-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
@@ -235,7 +235,7 @@ After you’ve collected your data, you’ll need to get the local files off of
-OR-
- Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### Collect your hardware inventory using the MOF Editor while connected to a client device
You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
@@ -277,8 +277,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f
4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
**To collect your inventory**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 63709888c6..24265e0261 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -142,7 +142,7 @@ Before you can start to collect your data, you must run the provided PowerShell
-OR-
- Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
@@ -239,7 +239,7 @@ After you’ve collected your data, you’ll need to get the local files off of
-OR-
- Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### Collect your hardware inventory using the MOF Editor while connected to a client device
You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
@@ -281,8 +281,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f
4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
**To collect your inventory**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 3ec3c7c763..13e84a6792 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -75,7 +75,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
> [!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml).
-- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
+- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
index 178595abf4..618ec339b5 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
@@ -22,7 +22,7 @@ summary: |
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
- > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+ > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
- [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process)
@@ -47,7 +47,7 @@ sections:
- question: |
Whtools cI use to manage Windows Updates and Microsoft Updates in my company?
answer: |
- We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
+ We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
- question: |
How long does the blocker mechanism work?
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 37e9cba645..6ecad551d4 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -485,7 +485,7 @@ Table 9. Management systems and deployment resources
|--- |--- |
|Windows provisioning packages|
Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
Restart the Windows Update service.|
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index b942f83a14..d568f05eef 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -613,7 +613,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
### Delete (deregister) Autopilot device
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the Microsoft Endpoint Manager admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index cd1cb3afe6..c2f6129519 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1314,7 +1314,7 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier.
@@ -3140,7 +3140,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 6a19d4f822..079490dd99 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -3148,7 +3148,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index cf9e96bf73..912861438f 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -4550,7 +4550,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index e1d9c05c8c..645690fd3d 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -3362,7 +3362,7 @@ The following fields are available:
- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network.
- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device.
- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device.
-- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date.
+- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date.
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
@@ -6058,7 +6058,7 @@ The following fields are available:
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
- **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected.
- **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
- **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use.
- **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress.
- **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 69a1cecb22..c474b2d518 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -3623,7 +3623,7 @@ The following fields are available:
- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network.
- **IsDeviceOobeBlocked** Indicates whether the OOBE (Out of Box Experience) is blocked on the device.
- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device.
-- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date.
+- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date.
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 7a06722124..a3f4153369 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -99,7 +99,7 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello.
- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
-- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
+- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
## Related topics
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index e5df19b1b9..1b234aad34 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -30,7 +30,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu
## Managing domain-joined computers and moving to cloud
-Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
+Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index 8c2b314e2b..86efc39597 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -32,7 +32,7 @@ ms.technology: windows-sec
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
-1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm)
+1. [Deploy policies with Microsoft Endpoint Configuration Manager](#deploy-appid-tagging-policies-with-memcm)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
@@ -42,7 +42,7 @@ Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI fe
## Deploy AppId Tagging Policies with MEMCM
-Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
+Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId Tagging Policies via Scripting
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 7f1f74be4f..e7fccafbfd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -125,7 +125,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
```
-4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place.
+4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place.
```xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index a5b01bd9ff..b5aca1e44a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -157,7 +157,7 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor
1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
-2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
+2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index d777bcb8fe..283ec90d38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -46,13 +46,9 @@ Alice previously created a policy for the organization's lightly managed devices
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices:
- All clients are running Windows 10 version 1903 or above or Windows 11;
-- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
-
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
-
-- Most, but not all, apps are deployed using MEMCM;
-- Sometimes, IT staff install apps directly to these devices without using MEMCM;
+- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune;
+- Most, but not all, apps are deployed using Configuration Manager;
+- Sometimes, IT staff install apps directly to these devices without using Configuration Manager;
- All users except IT are standard users on these devices.
Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules.
@@ -64,8 +60,8 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (3rd party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function
-3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
+2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
+3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer)
The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
@@ -74,14 +70,14 @@ The critical differences between this set of pseudo-rules and those defined for
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
> [!NOTE]
-> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
@@ -91,7 +87,7 @@ Alice follows these steps to complete this task:
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
```
-3. Copy the policy created by MEMCM to the desktop:
+3. Copy the policy created by Configuration Manager to the desktop:
```powershell
cp $MEMCMPolicy $LamnaPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 90b3e0fd6e..8ed966bba8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -46,12 +46,8 @@ For the majority of users and devices, Alice wants to create an initial policy t
Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
- All clients are running Windows 10 version 1903 and above, or Windows 11;
-- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
-
- > [!NOTE]
- > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
-
-- Some, but not all, apps are deployed using MEMCM;
+- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune.
+- Some, but not all, apps are deployed using Configuration Manager;
- Most users are local administrators on their devices;
- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users.
@@ -62,8 +58,8 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (3rd party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function
-3. **Allow Managed Installer** (MEMCM configured as a managed installer)
+2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function
+3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
5. **Admin-only path rules** for the following locations:
- C:\Program Files\*
@@ -72,14 +68,14 @@ Based on the above, Alice defines the pseudo-rules for the policy:
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
> [!NOTE]
-> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
+> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
@@ -89,7 +85,7 @@ Alice follows these steps to complete this task:
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
```
-3. Copy the policy created by MEMCM to the desktop:
+3. Copy the policy created by Configuration Manager to the desktop:
```powershell
cp $MEMCMPolicy $LamnaPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 4c931b2732..856b95f0a8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -31,18 +31,18 @@ You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Window
## Use MEMCM's built-in policies
-MEMCM includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
+Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
-- Apps installed by MEMCM (MEMCM self-configured as a managed installer)
+- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
-- [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints.
+- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
-Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
-For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
+For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
-Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
+Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index bd792e1029..441c4694e4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -42,4 +42,4 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
-| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM) can deploy a policy with MEMCM's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
+| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 0435921894..d51eeb7f4d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -34,7 +34,7 @@ ms.technology: windows-sec
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions | - [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
- PowerShell
| - [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
- PowerShell
|
+| Management solutions | - [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
- [Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
- PowerShell
| - [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- Configuration Manager (custom policy deployment via Software Distribution only)
- [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
- PowerShell
|
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index aa692dacf2..6497855a49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -46,10 +46,7 @@ In the next set of topics, we will explore each of the above scenarios using a f
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
-Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
-
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
+Lamna uses [Microsoft Endpoint Manager (MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 0746ce1d5f..9729e7515d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -50,7 +50,7 @@ The first step is to define the desired "circle-of-trust" for your WDAC policies
For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store.
-Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration.
+Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration.
The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 2f813ad6a4..d16be550a8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -43,7 +43,7 @@ If the file with good reputation is an application installer, its reputation wil
WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
>[!NOTE]
->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines.
+>Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines.
## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
@@ -90,7 +90,7 @@ In order for the heuristics used by the ISG to function properly, a number of co
appidtel start
```
-This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using MEMCM's WDAC integration.
+This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration.
## Security considerations with the Intelligent Security Graph
From 2208287b4bc73208a7184139e8127d8a4f71c9d1 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 13 Jun 2022 12:25:56 +0530
Subject: [PATCH 023/158] MEM updates
---
.../private-app-repository-mdm-company-portal-windows-11.md | 2 +-
windows/client-management/mdm/applicationcontrol-csp.md | 4 ++--
.../update/update-compliance-configuration-mem.md | 2 +-
.../AppIdTagging/deploy-appid-tagging-policies.md | 6 +++---
...ure-authorized-apps-deployed-with-a-managed-installer.md | 2 +-
.../create-wdac-policy-for-fully-managed-devices.md | 2 +-
.../create-wdac-policy-for-lightly-managed-devices.md | 2 +-
...ultiple-windows-defender-application-control-policies.md | 4 ++--
...ws-defender-application-control-policies-using-intune.md | 2 +-
.../deployment/deploy-wdac-policies-with-memcm.md | 4 ++--
.../deployment/deploy-wdac-policies-with-script.md | 2 +-
.../example-wdac-base-policies.md | 2 +-
.../types-of-devices.md | 2 +-
...r-application-control-with-intelligent-security-graph.md | 2 +-
...windows-defender-application-control-deployment-guide.md | 2 +-
windows/security/zero-trust-windows-device-health.md | 4 ++--
16 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index 17fe815f82..45f7dec8fa 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -26,7 +26,7 @@ This article discusses the Company Portal app installation options, adding organ
## Before you begin
-The Company Portal app is included with Microsoft Endpoint Manager (MEM). Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
+The Company Portal app is included with Microsoft Endpoint Manager. Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
If you're not managing your devices using an MDM provider, the following resources may help you get started:
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 8440d7e79f..970bfa5103 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -150,9 +150,9 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
-## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
+## Microsoft Endpoint Manager Intune Usage Guidance
-For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
+For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index 8422a69d5e..50064f0555 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -25,7 +25,7 @@ ms.topic: article
> [!NOTE]
> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
-This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager (MEM)](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
+This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index 86efc39597..359d1150a6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -32,7 +32,7 @@ ms.technology: windows-sec
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
-1. [Deploy policies with Microsoft Endpoint Configuration Manager](#deploy-appid-tagging-policies-with-memcm)
+1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-memcm)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
@@ -40,7 +40,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagg
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
-## Deploy AppId Tagging Policies with MEMCM
+## Deploy AppId Tagging Policies with Configuration Manager
Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
@@ -54,7 +54,7 @@ Multiple WDAC policies can be managed from an MDM server through ApplicationCont
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
-For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use MEM Intune's Custom OMA-URI capability.
+For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index e7fccafbfd..839aa3a791 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -39,7 +39,7 @@ You can then configure WDAC to trust files that are installed by a managed insta
## Security considerations with managed installer
-Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM).
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 283ec90d38..c0296ea8e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -30,7 +30,7 @@ ms.technology: windows-sec
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
> [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 8ed966bba8..d03bb18a75 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -58,7 +58,7 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (3rd party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function
+2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function.
3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
5. **Admin-only path rules** for the following locations:
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 50a9a80492..37126d5855 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -91,7 +91,7 @@ When merging, the policy type and ID of the leftmost/first policy specified is u
## Deploying multiple policies
-In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by MEM Intune's Custom OMA-URI feature.
+In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Endpoint Manager Intune's Custom OMA-URI feature.
### Deploying multiple policies locally
@@ -109,7 +109,7 @@ Multiple Windows Defender Application Control policies can be managed from an MD
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
-See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
+See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 61a0f3ce27..143fbdcc2e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -29,7 +29,7 @@ ms.technology: windows-sec
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
+You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
## Use Intune's built-in policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 856b95f0a8..b8f3362555 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -27,11 +27,11 @@ ms.localizationpriority: medium
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines.
+You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
## Use MEMCM's built-in policies
-Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
+Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index e57deda422..28a74c5e9f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -80,7 +80,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
## Deploying signed policies
-In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
+In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 441c4694e4..601db3b421 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -36,7 +36,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **Example Base Policy** | **Description** | **Where it can be found** |
|----------------------------|---------------------------------------------------------------|--------|
-| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager(MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 6497855a49..6ff71e34a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -46,7 +46,7 @@ In the next set of topics, we will explore each of the above scenarios using a f
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
-Lamna uses [Microsoft Endpoint Manager (MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index d16be550a8..4e1abd6929 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -130,4 +130,4 @@ Packaged apps are not supported with the Microsoft Intelligent Security Graph he
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
>[!NOTE]
-> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. MEM Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index e4cc911cca..d87ee2f357 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -42,6 +42,6 @@ All Windows Defender Application Control policy changes should be deployed in au
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
-2. [Deploy using Microsoft Endpoint Configuration Manager (MEMCM)](deployment/deploy-wdac-policies-with-memcm.md)
+2. [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index 6953ab042b..aec0a97576 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -50,7 +50,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
+4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manager integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
5. The attestation service does the following:
@@ -60,7 +60,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
-7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
+7. The device then sends the report to the Microsoft Endpoint Manager cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
8. Conditional access, along with device-compliance state then decides to allow or deny access.
From 5e7aa338a9318dd196dd5b36117e9644a84225db Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 13 Jun 2022 12:57:22 +0530
Subject: [PATCH 024/158] Fixed warning
---
.../AppIdTagging/deploy-appid-tagging-policies.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index 359d1150a6..2f9bc3249f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -32,7 +32,7 @@ ms.technology: windows-sec
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
-1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-memcm)
+1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration manager)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
From 19119c4179ba728216eb1cd7508f5db8d0fc6095 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:05:52 +0200
Subject: [PATCH 025/158] #10364
#10364
---
.../applocker/script-rules-in-applocker.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 48095da0ce..0daa8696c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -29,6 +29,7 @@ ms.technology: windows-sec
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
This topic describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
@@ -46,6 +47,9 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*|
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|
+>[!NOTE]
+>Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+
## Related topics
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
From b54238312d20f7a29714179d9536fe1bfabd07dc Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:24:06 +0200
Subject: [PATCH 026/158] #10384
#10384
---
...ty-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index f53a1e1665..a4973e313a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -25,6 +25,9 @@ ms.technology: windows-sec
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
+
+>[!NOTE]
+>To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md)
## Reference
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
From 8c08b60f3ed7a16b4f5dfe6ee98e193671a3a74a Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:26:06 +0200
Subject: [PATCH 027/158] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 35d754ebe4..22b2eb2e66 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -25,7 +25,7 @@ ms.reviewer:
- On-premises deployment
- Certificate trust
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
+The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.**
From 1b41f5d390694de82096210c25d07d97d39af19b Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 14 Jun 2022 15:26:53 +0200
Subject: [PATCH 028/158] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 22b2eb2e66..e1bb8e2f6e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -27,7 +27,8 @@ ms.reviewer:
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
-**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.**
+> [!NOTE]
+> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.**
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
From cb967191c257d57de2b1145cf2c732f4f72443af Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Wed, 15 Jun 2022 18:40:23 +0200
Subject: [PATCH 029/158] Set Policy Driven Update path's are wrong
All Updates SetPolicyDrivenUpdateSource path's are wrong - there needs an "Updates" added to the settings name.
Verified under 21H2 -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update
---
.../mdm/policy-csp-update.md | 34 +++++++++----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 4c9d94d790..b06a5e7de2 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3478,7 +3478,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver**
+**Update/SetPolicyDrivenUpdateSourceForDriverUpdates**
The table below shows the applicability of Windows:
@@ -3508,9 +3508,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3536,7 +3536,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature**
+**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -3566,9 +3566,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForDriver
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3594,7 +3594,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOther**
+**Update/SetPolicyDrivenUpdateSourceForOtherUpdates**
The table below shows the applicability of Windows:
@@ -3624,9 +3624,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForQuality
-- SetPolicyDrivenUpdateSourceForDriver
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForQualityUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -3652,7 +3652,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality**
+**Update/SetPolicyDrivenUpdateSourceForQualityUpdates**
The table below shows the applicability of Windows:
@@ -3682,9 +3682,9 @@ The table below shows the applicability of Windows:
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
-- SetPolicyDrivenUpdateSourceForFeature
-- SetPolicyDrivenUpdateSourceForDriver
-- SetPolicyDrivenUpdateSourceForOther
+- SetPolicyDrivenUpdateSourceForFeatureUpdates
+- SetPolicyDrivenUpdateSourceForDriverUpdates
+- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
@@ -4013,4 +4013,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
From c20c99a86a0e3ee86a6b3ffff72c6b75593e2ff0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:27:05 -0700
Subject: [PATCH 030/158] Update policy-csp-update.md
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index b06a5e7de2..cce978a298 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 03/18/2022
+ms.date: 06/15/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
From 6d075ad8eb48607df0038b9de7a12fc20bd3f4f7 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:33:16 -0700
Subject: [PATCH 031/158] Update
network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
---
...estrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index a4973e313a..9453c4b573 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 06/15/2022
ms.technology: windows-sec
---
@@ -26,8 +26,9 @@ ms.technology: windows-sec
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
->[!NOTE]
->To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md)
+> [!NOTE]
+> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access)
+
## Reference
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
From 1c082992e615bdf995feec9306d0086ef644dbd9 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:36:26 -0700
Subject: [PATCH 032/158] Update script-rules-in-applocker.md
---
.../applocker/script-rules-in-applocker.md | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 0daa8696c8..a39cc39fd3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 06/15/2022
ms.technology: windows-sec
---
@@ -26,30 +26,30 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic describes the file formats and available default rules for the script rule collection.
+This article describes the file formats and available default rules for the script rule collection.
AppLocker defines script rules to include only the following file formats:
-- .ps1
-- .bat
-- .cmd
-- .vbs
-- .js
+- `.ps1`
+- `.bat`
+- `.cmd`
+- `.vbs`
+- `.js`
The following table lists the default rules that are available for the script rule collection.
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
-| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *|
-| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*|
-| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*|
+| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` |
+| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
+| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
->[!NOTE]
->Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+> [!NOTE]
+> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
-## Related topics
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
From dffa3bc0c690f37e84768882928ceb21819a00f1 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:37:23 -0700
Subject: [PATCH 033/158] Update script-rules-in-applocker.md
---
.../applocker/script-rules-in-applocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index a39cc39fd3..14bf0eec35 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
> [!NOTE]
-> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs.
+> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
## Related articles
From a317f8cb080e88fd35fa7daccf51ca6eaa9cff7b Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 15 Jun 2022 14:40:56 -0700
Subject: [PATCH 034/158] Update
use-windows-defender-application-control-with-dynamic-code-security.md
---
...s-defender-application-control-with-dynamic-code-security.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 6b32d76c52..3720558b80 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 09/23/2021
+ms.date: 06/15/2022
ms.technology: windows-sec
---
From 46e8636041b5f7d37ba9f0a16d005fdb1ba0b836 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Thu, 16 Jun 2022 05:58:39 +0500
Subject: [PATCH 035/158] Update policy-csp-newsandinterests.md
---
.../mdm/policy-csp-newsandinterests.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 5d8350eed5..6eb42f6671 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -34,11 +34,11 @@ manager: dansimp
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
-|Pro|Yes|Yes|
+|Pro|No|Yes|
|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
@@ -83,4 +83,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
From f622faf1f8130332b2c5da457dd5b01295398c7d Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Thu, 16 Jun 2022 06:49:21 +0500
Subject: [PATCH 036/158] Update
interactive-logon-do-not-require-ctrl-alt-del.md
---
.../interactive-logon-do-not-require-ctrl-alt-del.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 4131998946..867bda657e 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
+>[!NOTE]
+>When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well.
+
### Possible values
- Enabled
From c489de57b57b98d64645ac19c3f30c09d911a3f8 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Thu, 16 Jun 2022 12:33:54 +0530
Subject: [PATCH 037/158] Acrolinx fixes
---
windows/deployment/deploy-windows-to-go.md | 19 ++++++------
...oyment-considerations-for-windows-to-go.md | 31 +++++++++----------
...-compliance-schema-waasdeploymentstatus.md | 11 ++++---
3 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 508d7d773d..d398777f84 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -13,11 +13,12 @@ ms.custom: seo-marvel-apr2020
# Deploy Windows To Go in your organization
+
**Applies to**
- Windows 10
-This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
+This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
> [!IMPORTANT]
> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
@@ -26,7 +27,7 @@ This topic helps you to deploy Windows To Go in your organization. Before you be
The following is a list of items that you should be aware of before you start the deployment process:
-* Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
+* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
@@ -34,20 +35,20 @@ The following is a list of items that you should be aware of before you start th
* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
-* If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive.
+* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
## Basic deployment steps
-Unless you are using a customized operating system image, your initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The following steps are used in both small-scale and large-scale Windows To Go deployment scenarios.
+Unless you're using a customized operating system image, your initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The following steps are used in both small-scale and large-scale Windows To Go deployment scenarios.
-Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For additional information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
+Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
>[!WARNING]
>If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
### Create the Windows To Go workspace
-In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
+In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
>[!WARNING]
>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
@@ -69,7 +70,7 @@ In this step we are creating the operating system image that will be used on the
6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**.
-7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
+7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
r
>[!WARNING]
@@ -77,7 +78,7 @@ r
If you choose to encrypt the Windows To Go drive now:
- - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware does not support non-ASCII characters.
+ - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
~~~
@@ -100,7 +101,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
-2. In the Windows PowerShell session type the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
+2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
```
# The following command will set $Disk to all USB drives with >20 GB of storage
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 0fd8883965..76eadc45f9 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -12,7 +12,6 @@ ms.custom: seo-marvel-apr2020
# Deployment considerations for Windows To Go
-
**Applies to**
- Windows 10
@@ -42,7 +41,7 @@ The following diagrams illustrate the two different methods you could use to pro
-When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required.
+When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It isn't necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but isn't required.
@@ -51,7 +50,7 @@ When the Windows To Go workspace is going to be used first on an off-premises co
> [!TIP]
> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)).
-DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you do not want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
+DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you don't want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
### Image deployment and drive provisioning considerations
@@ -59,18 +58,18 @@ The Image Deployment process can be accomplished either by a centralized IT proc
-The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
+The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device hasn't been booted. After the Windows To Go drive is initialized, it shouldn't be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
> [!TIP]
> When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments.
**Driver considerations**
-Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary.
+Windows includes most of the drivers that you'll need to support a wide variety of host computers. However, you'll occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you're using Windows To Go on a set of known host computers, you can add any more drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get more drivers if necessary.
Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems.
-The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image.
+The following list of commonly used Wi-Fi network adapters that aren't supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image.
|Vendor name|Product description|HWID|Windows Update availability|
|--- |--- |--- |--- |
@@ -94,11 +93,11 @@ The following list of commonly used Wi-Fi network adapters that are not supporte
|Ralink|Wireless LAN Card V1|pci\ven_1814&dev_0302&subsys_3a711186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097)[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)|
|Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)|
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
+IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
### Application installation and domain join
-Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
+Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
### Management of Windows To Go using Group Policy
@@ -110,20 +109,20 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can
- **Allow hibernate (S4) when started from a Windows To Go workspace**
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
+ This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs.
> [!IMPORTANT]
> For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
+ This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
**Settings for host PCs**
- **Windows To Go Default Startup Options**
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
+ This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
> [!IMPORTANT]
> Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
@@ -135,7 +134,7 @@ The biggest hurdle for a user wanting to use Windows To Go is configuring their
> [!NOTE]
> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
+If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
### Roaming between different firmware types
@@ -143,9 +142,9 @@ Windows supports two types of PC firmware: Unified Extensible Firmware Interface
-This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
+This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
+To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
@@ -153,7 +152,7 @@ This is the only supported disk configuration for Windows To Go. With this disk
### Configure Windows To Go startup options
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
+Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
**To configure Windows To Go startup options**
@@ -170,7 +169,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs tha
### Change firmware settings
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
+If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
## Related topics
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index fedb300b66..ec78a072db 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -12,6 +12,7 @@ ms.topic: article
# WaaSDeploymentStatus
+
WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, and one tracking a Windows Quality Update, at the same time.
|Field |Type |Example |Description |
@@ -19,10 +20,10 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enroll devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). |
|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
|**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
-|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
-|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
-|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
- **Update completed**: Device has completed the update installation.
- **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
- **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
- **Canceled**: The update was canceled.
- **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
- **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
- **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
- **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
-|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
- **Not Started**: Update hasn't started because the device is not targeting the latest 2 builds
- **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
- **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
- **Update offered**: The device has been offered the update, but has not begun downloading it.
- **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
- **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
- **Download started**: The update has begun downloading on the device.
- **Download Succeeded**: The update has successfully completed downloading.
- **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
- **Install Started**: Installation of the update has begun.
- **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
- **Reboot Pending**: The device has a scheduled reboot to apply the update.
- **Reboot Initiated**: The scheduled reboot has been initiated.
- **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
- **Update Completed**: The update has successfully installed.|
+|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. |
+|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. |
+|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
- **Update completed**: Device has completed the update installation.
- **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
- **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
- **Canceled**: The update was canceled.
- **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
- **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
- **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
- **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
- **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds
- **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
- **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
- **Update offered**: The device has been offered the update, but hasn't begun downloading it.
- **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
- **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
- **Download started**: The update has begun downloading on the device.
- **Download Succeeded**: The update has successfully completed downloading.
- **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
- **Install Started**: Installation of the update has begun.
- **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
- **Reboot Pending**: The device has a scheduled reboot to apply the update.
- **Reboot Initiated**: The scheduled reboot has been initiated.
- **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
- **Update Completed**: The update has successfully installed.|
|**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
|**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
|**OriginBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. |
@@ -30,7 +31,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|**OSRevisionNumber** |[int](/azure/kusto/query/scalar-data-types/int) |`719` |The revision of the OSBuild installed on the device. |
|**OSServicingBranch** |[string](/azure/kusto/query/scalar-data-types/string) |`Semi-Annual` |The Servicing Branch or [Servicing Channel](./waas-overview.md#servicing-channels) the device is on. Dictates which Windows updates the device receives and the cadence of those updates. |
|**OSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
-|**PauseState** |[string](/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
- **Expired**: The pause period has expired.
- **NotConfigured**: Pause is not configured.
- **Paused**: The device was last reported to be pausing this content type.
- **NotPaused**: The device was last reported to not have any pause on this content type. |
+|**PauseState** |[string](/azure/kusto/query/scalar-data-types/string) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
- **Expired**: The pause period has expired.
- **NotConfigured**: Pause isn't configured.
- **Paused**: The device was last reported to be pausing this content type.
