**NotPaused**: The device was last reported to not have any pause on this content type. |
diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
index 7ef5f590b2..056d243859 100644
--- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@@ -18,7 +18,7 @@ ms.topic: article
WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
-These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](./waas-delivery-optimization-reference.md).
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](../do/waas-delivery-optimization-reference.md).
|Field |Type |Example |Description |
|-|-|-|-|
@@ -30,5 +30,5 @@ These fields are briefly described in this article, to learn more about Delivery
|**BytesFromIntPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
|**BytesFromPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
|**ContentType** |[int](/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded.|
-|**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](./waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
+|**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
|**TimeGenerated** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`1601-01-01T00:00:00Z` |A DateTime corresponding to the moment Azure Monitor Logs ingested this record to your Log Analytics workspace.|
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md
index 29099d3b8f..16fc2ce481 100644
--- a/windows/deployment/update/update-compliance-schema-wudostatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@@ -21,7 +21,7 @@ ms.topic: article
WUDOStatus records provide information, for a single device, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), and other information to create more detailed reports and splice on certain common characteristics.
-These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](./waas-delivery-optimization-reference.md).
+These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](../do/waas-delivery-optimization-reference.md).
|Field |Type |Example |Description |
|-|-|-|-|
@@ -36,10 +36,10 @@ These fields are briefly described in this article, to learn more about Delivery
|**BytesFromGroupPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`523132` |Total number of bytes downloaded from Group Peers. |
|**BytesFromIntPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`328350` |Total number of bytes downloaded from Internet Peers. |
|**BytesFromPeers** |[long](/azure/kusto/query/scalar-data-types/long) |`43145` |Total number of bytes downloaded from peers. |
-|**ContentDownloadMode** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](./waas-delivery-optimization-reference.md#download-mode) configuration for this content. |
+|**ContentDownloadMode** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this content. |
|**ContentType** |[int](/azure/kusto/query/scalar-data-types/int) |`Quality Updates` |The type of content being downloaded. |
|**DOStatusDescription** |[string](/azure/kusto/query/scalar-data-types/string) | |A short description of DO's status, if any. |
-|**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](./waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
+|**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`HTTP+LAN (1)` |Device's Delivery Optimization [Download Mode](../do/waas-delivery-optimization-reference.md#download-mode) configuration for this device. |
|**DownloadModeSrc** |[string](/azure/kusto/query/scalar-data-types/string) |`Default` |The source of the DownloadMode configuration. |
|**GroupID** |[string](/azure/kusto/query/scalar-data-types/string) | |The DO Group ID. |
|**NoPeersCount** |[long](/azure/kusto/query/scalar-data-types/long) | |The number of peers this device interacted with. |
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 3537d1c157..660ea98100 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -29,7 +29,7 @@ In this section you'll learn how to use Update Compliance to monitor your device
Update Compliance:
- Provides detailed deployment monitoring for Windows client feature and quality updates.
- Reports when devices need attention due to issues related to update deployment.
-- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
+- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](../do/waas-delivery-optimization.md).
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 9cfa2f188d..72d95901a5 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -24,7 +24,7 @@ ms.custom: seo-marvel-apr2020
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
-- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
+- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
>[!TIP]
>Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md
index cfdbb2a1ca..0f59183964 100644
--- a/windows/deployment/update/waas-delivery-optimization-faq.md
+++ b/windows/deployment/update/waas-delivery-optimization-faq.md
@@ -36,7 +36,7 @@ Delivery Optimization also communicates with its cloud service by using HTTP/HTT
## What are the requirements if I use a proxy?
-For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting.md).
+For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting.md).
## What hostnames should I allow through my firewall to support Delivery Optimization?
@@ -64,9 +64,9 @@ Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relie
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
-If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
-If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
+If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 3d2daa50ef..042a03a950 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -336,7 +336,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
|  | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows client updates using Windows Server Update Services (this topic)or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/update/waas-microsoft-connected-cache.md b/windows/deployment/update/waas-microsoft-connected-cache.md
deleted file mode 100644
index 5363df4aeb..0000000000
--- a/windows/deployment/update/waas-microsoft-connected-cache.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: What is Microsoft Connected Cache?
-manager: dougeby
-description: This article provides information about Microsoft Connected Cache, a software-only caching solution.
-keywords: oms, operations management suite, wdav, updates, downloads, log analytics
-ms.prod: w10
-ms.mktglfcycl: deploy
-audience: itpro
-author: carmenf
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.collection:
-- M365-modern-desktop
-- m365initiative-coredeploy
-- highpri
-ms.topic: article
-ms.custom: seo-marvel-apr2020
----
-
-# What is Microsoft Connected Cache?
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
-
-Microsoft Connected Cache is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. Microsoft Connected Cache will be a Linux IoT Edge module running on the Windows Host OS.
-
-Even though your Microsoft Connected Cache scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage Microsoft Connected Cache on your edge device:
-
-1. Installs and updates Microsoft Connected Cache on your edge device.
-2. Maintains Azure IoT Edge security standards on your edge device.
-3. Ensures that Microsoft Connected Cache is always running.
