocker Countermeasures (Windows 10)
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index ddb93cce30..4594e1c375 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -10,10 +10,11 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
-ms.reviewer:
ms.custom: bitlocker
---
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index ce3ad7185a..f6f5f81fa5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -3,7 +3,6 @@ metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -13,7 +12,9 @@ metadata:
ms.author: dansimp
manager: dansimp
audience: ITPro
- ms.collection: M365-security-compliance
+ ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
@@ -21,7 +22,7 @@ metadata:
title: BitLocker frequently asked questions (FAQ) resources
summary: |
**Applies to**
- - Windows 10
+ - Windows 10
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 25c64a62b1..12cc8715fe 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -2,7 +2,6 @@
title: BitLocker Group Policy settings (Windows 10)
description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 04/17/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 5adf857335..cf8030fe0c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -2,7 +2,6 @@
title: BitLocker - How to enable Network Unlock (Windows 10)
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index eabe91593f..e99cd2215d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -10,10 +10,11 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
-ms.reviewer:
ms.custom: bitlocker
---
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index bd62782893..a5650881cd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -3,7 +3,6 @@ metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
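Review bot: the context line `ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee` carries the same asset id as bitlocker-and-adds-faq.yml and bitlocker-frequently-asked-questions.yml earlier in this patch. An asset id is supposed to identify a single page, so three FAQ pages sharing one looks like a copy-and-paste leftover. It is not introduced by this change, but it is worth a follow-up while the metadata of these files is being revised.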
@@ -13,7 +12,9 @@ metadata:
ms.author: dansimp
manager: dansimp
audience: ITPro
- ms.collection: M365-security-compliance
+ ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 07/27/2021
ms.custom: bitlocker
@@ -21,7 +22,7 @@ metadata:
title: BitLocker Overview and Requirements FAQ
summary: |
**Applies to**
- - Windows 10
+ - Windows 10
sections:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index bc8488a920..97424e26dd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -2,7 +2,6 @@
title: BitLocker (Windows 10)
description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
-ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +11,9 @@ ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 01/26/2018
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index bc39c1121d..0ac8b4877f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -2,7 +2,6 @@
title: BitLocker recovery guide (Windows 10)
description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index 4ae0e5d8e8..e1736269b5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -11,7 +11,9 @@ ms.author: v-maave
author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 10/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index 4f375c0d85..c70a1373ec 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -2,7 +2,6 @@
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
description: This article for the IT professional describes how to use tools to manage BitLocker.
ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 7c4a6c76bf..7cc02625e5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -2,7 +2,6 @@
title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 8a15267bc2..e08c975702 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -2,7 +2,6 @@
title: Prepare your organization for BitLocker Planning and policies (Windows 10)
description: This topic for the IT professional explains how can you plan your BitLocker deployment.
ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 04/24/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 44ad76e76b..ef9d46fc5b 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -10,7 +10,9 @@ author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
-ms.collection: Windows Security Technologies\BitLocker
+ms.collection:
+ - Windows Security Technologies\BitLocker
+ - highpri
ms.topic: troubleshooting
ms.date: 10/18/2019
ms.custom: bitlocker
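Review bot: this file (and ts-bitlocker-recovery-issues.md in the next hunk) keeps `Windows Security Technologies\BitLocker` as its first collection item, whereas every other BitLocker page in this patch uses `M365-security-compliance`. Adding `highpri` alongside it is consistent with the rest of the change, but the backslash-containing value is unlike any other collection name here, so confirm it is an intended collection and not a leftover category string; if it is not, align it with the sibling pages in the same change.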
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
index 110aad6465..71b28fa19c 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -10,7 +10,9 @@ author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
-ms.collection: Windows Security Technologies\BitLocker
+ms.collection:
+ - Windows Security Technologies\BitLocker
+ - highpri
ms.topic: troubleshooting
ms.date: 10/18/2019
ms.custom: bitlocker
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index e89b66ca77..065b6e5f39 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -9,16 +9,17 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 03/26/2019
-ms.reviewer:
---
-# Kernel DMA Protection
+# Kernel DMA Protection
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index a13435b388..de1fb03bea 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -10,10 +10,11 @@ ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
-ms.date:
-ms.reviewer:
+ms.date: 11/24/2021
ms.author: dansimp
---
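Review bot: `ms.date` goes from empty to `11/24/2021` in a hunk that otherwise only touches metadata (`ms.collection`, `ms.reviewer`). If `ms.date` is meant to record when the page content was last reviewed, stamping it here without a content change makes the page look fresher than it is. Either leave it empty or state in the PR that the content was actually reviewed on that date.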
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 44bdc2c7a6..143888e0fb 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -13,15 +13,15 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/03/2021
+ms.date: 11/30/2021
---
# Change the TPM owner password
**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
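Review bot: this is the only file in the patch whose `ms.collection: M365-security-compliance` (an unchanged context line) is not converted to the list form with `highpri`; the other TPM pages in the patch (how-windows-uses-the-tpm.md, initialize-and-configure-ownership-of-the-tpm.md) do get it. If the omission is intentional, fine; otherwise add the `highpri` item here too. The `ms.date` bump to 11/30/2021 is justified by the wording change in the next hunk of this file, unlike the date stamp in secure-the-windows-10-boot-process.md.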
@@ -30,7 +30,7 @@ This topic for the IT professional describes how to change the password or PIN f
Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
> [!IMPORTANT]
-> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
+> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. The default value for this key is 5, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
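Review bot: the only wording change in this hunk is the stated default of `OSManagedAuthLevel` going from 2 to 5, and nothing in the patch explains or sources the new value. This sentence tells administrators what the key will contain before TPM provisioning and therefore whether the owner password will be retained, so the new default should be verified against the TPM Group Policy setting that governs the owner-authorization level, and the Windows versions it applies to, before merging; the PR description should say where the value comes from. The rest of the note, including the recommendation not to retain the password and the requirement to set the key to 4 before provisioning, is unchanged.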
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 3688226a4f..ec318abd87 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -2,7 +2,6 @@
title: How Windows uses the TPM
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/03/2021
---
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index bb72304f8c..f3e0a5c4f1 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -2,7 +2,6 @@
title: Troubleshoot the TPM (Windows)
description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -11,7 +10,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index 23fb8a8789..e129717503 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -2,7 +2,6 @@
title: Manage TPM commands (Windows)
description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765
-ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -11,7 +10,9 @@ ms.pagetype: security
author: dulcemontemayor
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index f2c79979ef..5b27a18617 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -2,7 +2,6 @@
title: Understanding PCR banks on TPM 2.0 devices (Windows)
description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -11,7 +10,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
@@ -19,7 +20,7 @@ ms.date: 09/06/2021
# Understanding PCR banks on TPM 2.0 devices
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016 and above
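Review bot: The removal and re-addition of `- Windows 10` at the top of the Applies to list shows no visible difference; if this is a trailing-whitespace or line-ending fix, say so in the PR description so reviewers do not look for a content change. The same no-op pattern repeats in the tpm-fundamentals, tpm-recommendations, group-policy-settings, top-node and WIP files in this change.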
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 123b5b21c7..8eac7c2e01 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -2,7 +2,6 @@
title: Trusted Platform Module (TPM) fundamentals (Windows)
description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -11,7 +10,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
@@ -19,7 +20,7 @@ ms.date: 09/06/2021
# TPM fundamentals
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index de5f910d13..8106125dc5 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -2,7 +2,6 @@
title: TPM recommendations (Windows)
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
@@ -21,7 +22,7 @@ ms.date: 09/06/2021
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index c5a7d50e68..1c188569b7 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -2,7 +2,6 @@
title: Trusted Platform Module Technology Overview (Windows)
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.assetid: face8932-b034-4319-86ac-db1163d46538
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -12,7 +11,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
---
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 0ae9cb6622..17056f4135 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -2,7 +2,6 @@
title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
-ms.reviewer:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -11,7 +10,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
---
@@ -19,7 +20,7 @@ ms.date: 09/06/2021
# TPM Group Policy settings
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 1e071cfbdc..426eee0478 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -10,16 +10,17 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 09/06/2021
-ms.reviewer:
---
# Trusted Platform Module
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 424341046d..624bef6fa2 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -2,7 +2,6 @@
title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection
ms.prod: w10
ms.mktglfcycl: explore
@@ -13,7 +12,9 @@ author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection:
+ - M365-security-compliance
+ - highpri
ms.topic: conceptual
ms.date: 03/05/2019
---
@@ -21,8 +22,8 @@ ms.date: 03/05/2019
# Protect your enterprise data using Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 1cb4f72589..076b555055 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -18,24 +18,33 @@ ms.date: 09/06/2021
ms.technology: windows-sec
---
-# Advanced security audit policy settings
+# Advanced security audit policy settings (Windows 10)
-This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
+This reference for IT professionals provides information about:
+- The advanced audit policy settings available in Windows
+- The audit events that these settings generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
-- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
+- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
+ - every file and folder
+ - registry key on a computer
+ - file share.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
-These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
+These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
+- That are of little or no concern to you
+- That create an excessive number of log entries.
+
+In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
## Account Logon
-Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
+Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
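Review bot: The new bullet list under "The correct system access control list (SACL)" changes what the original sentence said: the source applied the SACL to "every file and folder or registry key" that is located "on a computer or file share", whereas the new list makes "registry key on a computer" and "file share" separate targets and says "either of the following" before three items. Suggest restoring the pairing, for example "is applied to every file, folder, and registry key on a computer or file share, as a verifiable safeguard against undetected access". Separately, "The audit events that these settings generate." ends with a period while its sibling bullet does not; pick one convention for the list.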
@@ -55,7 +64,11 @@ The security audit policy settings in this category can be used to monitor chang
## Detailed Tracking
-Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
+Detailed Tracking security policy settings and audit events can be used for the following purposes:
+- To monitor the activities of individual applications and users on that computer
+- To understand how a computer is being used.
+
+This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
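Review bot: After the Detailed Tracking sentence is split into bullets, "on that computer" in the first bullet no longer has an antecedent ("that computer" referred back to the computer being used, which now sits in the second bullet). Suggest "on a computer" in the first bullet.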
@@ -91,7 +104,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
## Object Access
-Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
+Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
@@ -114,7 +127,7 @@ This category includes the following subcategories:
## Policy Change
-Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
+Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
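Review bot: "tracking changes (or its attempts) to these policies" in the Policy Change paragraph is ungrammatical: "its" has no singular antecedent. Suggest "tracking changes, or attempted changes, to these policies". Note the rewrite also turns the original hedge "can be an important aspect" into a flat statement; fine if intended.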
@@ -133,7 +146,11 @@ Permissions on a network are granted for users or computers to complete defined
## System
-System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
+System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
+- Not included in other categories
+- Have potential security implications.
+
+This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
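Review bot: The System bullets "Not included in other categories" and "Have potential security implications." are fragments and read as alternatives, while the original sentence required both properties of the same change. Either keep one sentence ("system-level changes to a computer that are not included in other categories and that have potential security implications") or lead with "changes that meet both of the following:" and make each bullet a full clause.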
@@ -144,9 +161,11 @@ System security policy settings and audit events allow you to track system-level
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
-Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
+Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
-Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
+Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
+- Setting the Global Object Access Auditing policy to log all the activities for a specific user
+- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
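Review bot: The second bullet under "administrators quickly identify which object in a system is denying a user access by:" ends with a stranded "can help" left over from the original sentence; drop it. The source also said "all the activity" (uncountable), which reads better than "all the activities". Since both steps are taken together, "by doing both of the following:" would preserve that point from the original.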
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index 8cce54444d..9308046bcd 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -41,7 +41,7 @@ summary: This topic for the IT professional lists questions and answers about un
- [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
- - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
+ - [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
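Review bot: The TOC entry is renamed to "How do I ascertain the purpose for accessing a resource?" but its anchor still targets "#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-" and the question heading later in this file ("How do I figure out why someone was able to access a resource?") is unchanged, so link text and heading no longer agree. The new wording also changes the meaning: the FAQ answers why a user was able to access a resource (which permissions granted access), not what the user's purpose was. Suggest reverting the link text, or changing the question heading and the anchor together.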
@@ -64,7 +64,7 @@ sections:
- question: |
What is Windows security auditing and why might I want to use it?
answer: |
- Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities.
+ Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
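Review bot: "security auditing is the features and services for an administrator to log and review events" is awkward, and dropping "more narrowly defined" loses the contrast with the general definition in the preceding sentence. Suggest "security auditing refers more narrowly to the features and services that let an administrator log and review events for specified security-related activities".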
@@ -91,16 +91,16 @@ sections:
> **Important** Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
- If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
+ If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
- question: |
How are audit settings merged by Group Policy?
answer: |
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
- For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
+ For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
- The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
+ The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
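Review bot: "This coverage means" in the Group Policy merge answer introduces a noun that nothing earlier refers to; "These rules mean" or "As a result," reads better. "A defined group of extra settings" is acceptable but "additional settings" was the more precise wording.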
@@ -119,7 +119,7 @@ sections:
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
- If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
+ If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
- question: |
Why are audit policies applied on a per-computer basis rather than per user?
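Review bot: "auditing is not configured entirely" can be read as "not configured at all"; the original "not completely configured" was unambiguous. Suggest "auditing is not fully configured unless a SACL has been configured for an object and a corresponding Object Access audit policy setting has been configured and applied".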
@@ -128,7 +128,7 @@ sections:
In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
- However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
+ However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
- question: |
What are the differences in auditing functionality between versions of Windows?
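Review bot: While touching this line, fix the subject-verb agreement at the end of the paragraph: "only actions by members of the Payroll Processors OU on the Payroll Data folder generate audit events" (not "generates"). The rest of the rewrite ("This configuration results in an audit of attempts...") reads fine.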
@@ -147,13 +147,13 @@ sections:
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
- The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.
+ The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
- question: |
How can I set an audit policy that affects all objects on a computer?
answer: |
- System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
- Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
+ System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
+ Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
- question: |
How do I figure out why someone was able to access a resource?
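Review bot: "This application of SACL can be useful" and "This resultant SACL from the combination means" are wordier than the sentences they replace and the second one is hard to parse. Suggest "Applying a SACL this way can be useful for verifying..." and "As a result, an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy." Also, "This requirement has been difficult to accomplish" is odd since a requirement is met rather than accomplished; "This has been difficult to verify" keeps the original sense.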
@@ -173,7 +173,7 @@ sections:
- question: |
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
answer: |
- Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
+ Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
@@ -203,7 +203,7 @@ sections:
What are the best tools to model and manage audit policies?
answer: |
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
- On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks.
+ On an individual computer, the Auditpol command-line tool can be used to complete many important audit policy–related management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
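Review bot: the "a number of" to "many" rewording in the Auditpol sentence is not carried into the next sentence of the same answer, which still reads "there are a number of computer management products". For consistency within the answer, change that to "there are many computer management products" (or "several") in the same change.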
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index fe2879fa16..258ea0a79b 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -24,7 +24,7 @@ This document, the [Advanced security audit policy settings](advanced-security-a
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allow list of accounts. |
+| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allowlist of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index 4deca9cd3b..7cc6b35da0 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -29,7 +29,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
2. Select **Advanced**.
3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
-4. Do one of the following:
+4. Do one of the following tasks:
- To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
- To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, select its name, and then select **Edit.**
@@ -40,7 +40,7 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
-6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These include:
+6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
- **This folder only**
- **This folder, subfolders and files**
@@ -62,9 +62,9 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
-## Additional considerations
+## More considerations
-- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
+- After you turn on object access auditing, view the security login Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
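Review bot: the edited bullet introduces an error: "view the security login Event Viewer" should be "view the security log in Event Viewer". The original line was correct; joining "log in" into "login" turns the sentence into a reference to a non-existent "security login" viewer. Restore the space (or revert this line).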
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 2f8d75b174..2d936555a6 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -29,9 +29,9 @@ This subcategory failure logon attempts, when account was already locked out.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
+| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
+| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
+| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
**Events List:**
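Review bot: "high value domain or for local accounts" is less grammatical than the original "high value domain or local accounts"; the inserted "for" breaks the parallel structure (domain accounts or local accounts) and is repeated in all three changed table rows. If the goal is to disambiguate, "high-value domain or local accounts" already reads correctly, and "high value" should be hyphenated as a compound modifier, matching "High-value accounts" in the appendix table earlier in this patch.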
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index ea7806d09a..2ba6bae7e6 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 07/30/2021
+ms.date: 11/29/2021
ms.reviewer:
ms.technology: windows-sec
---
@@ -293,9 +293,9 @@ Another method to determine the available and enabled Windows Defender Device Gu
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
-B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device.
-C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device.
## How to turn off HVCI
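Review bot: replacing "from the file location in step 3 above" with the literal path `\Windows\System32\CodeIntegrity\` in steps B and C drops the cross-reference that kept these recovery steps in sync with step 3. Please confirm step 3 names the same path; if it is later changed, B and C will silently diverge. Keeping both, for example "from `\Windows\System32\CodeIntegrity\` (the location used in step 3 above)", preserves the link while still giving the reader the path directly, which is useful in Windows RE where the earlier steps are not on screen.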
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
index 56c3058279..5d606c7889 100644
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -16,7 +16,7 @@ ms.reviewer:
ms.technology: windows-sec
---
-# Get Support
+# Get Support for Windows baselines
**What is the Microsoft Security Compliance Manager (SCM)?**
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index e783eedfcd..fdd4c1c7d4 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -59,26 +59,26 @@ Windows 10 mitigations that you can configure are listed in the following two ta
|---|---|
| **Windows Defender SmartScreen** helps prevent malicious applications from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard** helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
-| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
-| **Microsoft Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox antimalware solution. Microsoft Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
+| **Enterprise certificate pinning** helps prevent man-in-the-middle attacks that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
+| **Device Guard** helps keep a device from running malware or other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Microsoft Defender Antivirus**, which helps keep devices free of viruses and other malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved to a considerable extent since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts** helps prevent fonts from being used in elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections** help prevent malware from using memory manipulation techniques such as buffer overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note: A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
| **UEFI Secure Boot** helps protect the platform from boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
-| **Early Launch Antimalware (ELAM)** helps protect the platform from rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) |
+| **Early Launch Antimalware (ELAM)** helps protect the platform from rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the anti-malware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) |
| **Device Health Attestation** helps prevent compromised devices from accessing an organization's assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](/windows-server/security/device-health-attestation) |
Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly.
-As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard).
+As an IT professional, you can ask application developers and software vendors to deliver applications that include an extra protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard).
### Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
| Mitigation and corresponding threat | Description |
|---|---|
-| **Data Execution Prevention (DEP)** helps prevent exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not. **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.
**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **SEHOP** helps prevent overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.
**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **ASLR** helps mitigate malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. **More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.
**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **Data Execution Prevention (DEP)** helps prevent exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications do not. **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.
**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **SEHOP** helps prevent overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.
**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
+| **ASLR** helps mitigate malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This loading - of specific DLLs -helps mitigate malware that's designed to attack specific memory locations. **More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.
**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure more ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
### Windows Defender SmartScreen
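Review bot: the ASLR row rewrite changes the meaning and is malformed: "This loading - of specific DLLs -helps mitigate malware that's designed to attack specific memory locations." loses the point of the original (that the attack relies on DLLs sitting at expected addresses) and the spaced hyphens are broken punctuation. Suggest "Because DLLs are no longer at predictable addresses, ASLR helps mitigate malware that's designed to attack specific memory locations where specific DLLs are expected to be loaded." Two smaller points in the same hunk: "improved to a considerable extent" in the Microsoft Defender Antivirus row is wordier than the "significantly improved" it replaces, and the generic term is now spelled "anti-malware" in the same row that carries the product name "Early Launch Antimalware"; keep one spelling for the generic term throughout the file and leave the product name as is.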
@@ -90,17 +90,17 @@ For more information, see [Microsoft Defender SmartScreen overview](microsoft-de
### Microsoft Defender Antivirus
-Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
+Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve anti-malware:
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
-- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
+- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This up-to-date status is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class antimalware solution.
+- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class anti-malware solution.
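Review bot: the rewritten sensors bullet, "This up-to-date status is accomplished in two ways", reads more awkwardly than the original "This is accomplished"; consider "Windows keeps these sensors current in two ways: by collecting the rich local context data from endpoints and by centrally analyzing that data." The antimalware to anti-malware change is fine but needs to be applied consistently across the page (the same term appears in the Protected Processes section and in the "Protecting Anti-Malware Services" link title), otherwise both spellings will coexist.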
@@ -112,7 +112,7 @@ For information about Microsoft Defender for Endpoint, a service that helps ente
Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
-Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit.
+Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted through a vulnerability exploit.
**To use Task Manager to see apps that use DEP**
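Review bot: the DEP sentence in this hunk still says the No eXecute bit marks blocks of memory as "read-only"; the NX bit marks pages as non-executable (they remain writable as data), so while the line is being touched, change it to "to mark blocks of memory as non-executable so that those blocks can't be used to execute malicious code that may be inserted through a vulnerability exploit." The "through a vulnerability exploit" wording change itself is fine.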
@@ -164,7 +164,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co
### Address Space Layout Randomization
-One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations.
+One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could overwrite it in well-known and predictable locations.
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
@@ -180,23 +180,23 @@ You can use the Group Policy setting called **Process Mitigation Options** to co
Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
-Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
+Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled.
### Table 3 Windows 10 mitigations to protect against memory exploits – no configuration needed
| Mitigation and corresponding threat | Description |
|---|---|
| **SMB hardening for SYSVOL and NETLOGON shares** helps mitigate man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).
**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
-| **Protected Processes** help prevent one process from tampering with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.
**More information**: [Protected Processes](#protected-processes), later in this topic. |
+| **Protected Processes** help prevent one process from tampering with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those processes that have been specially signed.
**More information**: [Protected Processes](#protected-processes), later in this topic. |
| **Universal Windows apps protections** screen downloadable apps and run them in an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
-| **Heap protections** help prevent exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
+| **Heap protections** help prevent exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures that help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections** help prevent exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
-| **Control Flow Guard** helps mitigate exploits that are based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
+| **Control Flow Guard** helps mitigate exploits based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
| **Protections built into Microsoft Edge** (the browser) helps mitigate multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
-In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts.
+In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This requirement reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts.
> [!NOTE]
> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
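Review bot: two untouched lines in this hunk carry grammar errors worth fixing while the table is being edited: the Edge row reads "Protections built into Microsoft Edge (the browser) helps mitigate multiple threats" (plural subject, so "help"), and the SMB note has a stray comma in "on these security improvements, (also referred to as UNC hardening), see" (drop the first comma). The "those processes that have been specially signed" and "This requirement reduces" changes read well.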
@@ -205,7 +205,7 @@ In Windows 10 and Windows Server 2016, client connections to the Active Director
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](/windows/win32/services/protecting-anti-malware-services-). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
+With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those processes that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and, as in Windows 8.1, implements them in a way that can be used by third-party anti-malware vendors, as described in [Protecting Anti-Malware Services](/windows/win32/services/protecting-anti-malware-services-). This ease in use helps make the system and anti-malware solutions less susceptible to tampering by malware that does manage to get on the system.
### Universal Windows apps protections
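Review bot: "This ease in use helps make the system and anti-malware solutions less susceptible" gives the sentence the wrong antecedent; the preceding sentence is about Protected Processes being used more broadly and being available to third-party vendors, not about ease of use. Suggest "This broader use of Protected Processes helps make the system and anti-malware solutions less susceptible to tampering by malware that does manage to get on the system." The "third-party" hyphenation and "anti-malware" spelling should match the choice made in the Microsoft Defender Antivirus section.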
@@ -223,13 +223,13 @@ Windows 10 has several important improvements to the security of the heap:
- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
-- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
+- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
### Kernel pool protections
-The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one which can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks.
+The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
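Review bot: the kernel pool sentence now mixes relative pronouns: "one which remains in physical memory ... and one that can be paged". Change both to "that" (or leave both as "which") so the parallel construction stays parallel. The heap allocation change to "making it more difficult" is fine.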
@@ -239,27 +239,27 @@ In addition to pool hardening, Windows 10 includes other kernel hardening featur
- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
-- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
+- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This configuration requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination.
-- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory.
+- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory.
### Control Flow Guard
-When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs.
+When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs.
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard).
-Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
+Browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
### Microsoft Edge and Internet Explorer 11
-Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
+Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
-All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
+All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially:
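Review bot: the CFG paragraph now reads "it calls the other code located in other memory addresses", which doubles "other"; suggest "it calls code located at other memory addresses". In the same hunk, "This configuration requires processor support" in the SMEP bullet mislabels the feature (SMEP is a processor capability, not something the administrator configures); "This protection requires processor support found in ..." is more accurate. "This allocation for the system makes it more difficult" in the memory reservations bullet is clunky; "Reserving this range makes it more difficult for malware ..." keeps the antecedent explicit. Minor: "Null dereference" (NTVDM bullet) and "NULL dereference" (memory reservations bullet) should use one spelling.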
@@ -267,15 +267,15 @@ Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is m
- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
-- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues.
+- **Includes Memory Garbage Collection (MemGC)**. This feature helps protect against use-after-free (UAF) issues.
- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default.
+- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, making it more secure by default.
-In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
+In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. You cannot configure it as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
-For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
+For sites that require IE11 compatibility, including those sites that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
### Functions that software vendors can use to build mitigations into apps
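Review bot: "You cannot configure it as the primary browser" turns the IE11 sentence from a recommendation into a restriction, and the restriction is not true: IE11 can be set as the default browser, and the next sentence still says "We recommend using Microsoft Edge as the primary web browser", which only makes sense as a recommendation. Suggest "Don't configure it as the primary browser; instead, configure it as an optional or automatic switchover." While in this hunk, the untouched Universal Windows app bullet says "Enhanced Protect Mode"; the feature is named Enhanced Protected Mode.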
@@ -293,16 +293,16 @@ Some of the protections available in Windows 10 are provided through functions t
| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy) \[ProcessSignaturePolicy\] |
| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy) \[ProcessSystemCallDisablePolicy\] |
-| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
+| High Entropy ASLR for up to 1 TB of variance in memory allocations | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute) \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
-You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
+You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10.
-Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)).
+Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly the ones assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)).
The following table lists EMET features in relation to Windows 10 features.
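Review bot: "some EMET mitigations carry high-performance cost" changes the meaning: the original "high performance cost" means a large cost in performance, while the hyphenated form reads as the cost of high performance. Use "carry a high performance cost" (no hyphen) or "carry a high cost in performance". The "1 TB" spacing fix and "those mitigations in Windows 10" are fine.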
@@ -323,7 +323,7 @@ to Windows 10 features
SEHOP
ASLR (Force ASLR, Bottom-up ASLR)
-
DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.
+
DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.
You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.
@@ -429,13 +429,13 @@ Examples:
ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
```
-- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
+- **Audit and modify the converted settings (the output file)**: More cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
```powershell
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
```
-- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This will enable protections on Windows 10 equivalent to EMET's ASR protections.
+- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
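Review bot: "This completion will enable protections on Windows 10 equivalent to EMET's ASR protections" is awkward and leaves the antecedent unclear; the protections come from deploying the Code Integrity policy, so suggest "Deploying that policy enables protections on Windows 10 equivalent to EMET's ASR protections." The Set-ProcessMitigation example and the "More cmdlets" wording are fine as they are.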
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 21a31de5bd..7794832d3e 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -80,13 +80,13 @@ An MDM solution evaluates the health assertions and, depending on the health rul
Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate.
-Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted.
+Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.
### Microsoft’s security investments in Windows 10
In Windows 10, there are three pillars of investments:
-- **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources.
+- **Secure identities.** Microsoft is part of the FIDO Alliance that aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system and for services like on-premises resources and cloud resources.
- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data.
- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware.
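Review bot: the "which" to "that" change in the Secure identities bullet is a regression. "Microsoft is part of the FIDO Alliance that aims to provide..." now reads as a restrictive clause picking one FIDO Alliance out of several; the FIDO Alliance is a single named organization, so the clause is non-restrictive and needs a comma plus "which": "Microsoft is part of the FIDO Alliance, which aims to provide an interoperable method of secure authentication...". The rewording in the Conditional Access paragraph ("more verification", "further security authentication") is fine.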
@@ -99,7 +99,7 @@ This section is an overview that describes different parts of the end-to-end sec
| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM. A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
-| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status. Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
+| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status. Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent. MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device. Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect. For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|
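Review bot: since row 2 is already being touched, fix the grammar the rewrite leaves in place: "registered application of organization's tenant" should be "registered applications of the organization's tenant", and "Azure AD is able to authenticate users and devices" can simply be "Azure AD can authenticate users and devices". The same row says "A trusted MDM can update the compliance status", so the sentence about the conditional access engine using "the compliance status of the device" should make clear that this status is only as reliable as the MDM writing it; a one-clause addition such as "as reported by the MDM" is enough.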
@@ -121,7 +121,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
- Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+ Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
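Review bot: the TPM bullet still has word-order problems after the "leverages" to "uses" swap: "for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives)" should read "for measuring the boot integrity sequence (and, based on that, automatically unlocking BitLocker-protected drives)". Note the hyphen in "BitLocker-protected", which is a compound modifier.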
@@ -161,7 +161,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
- Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.
+ Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed.
Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot.
The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
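Review bot: "protecting Disable Execute bit (NX option)" misnames the feature; NX is the no-execute bit, so suggest "protecting the no-execute (NX) bit". "This protective action ensures" is also heavier than it needs to be; "Protecting these settings ensures" names the action without the filler. While in this paragraph, the unchanged line below has a grammar slip worth fixing in the same PR: "a policy signed by the Microsoft KEK shall be work on all Secure Boot systems" should read "will work on all Secure Boot systems".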
@@ -188,7 +188,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup.
- HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified.
+ HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified.
> [!NOTE]
> Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post.
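Review bot: the HVCI sentence keeps a comma splice: "HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification." Split it into two sentences: "...to isolate Code Integrity. The only way kernel memory can become executable is through a Code Integrity verification." Then "This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X)" can be the plainer "As a result, kernel memory pages can never be both writable and executable (W+X), and executable code cannot be modified in place." The NOTE below still says "Device Guard devices"; consider the Windows Defender Application Control naming used elsewhere in this PR for consistency.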
@@ -200,7 +200,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack.
- This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
+ This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
- **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health.
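Review bot: "This attack-free state is accomplished by using Hyper-V..." overstates what Credential Guard provides; the preceding sentence only claims it "fundamentally prevents the current forms of the pass-the-hash (PtH) attack", not an attack-free state. Suggest "This isolation is accomplished by using Hyper-V and virtualization-based security to create a protected container...". Likewise "This accomplishment means that even if the Windows kernel is compromised" should be "This means that even if..." or "As a result, even if...". Security documentation should not promise more than the mechanism delivers; the later unchanged text correctly scopes virtualization-based security as not protecting against a physical attacker, and this paragraph should stay consistent with that.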
@@ -208,15 +208,15 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)).
- During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
+ During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For more security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets.
### Virtualization-based security
-Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
+Virtualization-based security provides a new trust boundary for Windows 10 and uses Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data.
-Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
+Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Virtualization-based security is not trying to protect against a physical attacker.
The following Windows 10 services are protected with virtualization-based security:
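Review bot: two wording points in this hunk. First, "For more security, the values measured by the TPM can be signed and transmitted to a remote server" is vaguer than the original; suggest "For stronger assurance, the values measured by the TPM can be signed and transmitted to a remote server...", since signing is what lets the server trust the measurements rather than adding "security" in general. Second, the unchanged sentence "health attestation will not stop the boot process and enter remediation when a measurement does not work" should say "when a measurement does not match the expected baseline", which is what the preceding sentence describes; a measurement not "working" suggests a TPM failure rather than a detected change. The merge of the broken "for Windows 10. leverages Hyper-V" fragment into one sentence is a good fix.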
@@ -234,14 +234,14 @@ The schema below is a high-level view of Windows 10 with virtualization-based se
### Credential Guard
-In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on
+In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs a sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This code execution helps ensure that protected data is not stolen and reused on
remote machines, which mitigates many PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
- **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key.
- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
-Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that
+Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that
credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins.
### Device Guard
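Review bot: "runs a sensitive code in an Isolated user mode" is a regression: "code" is uncountable here, so restore "runs sensitive code in Isolated User Mode"; and "This code execution helps ensure that protected data is not stolen" should be "This isolation helps ensure...", since it is the isolation, not the execution, that protects the data. In the next paragraph, "This activation is done to protect against remote modifications of the configuration" attaches the protection to the wrong step: the registry key activates the feature, and the UEFI variable is what prevents remote modification, as the following sentence says. Suggest "The UEFI variable protects the configuration against remote modification; changing it requires physical access to the device."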
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index a2c720f8da..f1504a61e6 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -1,6 +1,6 @@
---
title: Microsoft Security Compliance Toolkit 1.0
-description: This article describes how to use the Security Compliance Toolkit in your organization
+description: This article describes how to use the Microsoft Security Compliance Toolkit in your organization
keywords: virtualization, security, malware
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -16,7 +16,7 @@ ms.reviewer:
ms.technology: windows-sec
---
-# Microsoft Security Compliance Toolkit 1.0
+# Microsoft Security Compliance Toolkit 1.0 - Usage
## What is the Security Compliance Toolkit (SCT)?
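Review bot: changing the H1 to "Microsoft Security Compliance Toolkit 1.0 - Usage" leaves it out of sync with the unchanged front matter `title: Microsoft Security Compliance Toolkit 1.0`, so the browser title and the page heading will differ. Either update the `title:` in the same hunk or keep the H1 as it was. The " - Usage" suffix is also a style the other heading change in this PR does not use (the audit policy page appends "for Windows 10" instead); pick one convention.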
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index fe3ba96d3f..9d439eb3b6 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -18,7 +18,7 @@ ms.date: 04/19/2017
ms.technology: windows-sec
---
-# Advanced security audit policy settings
+# Advanced security audit policy settings for Windows 10
**Applies to**
- Windows 10
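Review bot: same point as on the toolkit page: the H1 now reads "Advanced security audit policy settings for Windows 10" but the front matter `title:` in this file was not updated, so heading and page title will diverge. Update both together, and confirm the "Applies to" list under the heading still matches the narrowed scope the new title implies.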
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index fc9376dadb..877251cbc7 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -25,7 +25,7 @@ Learn about an approach to collect events from devices in your organization. Thi
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
-To accomplish this, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
+To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis.
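Review bot: "To accomplish this functionality, there are two different subscriptions published to client devices" is awkward; suggest "To do this, two subscriptions are published to client devices: the Baseline subscription and the Suspect subscription." Capitalization is inconsistent within the same sentence ("the suspect subscription" then "a Suspect subscription"); the later text uses the capitalized "Suspect" and "Targeted", so use that form here too. "collects more events" for "collects additional events" is fine.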
@@ -41,7 +41,7 @@ Here's an approximate scaling guide for WEF events:
| 5,000 - 50,000 | SEM |
| 50,000+ | Hadoop/HDInsight/Data Lake |
-Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
+Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling more event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb).
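Review bot: "This condition is because WEF is a passive system regarding the event log" is awkward and separates the reason from the requirement it explains. Suggest folding it into the first sentence: "Event generation on a device must be enabled ... because WEF is a passive consumer of the event log: it cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy." The link text "Appendix A - Minimum recommended minimum audit policy" repeats "minimum"; the heading it points to has the same duplication, so fix both in this PR, which is safe as long as the `bkmk-appendixa` anchor is defined explicitly rather than derived from the heading text.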
@@ -49,14 +49,14 @@ For the minimum recommended audit policy and registry system ACL settings, see [
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription.
-This means you would create two base subscriptions:
+This system of dual subscription means you would create two base subscriptions:
-- **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines.
+- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines.
- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
-Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
+Each using the respective event query below. For the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
-In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query.
+In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query.
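Review bot: "These subscriptions are annotated for query purpose and clarity" changes the referent: what is annotated is the event query XML, not the subscriptions. Suggest "The queries are annotated to explain the purpose of each section." "This system of dual subscription means you would create two base subscriptions" is also clumsy; "You would therefore create two base subscriptions:" says the same. Two smaller fixes while here: "For the Targeted subscription enabling the "read existing events" option should be set to true" needs rewording ("For the Targeted subscription, set the "read existing events" option to true so that existing events are collected from those systems."), and `<Query>` should be in backticks, otherwise Markdown treats it as an HTML tag and the word disappears from the rendered page: "Individual `<Query>` elements can be removed or edited".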
### Common WEF questions
@@ -70,7 +70,7 @@ The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channe
### Is WEF Push or Pull?
-A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
+A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
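Review bot: "Those clients are to be configured ahead of time" softens a hard requirement; a collector-initiated subscription cannot read a client's logs unless the credential used by the subscription has been granted access, so keep "must be configured ahead of time". The parenthetical "(normally by adding the credential to the **Event Log Readers** built-in local security group.)" should close before the period. It is also worth stating explicitly that this one credential can then read the event logs of every client in the subscription remotely, which is a trade-off against the push (source-initiated) model the paragraph recommends.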
### Will WEF work over VPN or RAS?
@@ -78,7 +78,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen
### How is client progress tracked?
-The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a
+The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a
WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription.
### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
@@ -188,7 +188,7 @@ The annotated event query can be found in the following. For more info, see [App
- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb).
- OS startup and shutdown
- - Startup event include operating system version, service pack level, QFE version, and boot mode.
+ - Startup events include operating system version, service pack level, QFE version, and boot mode.
- Service install
@@ -216,13 +216,13 @@ The annotated event query can be found in the following. For more info, see [App
- Find out what initiated the restart of a device.
- User initiated interactive logoff event
-- Remote Desktop Services session connect, reconnect, or disconnect.
+- Remote Desktop Services sessions connect, reconnect, or disconnect.
- EMET events, if EMET is installed.
- Event forwarding plugin events
- For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues.
-- Network share create and delete
+- Network share creation and deletion
- Enables detection of unauthorized share creation.
>**Note:** All shares are re-created when the device starts.
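Review bot: "Remote Desktop Services sessions connect, reconnect, or disconnect" is not parallel with the neighbouring bullets ("Service install", "Network share creation and deletion"); "session" there is a noun modifier, so the original singular was correct. Suggest "Remote Desktop Services session connect, reconnect, and disconnect events". The "Network share creation and deletion" change is fine and matches that pattern.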
@@ -232,7 +232,7 @@ The annotated event query can be found in the following. For more info, see [App
- Logon success for interactive (local and Remote Interactive/Remote Desktop)
- Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
- Logon success for batch sessions
- - Logon session close, which are logoff events for non-network sessions.
+ - Logon session close, which is logoff events for non-network sessions.
- Windows Error Reporting (Application crash events only)
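Review bot: "Logon session close, which is logoff events for non-network sessions" still does not agree ("is ... events"); suggest "Logon session close (the logoff events for non-network sessions)" or "..., which are the logoff events for non-network sessions". The original "which are" was the smaller problem.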
@@ -244,7 +244,7 @@ The annotated event query can be found in the following. For more info, see [App
- Event log cleared (including the Security Event Log)
- - This could indicate an intruder that are covering their tracks.
+ - This could indicate an intruder that is covering their tracks.
- Special privileges assigned to new logon
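Review bot: minor: "an intruder that is covering their tracks" should use "who" for a person: "This could indicate an intruder who is covering their tracks."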
@@ -271,7 +271,7 @@ The annotated event query can be found in the following. For more info, see [App
- Logon with explicit credentials
- - Detect credential use changes by intruders to access additional resources.
+ - Detect credential use changes by intruders to access more resources.
- Smartcard card holder verification events
@@ -296,7 +296,7 @@ This adds some possible intruder-related activity to help analyst further refine
- Groups assigned to local logon
- - Gives visibility to groups which enable account wide access
+ - Gives visibility to groups which enable account-wide access
- Allows better planning for remediation efforts
- Excludes well known, built-in system accounts.
@@ -337,7 +337,7 @@ This adds some possible intruder-related activity to help analyst further refine
## Appendix A - Minimum recommended minimum audit policy
-If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.
+If your organizational audit policy enables more auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.
| Category | Subcategory | Audit settings |
|--------------------|---------------------------------|---------------------|
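Review bot: the heading "Appendix A - Minimum recommended minimum audit policy" repeats "minimum"; since the paragraph under it is being edited, change the heading to "Appendix A - Minimum recommended audit policy" and update the link texts that reference it, which is safe provided the `bkmk-appendixa` anchor is defined explicitly rather than generated from the heading text. "If your organizational audit policy enables more auditing to meet its needs, that is fine" could also be tighter: "Your audit policy may enable more auditing than this; the table below is the minimum needed for the events collected by both the baseline and targeted subscriptions."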
@@ -388,7 +388,7 @@ Use the following figures to see how you can configure those registry keys.
Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it.
-The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device.
+The recommended and most effective way to do this is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device.
The following GPO snippet performs the following:
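Review bot: "The recommended and most effective way to do this is configuring the baseline GPO" is less natural than the original "is to configure"; the infinitive is the idiomatic complement here, so either revert that part or turn the sentence into an instruction: "Configure the baseline GPO to run a scheduled task that configures the event channels (enable, set maximum size, and adjust channel access). This takes effect at the next GPO refresh cycle and has minimal impact on the client device." That also moves the period outside the parenthesis.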
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index df36d5aeb6..68dee402b4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -29,7 +29,7 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you better balance security and manageability when enforcing application control policies.
+Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
## How does a managed installer work?
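Review bot: the replacement sentence introduces a version claim, "Windows 10 (version 1703) introduced a new option", that the removed sentence did not make; confirm it against the feature availability table linked in the note immediately above, since that table is where this doc set records when each WDAC capability became available. The rest of the rewording reads well, and "designated software distribution solution" is a useful precision, because a managed installer only takes effect for an installer that has been explicitly configured as one.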
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 0452284705..71779ec0d3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -89,6 +89,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
| `Brock Mammen`| |
| `Casey Smith` | `@subTee` |
| `Jimmy Bayne` | `@bohops` |
+| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
| `Lee Christensen` | `@tifkin_` |
| `Matt Graeber` | `@mattifestation` |
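Review bot: the new row "| `Kim Oppalfens` | `@thewmiguy` |" keeps the table's alphabetical order and the backticked name and handle convention, so no change needed here. Because a credit in this table normally accompanies a new block-list entry, the corresponding rule should land in the same change; the two later hunks in this file are where that would be, and their added lines are not legible in this view.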
@@ -164,6 +165,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
+
@@ -905,6 +907,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
+
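Review bot: the single `+` line added at @@ -164 and the single `+` line added at @@ -905 carry no visible content here, so the actual rule text cannot be reviewed. If, as the two locations suggest, these are a `Deny` element under `FileRules` and its matching `FileRuleRef` under the signing scenario's `FileRulesRef`, confirm that the `ID` on the first and the `RuleID` on the second are identical; a `Deny` rule without a `FileRuleRef` is never applied, and a `FileRuleRef` pointing at an undefined ID makes the policy XML fail to convert to binary.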
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 4e5251d27d..608da5aa98 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -46,14 +46,14 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
```xml
- 10.0.19565.0
+ 10.0.22493.0{D2BDA982-CCF6-4344-AC5B-0B44427B6816}{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
-
+
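Review bot: on the `+` side of this hunk the `PolicyID` and `BasePolicyID` GUIDs ({D2BDA982-…} and {2E07F7E4-…}) appear together with the new `VersionEx` of 10.0.22493.0, while the `-` side shows only the old version 10.0.19565.0; confirm whether those IDs are unchanged and merely rendered on one line here, or whether they were altered. A changed `PolicyID` makes the published policy a different policy rather than an update of the one customers have already deployed, so existing deployments would then carry both the old and the new policy unless the old one is explicitly removed.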
@@ -173,6 +173,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
@@ -242,6 +246,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
@@ -311,10 +318,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
@@ -335,15 +348,20 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
-
+
-
+
+
+
+
@@ -405,6 +423,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
@@ -415,6 +435,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
@@ -452,7 +478,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
@@ -468,6 +493,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
@@ -485,6 +516,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
@@ -501,10 +535,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
+
+
@@ -522,8 +558,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
-
+
@@ -633,6 +671,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
@@ -702,6 +744,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
@@ -771,11 +816,17 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
-
-
+
+
+
+
+
@@ -794,7 +845,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
- 10.0.22417.0
+ 10.0.22493.0
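Review bot: the closing version line now reads 10.0.22493.0, matching the `VersionEx` set at the top of the policy in the first hunk; the two previously disagreed (10.0.19565.0 at the top, 10.0.22417.0 at the bottom), so this change fixes an inconsistency as well as bumping the version. The intervening hunks (@@ -173 through @@ -771) add and remove driver entries whose text is not visible in this view, so they could not be checked for matching `Deny` and `FileRuleRef` pairs.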
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 5fb7949fb1..22ff2acf4f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -33,7 +33,7 @@ This topic describes the decisions you need to make to establish the processes f
## Policy XML lifecycle management
-The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
+The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps ensure that WDAC continues to effectively control how applications are allowed to run in your organization.
Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 6e90081708..e5bf200d59 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -29,23 +29,23 @@ ms.technology: windows-sec
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
+Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
## Windows Defender Application Control policy rules
To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
-- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
+- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy, by running the following command:
`Set-RuleOption -FilePath -Option 0`
- A policy created without the `-UserPEs` option has no rules for user mode code. If you enable UMCI (Option 0) for such a policy, WDAC will block all applications and even critical Windows user session code. In audit mode, WDAC simply logs an event, but when enforced, all user mode code will be blocked. To create a policy that includes user mode executables (applications), run `New-CIPolicy` with the `-UserPEs` option.
+ A policy created without the `-UserPEs` option has no rules for user mode code. If you enable UMCI (Option 0) for such a policy, WDAC will block all applications, and even critical Windows user session code. In audit mode, WDAC simply logs an event, but when enforced, all user mode code will be blocked. To create a policy that includes user mode executables (applications), run `New-CIPolicy` with the `-UserPEs` option.
- To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command:
`Set-RuleOption -FilePath -Option 0 -Delete`
-You can set several rule options within a WDAC policy. Table 1 describes each rule option and whether they have supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
+You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether they have supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
> [!NOTE]
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
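Review bot: several of the added commas separate a verb from its complement and should be dropped: "control what runs on Windows 10 and Windows 11, by setting policies", "add rule option 0 to an existing policy, by running the following command", and "describes each rule option, and whether they have supplemental policies" all read better without the comma. The comma in "block all applications, and even critical Windows user session code" is acceptable. Separately, as rendered here both `Set-RuleOption -FilePath -Option 0` examples show no value for `-FilePath`; if the path placeholder was lost in this edit, restore it so readers know a policy XML path goes there.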
@@ -57,28 +57,28 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | No |
| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | No |
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No |
-| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
+| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This option would be used by organizations that only want to run released binaries, not pre-release Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
-| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
+| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes |
-| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No |
+| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed, and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
-| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.| No |
-| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
-| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
-| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
-| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
+| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903 and above. | Yes |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803 and above. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
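Review bot: the "version 1709 and above" style change for options 16 through 19 is correct, but two other added commas are not: "that would have been blocked, if the policy was enforced" and "must be WHQL signed, and have been submitted by a partner" both split a clause or compound predicate that should stay together, as does "process/components, under enterprise signing scenarios". While the option 8 row is being edited, "Extended Verification (EV) certificate" should read "Extended Validation (EV) certificate", which is what EV stands for. The option 11 row shows no visible difference between its `-` and `+` lines in this view; if the only change is trailing whitespace, that is fine, but otherwise there is nothing to review there.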
## Windows Defender Application Control file rule levels
-File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.
+File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary, or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.
Each file rule level has its benefit and disadvantage. Use Table 2 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario.
@@ -86,21 +86,21 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level and requires additional effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
-| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
+| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires additional effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it does not typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. Additional information about FilePath level rules can be found below. |
-| **SignedVersion** | This level combines the publisher rule with a version number and allows anything to run from the specified publisher with a version at or above the specified version number. |
+| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
-| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate, because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
+| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan does not validate anything beyond the certificates included in the provided signature (it does not go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This level is primarily for kernel binaries. |
-| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate and is primarily for kernel binaries. |
+| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. |
> [!NOTE]
-> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
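Review bot: "This is the most specific level, and requires additional effort" and "combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries" gain commas before a second verb that shares the subject; drop them. Splitting the SignedVersion description into two sentences and removing the comma before "because" in the PcaCertificate row are fine. In the note at the end of the hunk, "PCACertificate" should be written "PcaCertificate" to match the rule level name used in the table above it, and the comma in "specify a primary file rule level, by including the **-Level** parameter" is unnecessary.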
@@ -120,17 +120,17 @@ WDAC has a built-in file rule conflict logic that translates to precedence order
## More information about filepath rules
-Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
+Filepath rules do not provide the same security guarantees that explicit signer rules do, since they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access.
-There is a defined list of SIDs which WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above.
+There is a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above.
WDAC's list of well-known admin SIDs are:
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
-When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
+When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards, using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
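Review bot: the comma added before "using the [-FilePathRules](…) switch" detaches the instrument from the verb, so "define rules containing wildcards using the -FilePathRules switch" reads more naturally without it. "that WDAC recognizes as admins" and "user-writeable, even if the SID is associated to a custom admin user" are improvements; "associated with" would be the usual preposition. The unchanged context line "WDAC's list of well-known admin SIDs are:" should read "is:", since the subject is "list".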
@@ -144,13 +144,13 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
-During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
+During validation CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI cannot always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
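Review bot: the comma the edit adds in "to do a full sha256 authenticode, and we would just match" is the less important one; the sentence needs a comma after the introductory conditional, "if the file is page-hash signed, the entire file would not get paged in". While here, "a full sha256 authenticode" should read "a full SHA-256 Authenticode hash" to match the hash names listed in the preceding sentence, and the unchanged "This is also resilient, if the signing status of the file changes" has the same misplaced comma. The "files that are purely user-mode" change in the second paragraph is correct.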
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 1125c7c0ef..4ea10512bd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -29,7 +29,7 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment.
+This topic is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
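Review bot: the rewritten second sentence is ungrammatical: "ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment" stacks nouns and commas where the original had a clear clause. Suggest "This topic is for the IT professional. It lists the design questions, possible answers, and ramifications of the decisions you make when planning a deployment of application control policies with Windows Defender Application Control (WDAC) in a Windows operating system environment."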
@@ -46,24 +46,24 @@ You should consider using WDAC as part of your organization's application contro
Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create.
-The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust", we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML.
+The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML.
For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store.
Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration.
-The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations.
+The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations.
## WDAC design considerations
### How are apps managed and deployed in your organization?
-Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization.
+Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules, or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization.
| Possible answers | Design considerations|
| - | - |
| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
-| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. |
+| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
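Review bot: two of the commas added in this hunk join compound predicates rather than independent clauses and should be dropped: "They are not in priority or sequential order, and are not meant to be ..." and "... may be able to deploy WDAC with more relaxed rules, or may choose to deploy ...". The original punctuation was correct there. The comma added in the supplemental-policies row ("... to install their team-specific apps, or admin-only file path rules can be used ...") is fine, since it separates two clauses with different subjects, as is moving the comma inside the closing quote in "circle-of-trust,".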
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index b56df7608b..578058661d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -29,14 +29,14 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
+Signed WDAC policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
-Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
+Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
+Before PKCS #7-signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a WDAC policy with SignTool.exe, you need the following components:
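Review bot: the first changed line of this hunk is now ungrammatical: "Signed WDAC policies give organizations the highest level of malware protection available in Windows—must be signed with PKCS #7" splices a subject-less fragment onto the sentence with an em dash. Split it: "Signed WDAC policies give organizations the highest level of malware protection available in Windows. Policies must be signed in PKCS #7 format." Once that is stated, the "sign with PKCS #7 and deploy" and "Before PKCS #7-signing WDAC policies" insertions in the following two paragraphs are redundant and can revert to the original wording. Also note that RFC 5652 defines CMS, the IETF successor to PKCS #7 (RFC 2315); either link RFC 2315 or write "PKCS #7/CMS". In the rule-options paragraph, breaking the em dash into "... already enabled. If so, the command has no effect." leaves "If so" without a clear antecedent; "If the option is already enabled, the command has no effect." is unambiguous. While this line is being touched, `Set-RuleOption -FilePath -Option 9` is missing the argument to `-FilePath`; `Set-RuleOption -FilePath <PathToPolicyXml> -Option 9` would make the example runnable.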
@@ -96,17 +96,16 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
-8. Sign the WDAC policy by using SignTool.exe:
+8. Sign ([PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652)) the WDAC policy by using SignTool.exe:
```powershell
sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
```
-
+
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
-
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
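Review bot: "Sign ([PKCS #7](...)) the WDAC policy by using SignTool.exe:" puts a parenthetical link between verb and object and duplicates the link this PR already adds to the intro of the same file; "Sign the WDAC policy by using SignTool.exe:" is enough, or "Sign the WDAC policy in PKCS #7 format by using SignTool.exe:" if the format must be repeated at the step. Also, this hunk keeps the blank line before the first `> [!NOTE]` (the whitespace-only change) but removes the blank line between the step 9 paragraph and the second `> [!NOTE]` about the Secure Boot reboot; keep both blank lines so the two notes are formatted consistently and neither reads as a continuation of the preceding paragraph.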
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 2d52ef271b..469562b0c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -34,10 +34,10 @@ This guide covers design and planning for Windows Defender Application Control (
## Plan for success
-A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning:
+A common refrain you may hear about application control is that it is "too hard." While it is true that application control is not as simple as flipping a switch, organizations can be successful, if they're methodical when carefully planning their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. Organizations that have successfully deployed application control have ensured the following before starting their planning:
- Executive sponsorship and organizational buy-in is in place.
-- There is a clear **business** objective for using application control and it is not being planned as a purely technical problem from IT.
+- There is a clear **business** objective for using application control, and it is not being planned as a purely technical problem from IT.
- The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps.
- The organization has considered where application control can be most useful (for example, securing sensitive workloads or business functions) and also where it may be difficult to achieve (for example, developer workstations).
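Review bot: "organizations can be successful, if they're methodical when carefully planning their approach" adds a comma before a restrictive "if" clause and stacks "methodical when carefully planning"; the original sentence was clearer. If it needs tightening: "organizations can be successful if they take a methodical approach and plan carefully." The other changes in this hunk (period inside the closing quote in "too hard." and the comma before "and it is not being planned", which joins two independent clauses) are fine.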
@@ -48,9 +48,9 @@ Once these business factors are in place, you are ready to begin planning your W
| Topic | Description |
| - | - |
| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions, when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
-| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
+| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios, and helps you begin to develop a plan for deploying WDAC in your organization. |
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit, and merge WDAC policies. |
-After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
+After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers creating and testing policies, deploying the enforcement setting, and managing and maintaining policies.
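Review bot: two of the added commas in this table separate a restrictive clause or a compound predicate rather than independent clauses and are unnecessary: "ramifications of the decisions, when you plan a deployment" and "outlines common use case scenarios, and helps you begin". Also keep this first-row description in sync with the intro sentence of the linked topic, which the earlier hunk in this PR rewrites to "ramifications for decisions made, when planning application control policies deployment"; the two should use the same wording. The last-line tightening ("covers creating and testing policies, deploying the enforcement setting, ...") is good.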
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index c73336b070..7e081f6ecc 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
-ms.date: 07/01/2021
+ms.date: 11/30/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -17,7 +17,12 @@ ms.technology: windows-sec
# System Guard Secure Launch and SMM protection
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 devices. The information below is presented from a client perspective.
+**Applies to:**
+
+- Windows 11
+- Windows 10
+
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
## How to enable System Guard Secure Launch
@@ -73,22 +78,22 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example, no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) Platforms must set up a PS (Platform Supplier) index with:
Exactly the "TXT PS2" style Attributes on creation as follows:
AuthWrite
PolicyDelete
WriteLocked
WriteDefine
AuthRead
WriteDefine
NoDa
Written
PlatformCreate
A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
Size of exactly 70 bytes
NameAlg = SHA256
In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
+|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) Platforms must set up a PS (Platform Supplier) index with:
Exactly the "TXT PS2" style Attributes on creation as follows:
AuthWrite
PolicyDelete
WriteLocked
WriteDefine
AuthRead
WriteDefine
NoDa
Written
PlatformCreate
A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
Size of exactly 70 bytes
NameAlg = SHA256
Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
|AUX Policy|The required AUX policy must be as follows:
A = TPM2_PolicyLocality (Locality 3 & Locality 4)
B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
|
|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
Intel® SINIT ACM must be carried in the OEM BIOS
Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
|For Qualcomm® processors with SD850 or later chipsets|Description|
|--------|-----------|
|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
-|Monitor Mode Page Tables|All Monitor Mode page tables must:
NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory)
They must NOT have execute and write permissions for the same page
Platforms must only allow Monitor Mode pages marked as executable
The memory map must report Monitor Mode as EfiReservedMemoryType
Platforms must provide mechanism to protect the Monitor Mode page tables from modification
NOT contain any mappings to EfiConventionalMemory (for example, no OS/VMM owned memory)
They must NOT have execute and write permissions for the same page
Platforms must only allow Monitor Mode pages marked as executable
The memory map must report Monitor Mode as EfiReservedMemoryType
Platforms must provide mechanism to protect the Monitor Mode page tables from modification
|
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
|Platform firmware|Platform firmware must carry all code required to perform a launch.|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
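Review bot: the SMM Page Tables cell still runs two requirements together without a period ("... for the same page Must allow ONLY that TSEG pages ..."); since the line is being rewritten anyway, add the period: "... for the same page. Must allow ONLY ...". In the TPM AUX Index cell, "set up a AUX index" should be "an AUX index", "WriteDefine" appears twice in the attribute list, and "TXT DG" is an unexpanded abbreviation; please confirm the attribute list against the TXT reference and spell out the guide name on first use. In the Qualcomm table, the Monitor Mode Page Tables row shows the five requirement lines twice, once with "(e.g. no OS/VMM owned memory)" and once with "(for example, no OS/VMM owned memory)", and only the first `|Monitor Mode Page Tables|` line carries a `-` marker; check that the committed cell contains a single copy of the list rather than both.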
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 46cc0e4626..2d66169700 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,6 +1,6 @@
---
title: Microsoft Security Compliance Toolkit 1.0 Guide
-description: This article describes how to use the Security Compliance Toolkit in your organization
+description: This article describes how to use Security Compliance Toolkit 1.0 in your organization
keywords: virtualization, security, malware
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -16,7 +16,7 @@ ms.reviewer:
ms.technology: windows-sec
---
-# Microsoft Security Compliance Toolkit 1.0
+# Microsoft Security Compliance Toolkit 1.0 - How to use
## What is the Security Compliance Toolkit (SCT)?
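Review bot: the new H1 "Microsoft Security Compliance Toolkit 1.0 - How to use" reads as a fragment and no longer matches the page's `title` metadata ("Microsoft Security Compliance Toolkit 1.0 Guide"). Pick one form for both; for example keep the H1 as "Microsoft Security Compliance Toolkit 1.0" and let the `description` (already changed in the previous hunk to "how to use Security Compliance Toolkit 1.0") carry the how-to intent.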
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 403244cfa4..459aec5b4f 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -10,10 +10,13 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
- ms.collection: windows-10
+ ms.collection:
+ - windows-10
+ - highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
+ manager: dougeby
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 79aab127a3..753623905e 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -11,12 +11,13 @@ ms.author: greglin
manager: dougeby
ms.localizationpriority: low
ms.topic: article
+ms.collection: highpri
---
# Windows 10 Enterprise LTSC
**Applies to**
-- Windows 10 Enterprise LTSC
+- Windows 10 Enterprise LTSC
## In this topic
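Review bot: the `-`/`+` pair for "- Windows 10 Enterprise LTSC" shows no visible difference, so the change is whitespace-only (a trailing space or a non-breaking space being replaced). That is fine, but say so in the PR description: the same invisible change recurs in the 20H2, 21H1, and Windows 11 plan/prepare/requirements files below, and without a note a reviewer cannot tell what was changed or why.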
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index d7e404f25e..dbb8acd827 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -8,15 +8,16 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
-manager: laurawi
+manager: dougeby
ms.localizationpriority: high
ms.topic: article
+ms.collection: highpri
---
# What's new in Windows 10, version 20H2 for IT Pros
**Applies to**
-- Windows 10, version 20H2
+- Windows 10, version 20H2
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 70725f4a9b..06aade74c5 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -8,15 +8,16 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
-manager: laurawi
+manager: dougeby
ms.localizationpriority: high
ms.topic: article
+ms.collection: highpri
---
# What's new in Windows 10, version 21H1 for IT Pros
**Applies to**
-- Windows 10, version 21H1
+- Windows 10, version 21H1
This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index af508674f5..f30128f026 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -1,7 +1,6 @@
---
title: What's new in Windows 10, version 21H2 for IT pros
description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-ms.reviewer:
manager: dougeby
ms.prod: w10
ms.mktglfcycl: deploy
@@ -11,6 +10,7 @@ ms.author: mandia
author: MandiOhlinger
ms.localizationpriority: medium
ms.topic: article
+ms.collection: highpri
---
# What's new in Windows 10, version 21H2
@@ -69,9 +69,9 @@ For more information, see:
- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new)
- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
-## Wi-Fi 6E support
+## Wi-Fi WPA3 H2E support
-Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth.
+Wi-Fi WPA3 H2E (Hash-to-Element) support is built in to Windows 10, version 21H2.
## Related articles
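Review bot: the replacement sentence "Wi-Fi WPA3 H2E (Hash-to-Element) support is built in to Windows 10, version 21H2." drops all of the explanation the old paragraph carried. One sentence on what H2E is would help the IT-pro audience, for example that it is the hash-to-element method for deriving the SAE password element in WPA3, replacing the older timing-sensitive hunting-and-pecking loop. Also "built in to" should be "built into". Because this hunk replaces the Wi-Fi 6E section rather than adding a new one, the PR description should state why the 6E/802.11ax text is being removed so the deletion isn't read as accidental.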
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 7841ae8015..aa1f8b6d33 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -7,17 +7,17 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.localizationpriority: high
ms.topic: article
+ms.collection: highpri
---
# Plan for Windows 11
**Applies to**
-- Windows 11
+- Windows 11
## Deployment planning
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 401e92c65f..18d9c7bbea 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -7,17 +7,17 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
-ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.localizationpriority: high
ms.topic: article
+ms.collection: highpri
---
# Prepare for Windows 11
**Applies to**
-- Windows 11
+- Windows 11
Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10.
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index da34c4fa6e..2b7aee5432 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -1,7 +1,6 @@
---
title: Windows 11 requirements
description: Hardware requirements to deploy Windows 11
-ms.reviewer:
manager: dougeby
ms.audience: itpro
author: greg-lindsay
@@ -13,13 +12,14 @@ ms.localizationpriority: medium
audience: itpro
ms.topic: article
ms.custom: seo-marvel-apr2020
+ms.collection: highpri
---
# Windows 11 requirements
**Applies to**
-- Windows 11
+- Windows 11
This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support).
diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md
index af406cd7e7..f3b21b2f87 100644
--- a/windows/whats-new/windows-11-whats-new.md
+++ b/windows/whats-new/windows-11-whats-new.md
@@ -1,6 +1,6 @@
---
title: Windows 11, what's new and overview for administrators
-description: Learn more about what's new in Windows 11. Read about see the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
+description: Learn more about what's new in Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
ms.audience: itpro
@@ -12,7 +12,7 @@ ms.sitesec: library
ms.localizationpriority: medium
audience: itpro
ms.topic: article
-ms.custom:
+ms.collection: highpri
---
# What's new in Windows 11
@@ -21,7 +21,7 @@ ms.custom:
- Windows 11
-Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition and update to what you know, and what you're familiar with.
+Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with.
It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
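Review bot: In the rewritten sentence, "includes features that organizations should know" is missing its object; "should know about" reads correctly. Splitting the long sentence into "Windows 11 is a natural transition. It's an update to what you know, …" is a good readability change.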
@@ -41,7 +41,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines).
-- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If your devices are managed with Endpoint Manager, you can create policies based on threat levels found in Microsoft Defender for Endpoint.
+- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Endpoint Manager to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint.
For more information, see:
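Review bot: The new bullet still carries "strong endpoint protection, and advanced endpoint protection & response", which repeats "endpoint protection" and reads as a leftover from the original wording; the Defender for Endpoint capability normally named here is endpoint detection and response, so confirm the intended phrase while this line is being edited. The change from "devices are managed with" to "If you use Endpoint Manager to manage devices, then" is fine.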
@@ -194,7 +194,7 @@ For more information on the security features you can configure, manage, and enf
- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.
- If you currently use Group Policy to manage your Windows 10 devices, you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
+ If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
- **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
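Review bot: The last sentence of the rewritten line, "[Group Policy analytics] analyze your on-premises group policy objects", has a subject-verb mismatch when the feature name is read as singular; "analyzes" (or "helps you analyze") fits better and is not touched by this rewrite, so consider fixing it in the same pass.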
@@ -211,6 +211,10 @@ For more information on the security features you can configure, manage, and enf
- [Installation & updates](https://support.microsoft.com/office/installation-updates-2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11)
- [Manage updates in Windows](https://support.microsoft.com/windows/manage-updates-in-windows-643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)
+## Education and apps
+
+Windows 11 SE is a new edition of Windows that's designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview).
+
## Next steps
- [Windows 11 requirements](windows-11-requirements.md)
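Review bot: The new "Education and apps" heading is broader than its single paragraph, which only introduces Windows 11 SE; a heading such as "Windows 11 SE for Education" would match the content and the linked article's title. Since the paragraph points readers to the new overview page, the "Next steps" list in the trailing context is also a natural place to add the same `/education/windows/windows-11-se-overview` link.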