- **NotPaused**: The device was last reported to not have any pause on this content type. |
|**RecommendedAction** |[string](/azure/kusto/query/scalar-data-types/string) | |The recommended action to take in the event this device needs attention, if any. |
|**ReleaseName** |[string](/azure/kusto/query/scalar-data-types/string) |`KB4551762` |The KB Article corresponding to the TargetOSRevision, if any. |
|**TargetBuild** |[string](/azure/kusto/query/scalar-data-types/string) |`18363.720` |The target OSBuild, the update being installed or considered as part of this WaaSDeploymentStatus record. |
From 309b18cc5b7ede21c2f6e2fe776d4832ff50d6eb Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 09:58:39 +0500
Subject: [PATCH 038/158] Update edit-an-applocker-policy.md
---
.../applocker/edit-an-applocker-policy.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 811e3ab499..7c697728f5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
## Editing an AppLocker policy by using Mobile Device Management (MDM)
+If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node.
+For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
## Editing an AppLocker policy by using Group Policy
From 50e6636ce877b0d0c658c71a17ef2bfc274718bf Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 14:59:30 +0500
Subject: [PATCH 039/158] Update kernel-dma-protection-for-thunderbolt.md
---
.../kernel-dma-protection-for-thunderbolt.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 1d0b0ea803..400250bf8d 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -92,7 +92,10 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Reboot system into Windows.
>[!NOTE]
- > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
+
+ >[!NOTE]
+ > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
From 4bc96cd544f814598bb6dc2ab7fae500c5e29691 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 15:01:19 +0500
Subject: [PATCH 040/158] Update
windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../interactive-logon-do-not-require-ctrl-alt-del.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index 867bda657e..028bd47b3f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -36,8 +36,8 @@ Microsoft developed this feature to make it easier for users with certain types
A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has.
->[!NOTE]
->When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well.
+> [!NOTE]
+> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well.
### Possible values
From feb179fa52f5a26b848e00cf31c29dd10bd6b16d Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 17 Jun 2022 15:02:30 +0500
Subject: [PATCH 041/158] Update
windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../applocker/edit-an-applocker-policy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 7c697728f5..b96a2525dd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -40,7 +40,7 @@ There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
## Editing an AppLocker policy by using Mobile Device Management (MDM)
-If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node.
+If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
From a710084b28d6ff1b8c2d7960c9a91a51d23dda59 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:30:14 +0500
Subject: [PATCH 042/158] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 400250bf8d..6a487163f9 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -92,7 +92,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Reboot system into Windows.
>[!NOTE]
- > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
>[!NOTE]
> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
From 744379863d5164ea3c894ca9f43f2815116cac9a Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:30:26 +0500
Subject: [PATCH 043/158] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 6a487163f9..80250e13f2 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -94,7 +94,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
>[!NOTE]
> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
- >[!NOTE]
+ > [!NOTE]
> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
From e3b3a40d6ff1b08902a20f607297e2fb642c1080 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 18 Jun 2022 10:31:32 +0500
Subject: [PATCH 044/158] Update
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../kernel-dma-protection-for-thunderbolt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 80250e13f2..4460e09f34 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -91,7 +91,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows.
- >[!NOTE]
+ > [!NOTE]
> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
> [!NOTE]
From c92a5e0e6927081ff6c4f963d4beee47521bb90a Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:34 +0200
Subject: [PATCH 045/158] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index cce978a298..77f35e5754 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3687,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From 845f03172dc8cfbb78731eff710342ad47f9b818 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:42 +0200
Subject: [PATCH 046/158] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 77f35e5754..2ab0e8e657 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3571,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From 3d016d5abd51705d4912cb852840328a6c84c8b5 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:50 +0200
Subject: [PATCH 047/158] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 2ab0e8e657..04dd37b084 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3629,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForDriverUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From aca0ce5659c2e9eb95dfd090261b1062c6fe0ab1 Mon Sep 17 00:00:00 2001
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com>
Date: Mon, 20 Jun 2022 09:11:57 +0200
Subject: [PATCH 048/158] Update
windows/client-management/mdm/policy-csp-update.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/client-management/mdm/policy-csp-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 04dd37b084..69a315b2b4 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3513,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
From cb60adb6ec249e8505f14e6ec3efe0c4f247429b Mon Sep 17 00:00:00 2001
From: Jitin Mathew
Date: Mon, 20 Jun 2022 19:41:45 +0530
Subject: [PATCH 049/158] Updated-6020449-B2
Bulk metadata update.
---
.../identity-protection/access-control/access-control.md | 4 ----
.../access-control/active-directory-accounts.md | 4 ----
.../access-control/active-directory-security-groups.md | 4 ----
.../access-control/dynamic-access-control.md | 4 ----
.../identity-protection/access-control/local-accounts.md | 4 ----
.../access-control/microsoft-accounts.md | 4 ----
.../access-control/security-identifiers.md | 4 ----
.../access-control/security-principals.md | 4 ----
.../identity-protection/access-control/service-accounts.md | 4 ----
.../access-control/special-identities.md | 4 ----
.../credential-guard/additional-mitigations.md | 4 ----
.../credential-guard/credential-guard-considerations.md | 4 ----
.../credential-guard/credential-guard-how-it-works.md | 4 ----
.../credential-guard/credential-guard-known-issues.md | 4 ----
.../credential-guard/credential-guard-manage.md | 4 ----
.../credential-guard-not-protected-scenarios.md | 4 ----
.../credential-guard/credential-guard-protection-limits.md | 4 ----
.../credential-guard/credential-guard-requirements.md | 4 ----
.../credential-guard/credential-guard-scripts.md | 4 ----
.../credential-guard/credential-guard.md | 5 -----
.../credential-guard/dg-readiness-tool.md | 4 ----
.../identity-protection/hello-for-business/WebAuthnAPIs.md | 4 ----
.../hello-for-business/feature-multifactor-unlock.md | 5 -----
.../hello-for-business/hello-aad-join-cloud-only-deploy.md | 5 -----
.../hello-for-business/hello-adequate-domain-controllers.md | 5 -----
.../hello-for-business/hello-and-password-changes.md | 5 -----
.../hello-for-business/hello-biometrics-in-enterprise.md | 6 ------
.../hello-for-business/hello-cert-trust-adfs.md | 5 -----
.../hello-for-business/hello-cert-trust-policy-settings.md | 5 -----
.../hello-cert-trust-validate-ad-prereq.md | 5 -----
.../hello-cert-trust-validate-deploy-mfa.md | 5 -----
.../hello-for-business/hello-cert-trust-validate-pki.md | 5 -----
.../hello-for-business/hello-deployment-cert-trust.md | 5 -----
.../hello-for-business/hello-deployment-guide.md | 5 -----
.../hello-for-business/hello-deployment-issues.md | 5 -----
.../hello-for-business/hello-deployment-key-trust.md | 5 -----
.../hello-for-business/hello-deployment-rdp-certs.md | 5 -----
.../hello-for-business/hello-errors-during-pin-creation.md | 6 ------
.../hello-for-business/hello-event-300.md | 6 ------
.../hello-for-business/hello-feature-conditional-access.md | 5 -----
.../hello-for-business/hello-feature-dual-enrollment.md | 5 -----
.../hello-for-business/hello-feature-dynamic-lock.md | 5 -----
.../hello-for-business/hello-feature-pin-reset.md | 5 -----
.../hello-for-business/hello-feature-remote-desktop.md | 5 -----
.../hello-for-business/hello-how-it-works-authentication.md | 4 ----
.../hello-for-business/hello-how-it-works-provisioning.md | 4 ----
.../hello-for-business/hello-how-it-works-technology.md | 4 ----
.../hello-for-business/hello-how-it-works.md | 4 ----
.../hello-for-business/hello-hybrid-aadj-sso-base.md | 5 -----
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 5 -----
.../hello-for-business/hello-hybrid-aadj-sso.md | 5 -----
.../hello-for-business/hello-hybrid-cert-new-install.md | 5 -----
.../hello-for-business/hello-hybrid-cert-trust-devreg.md | 5 -----
.../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 -----
.../hello-for-business/hello-hybrid-cert-trust.md | 5 -----
.../hello-for-business/hello-hybrid-cert-whfb-provision.md | 5 -----
.../hello-hybrid-cert-whfb-settings-ad.md | 5 -----
.../hello-hybrid-cert-whfb-settings-adfs.md | 5 -----
.../hello-hybrid-cert-whfb-settings-dir-sync.md | 5 -----
.../hello-hybrid-cert-whfb-settings-pki.md | 5 -----
.../hello-hybrid-cert-whfb-settings-policy.md | 5 -----
.../hello-for-business/hello-hybrid-cert-whfb-settings.md | 5 -----
.../hello-for-business/hello-hybrid-cloud-trust.md | 5 -----
.../hello-for-business/hello-hybrid-key-new-install.md | 5 -----
.../hello-for-business/hello-hybrid-key-trust-devreg.md | 5 -----
.../hello-for-business/hello-hybrid-key-trust-dirsync.md | 5 -----
.../hello-for-business/hello-hybrid-key-trust-prereqs.md | 5 -----
.../hello-for-business/hello-hybrid-key-trust.md | 5 -----
.../hello-for-business/hello-hybrid-key-whfb-provision.md | 5 -----
.../hello-for-business/hello-hybrid-key-whfb-settings-ad.md | 5 -----
.../hello-hybrid-key-whfb-settings-dir-sync.md | 5 -----
.../hello-hybrid-key-whfb-settings-pki.md | 5 -----
.../hello-hybrid-key-whfb-settings-policy.md | 5 -----
.../hello-for-business/hello-hybrid-key-whfb-settings.md | 5 -----
.../hello-for-business/hello-identity-verification.md | 6 ------
.../hello-for-business/hello-key-trust-adfs.md | 5 -----
.../hello-for-business/hello-key-trust-policy-settings.md | 5 -----
.../hello-key-trust-validate-ad-prereq.md | 5 -----
.../hello-key-trust-validate-deploy-mfa.md | 5 -----
.../hello-for-business/hello-key-trust-validate-pki.md | 5 -----
.../hello-for-business/hello-manage-in-organization.md | 6 ------
.../hello-for-business/hello-overview.md | 5 -----
.../hello-for-business/hello-planning-guide.md | 5 -----
.../hello-for-business/hello-prepare-people-to-use.md | 6 ------
.../identity-protection/hello-for-business/hello-videos.md | 5 -----
.../hello-why-pin-is-better-than-password.md | 6 ------
.../hello-for-business/microsoft-compatible-security-key.md | 5 -----
.../hello-for-business/reset-security-key.md | 5 -----
.../hello-for-business/retired/hello-how-it-works.md | 3 ---
.../smart-cards/smart-card-and-remote-desktop-services.md | 4 ----
.../smart-cards/smart-card-architecture.md | 4 ----
.../smart-card-certificate-propagation-service.md | 4 ----
.../smart-card-certificate-requirements-and-enumeration.md | 4 ----
.../smart-cards/smart-card-debugging-information.md | 4 ----
.../identity-protection/smart-cards/smart-card-events.md | 4 ----
.../smart-card-group-policy-and-registry-settings.md | 4 ----
.../smart-card-how-smart-card-sign-in-works-in-windows.md | 4 ----
.../smart-cards/smart-card-removal-policy-service.md | 4 ----
.../smart-card-smart-cards-for-windows-service.md | 4 ----
99 files changed, 465 deletions(-)
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 2ba26987bb..2dfc4dc841 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -2,10 +2,6 @@
title: Access Control Overview (Windows 10)
description: Access Control Overview
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index f2d6c64736..404f1abb50 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -2,10 +2,6 @@
title: Active Directory Accounts (Windows 10)
description: Active Directory Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 2ec117c8b9..7a469d0fc0 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -2,10 +2,6 @@
title: Active Directory Security Groups
description: Active Directory Security Groups
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
index c68a4e721f..b19feb4975 100644
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ b/windows/security/identity-protection/access-control/dynamic-access-control.md
@@ -2,10 +2,6 @@
title: Dynamic Access Control Overview (Windows 10)
description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 655ef0f5b4..654b12daed 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,10 +2,6 @@
title: Local Accounts (Windows 10)
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
index 992afda9d6..7d9575a8f4 100644
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ b/windows/security/identity-protection/access-control/microsoft-accounts.md
@@ -2,10 +2,6 @@
title: Microsoft Accounts (Windows 10)
description: Microsoft Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 8564378d9c..eebc241c56 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -2,10 +2,6 @@
title: Security identifiers (Windows 10)
description: Security identifiers
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index d6bdc4569e..3120899040 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -2,10 +2,6 @@
title: Security Principals (Windows 10)
description: Security Principals
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
index 2614ab30e4..cd6db0f4f7 100644
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ b/windows/security/identity-protection/access-control/service-accounts.md
@@ -2,10 +2,6 @@
title: Service Accounts (Windows 10)
description: Service Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index db7379ba1f..82f5cbbcda 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -3,10 +3,6 @@ title: Special Identities (Windows 10)
description: Special Identities
ms.prod: m365-security
ms.technology: windows-sec
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 9ca5657e1d..5be4c34c1e 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -2,11 +2,7 @@
title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index f9dce14935..2634efbb7e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -2,11 +2,7 @@
title: Advice while using Windows Defender Credential Guard (Windows)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 0d09f98a43..4af6dabc3f 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -2,11 +2,7 @@
title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 7d71cc00ce..0d96d6c124 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard - Known issues (Windows)
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b63bf80703..1091223def 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -2,11 +2,7 @@
title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: v-tappelgate
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 170018c2c2..fba979bcbb 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard protection limits & mitigations (Windows)
description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 9cab64d757..ca22714733 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 4762a25d8b..cd0217dffe 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard Requirements (Windows)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index 709bc9de64..ac96f2cc37 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -2,11 +2,7 @@
title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 4153f5223b..1541b47dfd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,14 +1,9 @@
---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index a3c6d35840..1128ef5604 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -2,11 +2,7 @@
title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: SteveSyfuhs
ms.author: stsyfuhs
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 9b8365686e..af4b0207cd 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -2,10 +2,6 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index bb8984236d..46c5ce15d2 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,12 +1,7 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 0ea88cb07e..a22fdc4c4b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,12 +1,7 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
-keywords: identity, Hello, Active Directory, cloud,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index cbaecf9da3..201f155223 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,12 +1,7 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index ce4fee62d1..409d7ad594 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -1,13 +1,8 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index fb5244ee95..1b7fc74348 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,13 +1,7 @@
---
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
-keywords: Windows Hello, enterprise biometrics
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index c9023f3eab..7c1152e8bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,12 +1,7 @@
---
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 18e5489911..d1a9db8854 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 53a69d9ca8..13a1157148 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,12 +1,7 @@
---
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index baa09b6712..865759bf10 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,12 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 1972c3d210..d6356353aa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,12 +1,7 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index ca84dfc5d4..278560bbc5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 1a167b69c6..afe7fdf157 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 0b7c8c940f..47d8b38c53 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,13 +1,8 @@
---
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
-keywords: identity, PIN, biometric, Hello, passport
params: siblings_only
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index 0798dee5a2..280f51120d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
description: A guide to on premises, key trust Windows Hello for Business deployment.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 2ce62675f6..5df469ff3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,12 +1,7 @@
---
title: Deploying Certificates to Key Trust Users to Enable RDP
description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 194607bd44..631d982e36 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -1,13 +1,7 @@
---
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
-ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
-keywords: PIN, error, create a work PIN
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
index c5e10be931..3e481d0f4d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-event-300.md
+++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md
@@ -1,14 +1,8 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
ms.reviewer:
-keywords: ngc
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index ac9768add5..5dac00754e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,12 +1,7 @@
---
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 066da6e651..445df8f5a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,12 +1,7 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 7025fb4173..93301a4171 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,12 +1,7 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 4158e8838a..2ee149c236 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,12 +1,7 @@
---
title: Pin Reset
description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
-keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index fc797a8b6e..b622e6277f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,12 +1,7 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 443d3adc15..76b94b5ddb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 96b5a3b434..c81ed991e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index a7e607516e..bd667aac11 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Technology and Terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 23efa578c0..768b3a0e02 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 2029789901..51f303b2ba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -1,12 +1,7 @@
---
title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 807592de85..65b35c88d1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,12 +1,7 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 6d2ac37a80..1acba0f5b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,12 +1,7 @@
---
title: Azure AD Join Single Sign-on Deployment
description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 6de21388aa..546fe98a8e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index c45b19aa4d..2d15af954c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -1,12 +1,7 @@
---
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6432ef517b..edba57fd05 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index bec180c498..f9c3cf3feb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index f3d6ed1281..f6e69dad32 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 94462ebe1d..f8b0c788c1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 93dcb39b92..ed13229f6a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 7ef3176f22..3dea044165 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index e6408a1ce4..0a7da03055 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index a7bc32dc4c..bba12adf27 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index dcffcfc154..ec22d31a65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index f8d135a315..11fa549fa2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 4f8c8153c4..66a720d026 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 90cbd52d95..4d064c210c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -1,12 +1,7 @@
---
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 705b84df66..299e93c00c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -1,12 +1,7 @@
---
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 90aaa2b968..0850fae7f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: mapalko
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index db6d3e0a33..833968247b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index c7dd159a00..925d6d12e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index 46ba983c83..bbdde28351 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index b964f460e9..0ed4142f70 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 418298f89e..a43a8e5673 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index d98732f5c2..26b31e209b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 38b7194d9c..29c29de56f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 4135615f1c..185768fe63 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,13 +1,7 @@
---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index d608421337..d2c141ca3a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,12 +1,7 @@
---
title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index b67d63f1b7..5baf31a055 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Windows Hello for Business Policy settings - key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 2ba08c716b..c8227d9536 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,13 +1,8 @@
---
title: Key registration for on-premises deployment of Windows Hello for Business
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
author: GitPrakhar13
-audience: ITPro
ms.author: prsriva
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index e0d299b2df..968ae0d5b0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,12 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index debf3022c5..809720fdba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,12 +1,7 @@
---
title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 4b44e661ec..c38b18d8a2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,13 +1,7 @@
---
title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
-ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
-keywords: identity, PIN, biometric, Hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 86a2a82c99..12ccee58a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -2,12 +2,7 @@
title: Windows Hello for Business Overview (Windows)
ms.reviewer: An overview of Windows Hello for Business
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 7436890316..3212485067 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -1,12 +1,7 @@
---
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 8ab37765f1..6b57daee9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,14 +1,8 @@
---
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
ms.reviewer:
-keywords: identity, PIN, biometric, Hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 013f236742..ab3bdc0500 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 6c4c54aee9..ef30d59ed1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,13 +1,7 @@
---
title: Why a PIN is better than an online password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
-ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
-keywords: pin, security, password, hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index 556f49c888..75645f288d 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,12 +1,7 @@
---
title: Microsoft-compatible security key
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
-keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index 99df1a799a..e2f9b9e978 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,12 +1,7 @@
---
title: Reset-security-key
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
-keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 7a06722124..030af93d47 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -2,9 +2,6 @@
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: mapalko
ms.localizationpriority: high
ms.author: mapalko
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 99de6899d4..101b50087d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,10 +2,6 @@
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 3ce6180ae9..ddc63b2e02 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,10 +2,6 @@
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 1ad9d49a24..ad0699cf6a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,10 +2,6 @@
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index eea206d53d..701f3dccd8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,10 +2,6 @@
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index f557a5a713..50881d1ef8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -2,10 +2,6 @@
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 0d7a79fdac..9585fdfb5e 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -2,10 +2,6 @@
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index a74dfed7b2..897140b630 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,10 +2,6 @@
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index d6656c1427..9fb023c25f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,10 +2,6 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 77c8c9d18b..5757f75aa1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,10 +2,6 @@
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 0d26cf1289..0345ccac67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,10 +2,6 @@
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
From 52eed4d4f58de413208183ef9ec36484f3be2334 Mon Sep 17 00:00:00 2001
From: Jitin Mathew
Date: Mon, 20 Jun 2022 20:08:03 +0530
Subject: [PATCH 050/158] Updated-6020449-B2
Articles updated to meet Acrolinx requirements.
---
.../credential-guard-considerations.md | 24 +++++++++----------
.../credential-guard-how-it-works.md | 6 ++---
.../credential-guard-protection-limits.md | 12 +++++-----
3 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 2634efbb7e..7b1cc141be 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -22,27 +22,27 @@ ms.reviewer:
Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
-Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
+Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported.
## Wi-fi and VPN Considerations
-When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
## 3rd Party Security Support Providers Considerations
-Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN.
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN.
## Upgrade Considerations
As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
### Saved Windows Credentials Protected
-Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
-* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
* Applications that extract Windows credentials fail.
-* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials.
## Clearing TPM Considerations
Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.
@@ -57,17 +57,17 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a
> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup.
### Windows credentials saved to Credential Manager
-Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
### Domain-joined device’s automatically provisioned public key
Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
### Breaking DPAPI on domain-joined devices
-On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible.
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
>[!IMPORTANT]
> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
@@ -75,11 +75,11 @@ Auto VPN configuration is protected with user DPAPI. User may not be able to use
If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
-Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
|Credential Type | Windows version | Behavior
|---|---|---|
-| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
+| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
@@ -87,7 +87,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a
Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
#### Impact of DPAPI failures on Windows Information Protection
-When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 4af6dabc3f..787063e450 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -21,13 +21,13 @@ ms.reviewer:
- Windows Server 2019
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index ca22714733..1b47f91c82 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -24,18 +24,18 @@ Some ways to store credentials are not protected by Windows Defender Credential
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
-- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
-- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
-- Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
-- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.-
+- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
+- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
-do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.
## See also
From 8cfcf1e15a6d35e5d3b86f773a806f2349c4e750 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Mon, 20 Jun 2022 12:38:08 -0600
Subject: [PATCH 051/158] Update docfx.json
Delete duplicate "audience".
Add aliases to contrib to exclude list:
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
---
education/docfx.json | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/education/docfx.json b/education/docfx.json
index 04a27cb629..38f8413d5f 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -32,7 +32,6 @@
"ms.topic": "article",
"ms.technology": "windows",
"manager": "dansimp",
- "audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
"feedback_system": "None",
@@ -51,6 +50,9 @@
"Kellylorenebaker",
"jborsecnik",
"tiburd",
+ "AngelaMotherofDragons",
+ "dstrome",
+ "v-dihans",
"garycentric"
]
},
From bec0a9d00ac34fecc24205323f057e5d4833b06e Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 20 Jun 2022 13:19:42 -0700
Subject: [PATCH 052/158] 40012854 - Clarify LogAnalytics may extract MI logs
after opt-in
---
.../event-id-explanations.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 1b9d67ff10..0c3579cf09 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -52,6 +52,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
+> [!NOTE]
+> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs.
+
Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
| Event ID | Explanation |
From 210cc4b2bbfa0bad13212bbba799a8ae1403b41a Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Mon, 20 Jun 2022 14:03:21 -0700
Subject: [PATCH 053/158] 40023533 - UTF-8 certificates are incompatible with
signed WDAC policy
---
...t-windows-defender-application-control-against-tampering.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index f99d35706c..ee63feb1cf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -48,6 +48,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components:
> [!NOTE]
> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652)
+>
+>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
+
If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
From 5a171c035ff28ce31c70fd203886eeaa7dc5badb Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:10:35 +0200
Subject: [PATCH 054/158] Update
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index e1bb8e2f6e..9174af8148 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -28,7 +28,7 @@ ms.reviewer:
The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
-> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.**
+> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
From eea3f1f959aebf019324d8c95d4975c8a4c6b5e3 Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:13:34 +0200
Subject: [PATCH 055/158] Update
windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../applocker/script-rules-in-applocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 14bf0eec35..aee609a7fd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru
| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
> [!NOTE]
-> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
+> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs.
## Related articles
From 7ba112e7445142bc6fd2b9e2a8023fbb7259c94b Mon Sep 17 00:00:00 2001
From: Michael Nady
Date: Tue, 21 Jun 2022 12:14:03 +0200
Subject: [PATCH 056/158] Update
windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 9453c4b573..f4c0cda9aa 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management aspects, and security
> [!NOTE]
-> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access)
+> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access).