-4. Reports Microsoft Connected Cache health and usage to the cloud for remote monitoring.
-
-To deploy a functional Microsoft Connected Cache to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of Microsoft Connected Cache is described below.
-
-For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
-
-## How Microsoft Connected Cache Works
-
-1. The Azure Management Portal is used to create Microsoft Connected Cache nodes.
-2. The Microsoft Connected Cache container is deployed and provisioned to the server using the installer provided in the portal.
-3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
-4. Microsoft end-user devices make range requests for content from the Microsoft Connected Cache node.
-5. The Microsoft Connected Cache node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
-6. Subsequent requests from end-user devices for content will now come from cache.
-7. If the Microsoft Connected Cache node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
-
-See the following diagram.
-
-
-
-## Also see
-
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)
\ No newline at end of file
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index f98345cef2..8dd780d36a 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -142,6 +142,6 @@ There are many tools you can use to service Windows as a service. Each option ha
| Windows Update | Yes (manual) | No | Delivery Optimization | None|
| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
-| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows Update Delivery](./waas-optimize-windows-10-updates.md) | Distribution points, multiple deployment options |
+| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows Update Delivery](../do/waas-optimize-windows-10-updates.md) | Distribution points, multiple deployment options |
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 6f20c17750..7ef84ba4b5 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -3,9 +3,9 @@ title: Manage device restarts after updates (Windows 10)
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: w10
ms.mktglfcycl: deploy
-author: jaimeo
+author: carmenf
ms.localizationpriority: medium
-ms.author: jaimeo
+ms.author: carmenf
manager: dougeby
ms.topic: article
ms.custom:
@@ -201,7 +201,7 @@ There are three different registry combinations for controlling restart behavior
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index a034dba7a3..f1fb5fafcf 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -105,7 +105,7 @@ Secure your organization's deployment investment.
[Configure Windows Update for Business](waas-configure-wufb.md)
-[Express update delivery](waas-optimize-windows-10-updates.md#express-update-delivery)
+[Express update delivery](../do/waas-optimize-windows-10-updates.md#express-update-delivery)
[Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md)
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 8173d6ca5b..addbc016f4 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -82,6 +82,10 @@ If all else fails, try resetting the Windows Update Agent by running these comma
Ren %Systemroot%\SoftwareDistribution\Download Download.bak
Ren %Systemroot%\System32\catroot2 catroot2.bak
```
+
+ > [!IMPORTANT]
+ > The **reset** step below using sc.exe will **overwrite** your existing security ACLs on the BITS and Windows Update service and set them to default. Skip this step unless the other steps to reset Windows Update components have not resolved the issue.
+
2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
sc.exe sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 2c6e89c1e2..4153f5223b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -16,7 +16,7 @@ ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
-ms.date: 08/17/2017
+ms.date: 03/10/2022
---
# Protect derived domain credentials with Windows Defender Credential Guard
@@ -38,12 +38,8 @@ By enabling Windows Defender Credential Guard, the following features and soluti
## Related topics
-- [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert)
-- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
-- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
-- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11))
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10))
-- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
\ No newline at end of file
+- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 9f55046b76..a6f347396d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -45,11 +45,15 @@ sections:
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
answer: |
- Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. In Configuration Manager version 1910 and later, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
+ Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
+
+ - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune?
+ answer: |
+ Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
- question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
answer: |
- The maximum number of supported enrollments on a single Windows 10 computer is 10. This limit lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we'll strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
+ The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, we strongly encourage the use of FIDO2 security keys.
- question: How can a PIN be more secure than a password?
answer: |
@@ -101,8 +105,8 @@ sections:
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
- For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
-
+ For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
+
- question: What URLs do I need to allow for a hybrid deployment?
answer: |
Communicating with Azure Active Directory uses the following URLs:
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 0635a17b37..6c4c54aee9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,6 +1,6 @@
---
-title: Why a PIN is better than a password (Windows)
-description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
+title: Why a PIN is better than an online password (Windows)
+description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
keywords: pin, security, password, hello
ms.prod: m365-security
@@ -19,42 +19,44 @@ ms.localizationpriority: medium
ms.date: 10/23/2017
---
-# Why a PIN is better than a password
+# Why a PIN is better than an online password
**Applies to**
- Windows 10
- Windows 11
-Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
+Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
+On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
-Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device
-One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
+One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device
-A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
+An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
+However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section.
>[!NOTE]
>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
## PIN is backed by hardware
-The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM.
+The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
+
## PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 2b18579a8c..26f5413422 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -14,7 +14,7 @@ ms.collection:
- M365-security-compliance
- highpri
ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 03/10/2022
ms.custom: bitlocker
---
@@ -64,6 +64,7 @@ Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the
## Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
+
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
@@ -130,11 +131,11 @@ For more information about how to configure Network Unlock, see [BitLocker: How
## Microsoft BitLocker Administration and Monitoring
-Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
+Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-* Provides centralized reporting and hardware management with Microsoft Microsoft Endpoint Configuration Manager.
+* Provides centralized reporting and hardware management with Microsoft Endpoint Configuration Manager.
* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
* Enables security officers to easily audit access to recovery key information.
@@ -144,4 +145,9 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage
* Offers an IT-customizable recovery user experience.
* Supports Windows 10.
-For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/) on the MDOP TechCenter.
+> [!IMPORTANT]
+> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
+
+Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more details, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
+
+Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more details, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
index b9edd5b644..75d0561ae3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
@@ -15,7 +15,7 @@ metadata:
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
- ms.date: 02/28/2019
+ ms.date: 03/14/2022
ms.custom: bitlocker
title: BitLocker Security FAQ
@@ -41,7 +41,7 @@ sections:
- question: |
What are the implications of using the sleep or hibernate power management options?
answer: |
- BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
+ BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
- question: |
What are the advantages of a TPM?
@@ -50,4 +50,4 @@ sections:
> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
-
\ No newline at end of file
+
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 36de3f06bf..960336ca09 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -81,11 +81,7 @@ If you feel you've been a victim of a phishing attack:
- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
-- **Microsoft**: Create a new, blank email message with the one of the following recipients:
- - Junk: junk@office365.microsoft.com
- - Phishing: phish@office365.microsoft.com
-
- Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Report messages and files to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft).
+- **Microsoft 365**: Use the [Submissions portal in Microsoft 365 Defender](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft) to submit the junk or phishing sample to Microsoft for analysis. For more information, see [Report messages and files to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft).
- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 0441e00ed4..272227666c 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -45,9 +45,7 @@ Test Provider | Lab Test Type | Minimum Level / Score
AV-Comparatives | Real-World Protection Test https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives
AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
ICSA Labs | Endpoint Anti-Malware Detection https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified
-NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS
SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests
-SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating
VB 100 | VB100 Certification Test V1.1 https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification
West Coast Labs | Checkmark Certified http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 725a653863..99819da4d5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/20/2021
+ms.date: 03/10/2022
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -31,13 +31,13 @@ Application Guard uses both network isolation and application-specific settings.
These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
> [!NOTE]
-> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
+> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
-|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. **NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
-|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.
**NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.
Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
+|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.
Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
## Network isolation settings wildcards
@@ -49,7 +49,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Netw
|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|
## Application-specific settings
-These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your company's implementation of Application Guard.
+These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your organization's implementation of Application Guard.
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
@@ -63,3 +63,9 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
+
+## Application Guard support dialog settings
+
+These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you are presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it is possible to provide additional information in the dialog box.
+
+[Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 867be41703..bb6166a66f 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
- ms.date: 09/30/2021
+ ms.date: 03/14/2022
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -220,6 +220,11 @@ sections:
1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
2. Reboot the device.
+
+ - question: |
+ What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
+ answer: |
+ This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
additionalContent: |
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index cf455c976a..d5400d4de7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -10,7 +10,7 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
-ms.date: 09/09/2021
+ms.date: 03/14/2022
ms.custom: asr
ms.technology: windows-sec
---
@@ -215,20 +215,6 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Professional edition, version 1809
- Windows 11
-#### File trust options
-
-1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
-
-2. Click **Enabled**, set **Options** to **2**, and click **OK**.
-
- 
-
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
-
-4. Open a file in Edge, such an Office 365 file.
-
-5. Check to see that an antivirus scan completed before the file was opened.
-
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
@@ -267,5 +253,5 @@ Once a user has the extension and its companion app installed on their enterpris
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
-4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
- 
\ No newline at end of file
+4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**
+ 
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 7928508380..74efe115ae 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -62,11 +62,11 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
> [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
-Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
+Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.)
-Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements.
+Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and/or meet complexity requirements.
### Location
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 4368a1ce60..e7c5dca396 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
-ms.date: 11/06/2021
+ms.date: 03/08/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@@ -88,8 +88,8 @@ In addition to the steps outlined above, the binary policy file must also be cop
$MountPoint = 'C:\EFI'
$EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active"
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
- mkdir $EFIDestinationFolder
mountvol $MountPoint $EFIPartition
+ mkdir $EFIDestinationFolder
```
2. Copy the signed policy to the created folder:
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index f486f73efc..ddc5e3e2fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -46,7 +46,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
```xml
- 10.0.22530.0
+ 10.0.25070.0
{D2BDA982-CCF6-4344-AC5B-0B44427B6816}
{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
@@ -64,6 +64,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
@@ -108,6 +110,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
@@ -396,6 +402,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
@@ -406,6 +413,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
@@ -418,6 +426,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
@@ -473,6 +482,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
@@ -513,6 +523,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
+
+
+
+
@@ -544,9 +564,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
@@ -600,6 +622,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
@@ -698,6 +721,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
+
+
@@ -728,16 +757,20 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
-
+
+
+
@@ -802,6 +835,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
+
+
+
+
@@ -1106,7 +1143,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
- 10.0.22530.0
+ 10.0.25070.0
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 2a3f6d6dc3..65b8c21047 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -29,6 +29,9 @@ Windows Sandbox has the following properties:
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
+ > [!IMPORTANT]
+ > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
+
The following video provides an overview of Windows Sandbox.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]