Merge branch 'main' into vp-csp-changes

2025-06-17 19:33:37 +00:00 · 2023-07-26 13:13:13 -04:00
parent fb757273c2 fec0e07f65
commit 30e1318efd
19 changed files with 14271 additions and 14211 deletions
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@ -70,12 +70,12 @@
                    items:
                      - name: Manage Windows feature updates
                        href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
-                  - name: Microsoft 365 Apps for enterprise
-                    href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
-                  - name: Microsoft Edge
-                    href: operate/windows-autopatch-edge.md
-                  - name: Microsoft Teams
-                    href: operate/windows-autopatch-teams.md
+              - name: Microsoft 365 Apps for enterprise
+                href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
+              - name: Microsoft Edge
+                href: operate/windows-autopatch-edge.md
+              - name: Microsoft Teams
+                href: operate/windows-autopatch-teams.md
        - name: Windows quality and feature update reports
          href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
          items:
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
@ -14,11 +14,11 @@ The EA set on the NI file only applies to the currently active WDAC policies. If

 In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).

-To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies:
+To mitigate any performance impact caused when the WDAC EA isn't valid or missing:

-1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature;
-2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies;
-3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images
+- Avoid updating the WDAC policies often.
+- Run `ngen update` (on all machine architectures) to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies.
+- Migrate applications to .NET Core (.NET 6 or greater).

 ## WDAC and .NET hardening

--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@ -48,7 +48,9 @@ items:
        href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
      - name: Secured-core PC 🔗
        href: /windows-hardware/design/device-experiences/oem-highly-secure-11
+      - name: Secured-core PC configuration lock
+        href: /windows/client-management/config-lock 🔗
      - name: Kernel Direct Memory Access (DMA) protection
        href: kernel-dma-protection-for-thunderbolt.md
      - name: System Guard Secure Launch
-        href: system-guard-secure-launch-and-smm-protection.md
+        href: system-guard-secure-launch-and-smm-protection.md
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@ -43,6 +43,8 @@ items:
    href: ../threat-protection/security-policy-settings/security-policy-settings.md
  - name: Advanced credential protection
    items:
+    - name: Configuring LSA Protection
+      href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
    - name: Windows Defender Credential Guard
      href: credential-guard/toc.yml
    - name: Windows Defender Remote Credential Guard
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@ -7,7 +7,7 @@ items:
  href: virus-and-threat-protection/toc.yml
 - name: Network security
  href: network-security/toc.yml
- name: Data protection
+- name: Encryption and data protection
  href: data-protection/toc.yml
 - name: Device management
  href: device-management/toc.yml
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@ -1,8 +1,6 @@
 items:
  - name: Microsoft Defender Antivirus 🔗
    href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
-  - name: Configuring LSA Protection
-    href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
    preserveContext: true
  - name: Attack surface reduction (ASR) 🔗
    href: /microsoft-365/security/defender-endpoint/attack-surface-reduction