## Reference
From 276813068702f61b2d7ad1d576a41fa751ac1763 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Tue, 21 Jun 2022 10:41:19 -0600
Subject: [PATCH 057/158] Update
windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
---
.../AppIdTagging/deploy-appid-tagging-policies.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index 2f9bc3249f..07dfa8e8f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -32,7 +32,7 @@ ms.technology: windows-sec
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
-1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration manager)
+1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
From cd2da0c7c7415eec676f419812e9d52c2054bbc6 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:36:01 -0700
Subject: [PATCH 058/158] Remove win-access-protection in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 824 ++++++++++++++--------------
1 file changed, 404 insertions(+), 420 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index bb46e48d14..b0bfa9c5ff 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,421 +1,405 @@
-{
- "build_entry_point": "",
- "docsets_to_publish": [
- {
- "docset_name": "education",
- "build_source_folder": "education",
- "build_output_subfolder": "education",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "hololens",
- "build_source_folder": "devices/hololens",
- "build_output_subfolder": "hololens",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "internet-explorer",
- "build_source_folder": "browsers/internet-explorer",
- "build_output_subfolder": "internet-explorer",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "keep-secure",
- "build_source_folder": "windows/keep-secure",
- "build_output_subfolder": "keep-secure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "microsoft-edge",
- "build_source_folder": "browsers/edge",
- "build_output_subfolder": "microsoft-edge",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "release-information",
- "build_source_folder": "windows/release-information",
- "build_output_subfolder": "release-information",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "smb",
- "build_source_folder": "smb",
- "build_output_subfolder": "smb",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "store-for-business",
- "build_source_folder": "store-for-business",
- "build_output_subfolder": "store-for-business",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-access-protection",
- "build_source_folder": "windows/access-protection",
- "build_output_subfolder": "win-access-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-app-management",
- "build_source_folder": "windows/application-management",
- "build_output_subfolder": "win-app-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-client-management",
- "build_source_folder": "windows/client-management",
- "build_output_subfolder": "win-client-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-configuration",
- "build_source_folder": "windows/configuration",
- "build_output_subfolder": "win-configuration",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-deployment",
- "build_source_folder": "windows/deployment",
- "build_output_subfolder": "win-deployment",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-device-security",
- "build_source_folder": "windows/device-security",
- "build_output_subfolder": "win-device-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-configure",
- "build_source_folder": "windows/configure",
- "build_output_subfolder": "windows-configure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-deploy",
- "build_source_folder": "windows/deploy",
- "build_output_subfolder": "windows-deploy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-hub",
- "build_source_folder": "windows/hub",
- "build_output_subfolder": "windows-hub",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-plan",
- "build_source_folder": "windows/plan",
- "build_output_subfolder": "windows-plan",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-privacy",
- "build_source_folder": "windows/privacy",
- "build_output_subfolder": "windows-privacy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-security",
- "build_source_folder": "windows/security",
- "build_output_subfolder": "windows-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-update",
- "build_source_folder": "windows/update",
- "build_output_subfolder": "windows-update",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-threat-protection",
- "build_source_folder": "windows/threat-protection",
- "build_output_subfolder": "win-threat-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-whats-new",
- "build_source_folder": "windows/whats-new",
- "build_output_subfolder": "win-whats-new",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- }
- ],
- "notification_subscribers": [
- "elizapo@microsoft.com"
- ],
- "sync_notification_subscribers": [
- "dstrome@microsoft.com"
- ],
- "branches_to_filter": [
- ""
- ],
- "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
- "git_repository_branch_open_to_public_contributors": "public",
- "skip_source_output_uploading": false,
- "need_preview_pull_request": true,
- "resolve_user_profile_using_github": true,
- "dependent_repositories": [
- {
- "path_to_root": "_themes.pdf",
- "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
- "branch": "main",
- "branch_mapping": {}
- },
- {
- "path_to_root": "_themes",
- "url": "https://github.com/Microsoft/templates.docs.msft",
- "branch": "main",
- "branch_mapping": {}
- }
- ],
- "branch_target_mapping": {
- "live": [
- "Publish",
- "Pdf"
- ],
- "main": [
- "Publish",
- "Pdf"
- ]
- },
- "need_generate_pdf_url_template": true,
- "targets": {
- "Pdf": {
- "template_folder": "_themes.pdf"
- }
- },
- "docs_build_engine": {},
- "contribution_branch_mappings": {},
- "need_generate_pdf": false,
- "need_generate_intellisense": false
+{
+ "build_entry_point": "",
+ "docsets_to_publish": [
+ {
+ "docset_name": "education",
+ "build_source_folder": "education",
+ "build_output_subfolder": "education",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "hololens",
+ "build_source_folder": "devices/hololens",
+ "build_output_subfolder": "hololens",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "internet-explorer",
+ "build_source_folder": "browsers/internet-explorer",
+ "build_output_subfolder": "internet-explorer",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "keep-secure",
+ "build_source_folder": "windows/keep-secure",
+ "build_output_subfolder": "keep-secure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "microsoft-edge",
+ "build_source_folder": "browsers/edge",
+ "build_output_subfolder": "microsoft-edge",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "release-information",
+ "build_source_folder": "windows/release-information",
+ "build_output_subfolder": "release-information",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "smb",
+ "build_source_folder": "smb",
+ "build_output_subfolder": "smb",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "store-for-business",
+ "build_source_folder": "store-for-business",
+ "build_output_subfolder": "store-for-business",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-app-management",
+ "build_source_folder": "windows/application-management",
+ "build_output_subfolder": "win-app-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-client-management",
+ "build_source_folder": "windows/client-management",
+ "build_output_subfolder": "win-client-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-configuration",
+ "build_source_folder": "windows/configuration",
+ "build_output_subfolder": "win-configuration",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-deployment",
+ "build_source_folder": "windows/deployment",
+ "build_output_subfolder": "win-deployment",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-device-security",
+ "build_source_folder": "windows/device-security",
+ "build_output_subfolder": "win-device-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-configure",
+ "build_source_folder": "windows/configure",
+ "build_output_subfolder": "windows-configure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-deploy",
+ "build_source_folder": "windows/deploy",
+ "build_output_subfolder": "windows-deploy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-hub",
+ "build_source_folder": "windows/hub",
+ "build_output_subfolder": "windows-hub",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-plan",
+ "build_source_folder": "windows/plan",
+ "build_output_subfolder": "windows-plan",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-privacy",
+ "build_source_folder": "windows/privacy",
+ "build_output_subfolder": "windows-privacy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-security",
+ "build_source_folder": "windows/security",
+ "build_output_subfolder": "windows-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-update",
+ "build_source_folder": "windows/update",
+ "build_output_subfolder": "windows-update",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-threat-protection",
+ "build_source_folder": "windows/threat-protection",
+ "build_output_subfolder": "win-threat-protection",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-whats-new",
+ "build_source_folder": "windows/whats-new",
+ "build_output_subfolder": "win-whats-new",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ }
+ ],
+ "notification_subscribers": [
+ "elizapo@microsoft.com"
+ ],
+ "sync_notification_subscribers": [
+ "dstrome@microsoft.com"
+ ],
+ "branches_to_filter": [
+ ""
+ ],
+ "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "public",
+ "skip_source_output_uploading": false,
+ "need_preview_pull_request": true,
+ "resolve_user_profile_using_github": true,
+ "dependent_repositories": [
+ {
+ "path_to_root": "_themes.pdf",
+ "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
+ "branch": "main",
+ "branch_mapping": {}
+ },
+ {
+ "path_to_root": "_themes",
+ "url": "https://github.com/Microsoft/templates.docs.msft",
+ "branch": "main",
+ "branch_mapping": {}
+ }
+ ],
+ "branch_target_mapping": {
+ "live": [
+ "Publish",
+ "Pdf"
+ ],
+ "main": [
+ "Publish",
+ "Pdf"
+ ]
+ },
+ "need_generate_pdf_url_template": true,
+ "targets": {
+ "Pdf": {
+ "template_folder": "_themes.pdf"
+ }
+ },
+ "docs_build_engine": {},
+ "contribution_branch_mappings": {},
+ "need_generate_pdf": false,
+ "need_generate_intellisense": false
}
\ No newline at end of file
From eed514af7a80f4f945267c535361d4ec3d4f2a31 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:36:03 -0700
Subject: [PATCH 059/158] Remove win-access-protection in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 824 ++++++++++++++--------------
1 file changed, 404 insertions(+), 420 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index bb46e48d14..b0bfa9c5ff 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,421 +1,405 @@
-{
- "build_entry_point": "",
- "docsets_to_publish": [
- {
- "docset_name": "education",
- "build_source_folder": "education",
- "build_output_subfolder": "education",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "hololens",
- "build_source_folder": "devices/hololens",
- "build_output_subfolder": "hololens",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "internet-explorer",
- "build_source_folder": "browsers/internet-explorer",
- "build_output_subfolder": "internet-explorer",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "keep-secure",
- "build_source_folder": "windows/keep-secure",
- "build_output_subfolder": "keep-secure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "microsoft-edge",
- "build_source_folder": "browsers/edge",
- "build_output_subfolder": "microsoft-edge",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "release-information",
- "build_source_folder": "windows/release-information",
- "build_output_subfolder": "release-information",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "smb",
- "build_source_folder": "smb",
- "build_output_subfolder": "smb",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "store-for-business",
- "build_source_folder": "store-for-business",
- "build_output_subfolder": "store-for-business",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-access-protection",
- "build_source_folder": "windows/access-protection",
- "build_output_subfolder": "win-access-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-app-management",
- "build_source_folder": "windows/application-management",
- "build_output_subfolder": "win-app-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-client-management",
- "build_source_folder": "windows/client-management",
- "build_output_subfolder": "win-client-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-configuration",
- "build_source_folder": "windows/configuration",
- "build_output_subfolder": "win-configuration",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-deployment",
- "build_source_folder": "windows/deployment",
- "build_output_subfolder": "win-deployment",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-device-security",
- "build_source_folder": "windows/device-security",
- "build_output_subfolder": "win-device-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-configure",
- "build_source_folder": "windows/configure",
- "build_output_subfolder": "windows-configure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-deploy",
- "build_source_folder": "windows/deploy",
- "build_output_subfolder": "windows-deploy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-hub",
- "build_source_folder": "windows/hub",
- "build_output_subfolder": "windows-hub",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-plan",
- "build_source_folder": "windows/plan",
- "build_output_subfolder": "windows-plan",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-privacy",
- "build_source_folder": "windows/privacy",
- "build_output_subfolder": "windows-privacy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-security",
- "build_source_folder": "windows/security",
- "build_output_subfolder": "windows-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-update",
- "build_source_folder": "windows/update",
- "build_output_subfolder": "windows-update",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-threat-protection",
- "build_source_folder": "windows/threat-protection",
- "build_output_subfolder": "win-threat-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-whats-new",
- "build_source_folder": "windows/whats-new",
- "build_output_subfolder": "win-whats-new",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- }
- ],
- "notification_subscribers": [
- "elizapo@microsoft.com"
- ],
- "sync_notification_subscribers": [
- "dstrome@microsoft.com"
- ],
- "branches_to_filter": [
- ""
- ],
- "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
- "git_repository_branch_open_to_public_contributors": "public",
- "skip_source_output_uploading": false,
- "need_preview_pull_request": true,
- "resolve_user_profile_using_github": true,
- "dependent_repositories": [
- {
- "path_to_root": "_themes.pdf",
- "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
- "branch": "main",
- "branch_mapping": {}
- },
- {
- "path_to_root": "_themes",
- "url": "https://github.com/Microsoft/templates.docs.msft",
- "branch": "main",
- "branch_mapping": {}
- }
- ],
- "branch_target_mapping": {
- "live": [
- "Publish",
- "Pdf"
- ],
- "main": [
- "Publish",
- "Pdf"
- ]
- },
- "need_generate_pdf_url_template": true,
- "targets": {
- "Pdf": {
- "template_folder": "_themes.pdf"
- }
- },
- "docs_build_engine": {},
- "contribution_branch_mappings": {},
- "need_generate_pdf": false,
- "need_generate_intellisense": false
+{
+ "build_entry_point": "",
+ "docsets_to_publish": [
+ {
+ "docset_name": "education",
+ "build_source_folder": "education",
+ "build_output_subfolder": "education",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "hololens",
+ "build_source_folder": "devices/hololens",
+ "build_output_subfolder": "hololens",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "internet-explorer",
+ "build_source_folder": "browsers/internet-explorer",
+ "build_output_subfolder": "internet-explorer",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "keep-secure",
+ "build_source_folder": "windows/keep-secure",
+ "build_output_subfolder": "keep-secure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "microsoft-edge",
+ "build_source_folder": "browsers/edge",
+ "build_output_subfolder": "microsoft-edge",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "release-information",
+ "build_source_folder": "windows/release-information",
+ "build_output_subfolder": "release-information",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "smb",
+ "build_source_folder": "smb",
+ "build_output_subfolder": "smb",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "store-for-business",
+ "build_source_folder": "store-for-business",
+ "build_output_subfolder": "store-for-business",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-app-management",
+ "build_source_folder": "windows/application-management",
+ "build_output_subfolder": "win-app-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-client-management",
+ "build_source_folder": "windows/client-management",
+ "build_output_subfolder": "win-client-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-configuration",
+ "build_source_folder": "windows/configuration",
+ "build_output_subfolder": "win-configuration",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-deployment",
+ "build_source_folder": "windows/deployment",
+ "build_output_subfolder": "win-deployment",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-device-security",
+ "build_source_folder": "windows/device-security",
+ "build_output_subfolder": "win-device-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-configure",
+ "build_source_folder": "windows/configure",
+ "build_output_subfolder": "windows-configure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-deploy",
+ "build_source_folder": "windows/deploy",
+ "build_output_subfolder": "windows-deploy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-hub",
+ "build_source_folder": "windows/hub",
+ "build_output_subfolder": "windows-hub",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-plan",
+ "build_source_folder": "windows/plan",
+ "build_output_subfolder": "windows-plan",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-privacy",
+ "build_source_folder": "windows/privacy",
+ "build_output_subfolder": "windows-privacy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-security",
+ "build_source_folder": "windows/security",
+ "build_output_subfolder": "windows-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-update",
+ "build_source_folder": "windows/update",
+ "build_output_subfolder": "windows-update",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-threat-protection",
+ "build_source_folder": "windows/threat-protection",
+ "build_output_subfolder": "win-threat-protection",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-whats-new",
+ "build_source_folder": "windows/whats-new",
+ "build_output_subfolder": "win-whats-new",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ }
+ ],
+ "notification_subscribers": [
+ "elizapo@microsoft.com"
+ ],
+ "sync_notification_subscribers": [
+ "dstrome@microsoft.com"
+ ],
+ "branches_to_filter": [
+ ""
+ ],
+ "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "public",
+ "skip_source_output_uploading": false,
+ "need_preview_pull_request": true,
+ "resolve_user_profile_using_github": true,
+ "dependent_repositories": [
+ {
+ "path_to_root": "_themes.pdf",
+ "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
+ "branch": "main",
+ "branch_mapping": {}
+ },
+ {
+ "path_to_root": "_themes",
+ "url": "https://github.com/Microsoft/templates.docs.msft",
+ "branch": "main",
+ "branch_mapping": {}
+ }
+ ],
+ "branch_target_mapping": {
+ "live": [
+ "Publish",
+ "Pdf"
+ ],
+ "main": [
+ "Publish",
+ "Pdf"
+ ]
+ },
+ "need_generate_pdf_url_template": true,
+ "targets": {
+ "Pdf": {
+ "template_folder": "_themes.pdf"
+ }
+ },
+ "docs_build_engine": {},
+ "contribution_branch_mappings": {},
+ "need_generate_pdf": false,
+ "need_generate_intellisense": false
}
\ No newline at end of file
From 1d632da97f3df18729e58bfc0c02f29eeb995058 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:39:01 -0700
Subject: [PATCH 060/158] Remove windows-configure in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index b0bfa9c5ff..c34631fbe0 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-configure",
- "build_source_folder": "windows/configure",
- "build_output_subfolder": "windows-configure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-deploy",
"build_source_folder": "windows/deploy",
From b755b10b46d6961f9ed945466eff0aeb31e2d856 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:39:02 -0700
Subject: [PATCH 061/158] Remove windows-configure in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index b0bfa9c5ff..c34631fbe0 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-configure",
- "build_source_folder": "windows/configure",
- "build_output_subfolder": "windows-configure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-deploy",
"build_source_folder": "windows/deploy",
From 83f1ef39a67eb2c81753b48c46109e32caf910b0 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:39:27 -0700
Subject: [PATCH 062/158] Remove windows-deploy in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c34631fbe0..c04926735a 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-deploy",
- "build_source_folder": "windows/deploy",
- "build_output_subfolder": "windows-deploy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
From 612f42cf99d8fa3139ea51d3972de26228b716c2 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:39:28 -0700
Subject: [PATCH 063/158] Remove windows-deploy in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c34631fbe0..c04926735a 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-deploy",
- "build_source_folder": "windows/deploy",
- "build_output_subfolder": "windows-deploy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
From 2d5bce7d32cea501fdb53cce6325e3028c426db8 Mon Sep 17 00:00:00 2001
From: jweston-1 <81715805+jweston-1@users.noreply.github.com>
Date: Tue, 21 Jun 2022 12:41:37 -0700
Subject: [PATCH 064/158] revision to nav steps per Yong. Minor file cleanup
---
...or-the-use-of-removable-storage-devices.md | 44 +++++++++----------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 0c0339615a..5a4185bc2d 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -20,7 +20,6 @@ ms.technology: windows-sec
# Monitor the use of removable storage devices
-
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device.
@@ -29,34 +28,34 @@ Use the following procedures to monitor the use of removable storage devices and
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-> [!NOTE]
+> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299(v=vs.85)). This may require the device to restart to apply the new security descriptor.
-
-**To configure settings to monitor removable storage devices**
-1. Sign in to your domain controller by using domain administrator credentials.
-2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**.
-4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**.
-5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**.
-7. Click **OK**, and then close the Group Policy Management Editor.
+## To configure settings to monitor removable storage devices
+
+1. Sign in to your domain controller by using domain administrator credentials.
+2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
+3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**.
+4. Double-click **Computer Configuration**, double-click **Policies**, double-click **Windows Settings**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**.
+5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
+6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**.
+7. Click **OK**, and then close the Group Policy Management Editor.
After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active.
-**To verify that removable storage devices are monitored**
+## To verify that removable storage devices are monitored
-1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
+1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
> [!NOTE]
> If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2. Type **gpupdate /force**, and press ENTER.
-3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
-4. In Server Manager, click **Tools**, and then click **Event Viewer**.
-5. Expand **Windows Logs**, and then click **Security**.
-6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**.
-
+
+2. Type **gpupdate /force**, and press ENTER.
+3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
+4. In Server Manager, click **Tools**, and then click **Event Viewer**.
+5. Expand **Windows Logs**, and then click **Security**.
+6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**.
+
For more information, see [Audit Removable Storage](audit-removable-storage.md).
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
@@ -66,7 +65,8 @@ After you configure the settings to monitor removable storage devices, use the f
> [!NOTE]
> We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
-
+
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
From 15365b21a0b6783c8aeb9a2dc753b2ac46a8e22d Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Tue, 21 Jun 2022 14:48:03 -0600
Subject: [PATCH 065/158] Apply suggestions from code review
Line 72: Fix absolute link.
---
.../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 5a4185bc2d..054bdf5247 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -69,4 +69,4 @@ After you configure the settings to monitor removable storage devices, use the f
### Related resource
- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
+- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
From d8f9d081f0b38d1fea213ee815b35515633837a0 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Tue, 21 Jun 2022 14:52:50 -0600
Subject: [PATCH 066/158] Update
windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
Line 71: Change link to relative
---
.../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 054bdf5247..b3e07f18ac 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -68,5 +68,5 @@ After you configure the settings to monitor removable storage devices, use the f
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects)
- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
From 8498bc03cf82f169265bebd4c928fbbfebc52cc0 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Tue, 21 Jun 2022 14:59:13 -0600
Subject: [PATCH 067/158] Update
windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
Line 71: Revert to previous link method.
---
.../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index b3e07f18ac..054bdf5247 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -68,5 +68,5 @@ After you configure the settings to monitor removable storage devices, use the f
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
From 409b8610a596bde702756aa80fbc62fc8eab840f Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Wed, 22 Jun 2022 10:15:12 -0700
Subject: [PATCH 068/158] Modified wording for clarity.
---
.../windows-autopatch/overview/windows-autopatch-overview.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index f2bb7d8615..a724359a90 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -61,7 +61,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
### Prepare
-The following articles describe the mandatory steps to prepare for enrollment, including:
+The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
- [Configure your network](../prepare/windows-autopatch-configure-network.md)
@@ -70,7 +70,7 @@ The following articles describe the mandatory steps to prepare for enrollment, i
### Deploy
-Once you're ready to enroll, this section includes the following articles:
+Once you've enrolled your tenant, this section instructs you to:
- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- [Register your devices](../deploy/windows-autopatch-register-devices.md)
From 4941deb2b924dd3a3a1e808027936fbd4da9460f Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jun 2022 15:21:42 -0700
Subject: [PATCH 069/158] fix broken links from 6/19 RUN ID
92f59a3d-bdfc-483c-9281-d7f370b7d945
---
windows/client-management/mdm/eap-configuration.md | 2 +-
windows/client-management/mdm/healthattestation-csp.md | 5 ++---
.../mdm/new-in-windows-mdm-enrollment-management.md | 2 +-
windows/client-management/troubleshoot-windows-freeze.md | 2 +-
4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 0041ba939a..6eff7f2a44 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -129,7 +129,7 @@ For information about EAP settings, see .
+For more information about extended key usage (EKU), see .
For information about adding EKU to a certificate, see .
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 0670d82890..4eb0e57c7d 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -834,9 +834,8 @@ When the MDM-Server receives the above data, it must:
- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
- - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3)
- - DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3)
-
+ - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: `https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3`
+ - DHA-OnPrem or DHA-EMC: `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3`
### Step 7: Receive response from the DHA-service
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index b2b8adde86..1c9068aa93 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -88,7 +88,7 @@ For information about EAP Settings, see .
+For more information about extended key usage, see .
For information about adding extended key usage (EKU) to a certificate, see .
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 9820130606..aeb80a0007 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -225,7 +225,7 @@ If the physical computer is still running in a frozen state, follow these steps
Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
-For more information, see [How to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/topic/4f4a05c2-ef8a-fca4-3ae0-670b940af398).
+For more information, see [Using PoolMon to Find a Kernel-Mode Memory Leak](/windows-hardware/drivers/debugger/using-poolmon-to-find-a-kernel-mode-memory-leak) and [PoolMon Examples](/windows-hardware/drivers/devtest/poolmon-examples).
### Use memory dump to collect data for the virtual machine that's running in a frozen state
From d43bb5d0f6c46fd31ddb67c27ce94afd77e57136 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jun 2022 15:32:49 -0700
Subject: [PATCH 070/158] win-app-mgmt-docset links
---
.../app-v/appv-deploying-microsoft-office-2010-wth-appv.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index d767f2dfc4..c7e2267354 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -31,7 +31,7 @@ The following table shows the App-V versions, methods of Office package creation
## Creating Office 2010 App-V using the sequencer
-Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. For detailed instructions about how to create an Office 2010 package on App-V, see [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069).
+Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](s/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
## Creating Office 2010 App-V packages using package accelerators
From ad9018b385b13ad171ea5f84f4b114e1a54957e7 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jun 2022 15:57:02 -0700
Subject: [PATCH 071/158] win-deployment
---
windows/deployment/update/update-compliance-v2-enable.md | 2 +-
.../deploy/windows-autopatch-register-devices.md | 2 +-
.../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +-
.../windows-autopatch/references/windows-autopatch-privacy.md | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md
index 4a6330cbed..313d748f40 100644
--- a/windows/deployment/update/update-compliance-v2-enable.md
+++ b/windows/deployment/update/update-compliance-v2-enable.md
@@ -52,7 +52,7 @@ Update Compliance is offered as an Azure Marketplace application that's linked t
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign into your Azure subscription to access this page.
1. Select **Get it now**.
-1. Select **Continue** to agree to the [terms of use](https://azure.microsoft.com/[support/legal/) and the [privacy policy](https://privacy.microsoft.com/en-us/privacystatement) to create the app in Azure.
+1. Select **Continue** to agree to the [terms of use](https://azure.microsoft.com/support/legal/) and the [privacy policy](https://privacy.microsoft.com/en-us/privacystatement) to create the app in Azure.
1. Sign into the [Azure portal](https://portal.azure.com) to finish creating the Update Compliance solution.
1. Select the following settings:
- **Subscription**: The Azure subscription to use.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 67f32f3f6c..f23ef5f8ec 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -57,7 +57,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
- Windows updates policies
- Device configuration
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 6aed402396..64041a261e 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -43,7 +43,7 @@ sections:
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
Additional pre-requisites for devices managed by Configuration Manager:
- - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements)
+ - [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements)
- [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index ec15b0ace9..7d992eafee 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -28,7 +28,7 @@ The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager:
- [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
- [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
-| [Microsoft 365 Apps for enterprise](/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps. |
+| [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
## Windows Autopatch data process and storage
From 1f3c2f48ca9ea5d341c0ac7b7c48101f4adc9411 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jun 2022 16:05:33 -0700
Subject: [PATCH 072/158] fix typo
---
.../app-v/appv-deploying-microsoft-office-2010-wth-appv.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index c7e2267354..34683ed7d8 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -31,7 +31,7 @@ The following table shows the App-V versions, methods of Office package creation
## Creating Office 2010 App-V using the sequencer
-Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](s/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
+Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
## Creating Office 2010 App-V packages using package accelerators
From e391b756708309767a2c9bfdd671eb26bdaef736 Mon Sep 17 00:00:00 2001
From: Jordan Geurten
Date: Thu, 23 Jun 2022 17:34:16 -0400
Subject: [PATCH 073/158] Added PE hash explanation to the WDAC docs
---
.../select-types-of-rules-to-create.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 94be9da4e5..a6c838737d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#More-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
@@ -146,6 +146,10 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
+
+The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
+
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
From bee7236457d0f3d4155d5ac4a8a5fd4364950733 Mon Sep 17 00:00:00 2001
From: cbrito01
Date: Thu, 23 Jun 2022 20:56:02 -0500
Subject: [PATCH 074/158] Update personalization-csp.md
Personalization CSP is supported in Windows 11 SE. Changed the top table from No to Yes on Windows 11
---
windows/client-management/mdm/personalization-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 736959df4e..7eca48b485 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -19,7 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
-|Windows SE|No|No|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
From 8dcfa37ade97e254ba7b0d525185277d1b0ed1d9 Mon Sep 17 00:00:00 2001
From: ansonhsho
Date: Fri, 24 Jun 2022 07:44:05 -0700
Subject: [PATCH 075/158] Update to include SE customizations settings
Updated wallpaper and lock screen image customization settings based on Carlos Brito's suggestions
---
education/windows/windows-11-se-settings-list.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 0e70e1cad2..2415619fce 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -45,7 +45,9 @@ The following table lists and describes the settings that can be changed by admi
| Block external extensions | Default: Blocked
In Microsoft Edge, users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions)|
| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url)|
| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage)|
-| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride)|
+| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride)|\
+| Wallpaper Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp)|
+| Lock Screen Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp)|
## Settings that can't be changed
From efb9f3d5ec6c179a9abae71959552611a9f9494e Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 24 Jun 2022 09:57:06 -0700
Subject: [PATCH 076/158] fix syntax error and cleanup syntax
---
.../windows/windows-11-se-settings-list.md | 36 +++++++++----------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 2415619fce..2db2717126 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -30,24 +30,24 @@ The following table lists and describes the settings that can be changed by admi
| Setting | Description |
| --- | --- |
-| Block manual unenrollment | Default: Blocked
Users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment)|
-| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. |
-| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. |
-| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. |
-| Set Allowed Storage Locations | Default: Blocks Local Drives and Network Drives
Blocks user access to these storage locations. |
-| Allow News and Interests | Default: Hide
Hides Widgets. |
-| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
-| Visible settings pages | Default:
|
-| Enable App Install Control | Default: Turned On
Users can’t download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
-| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn’t been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
-| Allow Telemetry | Default: Required Telemetry Only
Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
-| Allow Experimentation | Default: Disabled
Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
-| Block external extensions | Default: Blocked
In Microsoft Edge, users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions)|
-| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url)|
-| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage)|
-| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride)|\
-| Wallpaper Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp)|
-| Lock Screen Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp)|
+| Block manual unenrollment | Default: Blocked
Users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) |
+| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. |
+| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. |
+| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. |
+| Set Allowed Storage Locations | Default: Blocks Local Drives and Network Drives
Blocks user access to these storage locations. |
+| Allow News and Interests | Default: Hide
Hides Widgets. |
+| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
+| Visible settings pages | Default:
|
+| Enable App Install Control | Default: Turned On
Users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
+| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
+| Allow Telemetry | Default: Required Telemetry Only
Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
+| Allow Experimentation | Default: Disabled
Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
+| Block external extensions | Default: Blocked
In Microsoft Edge, users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) |
+| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
+| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
+| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
+| Wallpaper Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Lock Screen Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
## Settings that can't be changed
From b32e0ad39af86be61f743423fbb05645fb5be3c1 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 24 Jun 2022 10:32:41 -0700
Subject: [PATCH 077/158] style tweaks
---
education/windows/windows-11-se-settings-list.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 2db2717126..b2b9df5de8 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -34,20 +34,20 @@ The following table lists and describes the settings that can be changed by admi
| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. |
| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. |
| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. |
-| Set Allowed Storage Locations | Default: Blocks Local Drives and Network Drives
Blocks user access to these storage locations. |
-| Allow News and Interests | Default: Hide
Hides Widgets. |
+| Set Allowed Storage Locations | Default: Blocks local drives and network drives
Blocks user access to these storage locations. |
+| Allow News and Interests | Default: Hide
Hides widgets. |
| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
| Visible settings pages | Default:
|
-| Enable App Install Control | Default: Turned On
Users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
-| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
+| Enable App Install Control | Default: Turned On
Users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
+| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
| Allow Telemetry | Default: Required Telemetry Only
Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
| Allow Experimentation | Default: Disabled
Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
| Block external extensions | Default: Blocked
In Microsoft Edge, users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) |
-| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
-| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
+| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `Office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
+| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `Office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
-| Wallpaper Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
-| Lock Screen Image Customization | Default:
Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Wallpaper Image Customization | Default:
Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Lock Screen Image Customization | Default:
Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
## Settings that can't be changed
From 23cd1973a3dbf7298e903c758186711a52f0509a Mon Sep 17 00:00:00 2001
From: Jitin Mathew
Date: Sat, 25 Jun 2022 01:19:29 +0530
Subject: [PATCH 078/158] Updated-6020449-B3
Bulk metadata update.
---
windows/security/identity-protection/configure-s-mime.md | 6 ------
.../identity-protection/enterprise-certificate-pinning.md | 4 ----
windows/security/identity-protection/index.md | 4 ----
.../security/identity-protection/password-support-policy.md | 3 ---
.../security/identity-protection/remote-credential-guard.md | 4 ----
.../smart-cards/smart-card-tools-and-settings.md | 4 ----
.../smart-card-windows-smart-card-technical-reference.md | 4 ----
.../user-account-control/how-user-account-control-works.md | 5 -----
...ccount-control-group-policy-and-registry-key-settings.md | 4 ----
.../user-account-control/user-account-control-overview.md | 5 -----
.../user-account-control-security-policy-settings.md | 5 -----
.../virtual-smart-card-deploy-virtual-smart-cards.md | 4 ----
.../virtual-smart-card-evaluate-security.md | 4 ----
.../virtual-smart-cards/virtual-smart-card-get-started.md | 4 ----
.../virtual-smart-cards/virtual-smart-card-overview.md | 4 ----
.../virtual-smart-cards/virtual-smart-card-tpmvscmgr.md | 4 ----
.../virtual-smart-card-understanding-and-evaluating.md | 4 ----
.../virtual-smart-card-use-virtual-smart-cards.md | 4 ----
...re-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 3 ---
...use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 3 ---
.../security/identity-protection/vpn/vpn-authentication.md | 3 ---
.../identity-protection/vpn/vpn-auto-trigger-profile.md | 3 ---
.../identity-protection/vpn/vpn-conditional-access.md | 3 ---
.../security/identity-protection/vpn/vpn-connection-type.md | 3 ---
windows/security/identity-protection/vpn/vpn-guide.md | 2 --
.../security/identity-protection/vpn/vpn-name-resolution.md | 3 ---
.../identity-protection/vpn/vpn-office-365-optimization.md | 4 ----
.../security/identity-protection/vpn/vpn-profile-options.md | 4 ----
windows/security/identity-protection/vpn/vpn-routing.md | 3 ---
.../identity-protection/vpn/vpn-security-features.md | 3 ---
.../windows-credential-theft-mitigation-guide-abstract.md | 5 -----
windows/security/includes/improve-request-performance.md | 5 -----
windows/security/includes/microsoft-defender-api-usgov.md | 5 -----
.../bitlocker/bcd-settings-and-bitlocker.md | 5 -----
.../bitlocker/bitlocker-basic-deployment.md | 5 -----
.../bitlocker/bitlocker-countermeasures.md | 5 -----
.../bitlocker/bitlocker-deployment-comparison.md | 4 ----
.../bitlocker-device-encryption-overview-windows-10.md | 4 ----
.../bitlocker/bitlocker-group-policy-settings.md | 5 -----
.../bitlocker/bitlocker-how-to-deploy-on-windows-server.md | 5 -----
.../bitlocker/bitlocker-how-to-enable-network-unlock.md | 5 -----
.../bitlocker/bitlocker-management-for-enterprises.md | 4 ----
.../information-protection/bitlocker/bitlocker-overview.md | 5 -----
.../bitlocker/bitlocker-recovery-guide-plan.md | 5 -----
...-bitlocker-drive-encryption-tools-to-manage-bitlocker.md | 5 -----
.../bitlocker-use-bitlocker-recovery-password-viewer.md | 5 -----
...your-organization-for-bitlocker-planning-and-policies.md | 5 -----
...ared-volumes-and-storage-area-networks-with-bitlocker.md | 5 -----
.../bitlocker/troubleshoot-bitlocker.md | 2 --
.../bitlocker/ts-bitlocker-cannot-encrypt-issues.md | 2 --
.../bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md | 2 --
.../bitlocker/ts-bitlocker-config-issues.md | 2 --
.../bitlocker/ts-bitlocker-decode-measured-boot-logs.md | 2 --
.../bitlocker/ts-bitlocker-intune-issues.md | 2 --
.../bitlocker/ts-bitlocker-recovery-issues.md | 2 --
.../bitlocker/ts-bitlocker-tpm-issues.md | 2 --
.../security/information-protection/encrypted-hard-drive.md | 4 ----
.../tpm/backup-tpm-recovery-information-to-ad-ds.md | 5 -----
.../tpm/change-the-tpm-owner-password.md | 5 -----
.../information-protection/tpm/how-windows-uses-the-tpm.md | 5 -----
.../tpm/initialize-and-configure-ownership-of-the-tpm.md | 5 -----
.../information-protection/tpm/manage-tpm-commands.md | 5 -----
.../information-protection/tpm/manage-tpm-lockout.md | 5 -----
.../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 5 -----
.../security/information-protection/tpm/tpm-fundamentals.md | 5 -----
.../information-protection/tpm/tpm-recommendations.md | 5 -----
.../tpm/trusted-platform-module-overview.md | 5 -----
...rusted-platform-module-services-group-policy-settings.md | 5 -----
.../tpm/trusted-platform-module-top-node.md | 4 ----
.../windows-information-protection/app-behavior-with-wip.md | 5 -----
.../collect-wip-audit-event-logs.md | 4 ----
.../create-and-verify-an-efs-dra-certificate.md | 5 -----
.../create-vpn-and-wip-policy-using-intune-azure.md | 5 -----
.../create-wip-policy-using-configmgr.md | 6 ------
.../create-wip-policy-using-intune-azure.md | 4 ----
.../deploy-wip-policy-using-intune-azure.md | 5 -----
.../enlightened-microsoft-apps-and-wip.md | 6 ------
.../guidance-and-best-practices-wip.md | 6 ------
.../windows-information-protection/limitations-with-wip.md | 5 -----
.../mandatory-settings-for-wip.md | 5 -----
.../overview-create-wip-policy-configmgr.md | 5 -----
.../overview-create-wip-policy.md | 5 -----
.../protect-enterprise-data-using-wip.md | 6 ------
.../recommended-network-definitions-for-wip.md | 5 -----
.../testing-scenarios-for-wip.md | 6 ------
.../windows-information-protection/using-owa-with-wip.md | 5 -----
.../wip-app-enterprise-context.md | 5 -----
87 files changed, 372 deletions(-)
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index c6922f3901..9184e9a43d 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,14 +1,8 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
ms.reviewer:
-keywords: encrypt, digital signature
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index b41236db4a..bba1605784 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,9 +1,6 @@
---
title: Enterprise Certificate Pinning
-ms.mktglfcycl: manage
-ms.sitesec: library
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
-audience: ITPro
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
@@ -11,7 +8,6 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: m365-security
ms.technology: windows-sec
-ms.pagetype: security
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 7883dbd5b9..330cc0041d 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -2,10 +2,6 @@
title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index 88d73b87aa..c4aeddc3cd 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -8,13 +8,10 @@ ms.custom:
- CSSTroubleshoot
ms.author: v-tappelgate
ms.prod: m365-security
-ms.sitesec: library
-ms.pagetype: security
author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/20/2019
-audience: ITPro
---
# Technical support policy for lost or forgotten passwords
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e919cee245..a477d48218 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -2,10 +2,6 @@
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 935f57edf3..a7c1c2bfa4 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,10 +2,6 @@
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 377f4811d2..7f577b80dd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,10 +2,6 @@
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index bbc7256c6d..ded2f140d2 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -1,13 +1,8 @@
---
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 98cfc580cb..eb97277ed7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -2,10 +2,6 @@
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 3d91177ca0..2e12c5d66e 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -1,14 +1,9 @@
---
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
-ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 4b29de5fe4..d5a71d6a7b 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,13 +1,8 @@
---
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
-ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 7b01e6dec2..a6b311b8f1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,10 +2,6 @@
title: Deploy Virtual Smart Cards (Windows 10)
description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 852c4af6d4..cb90ff6746 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -2,10 +2,6 @@
title: Evaluate Virtual Smart Card Security (Windows 10)
description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 799487b7f9..a1371cb4aa 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -2,10 +2,6 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index cfdee83c74..f81458d9ea 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -2,10 +2,6 @@
title: Virtual Smart Card Overview (Windows 10)
description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 48cbc570a2..e6674037f9 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -2,10 +2,6 @@
title: Tpmvscmgr (Windows 10)
description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index f64d08cdbe..49bd1fbfff 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -2,10 +2,6 @@
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index da45445e1a..3d09432ada 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -2,10 +2,6 @@
title: Use Virtual Smart Cards (Windows 10)
description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 9e47da731c..647e58e84b 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -2,9 +2,6 @@
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a3e52561e5..317751d40d 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -2,9 +2,6 @@
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.date: 03/22/2022
ms.reviewer:
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 70d6af4858..65de4f3780 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -2,9 +2,6 @@
title: VPN authentication options (Windows 10 and Windows 11)
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 441d05936f..8b3e2dbebd 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -2,9 +2,6 @@
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index ec2a6bed29..0912af9374 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -2,9 +2,6 @@
title: VPN and conditional access (Windows 10 and Windows 11)
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 75cbde62de..75b93889b6 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -2,9 +2,6 @@
title: VPN connection types (Windows 10 and Windows 11)
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 08/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 58f9b162de..58fa8e9068 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -2,8 +2,6 @@
title: Windows VPN technical guide (Windows 10 and Windows 11)
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.date: 02/21/2022
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index a07cf8e0c7..fe3269e28b 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -2,9 +2,6 @@
title: VPN name resolution (Windows 10 and Windows 11)
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index a0a8aecf5e..2022a4e863 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -2,10 +2,6 @@
title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
description: tbd
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
-audience: ITPro
ms.topic: article
author: kelleyvice-msft
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index cca873649e..b0cd4195ee 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,13 +1,9 @@
---
title: VPN profile options (Windows 10 and Windows 11)
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
ms.reviewer:
manager: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 3ba700ab9e..291f5adaf9 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -2,9 +2,6 @@
title: VPN routing decisions (Windows 10 and Windows 10)
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 31f424f860..2efb2617f3 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -2,9 +2,6 @@
title: VPN security features (Windows 10 and Windows 11)
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/03/2021
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 0465f35ec4..abe5fd0462 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -1,13 +1,8 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
-ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
index 2048d9f516..89b07558ea 100644
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -1,17 +1,12 @@
---
title: Improve request performance
description: Improve request performance
-keywords: server, request, performance
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
index 536dab4a74..288e5a9769 100644
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ b/windows/security/includes/microsoft-defender-api-usgov.md
@@ -1,17 +1,12 @@
---
title: Microsoft Defender for Endpoint API URIs for US Government
description: Microsoft Defender for Endpoint API URIs for US Government
-keywords: defender, endpoint, api, government, gov
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index fea16b36fc..6c6d9669a2 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,17 +1,12 @@
---
title: BCD settings and BitLocker (Windows 10)
description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
-ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 6bb70b5515..f5a1fecb16 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,17 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 619291134f..4f129193e8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,17 +1,12 @@
---
title: BitLocker Countermeasures (Windows 10)
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index df216aa4e3..68c9d667d6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -2,14 +2,10 @@
title: BitLocker deployment comparison (Windows 10)
description: This article shows the BitLocker deployment comparison chart.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: lovina-saldanha
ms.author: v-lsaldanha
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/20/2021
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 359a620b10..e1d313bfbc 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -2,14 +2,10 @@
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 442bafb9c2..7f02986150 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -1,17 +1,12 @@
---
title: BitLocker Group Policy settings (Windows 10)
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index f743aedb8a..c8b01291fb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -1,17 +1,12 @@
---
title: BitLocker How to deploy on Windows Server 2012 and later
description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
-ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index da9fd23653..efdb32240c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -1,17 +1,12 @@
---
title: BitLocker - How to enable Network Unlock (Windows 10)
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 1b234aad34..faf5dfd19a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -2,14 +2,10 @@
title: BitLocker Management Recommendations for Enterprises (Windows 10)
description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 41c1be27f1..92b67559cf 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -1,16 +1,11 @@
---
title: BitLocker
description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 88a6971b32..28426e5d60 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,17 +1,12 @@
---
title: BitLocker recovery guide (Windows 10)
description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
-ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index f33bdd77ff..15738e7ad1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,17 +1,12 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
description: This article for the IT professional describes how to use tools to manage BitLocker.
-ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 53a8a654a2..dd79eb176a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -1,17 +1,12 @@
---
title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
-ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index ba7ecc2d18..4cda103d80 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -1,17 +1,12 @@
---
title: Prepare your organization for BitLocker Planning and policies (Windows 10)
description: This topic for the IT professional explains how can you plan your BitLocker deployment.
-ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index d176a4f457..1d51dfda83 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,17 +1,12 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
-ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 89bcd638f5..7242269177 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -4,12 +4,10 @@ description: Describes approaches for investigating BitLocker issues, including
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index 5da7725f1d..ef0e081dee 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
index 2609cccafb..cff0ac038d 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@@ -4,12 +4,10 @@ description: Provides guidance for troubleshooting known issues that may prevent
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
index 6898a72c8c..0cd7aa0c07 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that involve your BitLocker configuration a
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index 101da7a83b..c36cc4ab98 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -4,12 +4,10 @@ description: Provides instructions for installing and using a tool for analyzing
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index a15efdcb28..abea61f37e 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -4,12 +4,10 @@ description: provides assistance for issues that you may see if you use Microsof
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection:
- Windows Security Technologies\BitLocker
- highpri
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
index cd0ae7ec94..163cc0e029 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that can occur that prevent BitLocker from
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection:
- Windows Security Technologies\BitLocker
- highpri
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
index fe62dc41cc..6a0c6cf979 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -4,12 +4,10 @@ description: Describes common issues that relate directly to the TPM, and provid
ms.reviewer: kaushika
ms.technology: windows-sec
ms.prod: m365-security
-ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
-audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 7fe79ded9f..6cf2060ecb 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -1,14 +1,10 @@
---
title: Encrypted Hard Drive (Windows)
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dulcemontemayor
ms.date: 04/02/2019
---
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5356f4bc2d..3ad6efecd1 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,16 +1,11 @@
---
title: Back up the TPM recovery information to AD DS (Windows)
description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
-ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/03/2021
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 7260afb4d5..4337bd6dac 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -1,16 +1,11 @@
---
title: Change the TPM owner password (Windows)
description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/18/2022
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index c54c2521ad..9b2fa9a1f7 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -1,17 +1,12 @@
---
title: How Windows uses the TPM
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
-ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index a4f56fec1e..b6e14ea7da 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,16 +1,11 @@
---
title: Troubleshoot the TPM (Windows)
description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
-ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index f998c94a96..697fdc3840 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -1,15 +1,10 @@
---
title: Manage TPM commands (Windows)
description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dulcemontemayor
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index 814498c4c7..a28ed8f612 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -1,16 +1,11 @@
---
title: Manage TPM lockout (Windows)
description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dulcemontemayor
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/06/2021
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index dff3ed5386..22a4d729b0 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,16 +1,11 @@
---
title: Understanding PCR banks on TPM 2.0 devices (Windows)
description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 972a59fcc1..391fb0e733 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,16 +1,11 @@
---
title: Trusted Platform Module (TPM) fundamentals (Windows)
description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
-ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 5a343e626c..1790a62ef4 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -1,17 +1,12 @@
---
title: TPM recommendations (Windows)
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
-ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 07705c394b..942d2ff588 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -1,17 +1,12 @@
---
title: Trusted Platform Module Technology Overview (Windows)
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.assetid: face8932-b034-4319-86ac-db1163d46538
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: high
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index c70105fc3b..5dadb45989 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,16 +1,11 @@
---
title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index c1799559bf..85807ba447 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -2,14 +2,10 @@
title: Trusted Platform Module (Windows)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 57044c576d..4d6e18a29e 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -1,16 +1,11 @@
---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
-keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index f7bfc44de4..49dd0c2647 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -2,14 +2,10 @@
title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 1b4ece02db..3f1a5747a9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -1,16 +1,11 @@
---
title: Make & verify an EFS Data Recovery Agent certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 3c7680cf51..de0d27d47c 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
-keywords: WIP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index fdbf865d8a..0c4214d344 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -1,18 +1,12 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
-ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/09/2020
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 3fa8df029b..39ff0696bb 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -2,13 +2,9 @@
title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/13/2019
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index c81eea7fca..d097f3b77a 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 21a45af6ca..021ea7ed44 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,18 +1,12 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
-ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/02/2019
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 1f6aaa6f4e..df344aface 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -1,18 +1,12 @@
---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 18726f1c02..d984b38ce8 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -1,15 +1,10 @@
---
title: Limitations while using Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 6c2ccfde53..26beadd011 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -1,16 +1,11 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/25/2022
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index c017a7e4f6..f60db36a4f 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,17 +1,12 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 348af05f36..9c4593f028 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,17 +1,12 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/11/2019
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 89d703af97..f5e201aa75 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -1,17 +1,11 @@
---
title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index c55f4fe75b..14f23ff7f7 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,16 +1,11 @@
---
title: Recommended URLs for Windows Information Protection (Windows 10)
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/25/2019
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 247a47ecf5..4f2fdaa90d 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -1,18 +1,12 @@
---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index c1188fad4b..78349eb5ab 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,16 +1,11 @@
---
title: Using Outlook on the web with WIP (Windows 10)
description: Options for using Outlook on the web with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index 84dae48f11..20d519622f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -1,16 +1,11 @@
---
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
From 3b4ee04a27e87b019db878ff7d2d1e838f08952a Mon Sep 17 00:00:00 2001
From: Jitin Mathew
Date: Sat, 25 Jun 2022 01:48:42 +0530
Subject: [PATCH 079/158] Updated-6020449-B3
Article updated to meet Acrolinx target.
---
.../identity-protection/password-support-policy.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index c4aeddc3cd..5cc29b63a0 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -16,7 +16,7 @@ ms.date: 11/20/2019
# Technical support policy for lost or forgotten passwords
-Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
+Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
@@ -28,7 +28,7 @@ If you lose or forget the password for a domain account, contact your IT adminis
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
-This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action.
+This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.
## How to reset a password for a local account on a Windows device
@@ -48,8 +48,8 @@ If you lose or forget the password for the hardware BIOS of a device, contact th
## How to reset a password for an individual file
-Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords.
+Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.
## Using third-party password tools
-Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
+Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
From b9b341580b84c6aa808a5d490ee958023060b2cc Mon Sep 17 00:00:00 2001
From: Andre Della Monica
Date: Fri, 24 Jun 2022 15:42:12 -0500
Subject: [PATCH 080/158] Updates to Dual state AAD records
---
.../windows-autopatch-register-devices.md | 20 ++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index f23ef5f8ec..99fecd54da 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,13 +1,13 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 06/15/2022
+ms.date: 06/24/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
-author: tiaraquan
-ms.author: tiaraquan
+author: andredm7
+ms.author: andredm7
manager: dougeby
msreviewer: andredm7
---
@@ -50,6 +50,17 @@ Azure AD groups synced up from:
> [!TIP]
> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
+### Cleaning up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
+
+[Azure AD dual state](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) happens when a device is initially connected to Azure AD as an [Azure AD Registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) device, but then as you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but now as a [Hybrid Azure AD device](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+
+When dual state happens, you end up having two Azure AD device records with different join types for the same device. in this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+
+It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](https://docs.microsoft.com/azure/active-directory/devices/manage-stale-devices).
+
+> [!WARNING]
+> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the pre-requisite check **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** in the **Not ready** tab as it's expected that these Azure AD stale devices are not enrolled into the Intune service anymore.
+
## Prerequisites for device registration
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
@@ -57,7 +68,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
- Windows updates policies
- Device configuration
@@ -82,7 +93,6 @@ Windows Autopatch introduces a new user interface to help IT admins detect and t
A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
- Azure AD Global Administrator
-- Service Support Administrator
- Intune Service Administrator
- Modern Workplace Intune Administrator
From 7f0bcf5c061cc73e4e98bf866407ad0484626312 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Fri, 24 Jun 2022 13:50:40 -0700
Subject: [PATCH 081/158] Update windows-autopatch-register-devices.md
Reviewed for grammar/style
---
.../deploy/windows-autopatch-register-devices.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 99fecd54da..2257dda4ce 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -50,16 +50,16 @@ Azure AD groups synced up from:
> [!TIP]
> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
-### Cleaning up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
+### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
-[Azure AD dual state](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) happens when a device is initially connected to Azure AD as an [Azure AD Registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) device, but then as you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but now as a [Hybrid Azure AD device](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+[Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) happens when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-When dual state happens, you end up having two Azure AD device records with different join types for the same device. in this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+In dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
-It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](https://docs.microsoft.com/azure/active-directory/devices/manage-stale-devices).
+It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
> [!WARNING]
-> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the pre-requisite check **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** in the **Not ready** tab as it's expected that these Azure AD stale devices are not enrolled into the Intune service anymore.
+> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices are not enrolled into the Intune service anymore.
## Prerequisites for device registration
From f7669ecbe8708607a99618cbd2e964805186467e Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Fri, 24 Jun 2022 13:51:57 -0700
Subject: [PATCH 082/158] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 2257dda4ce..d9c598be61 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -6,8 +6,8 @@ ms.prod: w11
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
-author: andredm7
-ms.author: andredm7
+author: tiaraquan
+ms.author: tiaraquan
manager: dougeby
msreviewer: andredm7
---
From 35ac007e4a6423017e5cece46e20724f0be71018 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Fri, 24 Jun 2022 13:54:49 -0700
Subject: [PATCH 083/158] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index d9c598be61..a522a08253 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -52,9 +52,9 @@ Azure AD groups synced up from:
### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
-[Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) happens when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-In dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+In the dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
From a80d6df2e9ecfcdb69a42d1b488f78bc74c27fe2 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 27 Jun 2022 16:15:34 -0700
Subject: [PATCH 084/158] Update event-id-explanations.md
---
.../event-id-explanations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 2e324713fc..e96c186076 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -9,7 +9,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 05/09/2022
+ms.date: 06/27/2022
ms.topic: reference
---
From 9b6f93fda97bcd9ea0c0be49d2483357fdab4755 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 27 Jun 2022 16:15:49 -0700
Subject: [PATCH 085/158] Update
use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
---
...-windows-defender-application-control-against-tampering.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index ef443c5c9f..1b87884a5e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/03/2018
+ms.date: 06/27/2022
ms.technology: windows-sec
---
@@ -111,4 +111,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
-> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
\ No newline at end of file
+> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
From c64e32e065cbf4d265700fd36111a913b0b4805e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 27 Jun 2022 16:16:30 -0700
Subject: [PATCH 086/158] Update select-types-of-rules-to-create.md
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index a6c838737d..4e2e839d51 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 01/26/2022
+ms.date: 06/27/2022
ms.technology: windows-sec
---
From 1ebab7ccf17f53425bce730ff4a38ffceba75315 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 27 Jun 2022 16:26:11 -0700
Subject: [PATCH 087/158] Update select-types-of-rules-to-create.md
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index ee1790a3c9..c950b5e298 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -146,7 +146,7 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
From fe0b2a9084677fdef712746fdab4a23605bf1a97 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 27 Jun 2022 16:26:50 -0700
Subject: [PATCH 088/158] Update select-types-of-rules-to-create.md
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index c950b5e298..d59f353405 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#More-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
From 5c56265e13b95801430eda31eef96e2c66288c95 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Tue, 28 Jun 2022 05:09:08 -0700
Subject: [PATCH 089/158] Update select-types-of-rules-to-create.md
---
.../select-types-of-rules-to-create.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index d59f353405..6b53f74788 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 06/27/2022
+ms.date: 06/28/2022
ms.technology: windows-sec
---
@@ -26,8 +26,8 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
From f60948f39677a824c8905e74c68efcb7d2c19f0c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Tue, 28 Jun 2022 08:12:44 -0700
Subject: [PATCH 090/158] update personalization csp for SE
---
windows/client-management/mdm/personalization-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 736959df4e..2a21d44f28 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 06/26/2017
+ms.date: 06/28/2022
ms.reviewer:
manager: dansimp
---
@@ -19,7 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
-|Windows SE|No|No|
+|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
From ffa8efe8213de19a6c2c3de5d5025814db030fcc Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 28 Jun 2022 08:14:56 -0700
Subject: [PATCH 091/158] Added hyperlink to what a service profile is.
---
.../operate/windows-autopatch-microsoft-365-apps-enterprise.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 2175c45a94..5a95e0b786 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -102,7 +102,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi
## Microsoft 365 Apps servicing profiles
-A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
+A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type.
From 557e056eb0088be0d31466ad8644537a135406e1 Mon Sep 17 00:00:00 2001
From: Bob Clements <72577850+bobclements-msft@users.noreply.github.com>
Date: Tue, 28 Jun 2022 08:36:04 -0700
Subject: [PATCH 092/158] Update
windows-autopatch-microsoft-365-apps-enterprise.md
Section edit for Servicing Profile. Re-labeled section to point out compatibility. Added links to Servicing Profile resources. Added intro statement for readers that are not familiar with Servicing Profiles.
---
.../windows-autopatch-microsoft-365-apps-enterprise.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 2175c45a94..05111912f8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -100,7 +100,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
-## Microsoft 365 Apps servicing profiles
+## Compatibility with Servicing Profiles
+
+[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
From f2feb22443793e545848c58b24f21aad173df7d5 Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich
Date: Tue, 28 Jun 2022 09:42:54 -0700
Subject: [PATCH 093/158] fixed spelling error
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 6b53f74788..1b68313de8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -146,7 +146,7 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calcuating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
From df919101303d667c951a72783e1fe82ac81f1f8b Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:35:12 -0700
Subject: [PATCH 094/158] Move info about data proc config changes
---
...s-to-windows-diagnostic-data-collection.md | 59 ++++++++++++++++---
...ws-diagnostic-data-in-your-organization.md | 59 +------------------
.../windows-10-and-privacy-compliance.md | 2 +-
3 files changed, 52 insertions(+), 68 deletions(-)
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index b672974ebd..d8bef9aa31 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -74,18 +74,59 @@ The following provides information on the current configurations:
- [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)
-## New Windows diagnostic data processor configuration
+## Significant changes coming to the Windows diagnostic data processor configuration
-> [!IMPORTANT]
-> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
-Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows:
+To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
-- Windows 11 Enterprise, Professional, and Education
-- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update.
+***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.***
-Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
+We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
-Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller.
+### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
-This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users’ requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
+
+From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
+
+### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
+
+For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
+
+- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
+- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
+- [Microsoft Managed Desktop](/managed-desktop/intro/)
+- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
+
+*(Additional licensing requirements may apply to use these services.)*
+
+If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
+
+> [!NOTE]
+> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+
+### Rollout plan for this change
+
+This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
+
+During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
+
+- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
+- The processor configuration will be disabled in any devices that were previously enabled.
+- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+
+It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
+
+For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+
+For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.
+
+To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
+
+As part of this change, the following policies will no longer be supported to configure the processor option:
+ - Allow commercial data pipeline
+ - Allow Desktop Analytics Processing
+ - Allow Update Compliance Processing
+ - Allow WUfB Cloud Processing
+ - Configure the Commercial ID
\ No newline at end of file
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 9278a481b7..c28627092b 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm
## Enable Windows diagnostic data processor configuration
> [!IMPORTANT]
-> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)
The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
@@ -325,63 +325,6 @@ Windows Update for Business:
- [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections)
-### Significant changes coming to the Windows diagnostic data processor configuration
-
-Currently, to enroll devices in the Window diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
-
-To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
-
-***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.***
-
-We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
-
-#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
-
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
-
-From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
-
-#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
-
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
-
-- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
-- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
-- [Microsoft Managed Desktop](/managed-desktop/intro/)
-- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
-
-*(Additional licensing requirements may apply to use these services.)*
-
-If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
-
-> [!NOTE]
-> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
-
-#### Rollout plan for this change
-
-This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
-
-During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
-
-- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
-- The processor configuration will be disabled in any devices that were previously enabled.
-- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
-
-It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
-
-For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
-
-For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.
-
-To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
-
-As part of this change, the following policies will no longer be supported to configure the processor option:
- - Allow commercial data pipeline
- - Allow Desktop Analytics Processing
- - Allow Update Compliance Processing
- - Allow WUfB Cloud Processing
- - Configure the Commercial ID
-
## Limit optional diagnostic data for Desktop Analytics
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing).
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 831b6eb589..6da75f6110 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -147,7 +147,7 @@ An administrator can disable a user’s ability to delete their device’s diagn
#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
> [!IMPORTANT]
-> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information]((changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)).
**Applies to:**
From 7e4310ec45a9fe26b277963517f4af3935c20c5e Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:57:08 -0700
Subject: [PATCH 095/158] fix link issues
---
.../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +-
windows/privacy/windows-10-and-privacy-compliance.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index d8bef9aa31..5e15ca25f9 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -122,7 +122,7 @@ For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant,
For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.
-To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
+To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
As part of this change, the following policies will no longer be supported to configure the processor option:
- Allow commercial data pipeline
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 6da75f6110..e4e7e22ec9 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -147,7 +147,7 @@ An administrator can disable a user’s ability to delete their device’s diagn
#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
> [!IMPORTANT]
-> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information]((changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)).
+> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
**Applies to:**
From e42b13922d3b1615edf56d02c8445c78428b8915 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Tue, 28 Jun 2022 12:09:40 -0700
Subject: [PATCH 096/158] 37251356 - Add note about garrulous events caused by
MI/ISG enablements
---
.../operations/known-issues.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index a54661c0b2..2463f2312e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -31,6 +31,10 @@ ms.localizationpriority: medium
This topic covers tips and tricks for admins as well as known issues with WDAC.
Test this configuration in your lab before enabling it in production.
+## ManagedInstaller/ISG enablements may cause garrulous events
+
+These events do not indicate an issue with the policy, and we are servicing the code to turn them off by default. This will be resolved in the September 2022 C release.
+
## .NET native images may generate false positive block events
In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
From 568e1da35e86cb065d7341d918c1483401b50528 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Tue, 28 Jun 2022 12:33:35 -0700
Subject: [PATCH 097/158] Update known-issues.md
---
.../operations/known-issues.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index 34b4026eb5..57efc3c9da 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -28,20 +28,20 @@ ms.localizationpriority: medium
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
+This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
## ManagedInstaller/ISG enablements may cause garrulous events
-These events do not indicate an issue with the policy, and we are servicing the code to turn them off by default. This will be resolved in the September 2022 C release.
+These events don't indicate an issue with the policy, and we're servicing the code to turn them off by default. This issue will be resolved in the September 2022 C release.
## .NET native images may generate false positive block events
-In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
+In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
## MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
-For example, this command will not work:
+For example, this command won't work:
```console
msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
From eb65c39ea16740b6f7acab6235e01d3a96bd3036 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Tue, 28 Jun 2022 13:45:07 -0700
Subject: [PATCH 098/158] Add missing punctuation
---
.../configure-windows-diagnostic-data-in-your-organization.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index c28627092b..b8cdecf995 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm
## Enable Windows diagnostic data processor configuration
> [!IMPORTANT]
-> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration)
+> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
From f3f40d05bbf77178b8c973af37ca115fb381b3a0 Mon Sep 17 00:00:00 2001
From: Harman Thind <63820404+hathin@users.noreply.github.com>
Date: Tue, 28 Jun 2022 13:54:41 -0700
Subject: [PATCH 099/158] New URLs added
added 2 new urls for Windows Autopatch service
---
.../prepare/windows-autopatch-configure-network.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index a1fb48b746..93a0fbe3bd 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
|
### Required Microsoft product endpoints
From c6758d8894de1abbaf2ff6866edb53fa282ddffa Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 29 Jun 2022 05:51:34 -0700
Subject: [PATCH 100/158] Update known-issues.md
---
.../operations/known-issues.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index 57efc3c9da..1c179e8e7a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -30,9 +30,9 @@ ms.localizationpriority: medium
This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
-## ManagedInstaller/ISG enablements may cause garrulous events
+## Managed Installer and ISG will cause garrulous events
-These events don't indicate an issue with the policy, and we're servicing the code to turn them off by default. This issue will be resolved in the September 2022 C release.
+When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
## .NET native images may generate false positive block events
From 760934a6e94ce88cf664e0be990e31d49e4e833e Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Wed, 29 Jun 2022 17:41:53 -0700
Subject: [PATCH 101/158] Added new URLs.
---
.../prepare/windows-autopatch-configure-network.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index a1fb48b746..93a0fbe3bd 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
|
+| Windows Autopatch | - mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
|
### Required Microsoft product endpoints
From 51d59eca5646496f1f7c666fb8169e230eba99f7 Mon Sep 17 00:00:00 2001
From: Julian Lemmerich <41118534+JM-Lemmi@users.noreply.github.com>
Date: Thu, 30 Jun 2022 09:58:33 +0200
Subject: [PATCH 102/158] align table correctly
fix #10673
---
.../applocker/dll-rules-in-applocker.md | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 5c09c86d2e..6921eeb8f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -40,12 +40,9 @@ The following table lists the default rules that are available for the DLL rule
| Purpose | Name | User | Rule condition type |
| - | - | - | - |
-| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|
-| BUILTIN\Administrators | Path: *|
-| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs |
-| Everyone | Path: %windir%\*|
-| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder|
-| Everyone | Path: %programfiles%\*|
+| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *|
+| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*|
+| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*|
> [!IMPORTANT]
> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
From 0d8c35f1cf5f9f2fd3a0dcbb29644d7b29ef397b Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 30 Jun 2022 11:55:44 -0700
Subject: [PATCH 103/158] delete minecraft promotion article
---
.openpublishing.redirection.json | 5 ++
.../windows/get-minecraft-device-promotion.md | 90 -------------------
2 files changed, 5 insertions(+), 90 deletions(-)
delete mode 100644 education/windows/get-minecraft-device-promotion.md
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 9a87d541b5..04826145f2 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19559,6 +19559,11 @@
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/get-minecraft-device-promotion.md",
+ "redirect_url": "/education/windows/get-minecraft-for-education",
+ "redirect_document_id": false
}
]
}
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
deleted file mode 100644
index 258525651d..0000000000
--- a/education/windows/get-minecraft-device-promotion.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Get Minecraft Education Edition with your Windows 10 device promotion
-description: Windows 10 device promotion for Minecraft Education Edition licenses
-keywords: school, Minecraft, education edition
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.localizationpriority: medium
-author: dansimp
-searchScope:
- - Store
-ms.author: dansimp
-ms.date: 06/05/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Get Minecraft: Education Edition with Windows 10 device promotion
-
-**Applies to:**
-
-- Windows 10
-
-The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018.
-
-Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education.
-For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](./school-get-minecraft.md?toc=%2fmicrosoft-store%2feducation%2ftoc.json).
-
->[!Note]
->**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time
-of redemption. At the end of 1 year, the promotional subscriptions will expire and any people using these subscriptions will be reverted to a trial license of **Minecraft: Education Edition**.
-
-To prevent being reverted to a trial license, admins or teachers need to purchase new **Minecraft: Education Edition** subscriptions from Store for Education, and assign licenses to users who used a promotional subscription.
-
-
-
\ No newline at end of file
From e30aa032818b7592e7b4a8343db1532f3f73cc34 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Thu, 30 Jun 2022 12:01:59 -0700
Subject: [PATCH 104/158] remove minecraft promotion from TOC
---
education/windows/TOC.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index 3a592b8263..717ae6c902 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -53,8 +53,6 @@
href: teacher-get-minecraft.md
- name: "For IT administrators: get Minecraft Education Edition"
href: school-get-minecraft.md
- - name: "Get Minecraft: Education Edition with Windows 10 device promotion"
- href: get-minecraft-device-promotion.md
- name: Test Windows 10 in S mode on existing Windows 10 education devices
href: test-windows10s-for-edu.md
- name: Enable Windows 10 in S mode on Surface Go devices
From 43a55e57508d2957dfbea754f801048ba03e687f Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:37:17 -0700
Subject: [PATCH 105/158] Remove windows-update in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c04926735a..6b0aff2a70 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -273,22 +273,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-update",
- "build_source_folder": "windows/update",
- "build_output_subfolder": "windows-update",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
@@ -360,13 +344,13 @@
"Pdf"
]
},
- "need_generate_pdf_url_template": true,
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
},
"docs_build_engine": {},
+ "need_generate_pdf_url_template": true,
"contribution_branch_mappings": {},
"need_generate_pdf": false,
"need_generate_intellisense": false
From 07d2e54d883048371dcf12b2250944ad3bcc0933 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:37:18 -0700
Subject: [PATCH 106/158] Remove windows-update in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c04926735a..6b0aff2a70 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -273,22 +273,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-update",
- "build_source_folder": "windows/update",
- "build_output_subfolder": "windows-update",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
@@ -360,13 +344,13 @@
"Pdf"
]
},
- "need_generate_pdf_url_template": true,
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
},
"docs_build_engine": {},
+ "need_generate_pdf_url_template": true,
"contribution_branch_mappings": {},
"need_generate_pdf": false,
"need_generate_intellisense": false
From cb8e6de80d31cb7d7c3e748dcb18003161981bd4 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:37:38 -0700
Subject: [PATCH 107/158] Remove win-threat-protection in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 6b0aff2a70..2d771fbd37 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -273,22 +273,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "win-threat-protection",
- "build_source_folder": "windows/threat-protection",
- "build_output_subfolder": "win-threat-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
From b87ca714a4deb815e33ec2cdec677d0ab22d221d Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:37:40 -0700
Subject: [PATCH 108/158] Remove win-threat-protection in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 6b0aff2a70..2d771fbd37 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -273,22 +273,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "win-threat-protection",
- "build_source_folder": "windows/threat-protection",
- "build_output_subfolder": "win-threat-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
From 2ce69b6f3cd762567a78454071a387e92016d047 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:09 -0700
Subject: [PATCH 109/158] Remove release-information in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 2d771fbd37..1f93ea6915 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -81,22 +81,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "release-information",
- "build_source_folder": "windows/release-information",
- "build_output_subfolder": "release-information",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "smb",
"build_source_folder": "smb",
From 1730a89084edad99371b485c7708a5042c96538c Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:11 -0700
Subject: [PATCH 110/158] Remove release-information in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 2d771fbd37..1f93ea6915 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -81,22 +81,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "release-information",
- "build_source_folder": "windows/release-information",
- "build_output_subfolder": "release-information",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "smb",
"build_source_folder": "smb",
From 40905d0b2d22477609aa100c07c7fbf9496db166 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:28 -0700
Subject: [PATCH 111/158] Remove windows-plan in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 1f93ea6915..a1acf6deeb 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-plan",
- "build_source_folder": "windows/plan",
- "build_output_subfolder": "windows-plan",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
From 861ae2072f1cf18eb6e10577123f0eb9a639a105 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:30 -0700
Subject: [PATCH 112/158] Remove windows-plan in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 1f93ea6915..a1acf6deeb 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -209,22 +209,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "windows-plan",
- "build_source_folder": "windows/plan",
- "build_output_subfolder": "windows-plan",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
From 2ef5dfd15f269373d40609fbcbc2f8b1aefdfd2b Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:44 -0700
Subject: [PATCH 113/158] Remove keep-secure in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index a1acf6deeb..e9a52b9400 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -49,22 +49,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "keep-secure",
- "build_source_folder": "windows/keep-secure",
- "build_output_subfolder": "keep-secure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
From aa44479381967fe075566234be157bc0373abca0 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:38:45 -0700
Subject: [PATCH 114/158] Remove keep-secure in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index a1acf6deeb..e9a52b9400 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -49,22 +49,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "keep-secure",
- "build_source_folder": "windows/keep-secure",
- "build_output_subfolder": "keep-secure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
From 68db9d2a956dd00d345572012f2e5e0267ee417f Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:39:17 -0700
Subject: [PATCH 115/158] Remove hololens in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index e9a52b9400..253a70b3bf 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -17,22 +17,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "hololens",
- "build_source_folder": "devices/hololens",
- "build_output_subfolder": "hololens",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
From 84828bfcb7178214fe7e22a1e8c0f0c0dd8d4b9d Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:39:19 -0700
Subject: [PATCH 116/158] Remove hololens in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index e9a52b9400..253a70b3bf 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -17,22 +17,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "hololens",
- "build_source_folder": "devices/hololens",
- "build_output_subfolder": "hololens",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
From 42cf930fdc8737bbea4edce47698e19181647802 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:39:39 -0700
Subject: [PATCH 117/158] Remove win-device-security in
.openpublishing.publish.config.json under live branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 253a70b3bf..284f6f33a1 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -145,22 +145,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "win-device-security",
- "build_source_folder": "windows/device-security",
- "build_output_subfolder": "win-device-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
From 5f285490112fb6c9a9a3e31cef3bfc8b63714be3 Mon Sep 17 00:00:00 2001
From: Christopher McClister <5713373+cmcclister@users.noreply.github.com>
Date: Thu, 30 Jun 2022 12:39:40 -0700
Subject: [PATCH 118/158] Remove win-device-security in
.openpublishing.publish.config.json under main branch.
---
.openpublishing.publish.config.json | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 253a70b3bf..284f6f33a1 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -145,22 +145,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "win-device-security",
- "build_source_folder": "windows/device-security",
- "build_output_subfolder": "win-device-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
From 0c7f4be566e280da2687d62171f883afbaee4fbe Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Jun 2022 14:29:20 -0700
Subject: [PATCH 119/158] add intune admin for 365 admin center
---
.../update/update-compliance-v2-prerequisites.md | 13 ++++++++-----
.../deployment/update/update-status-admin-center.md | 10 +++++++---
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md
index 2f45ad0ced..8a6a2a0c8a 100644
--- a/windows/deployment/update/update-compliance-v2-prerequisites.md
+++ b/windows/deployment/update/update-compliance-v2-prerequisites.md
@@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
-ms.date: 06/06/2022
+ms.date: 06/30/2022
---
# Update Compliance prerequisites
@@ -66,11 +66,14 @@ For more information about what's included in different diagnostic levels, see [
> [!NOTE]
> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.
-## Microsoft 365 admin center permissions (optional)
+## Microsoft 365 admin center permissions (optional currently)
-When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also recommended:
- - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
+When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed:
+
+- To configure settings and view the **Software Updates** page:
+ - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+ - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
+- To view the **Software Updates** page: [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
## Log Analytics prerequisites
diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md
index 9794557bd2..71e40f2c64 100644
--- a/windows/deployment/update/update-status-admin-center.md
+++ b/windows/deployment/update/update-status-admin-center.md
@@ -10,7 +10,7 @@ ms.collection:
- M365-analytics
- highpri
ms.topic: article
-ms.date: 05/07/2022
+ms.date: 06/20/2022
---
# Microsoft admin center software updates (preview) page
@@ -34,8 +34,12 @@ The **Software updates** page has following tabs to assist you in monitoring upd
- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution
- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com)
- - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
+ - To configure settings and view the **Software Updates** page:
+ - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+ - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
+ - To view the **Software Updates** page:
+ - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
+
## Limitations
From 7506612755478a76391a3b53052ddc91c851ea14 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Jun 2022 14:32:41 -0700
Subject: [PATCH 120/158] add intune admin for 365 admin center
---
windows/deployment/update/update-compliance-v2-prerequisites.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md
index 8a6a2a0c8a..7a1c5ae31b 100644
--- a/windows/deployment/update/update-compliance-v2-prerequisites.md
+++ b/windows/deployment/update/update-compliance-v2-prerequisites.md
@@ -66,7 +66,7 @@ For more information about what's included in different diagnostic levels, see [
> [!NOTE]
> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.
-## Microsoft 365 admin center permissions (optional currently)
+## Microsoft 365 admin center permissions (currently optional)
When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed:
From cf09f99c05f563551085b373a14ab3f76fd7b92c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Jun 2022 14:35:03 -0700
Subject: [PATCH 121/158] add intune admin for 365 admin center
---
.../deployment/update/update-compliance-v2-prerequisites.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md
index 7a1c5ae31b..88cfdcb10b 100644
--- a/windows/deployment/update/update-compliance-v2-prerequisites.md
+++ b/windows/deployment/update/update-compliance-v2-prerequisites.md
@@ -73,7 +73,8 @@ When you use the [Microsoft admin center software updates (preview) page](update
- To configure settings and view the **Software Updates** page:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
-- To view the **Software Updates** page: [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
+- To view the **Software Updates** page:
+ - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
## Log Analytics prerequisites
From a2f544c005c6624902081088299ff8732b871853 Mon Sep 17 00:00:00 2001
From: Andre Della Monica
Date: Thu, 30 Jun 2022 17:03:10 -0500
Subject: [PATCH 122/158] More changes
---
.../deploy/windows-autopatch-register-devices.md | 15 ++++++++-------
.../prepare/windows-autopatch-prerequisites.md | 8 +++++---
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a522a08253..4c38fd7246 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 06/24/2022
+ms.date: 06/30/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@@ -68,16 +68,17 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+ - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
- Windows updates policies
- Device configuration
- Office Click-to-run
- Last Intune device check-in completed within the last 28 days.
+- Devices must have Serial Number, Model and Manufacturer.
+ > [!NOTE]
+ > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
-For more information on how Configuration Manager workloads work, see [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads).
-
-See [Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
+See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
## About the Ready and Not ready tabs
@@ -126,7 +127,7 @@ Once devices or Azure AD groups containing devices are added to the **Windows Au
> [!IMPORTANT]
> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
-## Additional device management lifecycle scenarios
+## Device management lifecycle scenarios
There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5d377d6e50..4484d30d3a 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 05/30/2022
+ms.date: 06/30/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -21,7 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
- For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
- For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
|
-| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
+| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.
See [register your devices](https://docs.microsoft.com/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
+
+For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
## More about licenses
@@ -42,7 +44,7 @@ The following Windows 64-bit editions are required for Windows Autopatch:
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
-## Co-management requirements
+## Configuration Manager Co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:
From bbbf4c39a3f387268471ba92086e5c65599fb92c Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:29:51 -0700
Subject: [PATCH 123/158] Update windows-autopatch-prerequisites.md
---
.../prepare/windows-autopatch-prerequisites.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 4484d30d3a..431e2c3f27 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
- For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
- For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
|
-| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.
See [register your devices](https://docs.microsoft.com/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
+| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.
See [Register your devices](../deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
From 9dcbe8cbb4e86f1c8cc7fba1f13925c6c478b09d Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:35:45 -0700
Subject: [PATCH 124/158] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 4c38fd7246..bdb0f168e9 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -68,7 +68,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#co-management-requirements).
- Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
- Windows updates policies
- Device configuration
From 97c1e235e780f80e80489a25bde9cb4f1c713b88 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:38:02 -0700
Subject: [PATCH 125/158] Update windows-autopatch-prerequisites.md
---
.../prepare/windows-autopatch-prerequisites.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 431e2c3f27..029a20632c 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
- For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
- For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
|
-| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.
See [Register your devices](../deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
+| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
From e4136efa95d70be9c9e36c7d3088d4ead16eaa99 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 30 Jun 2022 15:46:23 -0700
Subject: [PATCH 126/158] Fixed broken links.
---
.../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +-
.../prepare/windows-autopatch-enroll-tenant.md | 2 +-
.../prepare/windows-autopatch-prerequisites.md | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 64041a261e..e88fc29e91 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -43,7 +43,7 @@ sections:
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
Additional pre-requisites for devices managed by Configuration Manager:
- - [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements)
+ - [Co-management](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
- [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index c594bece89..5170032f91 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -27,7 +27,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
> [!IMPORTANT]
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
-The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
**To access and run the Readiness assessment tool:**
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5d377d6e50..2f24e926b6 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -42,7 +42,7 @@ The following Windows 64-bit editions are required for Windows Autopatch:
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
-## Co-management requirements
+## Configuration Manager Co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:
From c2be73ed32cd39163a1bf950e3c8469959cb3119 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:51:54 -0700
Subject: [PATCH 127/158] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index bdb0f168e9..f6dc54cf8d 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -68,7 +68,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#co-management-requirements).
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
- Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
- Windows updates policies
- Device configuration
From 3ad2eaa8a3f72e8a6ce7bbd262bbb51cf6840fce Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:52:33 -0700
Subject: [PATCH 128/158] Update windows-autopatch-faq.yml
---
.../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index e88fc29e91..3e968ceeab 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -43,7 +43,7 @@ sections:
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
Additional pre-requisites for devices managed by Configuration Manager:
- - [Co-management](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
+ - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
- [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
From 858675694276b1f0964e2a118be925e1661b164d Mon Sep 17 00:00:00 2001
From: Alexander Spitaler
Date: Fri, 1 Jul 2022 14:15:48 +0200
Subject: [PATCH 129/158] 10678-UpdateCredentialGuardIntuneDocu
Changed the manual to settings catalog options
---
.../credential-guard/credential-guard-manage.md | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b63bf80703..7637deca64 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -53,19 +53,21 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run `gpupdate /force`.
-### Enable Windows Defender Credential Guard by using Intune
+### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager
-1. From **Home**, select **Microsoft Intune**.
+1. From **Microsoft Endpoint Manager admin center**, select **Devices**.
-1. Select **Device configuration**.
+1. Select **Configuration Profiles**.
-1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
+1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
- > [!NOTE]
- > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
+ 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings
+
+> [!NOTE]
+> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
> [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
### Enable Windows Defender Credential Guard by using the registry
From 980dd88868937de62dc8216960819732c0a67008 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 1 Jul 2022 10:07:52 -0700
Subject: [PATCH 130/158] Update known-issues.md
---
.../operations/known-issues.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index 1c179e8e7a..dfddeebe3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
-ms.date: 04/14/2021
+ms.date: 07/01/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@@ -25,8 +25,8 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
From 17c9098c9a4654cb301315c7e73caa67da8e0c81 Mon Sep 17 00:00:00 2001
From: Alexander Spitaler
Date: Sat, 2 Jul 2022 15:48:15 +0200
Subject: [PATCH 131/158] Update
windows/security/identity-protection/credential-guard/credential-guard-manage.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../credential-guard/credential-guard-manage.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 7637deca64..c2b416f149 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -61,7 +61,7 @@ To enforce processing of the group policy, you can run `gpupdate /force`.
1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
- 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings
+ 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings.
> [!NOTE]
> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
From 6a69f49b16bd65385cba6d3e382cfaf7668e8494 Mon Sep 17 00:00:00 2001
From: Office Content Publishing 2
<44301038+officedocspr2@users.noreply.github.com>
Date: Sat, 2 Jul 2022 23:32:58 -0700
Subject: [PATCH 132/158] Uploaded file: education-content-updates.md -
2022-07-02 23:32:58.2316
---
.../includes/education-content-updates.md | 34 ++-----------------
1 file changed, 2 insertions(+), 32 deletions(-)
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 73b3828e76..825288c869 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,39 +2,9 @@
-## Week of May 02, 2022
+## Week of June 27, 2022
| Published On |Topic title | Change |
|------|------------|--------|
-| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
-| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
-| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
-| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
-| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
-| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
-| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
-| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
-| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
-| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
-
-
-## Week of April 25, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-
-
-## Week of April 18, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
+| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed |
From fda276c337ce533f14fa61257922833f0622dca5 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Mon, 4 Jul 2022 23:33:38 +0530
Subject: [PATCH 133/158] added windows 11
user report #10684, after reading this article, I conformed **Windows 11** OS is also supported
---
.../security-policy-settings/security-policy-settings.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index a0a8270da7..305941019b 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -23,6 +23,7 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
This reference topic describes the common scenarios, architecture, and processes for security settings.
@@ -404,4 +405,4 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| - | - |
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
-| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
\ No newline at end of file
+| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
From 10d39dce22d6341915e5de5edbf7fce6b97892e2 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 5 Jul 2022 20:52:03 -0700
Subject: [PATCH 134/158] Getting ready for GA.
---
.../operate/windows-autopatch-wqu-overview.md | 7 +-
...dows-autopatch-wqu-unsupported-policies.md | 95 +++++++++++++++++--
2 files changed, 94 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index 282c602973..e58e36cbfd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -72,8 +72,11 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
-> [!NOTE]
-> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview.
+You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
+
+## Rollback
+
+Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md).
## Incidents and outages
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
index a76f93d9c5..1ee72bdfda 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
@@ -1,7 +1,7 @@
---
-title: Conflicting and unsupported policies
-description: This article explains the conflicting and unsupported policies in Windows quality updates
-ms.date: 05/30/2022
+title: Windows update policies
+description: This article explains Windows update policies in Windows Autopatch
+ms.date: 07/07/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -12,11 +12,94 @@ manager: dougeby
msreviewer: hathind
---
-# Conflicting and unsupported policies
+# Windows update policies
+
+## Update rings for Windows 10 and later
+
+The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
+
+**Modern Workplace Update Policy [ring name] – [Windows Autopatch]**
+
+### Windows 10 and later update settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Microsoft product updates | Allow | Allow | Allow | Allow |
+| Windows drivers | Allow | Allow | Allow | Allow |
+| Quality update deferral period | 0 | 1 | 6 | 9 |
+| Feature update deferral period | 0 | 0 | 0 | 0 |
+| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
+| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
+| Servicing channel | General availability | General availability | General availability | General availability |
+
+### Windows 10 and later user experience settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default |
+| Restart checks | Allow | Allow | Allow | Allow |
+| Option to pause updates | Disable | Disable | Disable | Disable |
+| Option to check for Windows updates | Default | Default | Default | Default |
+| Change notification update level | Default | Default | Default | Default |
+| Deadline for feature updates | 5 | 5 | 5 | 5 |
+| Deadline for quality updates | 0 | 2 | 2 | 5 |
+| Grace period | 0 | 2 | 2 | 2 |
+| Auto-restart before deadline | Yes | Yes | Yes | Yes |
+
+### Windows 10 and later assignments
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Excluded groups | None | None | None | None |
+
+## Feature update policies
+
+The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices.
+
+### Feature updates for Windows 10 and later
+
+These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention:
+
+**Modern Workplace DSS Policy [ring name]**
+
+#### Feature update deployment settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows |
+| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start |
+
+#### Feature update policy assignments
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices |
+
+#### Windows 11 testing
+
+To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment.
+
+##### Windows 11 deployment setting
+
+| Setting name | Test |
+| ----- | ----- |
+| Name | Windows 11 |
+| Rollout options | Immediate start |
+
+##### Windows 11 assignments
+
+| Setting name | Test |
+| ----- | ----- |
+| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Excluded groups | None |
+
+## Conflicting and unsupported policies
Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
-## Update policies
+### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management.
@@ -26,7 +109,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.
This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
-## Group policy
+### Group policy
Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:
From 263697a27f06e875e9b517f45f9ec748b122a754 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Tue, 5 Jul 2022 21:13:56 -0700
Subject: [PATCH 135/158] Updating as per Adam Nichols W365 update.
---
.../windows-autopatch-register-devices.md | 38 ++++++++++++++++++-
.../overview/windows-autopatch-faq.yml | 6 +++
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index f6dc54cf8d..28cf8a2491 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -111,7 +111,9 @@ Registering your devices in Windows Autopatch does the following:
## Steps to register devices
-**To register devices into Windows Autopatch:**
+### Physical devices
+
+**To register physical devices into Windows Autopatch:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Windows Autopatch** from the left navigation menu.
@@ -127,6 +129,40 @@ Once devices or Azure AD groups containing devices are added to the **Windows Au
> [!IMPORTANT]
> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
+### Virtual devices
+
+#### Windows Autopatch on Windows 365 Enterprise Workloads
+
+With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date.
+
+#### Deploy Windows Autopatch on a Windows 365 Provisioning Policy
+
+For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
+
+**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:**
+
+1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+1. In the left pane, select **Devices**.
+1. Navigate to Provisioning > **Windows 365**.
+1. Select Provisioning policies > **Create policy**.
+1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types).
+1. Select **Next**.
+1. Choose the desired image and select **Next**.
+1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) cannot manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue.
+1. Assign your policy accordingly and select **Next**.
+1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
+
+#### Deploy Autopatch on Windows 365 for existing Cloud PC
+
+All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices. For more information, see [Physical devices](#physical-devices).
+
+#### Contact support
+
+Support is available either through Windows 365, or Windows Autopatch for update related incidents.
+
+- For Windows 365 support, see [Get support](/mem/get-support).
+- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request).
+
## Device management lifecycle scenarios
There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 3e968ceeab..5b27699c20 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -59,6 +59,12 @@ sections:
- question: Can Autopatch customers individually approve or deny devices?
answer: |
No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported.
+ - question: Does Autopatch on Widows 365 Cloud PCs have any feature difference from a physical device?
+ answer: |
+ No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ - question: Can I run Autopatch on my Windows 365 Business Workloads?
+ answer: |
+ No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- name: Update Management
questions:
- question: What systems does Windows Autopatch update?
From 62c7b78a1a0b088b26f8ba5af43d2bd8e2973510 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Tue, 5 Jul 2022 21:15:51 -0700
Subject: [PATCH 136/158] Update windows-autopatch-register-devices.md
Changed date.
---
.../deploy/windows-autopatch-register-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 28cf8a2491..1a58a87f72 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 06/30/2022
+ms.date: 07/06/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
From 77f1c09a2092607821eb45bb6f7c4d668b4034e2 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Tue, 5 Jul 2022 21:20:50 -0700
Subject: [PATCH 137/158] Update windows-autopatch-faq.yml
Added a question.
---
.../windows-autopatch/overview/windows-autopatch-faq.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 5b27699c20..62a912aab7 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -59,9 +59,12 @@ sections:
- question: Can Autopatch customers individually approve or deny devices?
answer: |
No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported.
- - question: Does Autopatch on Widows 365 Cloud PCs have any feature difference from a physical device?
+ - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device?
answer: |
No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
+ answer: |
+ Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- question: Can I run Autopatch on my Windows 365 Business Workloads?
answer: |
No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
From 96205dc38cd031137012b0e39cbcdb9e1474f871 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Tue, 5 Jul 2022 21:21:50 -0700
Subject: [PATCH 138/158] Update windows-autopatch-faq.yml
Updated date.
---
.../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 62a912aab7..109b68bdbe 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.topic: faq
- ms.date: 06/02/2022
+ ms.date: 07/06/2022
audience: itpro
ms.localizationpriority: medium
manager: dougeby
From 9a8150b345bc76a12ee65bca893636964bb2065f Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Wed, 6 Jul 2022 13:51:35 -0700
Subject: [PATCH 139/158] More articles for GA.
---
windows/deployment/windows-autopatch/TOC.yml | 44 +++++---
.../windows-autopatch-admin-contacts.md | 3 -
.../media/windows-feature-force-update.png | Bin 0 -> 172513 bytes
...ndows-feature-release-process-timeline.png | Bin 0 -> 58777 bytes
...dows-feature-typical-update-experience.png | Bin 0 -> 172468 bytes
.../windows-feature-update-grace-period.png | Bin 0 -> 304212 bytes
.../windows-autopatch/operate/index.md | 4 +-
.../windows-autopatch-fu-end-user-exp.md | 73 ++++++++++++
.../operate/windows-autopatch-fu-overview.md | 106 ++++++++++++++++++
...autopatch-microsoft-365-apps-enterprise.md | 18 ---
.../windows-autopatch-unenroll-tenant.md | 59 ++++++++++
.../overview/windows-autopatch-overview.md | 9 +-
.../windows-autopatch/prepare/index.md | 2 +-
...indows-autopatch-microsoft-365-policies.md | 33 ++++++
14 files changed, 307 insertions(+), 44 deletions(-)
create mode 100644 windows/deployment/windows-autopatch/media/windows-feature-force-update.png
create mode 100644 windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png
create mode 100644 windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png
create mode 100644 windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png
create mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
create mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
create mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
create mode 100644 windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 97e466d258..d5071f8114 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -17,8 +17,9 @@
href: prepare/windows-autopatch-configure-network.md
- name: Enroll your tenant
href: prepare/windows-autopatch-enroll-tenant.md
- - name: Fix issues found by the Readiness assessment tool
- href: prepare/windows-autopatch-fix-issues.md
+ items:
+ - name: Fix issues found by the Readiness assessment tool
+ href: prepare/windows-autopatch-fix-issues.md
- name: Deploy
href: deploy/index.md
items:
@@ -32,17 +33,23 @@
- name: Update management
href: operate/windows-autopatch-update-management.md
items:
- - name: Windows quality updates
- href: operate/windows-autopatch-wqu-overview.md
- items:
- - name: Windows quality end user experience
- href: operate/windows-autopatch-wqu-end-user-exp.md
- - name: Windows quality update signals
- href: operate/windows-autopatch-wqu-signals.md
- - name: Windows quality update communications
+ - name: Windows updates
+ href:
+ items:
+ - name: Windows quality updates
+ href: operate/windows-autopatch-wqu-overview.md
+ items:
+ - name: Windows quality end user experience
+ href: operate/windows-autopatch-wqu-end-user-exp.md
+ - name: Windows quality update signals
+ href: operate/windows-autopatch-wqu-signals.md
+ - name: Windows feature updates
+ href: operate/windows-autopatch-fu-overview.md
+ items:
+ - name: Windows feature end user experience
+ href: operate/windows-autopatch-fu-end-user-exp.md
+ - name: Windows quality and feature update communications
href: operate/windows-autopatch-wqu-communications.md
- - name: Conflicting and unsupported policies
- href: operate/windows-autopatch-wqu-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
@@ -51,14 +58,21 @@
href: operate/windows-autopatch-teams.md
- name: Deregister a device
href: operate/windows-autopatch-deregister-devices.md
+ - name: Un-enroll your tenant
+ href: operate/windows-autopatch-unenroll-tenant.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
- name: Reference
href:
items:
+ - name: Update policies
+ href:
+ items:
+ - name: Windows update policies
+ href: operate/windows-autopatch-wqu-unsupported-policies.md
+ - name: Microsoft 365 Apps for enterprise update policies
+ href: references/windows-autopatch-microsoft-365-policies.md
- name: Privacy
href: references/windows-autopatch-privacy.md
- name: Windows Autopatch preview addendum
- href: references/windows-autopatch-preview-addendum.md
-
-
+ href: references/windows-autopatch-preview-addendum.md
\ No newline at end of file
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 2ecfa99202..47d7b8677c 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -14,9 +14,6 @@ msreviewer: hathind
# Add and verify admin contacts
-> [!IMPORTANT]
-> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding.
-
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
> [!IMPORTANT]
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png
new file mode 100644
index 0000000000000000000000000000000000000000..a1752b7996854038d408b0539040c21bc16de004
GIT binary patch
literal 172513
zcmeFZc{r5)|2ItbWGCC$Dtic*EQOFt_GL(DVv@4NDEpQrvWpm!t+I_>kqSc$S)!|u
zr5Ix?A$yZ$+@Et)SJ(CZet-AxzMuO!p5u6q`wu0}nDhLcpXL49-q9vTr%dCs
z%&XFsg_`&06$3^UZJZ76ej5$wO_Q}d|GlsB@VUySG&#ft@NIXt`bgSgYcuGl=byZ?
zEVs1=-`21698*}>`o7{A65T?;#Y*S!?ca)zrdp3VY+Lunvhj$xO_(I{i?C8`eg!y6WbDd3TEB+$!>C)e{l|Mwr~kr`0(rk
zS6*A6S_{InkiHR9BN(pV)2DK?izkm>-el!e0+LWNpyrLi#yL8}nu5N4^dVmXe5Gyu
zGk*-e;`|raoT}4oZ5Nc72a8d;Jq{ZM_mmSdX3yonksJ^oFQlKeg?;VHFK}NvnfKJF8g31lt+N
zJHlh@HOA@+7rGsu%otHGSw~+dzv9TnZKK58ZEs=phuiRz{^(q_JPCM6bhw&o^H{n{
z5nTW+yvFwvkCd#R`SpFW!4lf_eF=ByoyFwq=By0LN|tEM%hpbsC{kKw-DIaya-URT
z>pN)@Zldfws&W~FWT=bIy$rs@!uY5|IJ91S6e9?xhE0xRoHic3LU(P2`!Z&A4ishF
z{_oQ67mSi%1Z5cLezm){dpenTiC<9f^mJ%`4C6?&l^)Kad`AI
zNRXcghn69=61~^M>3C#;TH4J_dgn;+b)ZOVQJJl8-@hA;Lt*zAe%*R>uH_-NK7;>z
zi~k3oVx-^MMDNRK=~(q)HJKqmie{Be2tfCyYtqAmr~C
zMVW}dcSYbF@uu6N7o6u==?De%=@{&9)69!jGSD)DFP2xouR{u~OXh+YXkp?j)W(Hr
zokw5E%Ue?0)(ljcZ#y0~pP(pLV{1n!xw~q%A!-JOG?0l0;u@S`mF5#CvT&=0TxjIw
zZk~L0Me<_oM-WOj7|ZV|i-mwqAU-;Lc&tdTCb${iF5v+Wizz}0b2|qjXZP8x`Gyvu
zn!vBUeNTByl)2ADiQ(kwn)vwem=boc2!9h4nBRG~of*qF==MYF?u}gEch7y-TwxYM
zJmSdZ{oy4&n#eQaO2uuV=dD!lh!^o#nZxq0zs>MNTu!mNk8dg+>`9k@c=VOyyq_p5
zOr>*pdGG!#^XB|4g6UR%mWoMhzpLri6h%3nooU*@>$J!`tAOpD$&+omy(mm^_nTAFF#sDAQZ
zH^@%aKgMGl7~jl9*Q$`2OKBzW@D<7+5V?^wD_2v}MrpfI?ZD50@H7}Rab2>Cry8-^
zo;nvQ1TGb~{}`8Y8+f!HrMa?Q!z+9qs{4!UTFXk+D+bL{TJxa4Y0VG=*;cN_0-}u)
z*Xam018MJX>ccvRS7KyPxuf7sF*2&m(rQdso8S`^3t$7^-c-n}SI`q>u1~9>qlvX;
zrNbTV%W&4;POIVOI!?$XNRb{4CMk2F)gDF?Z7*|k^5YPkU@w!X>z{5SMlqp^F2@qY
z*K!GF*m}!Ysyh3AqiEi`v)xS(dS2;S2V7`=h>%zbaHT4L?j9p^HUTcAot0WM!*zJM
zV1q(-BEmsGOA>s5l*SvQZcf|bLW7Lz=aEft^AqAm_dhXae{($Qm!;-~k=u*&{!oWH
z8nkhP7kxn1rAwMJ^N4*|g#PAaM~Z03RdMEop)L}pu9Y$%Q0_59jEpz9M%&6o?f@K}
z6{}goRhGIKa27SwxNH%ZMpwM2;kTXpEHTw_}+y6SX%xWcJW-GqLXo6!vpv01Zn$P7L@fCu#WSNXJLIo4}+_wu4f3Gb>@S>2%V)RE+WP}faM}Jbm+26jjO?eIH2^E3zF315(Z+yF
z14kkTl`CLFgI@ph;psvb6E+f!<+dpE7GoYgsSOOgE>Zbj2ruWjkO&vLzF3u(Ta#1d
z!q&k@^nNWYx`T}|U7Gor|5OiTg)E!s7RlH2ETTV1hE+J1wd0c&!R;uVlF;7QSAS5kCBe~ZWZ7&_2js-f|&a(4~^_~dfmko6$w%@qX*ZBi4&%5II;O4GX^_p
zScN<*Y30tif9727J0}
zunmvdjJ#N~aRLU8-buq|-KO{qxstj;4C*5DL(d0SKa1&QnA`G?12|N`
z7l#&87#6Ao{>_z%fW!CKWt^d|IRIX#-EM;F$h?R2Skhr5bs
zToFGg9{UjRMALh%XuC
z&P6c`%srdQew?QhWqDp37SW*Iy{7cOTqH_N_=S;eFgS0i^LK+zA)Fq8R_lgS*&WS_z_ao?-_>XpDosI=<
zu9pdLSLHW$=)U3~YuH-u68ze4g|Kr8zz5GVNKw6XMB7a>OvTDIUQr$kd~B>OQBO%l
zJ1E}{o1nUV1eEmsaMF;<;0Lewc1JJ0VjYWQeM2V{_(sip?#j2Z5Ul!AD@STtr09?F
z48NOkRIJQZXr)*4>j-B~ar^E*p!u9SRsMS$zx(QnHmT^@=E94hc=NqfsmQBrTgV^J;e#gJouaw%o@J@ACXhzH)P6~~r<_|R4g*;%Z&
zK?DX&_4VUPY0U@dwVshSzPRjkIGh-7ieXA%#}Aa*1hDHr5YF?n*G&!g@-=2prIHC}
zpySp3bl+LwHdM+QbD@nM8TsF~Hqa`nYZZw+@#h_It~i?}gPKI8sBYi!L1}=NhDDg=
zQzXH{>F?nDg)-F*_HyoGOr=IJmDSRvWL3>4Zek~m*c@`F<6-TsR%KpueGH1=2#?~i
z-Gb0%Kal`|ON6M}ZXp}Z+x`ri5z8H0hg4ykD&?N8lXV?A_4F*c*r_y|t=0%lZ$BB1
zt%jNGfJ1w9)G@7b(RaWWUD`$&(qF{_pr?UUzdwbt7_)Q8L$Ur18c^>w!5O3;w4rT_
zmg1MVZM=@_#MG@yZ)kstiu-ew(o(NOfP1j;uhk2I4JNETJVrCD=oW$4m7}^P
z-#QfH*NhjE?k{xPyB{u^xazM5YJgvIdlkih2acpQ|l_@&dIwq+^GcnTxl0+DOA%;
zb?t*>6)vXJI0A>qLpeUG?tFt#LDVReO^na=_AJ3*OFNn}|IN;|b_j
zxyUVchDoyh`BArFqIpA@$KG=*)31X9W_q%=tCHT;t3)a=6ndwd9CWi;(d6sZ1J{5F611IW
zb#&9k8TTVRwP2h!TcV8^nF%9n8&go2P@;zmj6^c*=d_EwdMc5D7kgB%zCDE1#$8=F
zBV1Kl`WBspm)rAfYWa`-XNC8kS)>dpRy^|3XHD`bDEL6321iwifTCs77-nI+h5HIs
zsrs^jDTsD|g;K&H`sp@qDIl0p#N2O8xT9aGl)8Lb5POd^m~|2aR+xtCR_~mT*rDd1
z-JDD@F1H&m6bfe)TfsY`YkDco4ro+CNxo=YR(t7u%$JhgWIZ^
zfk~wL3PXBpbh0&6A!pCx1^9$&t#
zDT?mkOJNj)!8oFOr_hLno%@dPPv9h9egEnXi>J>Lj(fAqLFEGN@meOoNeekKX;_N2
zeVO-%M}n&RgWjMn3f)z?*cJR|B7k@I+RLWp&K@T(6k1!$G6?Cp5fuvn;IJQiWo;c`
z3NQ$|W=aX43~5LsuEZQ`H$Pb2URW
zN=_pHQ<$2bb>09@duYC7@zEv3e>lN9?qgt-ZgTxB_xq75_EybVgKq234BzQfK0jD2
zyv71!L3=-u0%-#Bf_X(n2O_&vq|6v#5cgSg6p20~gJk@ME!(ijPVA#z?aVCx(;qh;Q
zEUFio{pV}mZ)_Hw=nlurd7WZ{bGR;A)qsm_1@IH_4EcfcR
z#ogwkD{PwrfQiUPrm#yLOJdeW!l}^n$-SNx3_w!p(=@V7#jI;890R=2*
zqO6uBdRa
zwLA0}4(}M7ah*fYc+{zrsk!J(j(nfl8-=QGq~b|GUS80cdE%}fxNTM+F0`$r>ZvA(
zpSLf%&qz%A~spilW*bdkzbu5C?@ll&>pB7Yp5kKU`F3
z!bowLh{@bffP3E;F@nXK0*c_TTh~1&Gxg`$KA%CK4IAG-PP48nv0Ba^8w|5bQ(n*e
z^lvZ>=XKMZq=Wr*%Vpi@s`zI3H>T#=PgKFEEXfIVp{RyfTB!E0NB{&5UL9iT=S7YgHZ(-`WU%ML==
zo?WYqUducy*SAlPk4{I4^>BR}6
zcnIi;g>5VyEF$WUa@x4|)sMR$DB_h}`}OGnjq%E&OguxAlxesrl`l7z5*$j}0KAWZ
z?p;6!_e+mK56c4#ehBc8F~wd=jTbRB+2Cp8F&rl3;upYsum)xU!O?Eub(j)j@xd2R
z74ZM~MA->Q$WSv60*nNQ2XeYgO19P+2JRbLSa0OPCSEWNif5Au-(rD-0024swh4mK
z0MCX}l)U5Z&cADY^{8%(cJ?0-7g81e72ircJ5i+A4`>6${||3*fLBYjX}0Ij&;41y
zD0Y?PJVM){48X3R1#(!p+Gl$+R&&-}-KJbkbr+a`v6wFb$m9pz#j5z(bUXexW<~K#
zUW^ISIcvN^%^LSVI~rzB!b1A%tAaKn4?uDL>1tLz2!qFT2~E!P(Ze+pKbzd
z4r^ysgg{We{P$g=tB-Wbux-*1!W_|R586U)OJg-DD&d>*4KOi4`rtc(&2@odP~P9T1QY;36tl{snxJyOH8jBj
zl-Svcg^&uxjVGK2FOKHEWet7^L_|;kJ8nwJ?ucPX>~c!&ty*j7K@2HO-!83&D|Op!
zh4ykB)){tN?mT$82XYHOabgruS8M3|xH!=`Ht_EFXgSq{Xn^Jhi%AM;xH!|}NAtnQ
z5=#i|avP_>XDvZHUGJbd_yujFJR$umCQkA}=FozuVHuZ8{3-!3N}V%o5sdZ{d|ULg
z^QiDavT{MS#%v9^SZO8R6y=)U@GjT`==bWuI72#U>SEl$)U}*%$FtG(BbEyW9Ue|I
zffC%g2;%1fi>MFd6nevBOUNCpcAM40LB{~ZlmAfb`oKkCSo$gy5N$_ktv)Jq+Vs;A
z0Hr4CzE^f{x!TSlW~p*M#k(7ztZt3wuzFt^9%Gb#Brol_g?aW6&?aiQyZ}+I;Q{VH
zzva#+067wbG)K8FgWL6+zCSC6GC?f?Fggfcs3g`X+o2%q?VN!0h(_N-F1L|V!O()K
zJLzkO(^}&;=ts=%%K?v+Z$d6z9@Hg9fXhY#ycH8$0p>OZ^j|R*QnHQ7FTm#joymRj
z+!}Xxy2hi8uJnhHl;H_J7AQJ^mj#44T^k;}3?PsnH0>dGgGx}RcFLRMaAQ@-_Ox0q
zE?e-*lD1GHCMY|-xXvH}NW$Qa9vMYIG)N6H-{h|YG|GTna2pW}Bfv%Om@-hgI(WcC
zs!S&+WS8p
zW3pU;f6%IYc{HDZk=Kb1pKU2JeWoJS&x1Jjq1;YQ@2~nMQ5B#VRWp`l3q{xs8P7&t5!~+*G0NXJ2
z7kfoQq(mUxMV%IXA5d**d2P1eC<==Z-Yzf_jDBX+|9&rUhJiVUFe*0tf`;T-lSG3A
zPD-oS{Hm4{Cj#Li&G3~|-F?I`2x!`=W+mUV00Rk*NJr*8dQhC>5T2Cf4*atQHDF`#
zg%%os1cOC>Er?kI)l~Ua!+y(nD)w+_#Mg6n<+p#z%V3N6b&6ZAg{puJ{8eUH>@UT+
z33h7g$4>l!#3^>Q#(pU1E#7xm{90+alrg9>Cvfm%W|ttp;X&d
z*NKbc!CuvQq*jRdFZxM@Wm78wVWPJAEMdeQ>qbSpZ}Ga(@Q{Y~j>YzF1*Wsbm&_VM
zE>cCg>AeazPBf-|SE$`(O)wgh?R3j8W7hD^;p)bG@(vM*(0wasX03jl`ZCwU4qU4A
zU3fNA>NZk4Q0=H6@F_29>q`rZrmL~W_eWk|240Kj8mRoZIkm_b{n0*Hc&tzit6U8d
z9M^ikIU>{{f*vlO+j;^#H6v=JF8QD0M#xGS(Gvu!d-7Y1Ng_CKK_wf!MK7gVAV_={`Rvg3v(ss-=-h5~gzq?wCO5oY
zZ;OU|%Q=jRgaOBR5)V|}2x%BmbB(JQmo+SRN)MFVy{MUe3V6r$ZpGfgO8b^cRZ75U
z>q@LY;MhvLdEH~GX&3{S4!Ov*@#$gW#@8zcDYquzhb@^SorTYMbU(6V;sZLfIM`=F
zIm6&*F3#qvSfNK7!HiP0vXrGoN
z?r!wn6pn-(m~?Erk(fN}SWXD(d(Cpk-=2LiH5WhWRURV3?{XD3!cQ!y*s9{fTX|lv
z6{oh2{}6M)ELa(zIAvlj6GVs>pB4C8JhtUqk&p`P3K0&y$C@`6KEBwz$sK()Ba$*g
zbiUr>hy@ko%lIi|SY=Uj{7;|d+Pl*xB86M_T@jDw&RJU|R0*ivC^DCZq?-tT1G18`
zHgVb{L-DOupP$%vzEf{De8&8rBzGn~X6VzO4};va4Pw{MTiljj8_Cz_z6vt}Vh(4(
zC<86i9_uafToK1bVLe!GcoOwLYtbYB4KCV_I&~v(<8z^-C*NJ9+xv1mmqfO|U#G6g
zGs{HPhuTKr3gV9P5ns&t+5Z*Ia9Av_0VWY!v6QW8jrqPidGOR(_j09o=s8nEA6}p7
zsY#)PCd}Zq|K$nuk1}@S^MRrYEa|x>ZJGc-znR!an0tF1?*xkMj9E+Hl^NQja^Lo*
zOE>0_v=QTXJ0rIM%WWWvB9;teP$wLqS~QTT!fLUe<5D1!>8LcEv>dgsbK(MDGElCx
ztD>^LyssGB+^fdN{N%$px9QVFd<7ppbM@Jolk}DME^Wb4l7e14=_iW>G6<$9-brMP
zS(YuB7&kjI)xIM^5yL?bN}v1zX0R@o4UKb26DMyvZ*?
z{A53wos_TpoBq=HgOw~aI#K)>FZV2XwzzQgz0eB@4zFvccoH;c&uOb;B3Mj;o2p-h
z6+x~GMRw`N8tfgG8iX)VKY@pW0;&sJ0bQWe7aV61OXV~yua~H*FITaOCWt!fMi(mr
zC&q@;KK5{abF8zvu>2Z-3eqd^gv0FNNMd=(2Ch~_XwYZ>vV-N$%GvF8FiD%;0v|9)
zQCj#U7`5Jv_DqVitL~8w{W|irf`#H3_bVNpvlsnd9Tvy|^1fCJWx`7f*Y8$mn{}7a
z2^DzH83*9G@NA|ut(qEpXyOW9LM8jm9K{u43Pk&4ioq2#`A;QGvSN{{ajHZ{i&
z-f)bO0p*DfB(=vy%TdKR=##$%1)ji`Xj_b%@MGu&bwtdD{=Pn9vLY9^0ib*#^6sH~
zTPt?}m(?1&5rBWld;vKl+;S!(Yfw0%87o(Fup+3{sImH)QbX(a3yE%}fRG>Hx@It1X=ep!icJYTd$@5m);Zxl
z9MKA;tH*q*BKTbU*eT6r5-+~t>E@^4{M_BBvqcC~rUUxD90
z67%C>gu5NSrW6w1h9`S4BInCvRTlY>C6h9rq6FwJqy{k#C&~B%>)}|)M}%;l)dj!&
zv6%xJ70pqL&qUw^*46MBoj3TLCrnc}J7(|@q_s0}diTwRh9Vy}!<&<^zw2yxOM*p${
za^=v96W`x_cX#w_wNhsdB_u-4H+&mipV8bIS|4_i)B85$B(#$WN@|R^MD3S7K6V>6
z>p>Z9!)=2l&&vsm=mydi?C@8Q64lRsBa^qMYrp2~TnYG^|K2_L-YuM4J3h`Bj+bZwC
z>+pZ{E!Moh@Fi!+#xgUedb!gV@U*_h3!T2a(jBGVQZVL)Hs?|Y{{3<#LvItx!t^%*
z#+fMBa70gO~FC}2$qUFpcY!FO3Whe@&F4RJ3cgU&F|Ayo3EwW>s>C0
zCp`kk&J{Ax>(2x46))Y<+0)TfRRH@nLK>2inEOSHAJs}r0#&**%whS|K8uhgcrz0T
z;GcDXe?;B!U~6K&*tRMH;Arj!BQ&H9Mc_Rx3Fjff3pi*fxId_f#;3<^+Xo(vlU=oXlJ@R;qeAS)LE8>PlC3d~Zn&^rNa16Dm$6P?F*L$H;E
zW69WOwq@$Y5#=rS4MwcnE1|9Yp1VOVuf`yl1yK$bA<;R`u~>`@QfYT%Qfia{w;df0
zV5o(S*Vvm#*OsMiY%yX#Qgxj{A$bY8cfb+QU7JnWAb1VF2$wpoqqli03NFL=8
z;N)(c?UbYW^r^t8|D~xHp3xorsN2Ota0d?nB`+If_kWN-S~Q^(hp*UZ=V`<|i*42=
z8-bU!7|HORV-N=hi_*5|fvN6m{*glWq6dHmNmRWIJc6=f%*_bW{N=Yx!QwJolKVRL
zR++W4M}!Q)qj{x~1XkeV8g*!EOjl`*YnI=Zxg6)foOjj$20nUu|GUHz-1z*{F;c}$
zMmL;4IbAKbV}y=3s=l?)-9R1u(cK7~x8n~@u>G#q-!FBO+}i?PUDJ8S@E#@2e!c9<
zz6_>shfOYJvG?IylSFhzzcp!9tDL!hK}mbDpUR;w-4=M0QkvIlob3q}FxbZ##^
z*v=Ud(?wCb|47~JO`uvoIOIMXdJ_O{X|(K2zy$tzFlv7ds`{j}GSH
zE;HKG6#fH-OUbwV#mMzj$^0~2p-Q_p^J@@*5g>Zh2*S{&jTW_64
zv>Kcjer!|Jig+
z>ms|^hGE6PJLK}4JBvrfBiCu8KdrKbGL13VkLY>fOfKJTfL!yCMRk*guK{2`l>Uo<
zj@J1Po_S+#E#1NQN3M2MJgP+v*BX9Ail?}VNguCN*X;3tNaO)_hJb
z@mZtUoLsl=XGL4=dBcDD-M_svGGX&Kw2&_Mn693=@AS}t|
z9P>p_^|EK+cb{krXmqNd
zc`^#z9)@j(WV{(PJDffeMNy8U#Q>?kn`i~c1<
zsI>n3WWn|gc8iD!K@RSPjyFr6+vn$A3=gdv<~+_63Vf?p6VSP_`gtM;enD)@@;7b=
z;CtKIxWFUmz=a{%^~ni0w;ldtBXZ^b1A@*U2eLo+HPi0n!9T57N0OC>-y#tmnaM~<
z&mh*ZStP8)X(HPbYPer`uO*&2UhEezLVC+RR~waG*)yNBj`pDL$!&`xVpfcSy%WlC
ze2L3tzsQx|oOiEfyy+!Is&H9Kx3~Ga-J$RvUh^x&a)=Xb)y^taD3S_i(AH`-2dUNqc$h-MKuMZRbtCfe3!>nFv+vZ1=dOb6^_J>#w{Si|;mptcg;SFDZbW7*
zy#oVDl#`HD9LE;J3L+qV{y;!(jQ(kfMcxKJ;9BD`6F?B2ciN0ok2&&lPbwh3xG^4h
zY@$QN^17!_z}(tWZJ=Jup*y=sI^&ku2uHjx{YkRq2rF`CZB6Gc;5mD7V;WXIE<kb!aVopS(iBiEU1`lFts&bh@-_tu09!LBIn%-YXy8b0Cb8t6NG
zT{9JV6S(+`0jufSuhN<{^!Z(3MY%m4*VNHb>I`N(P{OIvCfu#byXb+RzW55;I4As7
zbxe4y
zU*9Yt#ww(-L9Qm+4_Dt6=xN~P{G@@PPzyN#HuTGYQ-kX;kR~4D6`;qMpaQw3R4i7|
z$jO+guDJ(2$kOS)h4t)H`*cWdY%t%CDjh)R}2%a8C^3rW&0TY%)iAGrD~fI5IuYr45yO21UU%M`VhL=YQW8_
zY2*U?xu`qHMZr;~ULeu{a#2*ln;Tve+n&m!Lhmov_1}N{`T|U2gso3$O@GwEgZKSQ
zcYd>3AG_9lwzoLOCn6X)fO+Vq>0P){ST`kPgy*C-0_sI7T_5dRD=-iC7-&NQ4$FPA
z0@iD2K=lKbd#;}dh7IH_MB6F318C5`rsGQpAlDIy3pA^ist9;2uj{yAy>XhYJL}%)p|Q
z0G2`uv1jJ4(Uf&$2S3E$D;KbUSVNqnJjwGc1~`Er(@niY*E*B|*^+>!8Wdl{!MAa{
zk58
z$Avg_U;Q+w<0Q>vl9YF)RZuRMs^gvxD;51cU-+v&>A^buaNl%k`o%;j9^nMWeJ5b{
zbBr^I_{pnniv7$NP6|Bvbt?vJh=Z7I9#ddF#nqR2n74g&59vDUzJW2!viVlGD-TXtoPu05P{;|=
zS$?LR=pj#iNdgO5o7l#zO#Mn1>d148AJ=%x)`u=@Pk&yc4VF&-cX6)*$PN&y8rK`TEd1%De2Spb70&z^{hLto(BA|~5*3Au>K2P-{9ZN3QZ*jvQ7=eyQF5THB>ko!6A5Q>WcVuJ5U
z`&ZJk!_V9O*XSJ5bUClH(a#nxs20Ialt|K*WhgrNpMLqMMkN1W$`#x|)uo){xU_`k
zn`Q%PR?M>3W)9g7OJ2kwhNG$KTpxCeRRHQkA2x_}t{V)~x3_GeVGOCV3KVwdOmg7&
z;0hT6#g+Ext0+D?E}!uaKJ%&L=JP8vtF__hnQN!IVAhAf+X1IG;6zAa#ei6&dn;lb~&}3uYAVwoXZDK{i$+$uAoqzhlqK|X8@)Wm;#{B0XM_V(f0VK%h
zNNcEf!bd6bdnzcxEZ_a20@vfL5~DL%mU~az?U~Q$j?^2PsF|`oEwZOMca2q9ZcS>@eg67!ra9L%^h2jHc+
z(C-=d)@W3_9Yi+N$`^k2T;x#brk?F;2UE~uIH|wc_3_EPXWayNueCl;+qaKOI;g9B&=MYk*TzEe@#DIboJ}dTT$z{%AejA*X5Y_
zSvl}p6A!4tfCE49QxW8rBtVf@7uSzr!Ar^O0L(S`dwP(%m-2AT9yT3xLD`R`{3gz%vDn1YE`POVr8^2pB+#$w>Qk!jGD;*7r
zr>W*amII+&NW|#3&_@?t7GmG;ZNSF-q|!rIVz1XwhRTUFE|Cl=SvvnYE?{hqi_QQ}
z=_1vH4w@x1V;Oo5O(^=AX|(j3+JNjq?4h{zgK1k0(p`j})Q3g7j01m5dj7S~X`cmA
zv;W|W27p{Si;xMNn4>CgM)7h0;FxUkD;2LRd-Tii1qlialqd%qahCmGJDt%|nd~lI
z24PZQ`~W&8u+GrUT4l+Bl>Cp}X3R5{B`OshdILU_(;6yI4E1V5T$0u1YDxq4n)Fl*&#dZ6{
zW-scQV)QN_F-1w9^?JFl+&}5y1%6gsDAH1}30rN|>R&KCZtXH$k{bC~c
zG=aBD?wLun(eFmLw5Q-b&gTY0et6n`SeqRKfmikKmNsh0(gqTHbB4(m{HC~iOJtu-
zvbzjb=L;1U3*hJ?=C2XrAD&LE&Aj%!Bggb@fg%5wF>DAG6@dAhtdtdx^r-Txl8UT1Bck)U=`BE
z7%}t2QDrb)9w~)Y*deXGM^yMAcAS6(9OMSi$zEE^$?>0+JU0L2oomxg%Jq>k(!g`?
z`C06YGHc(L@)y_2I(V@5j$D}s6I5Pu45BaicO)EJP&qbp|N7jc6r*Jv&iU}z4p11Y
zpmbv-vw-ty0k69V>sx)~?BIx~N0gv{k?|1$)yr?oA@)6mgLza6N{H^-nSKGVe-OlA
z9FoXp-oG5i(3@CtPK80@>|mD9=;yJ=#v$8Z5M}OTjgYnJ1+XGDXso``A$_~QPJ_L{>x#w(6(E9$F!rdlLIm|^2QKSjB|3PYEGi{XvA!!Q
zf8Ke$f#1Ep>IU<&rf5++?0TH0A$Rjt@4fbGt04aPt@RGxgXyy_x7{T=fg4E;OKtq4
zwBww3#P+O}2J4Yv<^*cV%7D3JAm$0is#p{EZGFW3>BzMgufGNgHyKb|dp5OyM?edC
zj9xDx<4K9uLFU=Xh)2axm;jmqpk2&Q>E_?$x5)|V-(uU~O&WoG3{rtb){ifz8ecvw
z==Vr7*6VA-w{tN`xLIL~%K_Um>aQF|r`(L2tXPcT#vg<6KdJSZhzkS=%Qn5qpOFna5{)XLY
zK*&34-O(4b{uExn>_2E9_5G{0@1&Vw+xqtUNH2$>rR@s!+IW=EdPy;TZ0yDB4N{Y6
z-7`<-c)n{MEUKTmasG@*E60P5vyujU`(LYesdN`Vt@PSMo9Ed7$E$b7n)CC^FRK;x
z+wN}!EO&@+&U;F^KfU&G4lIMpfUgbjQ_L-0zRNUgpDPnhx1WKW`k+aU+1z)S@*#4Y
z9O>Q8JG<^}yX)_yw!c{tcdYczf;(
zzIo#5_mjJ73T-d=^{Rg(_M4T9ow(cs;dCtP(vR-HegiK&cZ3J0
zcWf?;U+z{or`Eyd(o)d*q9cTE$?;fo-h+S<@>e~nPOF++RsW(
z2x@OaUeJ&(`8caK9>HTR$EgEP3pdDY$#xqOnQRmLhpKHI=n@W?Qm0asq_`+urPpHA
zDi&iBO%I`c`MH5!&l2@T-!p@i&dW^C0d7mH>Gihd(TRAd`;Ef65>;BOtoy)nDbc|n
zEb($3{z0u*%dP*&t`-=Tu9pb4ruwyW8EKyS#k$x0lXag|5o>fFYyBD9`lmPFih+~N
z8aa?Cz;o|~g5Dtio4)J3t-+e6IEPS?^S}S<#gFyV@74P6)+S4)*}0^ry;^{z^kaM=
z$jCN*M5;D~S?bt1!_Tdij(gf6`^a)H6N9O%{SviNResB#TCrp17MvoX1jTdrua)B8
z_UK&Ug8HTaTX$V+Xb`YPi~boS^EAv7w1h~WxEU)1THw_7<`&?S0q5pA)EIMYr@?w4
z;M1YaEx?I4(a{aP#l^a!I=)uo5Wv<+wf1lj05g7I68_OYVtz4^4>M>+UMOV0IM6Q+
z(*k32)ovQZATYI&7x=cx&Sua)1vI1T!oQt?a*{Ig=Cj$Xn98he=?smqRJXa&y2pZ!YV4i#gE)@T#TqQh^9^|uu11k<>21eyBJbCl}%b$tN
z;2ty8m3^NJ?Odgbt;gY|R*dhey!pmu<7~GS>J8A{aC@Q<_Bkz5SJGQe5vU+Dsh2!1
zTDq#zdziEy9gNBn)$`luoj?)Qt0lRg)bV;p@IzAlgCNt-9z+w6b$~EK1v}lawKhu@
z1kCYLq%hqXi`@s$zxOftk!ub>Q$T`P-mi8&!_Z_HLT)QD^Y@3|m9^(GWakPlHjUIa
z1u459OX@`X;GEm_6B0VAzxjiloGIdB`X5o
zKXAl>ETkNZq*SNg?EP@mgA=VOH%+SL6;W+TO8spIr!2F
zi2#E@g_m*Z{gQlZWv+g`ML=u*^8AKzEsl|Iowr&SWJIR8go;il=mJ}iC^P64qbv$q
z76Eb*@RAF;t;#@t2hj_$eiiCvJ19T$%pQ1*Om$$L(`J4+#Cp7n#be!mHJz$_AxLU)
zFr`HV9`pK>cC%$X>UYT`RH-2bX`Xci(-7*pEaZ*QKW-AGYew
zjPi)ztx`y2#5#Xc?z^PHJlOJa`KVSE4pNP(8$e!Swvf1daBcM@Po)%$-lITb?j$Op
zG$}1BvWea2&$OGUdkMh*A)CTMxAx>X0J=j6uVR=&xokg&4HsII1~}16vPX66`y7LQ
zcI@k~)~zZ0yDC{T+H3)`OMjKRyh)%@PgQzV1f}tR$SeHjKnbtgb)cXH=>yUoLj$8OrVC4{+YFvsa$$uPmL)o?kg6%s8+t+>3)8^aa2+alW=h38m%-;Fby
z_CG>kgGtP$TV2hMeOVU*8d|WTJ8p3MKde{~%(@TueS9F&A~hECNvOe7J`M
zh4i9u>Z~&|f2cLY=;sx4$a(aKvn`p46F^q$1K4dduO;98$qR<3{iNQ#4ut>a5a!_h
z84>ww$gQ%DOh8I-h0!H)j`Q!-I~mnMM^fF-Fi1uz2qpR2}F^
zvTYaGb*L@s>dw4fVEE#`w_ihcHiLQj^Mt)e+>|%x-9v2nkMFTQe&Ws_VLmSz#ECsD
z)}lv_D?~P#9cCS?{OIAYlayp2sC*sAWo6O$nz}w+?*-oXBO<*2{l}(sJZ{;=l2Q|G{pt9^QVzh2@-)
z8kd=z=9U#7k9#8mI@*5aS3T-Mc0|MDctF(5V&zI{#PS*5?1q-d#;Q@I=U>WK=$avn
zMwiihJTfxZ*8g+9_kgw25cplr${%l}w3Bfr6h?SZCfBY@smvLuByvGYUZ31M>OXl%
zpteoWQ2e;zF;I%{hCt$}x#EzC>I1#J*#Qfxo9&vUahF1!DCTVGr8%=~|CcodJ|9p~
znz3A@Hd3XE@9LkYH*aa4k?1|@$i~k64H*6d#(W1Pd(YiUSxV=t1=x0GNOk5u^4Qn<
z$2Fi&4METDy9vG2v6nqr{XP*`;!5F#g%ks9%q-5$ZGgA2ZKjt^l>B3DoNURbMNOcK7e;)>g0>w~qhOx58@^9x9`#+k*jqvR-Wzfr_l@+2+&Y(Ae4s=Vb;^s|e@31#u@-e)Q~_`~=%RIbWR;GY-)+~-qi)U>
z))1&wPwCbFk=BiQ-U#ESAxj{?#o*!MS3!rI-N(Q%Axj
zw53$9uVpx8FWI^jW_d5eV&LWrYwsSOX2HJk8F72+=P+D_JZ=0(OK>O?rDJ~T3yK`?
z;j8O|$V5MdfSv7c0kCo}$Iv7fW41XVUp(bbqlD02ty_0r)`_Gdh%dRfk`+oG0v@80
zr4M|@XT3wmS|p#{f8O;O3v~{0TCNOC|HkWde|$-}uC$Il(1=S+rL@ztGmh)K~{gtjc?-
z61s0k-4y;qsLGe}d-s@qUwvo1>8&y5*(H;a67xw=iE^n7urIcrQWIFY48Sq|r)eHRnEw
zugY$(GnKzFrnW?;_Ex>;)xv3cc^Z1$bvWG@ZBd$ZiCH104?U?M!aVyZ8K@-tf@dE^
z>4gr;EXbLf++dKVgd%0Xl+Br@Vxt0bJ3-~k
zo@HQKLw%npWRVdE$niQ53LaMenJN3(!Sq+_4fq}$)JyP1x+aB12$fcl{iU@JsKb`P
z9B3-42I@y3cDDjAm~CpVLbMsVo8WJnKaimQnX-=cvl%aV5SnZBQ|yQDxdnyqs(=r>
zUvod}E?@ee1J}aLI9uwlVWh#w^CIpLon7n|UQ`o)B+3+OZMv^D#&fT1)>aN`OcVv>Nc7x8nX2Oz*owOL_k2GtLZ!t>j+KQEAn;D
zvU_AlAR%Gt!35cUB-<$lx{g8_?1cw@Ux!K#{twpvJRa)3|KrE&q-e2}E!mQyNRsSZ
zl&I`$)~SRnW8c>zgis{17cthcj@?wYWJ`8~vCA?T`!?hIdXGA%>-t>R=X3l0zTdw(
zolcH1@ArFN&*$UuxIfbSr`u;t$z`tB=>S=b_pY_NT{qxvZD!XURO$vNCg89K8KciH
zp;$FlAj0on*d=EMfKk;1f8eD}paclc2_@i`zjhmPGm&fq;3yBKEC{+362eO4v43z`
zlW;hu21>o`LYhj*UACXhP)-5{(i_Ppfv3nDj7!)^c-c$DfmwPN_34hJ6c;whP93CW
z-}H?d@P+RBh%tbO1>}L5xDO?_cf3y6Y!;+t$YtGALMxD*;1A8F~Iu-^4uZd
zT7i&CR3UIB77)F`S3<)b2@APua-k8N`?qflzxfp^g|s)CpjV-jD!NERn?@AV6osY8
zoVfK{=0)AEfhd4lQy|&;0fNqD158Z1569TMj^Poyyka
zS>qm^u2(NX{^N(3*poM4Oi2M5OK4!#HdJ{{<$p`)Bdz)qV0)sh&m+ZZPiTxj&;l=h
z>|?{TssP!txI*v4u9=+yj@Sa-KxLo{0jHZ$qwAp?pQ%2Ys72Jt_KS>#qC?=nym7j~
z)v=s46$bb=p=it8aejZhU*QTc*MSdK;7J;_YPm0`41Fu2AR^>muV5*~RRcxM=_LTC
z>jo^8DfP?qyg1;8zsH6s0pB@^wI-wVGwYHGQlGjHB6$PR6?xy1(dEn}^rN}{1Uz7e
z?G|EbAYUCA=iu^`z6YTH0}JF9vCO3vq>m~02cqh)IpNp)>X-?>dZ6gl%*&882B6(Q
z@s+863;xmp0QW9)_l@Cm-pRKksjJ)wKq)SYZZ0JHQQE6by_sho_kR=$Zc*^}`bEGz
z7YM{zkh?hIyZ_!^)8R#p{D^>X0a?_m$4zTk#+GCknM1&~%bCIMU1gq=W4DPu^%~jQ
z79^{(&*MR2IGCSM4&J^xurUBrC!m8~wI8cJ_-~+U4%fx~lPz-0EMs%FHzjN5wiLoS5Ew!6+Q1KM?|)6m
ztgFJ3SuymS(oZ${B|QMSF}x$c;P`39B_z*@jG
zdo{@72~|Rj1$&o~SE$@~E$)j+q{H0u!&6Byr`_A?ji@0cR`xgau&O%rL}K}*=?5%vpW$&ev$m#3B9RzniC6!b8$_?%}Iy}#aPLe^Rkge&@1YwK(pI@0Eh)W
z5oSK}v|?*rnuJ4);`gC@x)b*$uQSQr
zj@dnjFP|iUlxh{wWkgIGF!iIzNZde*WR{cb(@cnJQ|Mq@UPC?RkV@
z{L%7pm%)cm%f`bcBxfd8F;|Q#Hs|i@9X1Vc2J%vIFU)rc=}{Q>ZKksC2AvqaE6}5t
zrR9t(o#&?TZUG~H&EKq~19P6r-4I)g>2!j$y6J?WMr@%Pxz%bH^K`XBFX4LsC7
z^=L-?c{7tlap>M~I&;
z3nC*k>PKjw`~8A)gLMTyWCpl)wdq~KVz$S1-da_S+DfQu8D0*=ESJ;YA8}b^q5A;s
zQUA~uAFV_B_Prs5&`}6IsDXf3QB2-~W`zKId#G~1!hs*mKLYNlJ)l~JlxE9h27dAe
z8pvM*yD+;6{w3+c^i~9LDH2cyo8GRxM5gUd#nY%19jhMkPgZ0`0dnk8s{b+m@Nt0+
z?JZVlI}38>+AD!zXK)gD)eKtV$1_UEoCm5Z8d-m*Lli;8#DwAh%!d?;CTwnAR8NTaD)muf~Z}B)fm~
z1)WqnL!GyDkkSQ(XrY3D!!h(?;znRP@&|T5+=OzI{HOW|;KIV6qayvKs?ne^(7G_b
zGn`}5RsPF1ofqiTsiGG+YX2w&tdBdw*FX0q8
z1}~=re9{ky2^zvz0_s|h#(~2z#2x_iA22Sy)wOF9Aml=0m&P149Do8G>7Synj)PD!
zu;}4+o4`R9nBkNGrD{nexpb>;YG}hc#$bEEET-zwP42eBfN0`hY*6+?d>nWekpd9>
z|3b~NE1+ng1fU-cw(UXXfq@-8yBY-hLU+mUJJH-Vt<}e#QiB70YvaSb_*4y~g4DG>
zOBI}1B6%5pIBf6pTOf5^Q@LnDX0P@rFiY(AFR5b)#07KmM#Daw=bSeb`q&win4RwA
zL3IRtrO5}1XTgwo#-BOT5SnLcxU#$HpmVb~X)?J1h|wS%Xn*1gUSs?Q_m>DT6Et-7
zC+Lw>EO1Ren_Fe6`exk^foTq{(Mqq_p4zj-tDZ!<8(a+~E>mAYH~9ul*?;CiO>5(0
za7)P3hg65Lfpmc4jc1$(UyUShW&?TCQn_JdEStplgu*p>`sVYxFVOi0McTZ1@U^h1U;jjVmMG|2l;bn^PKx3eC
z9FBXp_#s5(8oNOWDW5c~-8#AC*N=$o767rdmnI1G#*ipv7aBoW3CyjG`*W)nsm(~O
zo5665#zCNc<^zkYx7i4t!C1rI1Jz+I_D`mUQ0m0_HkKd!g36*6CYa7cm}|2i-MQY5kls
zK^&UzjVhQ4a#_b-$s`70ua&7~OkC%Gz(A-E#L|6yfqC^R$dY(XHjN=TH%RAB|4?gU(u(JHm?CV0LBy;J2a-^HnJzx^s^}NbFo3P8wFs6!|@E)pBh$qY(*
zn4W@|GZZSvgU~!_Lw>Ic`sikR68ud3w))(^MmxBjNSX3%S}zhB8|X_jjgW8)3V$+*
z>G9{m1QI9G;3QP@E8uKF3OI*tY4QZB0TuOslE(f|dFh^!7VWrgk*YvrtDWn>7^4LG{+yc3f`L;dE!QP0++DxWyq=ad~hYs*s)cJ
zxB^UH6Xa)(ur7&JKii<#3cSVUz1l(S&vNI04PH1c7fchO)_mef6?!a$cXvg-=@7mi
zwlu>&=p4IvvWEHUgQu)c-(}e%)
zr&*m${2TL^%jLj9Nz_Z7CqEzAhXrK^!&5+-C`D5p2#8(Y{jumZEkP8KElYn2m%SJv
zI!1xkZw`4f*OTilk;dpb;JcO$+uDE%3|Kwq3w$I_9H4pZHEJ(3PyXDa*T{9vxs6y5
z=K(qQARm^%95f0*3LJ^Np7ng6Z3k}3C0*8geKmKTe%+i@o!$%cDiAHLq6qi{v^7|ryu+ss4e{`oAMjX@Cl(plI$P#Zq6@1fQ|^DLXjdwU|zhF3}o>A;Rtlm@C4VA0+**CA!~|M>jvnY
znE+`7(#a6F41~Ep{-5P?vLtmBIR@?*2rL6re_mF=6LRAshsS1Jk)odSf!^L83+3O2FG>4`EY>r^tO4F^
zY0(xqBYn^Civks_bZ-GzElW#>J(_)M01;=`b?^=?yNU$vx@s&3Dkmq&;oGH}JjCZ(
zDv6e1pB?y4tF4a-Bp37!x-1S?e-;M}UFcGI578k1$3(HJC;wBB^aKK}c3i*e{*<F#ol*7GpXR#r>bA;WHE<~tET`jbYb+8aTv6b+%^1h5E3u;zI%XVbYRRRiu#*7?
zZfd!kUU&;Hs;B^u^KJNe=Y<%P?JDMhPQj42R*%^Wofa&EqI0&D!-t#|)$hi{EEYg;I
zq}g+f*+y#>5b8HOt%FW5jlsoC88nXRP0~I1%KQ8^)}&oI_yuPM@!W&uot;HA+T~g|
zpxXH2E)Qi=!T6|-2uPgX1`_p{~w>S|8MeJl@2p;
z(?jYM=3pj16#l-wl74LtNj+Das{F7_`aJ^{EsR<
z(kvE!fz)rgoewgoBsXF8*w(xlfoFUF_Kqu-ns0091P(bK#?qo>bO-b#@R{c)Ii^a2SC
zh^)nN4m4w{H~d;42ciaz=!d@L(k+J*}~
zA=RM&>{5s&N-2CvL^0x|i(0QIdyY&pd(fS#zzUm-n}p-XS7SiD&K
zRGG_s2zoL$v*!@e;j#uWTiTEkVJw>Fq+fpzYyz5Nq1WDVLW3w}nWS6}WONGz_C+uk
zT0&dI)h#eT9x=RN3vypy50~wxw{SgKiXlQ7;ktu|fwCdJDO%QEG<7-uXwekrbgzhy
ziz5uP8mT)UX1~~%=E~5Q*1uu};&2+~Rlv1KMTvr3iy%(4Ew99qwG|pD`oN%vjgAE}
zV_u-j;=|{nY%ku2tW-c4X@2radv{Vat?$Erf=tS>Yw})9Uq^0`xZgl)68p7Uoh!}Z
z-48}>Pvl)&lmj10x~&4ZKAy5-)!3^KohkR|bTsdaP>qvdci&{g$#_t75>&h>vY22k
zsG8&0VRgzF7pg+&${?pY0(CHI+e4MJ@YpWWj{r(*#h($h!>7ja-34b2X>J>0yL)3;dFyJW+6197!
zY2Rc3Sq(w23?t0M(ggxm0hDSMLJl=x9Ci$VuM#*cYIfM@nzOfiE
z13=|-yu=SIHwyTnQ2*v}n_rW`=!zrtBN~8Fdwb2
zdsdG7s2VJ`u&sxsBl{Q_*NZiiSr+h9t%;mF0Nb>p`m4_Yfbq!d-x4xNeGa{rB}cB9
zIG@OiG7mjK5$o*H4-@zC2U~ml9Yhq2N*u~rF=l1l2&14@RCl(H
z)Fu^uS+o(_
zTNu?|2)7jc@TdS~*K(OT_1klg$EW_iYOulNzhkqYlG74)PJk8{nZOOz^TOk^
zvBhz;uw~z=O`?N?2tf9kR%WQWU;$DaggxmaW=u)QC&)4o475o#Y96Q(fbJpG@Y{_)
z2=(nDV9qtb()qXReyr0iWU<&ODou$ZAG&?1zd>LO=lryb-RA{ke^ZlW!`(n&_IXt%
zxfq~p>Qvs*Fn*z1;Ii3b0t5UbwJk1MFADr5`@QFfm{9e>v|`yvw$rc5Iy62_yJvan
zkYT&3)S*Uaa337JFZF%Q>LvO&Kr2%Ksxl(if0Pog4oVq+!D>hir_rEJmgG@fA`#gC
zoFTPWN}czZm@ZM0MeAn3x7%~>=kT!zX5N!WC=hYFkez;C(o2WJh|Se;31aG^a9u{qwKnM2m&p|FD2MTJDLUjYM_{q{gdKu|fG?QNe_a3b*>rUGv-y%kpjb&OJ
z5sR%UdSriB`Pv3|_`9x;=N?L`|M_$KH9Y}_Pwr0ZQd+Ug;kC4w`H`R?{Tmu9f&XiN
zq%v9eQP6b(q&Mg|zJ)lYm2}Ai_`J5J6AKqloXv@ZD3Qee50Yr77$X;aI}fX%*~?O2
z(E8`a{Kdr7O&a+4YGyGuKwa?!0X(ZY|7XF|G15R+OIq^lEVj^0Hb))OliHey$^}()
zM0;Tn=_=VX0#nj1r2FSPH&1IVzM34%#=ePQy5Yc8@SG>?(5C*{uHTZ~8tlpoIk!6nINIy&N`N%#Erp*4S}Uu=SB{$SBUCI;
zAQ2S;iMNT4pV*5BR?5zC{L3Ei_5Q}`034f3-$UY7ZvA#DC<#6FZ`uUZ-+fYR;#qG7
zh=^sBAKhRY${kM$3_jYZ1f3s$H@C>h%7>dfw6lwcr}+>Hb>Uws`(s1HK=Cq|K>zHh
z`Co#Z|EfmKo)7bX|F3X1Fi7FIMQOXBJ%bO(_!%_6<->sixTL5}ycwhnXJMHNZw?;*
z^6e68le(WQLq3$j$CU0=lSKs}s8$+*@EVFB(=TLiFk*tvt)r?RpJeV#2YwPJh
zs?UEZT8%g(d!db{9a_U6)8xoDFt##tfQ`)k2HM&Ud9Ae8L?wZ)Od=fy(&;sQw`_pD
z5Y@yL-(_4mkfSH)J8RPz&PtelLUZK2&VyPZ1T-*~j-NdwYkHVLZm`PTkv)|&Lh^@i
z>Bg`p<}jlnfY)qM`RYY`gTxyS4D0I|w9^5=#{*!+7T{k`^6FyP7u_+I;WL&Q
z(o$K=aKaaXs0yv$v~r>5`o_eR@YwRNH6Ek9K8H)jM}$iJpljx1TS(n|rTowTzM%l{
za@v1i*6pFsBET}mC9%T9IWqiqTiKCfKxij=z8H0Emzt(NQ5#5^-71wPcp|c{6l|q@
z4%5e1Exju{2N4S~vTo9+pGS3fUws+@N}M;zsF|wZAGE|M$^WClyjv{$rH#7PaijD>xL_T
z+$onCM|en#29iNc%QuwFIoh+b*Y^mfA!fB8v%H8hAB=zh^#R&aopto@VgZ_T$`^I3Y@2UNx(q*~x6o+victFjl__U%8qiD@VKOZu7&S{`fH
z8X3DtTrM`75aywEl>I}vH--02dVm*)XmJG*
zZkhHER6eYWn8QOSx1H_p=QOmuK2g$^kYkv>JvYYutnyJN1MG2=99;6|s%V)>M?%RC
ze#ko=qYm$>dDoXUIaW6QcvLb`v0-xu{qm;wDNSksATP2Fow91=cwTU8@-NfpNNG@9
zOvPdXq8u)Rl6WW{x6Wc9vi{N>h=!8tgxbG8>xB6O()l&-?bU7}B^A2KZ4qKH)bElZ
zcdZPH_$WMFQdI@2QF#sZU!V}C3*f$*%EB|7i4K}9I>kWK2?0&seQ2QhJW|NmXZilp
zmcW?|1PdWc8esc5nyHqu`E&P8x6Q!GC6`dG$s)Z|(S7enAUZiB8T@rWCR)(F-2nT=
zRU#JpLDJQu6rlQPgTWMpZR&eZ589>XSRMnLbO)C4KfJ1tjKqgr{jAr9eNSuN_dU}Q
z?xvoR+i_9_n{>5vJ1l7yJBl4Y1FY#E%ONV;LR+1!QdIuQa2)8Yt27B}{`?3cjX$ewaE*v+7
zn>1>B+3y7KkE}0ZvAz0BEy=tvwaHeV@U@g&F{Wawcx?aDEowW!gEs0!WJk>
zS8=ypr#T7hDqom#P(|FljKd=fP?hOz^0n^=>I0QyiNvRFalqSfXC2$7F019zDXqtr
z-d2eO_CFCXIq;wM3){ciO}tub%r2Q8j-%)$Po9moXkqk
ztmef=y@2E2x!)P^k~}=`RuEof0EN&{__P^s|BQ11(nFI!5L-ThK;Y-N*sDpIh6fCt
zhwBY*)@z#t`ei$u6B$P4jXu>@emEm4yW|Eli|VBzs~0}6S76#GIsyWF(Y}I5pZneO
zjCHz%dVf|6Tu{J52zD#)9%vO^02Ms`*%PtrPn(6mSufwMq8ofA!i8f`Lyxri+P($r
zm44c;L+mV%?=kWh)?Yv$3MFVbC`kZ{o~8Y#w;o!+ms_Fb^$GT|=ksAfh#hwIj;3Ak
zGcW`n*2RNG3TRgq09z9Z;x!!}X$a>9K3@)iavVMvU=V&ribtN=MSKem9vf~L$)COn!xEoo+%PROQ`Abut&8K`-Ww^N?N;|T
z1{^fjw_kaB_swud_v%E!R}?ZtosqdiR^NqxYGJB!J>hf4?CnlP-0A&hs#B|%GH~h0
zj&;F=ie9RPlGIKWdR#*16~Ss7{QPB1Rr6)cJd=})5pFpTzCLKUvwe^o!@vxGg57Ko
z*_|ZMIiZoddr8(ubV2FewesaSR{yf|42_=tWh`Msagd#`(!q3TX==;Vb9+t?U+mi
zfc#(MG;?Z4wNxF|F_Q@I6ihB?ZJUi;z4^Vh-KVF*EC{Em!%MP_q%Ah+a09E^3e
zz3bSP4JXRMnE1C5PVf
zgFO&vWG?$wb=)*T%f0}Ze@#Kzp}tnb1`7EXpytm3>Xfm4l(F3m^*tKCC_H!k?d8&B(ZBQ@hc9NAKQ8VR&~da-
ziLY49vqS2Jx32P-dpgS_Gk=zh=T3=d^y;n#9@TN=6c^}>PaGaw?YX1V*>VXvN`Ob@
zri+Q!Tk4nTu2O9f+cI?=V?3*ytA}x`Y#Dp98G5bW^wrpzL!G%(vQB~B#ZKF5D(o)X
zUoU4{1hlmnvpWwASTJWqh`}W!IvW$E@!{Q)dL0?VC2<*vD8~Wm4A$wK4ywiS#VPSb
zU0sPQ`Elk92CZyC`pU{-y={rfc)ZWX(8lg#(>PAYpQ|$o+OIE-s{s83zJn_*we_Ae
zK(&^l3Kt1Zt{8la!n~)jofj{->Hk&v$W~|lVzMv0
zv})+=%~vY&u~FB%u=-Ap&TfxAv&B%U-7LMAEPkX>&fpVsr=BY04l$4ONIij%ie@_;
zoa&kN5<3!8aIFC-GUI0WH~n@Ywh;o(s{UqI82tf??;SJANcCV>TkJLG+6>nnii0|!
zhD+eqH7+Vj)`{g)E95se8*iN?wGl@Dq~VW#^&1zt*J@&R=F}L?%@j~y_7A1P`N#vU
zlcW+*ZSH7N`iT@1$-CR~AFdLjwZ>!Om?^5+DEzVU)o*9St_}Pw?C9BC7U=1F{o}Ur
zkgINaZ+4@;iNbAWm|)Ktqo9h7-b!$(*sC-eq%t=ejK>f1daRHk!)#@_^-~RorZHUl
z;}~u+=j4v5sB6w?#T~3Fi#b1yR2GvSg)P``vuA9m7^QBAc|Xukrxu3?tCZfR)?R&>
z5z&%=J2zo@`)7;Lz`*M+VHJ*aSt)_spHT?T3{~A?BYBQ=*0UK1&X0)>vrSo?neMpj
zSj&pbh3yOOX+ka&tB%Qp9Os!I^^KK^YJ!n*mxOvMH-H<~rV@uj4WTf7>y`5lB@$N<
zxTQICA9YP>7-585CLa=u(Zr=7nN?&~;XrwFUgf}*%6Sci`0FVpF3K*2T$PItmD_y2
z`V{wetotweH0~61>lpNRG_s8A(r$_*6PBL8>17h^q3QWXyd=l|m+Hx>^Ie|ay$^@_
zhfZpJoe8#CCa8*R0WyUJ!Q+RZj-w*8750Gaq-eI?!R_;oR;D#C0nN(sdUOP^&VRBm
zQr!HZ9GL|vq$GDBMF0LH%?3u-W~gAdCU{8US&A^8%sGt{5uSF$Z}vJTLIrt(toyb4
zsy;>5j-fl;$vYrL{L$>uEY2+OpB^LYt`@eOqL_t;ztW+wG*MOIJtj+ehGJI#e0Q~+
z+9HxhOI3rFBOt{iQlH}^wXU(0dh1E8456en@kjcVesP?cNhwo`S=<>aR!x^~XeYZ(j*p6t25U
zNce599FrXaNL)C2+#cwrbNYU>x@s#sbYC+&GgW{T9Jk7u2f03H>%#iM3`=K9a=mi=
zT}8aF7L(ZZG9cLT<(TYRHX{6$oSMI!2GSu-h^8w)1bWFCNhyKaS_-!a$1IH^2Ph(E
zk6N0p6&J?oSB7{5Y3iuf-nBf7KyV|Tm>%wq(#j~wMm$T=DW;Nj*4LBDy?}6!+;)?<
zYRc@)a3G7;^x{A~OS?_e)jse3oEwpBdU&nh+`Eb%`qt6R6thTHS-7dh{6SfQjnNN1
zxx2Nqmg)s-pr)!VWJ>qWTuv-Q@tyFLh5Kg_jbwh`LM)nm-p@OpL)?k-sRJI%TWX1A
z0um>+o__$1S-^7nH~7_T|D{6>qj>IjDIgRfr^YJgJg`|fuZ6uGlS=P*Mn|3X(%P(I
zmhYq%47@i86+Nl7j4iW?Vu4v*^~B*>MT>wmhd89nQ0e-0n4)EP%5XF{BK+l)DxU9D
z*A0zBvhq^0&S}?G)p+%%ufx#bDnk1mla;SMW+~bVxJtVgHIxZs;1!xnuQ1L1Fr}28
zY~YYz4%9d<*(;VXR%v!vn;Wr~36mYN$XM3&ioc$DA){)0LrlV^ulQb6;@kxU0ERi?
zW~%4OcNo_%4IVfKu3w8E5oM58n*~;FymIRMvMu<$Q#tXPOps)NfGFS-o3yHG?Xa6_
zQev&NT6BK;dh)p!GTi+d|DS2G8Wmt6?*5
zjx68hdy_miN0B8{U+UwxjZGLcxObOXBTp9o;P9Hs9ks0mw_XNm_C@LBSgXCOYh=^S
z_F~wqOFkxh==Egyn3W!8PhT4*ZJms@4c9{N#d|{*S}ktKx$w_hn|S)%(SLbk<5Gt8
zI1n-5mSl~Lt7Pkb-PK@a6dHH3t07@3zLLS2@=h-JM%)8Z0yVvhn7OnmEEDI{hCF@a
zY}19pQ+jqYK2#}`*CNrC{Mbs}uaIDr*5LQ+F)w>4mC#%JnqPBIr$pN{-1I
zEtUrLpYe+`^8a?)U_(IA>MKi$+TtU}*e{}g*6e)OHAv)#Nt9;eT)Y?O9d8nE
zxUe)4zg%h`xYD~;$e$FlcR1epy>;zOxbAwsa=X32^TC*Y04jyHSix>@6YQH(9iNR$+6Z<8o1EI_W6^
zlytDBCfUS6OK%D7&GVms-9=E_An`nH*FgMvBk+RbWa?d8DWe8Gb=1IPqU*JmstQLY
zF}$Y#u4NfRiGb^h=>;L*qVwoTaL-I$$BOr+EYB7hE7~H+G!=MqII;4iA6eu#&dBhS;L-+HH-Llua}Z+jT~SzmT4KqtJRo
z$$wj+mCSGU>qR8-I&5PbM$^?_gvC?C+i6QvCUQnKz1HH-=dSfz%v`DoU_M8$t7(N5
zd6q)t;Y4_{!ZGv|mSvu{KEBdF$hws$-p#|-S`>HCoyjFg(dzu6t2?ty;Ulct?w2XE
zvyFMtl)U$=*f8&}JX^wwO-5t$t4$IBYG}P`T0**aOv~E6KCm}c!VT+EIT|hGvP(6%
zyBKa`D^u|yNT?hYlRNFzhuhY@=I8O!>bP*c`o@G