greg-lindsay
2022-03-08 15:43:37 -08:00
8 changed files with 152 additions and 148 deletions

View File

@ -48,31 +48,31 @@ The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Int
- **Profile type**: Templates - **Profile type**: Templates
- **Template name**: Custom - **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile"::: :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
1. Name your profile. 1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information: 1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer - **Data type**: Integer
- **Value**: 1 </br> - **Value**: 1 </br>
To turn off Config Lock. Change value to 0. To turn off Config Lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row"::: :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. 1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes. 1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct. 1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. 1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status"::: :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status"::: :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
## Disabling ## Configuring Secured-Core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect"::: :::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
## FAQ ## FAQ
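Review bot: `</br>` on the **Value**: 1 line is not a valid HTML tag (there is no closing form of `br`); it survives on both sides of this hunk and renders differently across Markdown engines. Use `<br>`, or drop it and let "To turn off Config Lock, change the value to 0." stand as its own line. The heading rename from "Disabling" to "Configuring Secured-Core PC features" is an improvement, since the section is about toggling SCPC features (firmware protection) rather than disabling Config Lock itself; the "enabled/disable" typo fix in the same paragraph is also right.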

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/27/2019 ms.date: 03/03/2022
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -1084,15 +1084,15 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. Specifies whether the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons are available or unavailable for the touch keyboard. When this policy is set to disabled, the buttons are hidden and unavailable.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- 0 (default) - The OS determines when it's most appropriate to be available. - 0 (default) - The OS determines when buttons are most appropriate to be available.
- 1 - Emoji button on keyboard is always available. - 1 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always available.
- 2 - Emoji button on keyboard is always disabled. - 2 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always unavailable.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
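Review bot: "kaomoji" is lowercase in the new description but "Kaomoji" in the values for 1 and 2; pick one. "When this policy is set to disabled" is now ambiguous with three integer values below, so say "set to 2" so the description matches the list. Also, the description limits the GIF and kaomoji buttons to Windows 11, but the value descriptions for 1 and 2 do not; a short qualifier such as "(GIF and kaomoji on Windows 11 only)" on those two bullets would avoid implying the buttons exist on Windows 10.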

View File

@ -121,30 +121,30 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the contents of a sample customizations.xml file. The following example shows the contents of a sample customizations.xml file.
```XML ```XML
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt; <?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons> <WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0"> <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name> <Name>My Provisioning Package</Name>
<Version>1.0</Version> <Version>1.0</Version>
<OwnerType>OEM</OwnerType> <OwnerType>OEM</OwnerType>
<Rank>50</Rank> <Rank>50</Rank>
</PackageConfig> </PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations> <Customizations>
<Common> <Common>
<Policies> <Policies>
<AllowBrowser>0</AllowBrowser> <AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera> <AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth> <AllowBluetooth>0</AllowBluetooth>
</Policies> </Policies>
<HotSpot> <HotSpot>
<Enabled>0</Enabled> <Enabled>0</Enabled>
</HotSpot> </HotSpot>
</Common> </Common>
</Customizations> </Customizations>
</Settings> </Settings>
</WindowsCustomizatons> </WindowsCustomizations>
``` ```
5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. 5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings.
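Review bot: the root element typo fix (`WindowsCustomizatons` to `WindowsCustomizations`) and un-escaping the `&lt;?xml ... ?&gt;` declaration are both needed before the sample can be copied into a package; with the old root element name the file would not match the provisioning schema. The same two fixes are applied to the two later samples in this file, good. Minor: the fence info string `XML` is conventionally lowercase (`xml`).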
@ -152,48 +152,48 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
```XML ```XML
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons> <WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0"> <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name> <Name>My Provisioning Package</Name>
<Version>1.0</Version> <Version>1.0</Version>
<OwnerType>OEM</OwnerType> <OwnerType>OEM</OwnerType>
<Rank>50</Rank> <Rank>50</Rank>
</PackageConfig> </PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations> <Customizations>
<Common> <Common>
<Policies> <Policies>
<AllowBrowser>0</AllowBrowser> <AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera> <AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth> <AllowBluetooth>0</AllowBluetooth>
</Policies> </Policies>
<HotSpot> <HotSpot>
<Enabled>0</Enabled> <Enabled>0</Enabled>
</HotSpot> </HotSpot>
</Common> </Common>
<Targets> <Targets>
<Target Id="Unique target identifier for desktop"> <Target Id="Unique target identifier for desktop">
<TargetState> <TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" /> <Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState> </TargetState>
<TargetState> <TargetState>
<Condition Name="ProcessorName" Value="Barton" /> <Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" /> <Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState> </TargetState>
</Target> </Target>
<Target Id="Mobile target"> <Target Id="Mobile target">
<TargetState> <TargetState>
<Condition Name="MCC" Value="Range:310, 320" /> <Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" /> <Condition Name="MNC" Value="!Range:400, 550" />
</TargetState> </TargetState>
</Target> </Target>
</Targets> </Targets>
</Customizations> </Customizations>
</Settings> </Settings>
</WindowsCustomizatons> </WindowsCustomizations>
``` ```
6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: 6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
@ -212,56 +212,56 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met.
```XML ```XML
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt; <?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons> <WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0"> <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID> <ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name> <Name>My Provisioning Package</Name>
<Version>1.0</Version> <Version>1.0</Version>
<OwnerType>OEM</OwnerType> <OwnerType>OEM</OwnerType>
<Rank>50</Rank> <Rank>50</Rank>
</PackageConfig> </PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"> <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations> <Customizations>
<Common> <Common>
</Common> </Common>
<Targets> <Targets>
<Target Id="Unique target identifier for desktop"> <Target Id="Unique target identifier for desktop">
<TargetState> <TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" /> <Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState> </TargetState>
<TargetState> <TargetState>
<Condition Name="ProcessorName" Value="Barton" /> <Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" /> <Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState> </TargetState>
</Target> </Target>
<Target Id="Mobile target"> <Target Id="Mobile target">
<TargetState> <TargetState>
<Condition Name="MCC" Value="Range:310, 320" /> <Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" /> <Condition Name="MNC" Value="!Range:400, 550" />
</TargetState> </TargetState>
</Target> </Target>
</Targets> </Targets>
<Variant> <Variant>
<TargetRefs> <TargetRefs>
<TargetRef Id="Unique target identifier for desktop" /> <TargetRef Id="Unique target identifier for desktop" />
<TargetRef Id="Mobile target" /> <TargetRef Id="Mobile target" />
</TargetRefs> </TargetRefs>
<Settings> <Settings>
<Policies> <Policies>
<AllowBrowser>1</AllowBrowser> <AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera> <AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth> <AllowBluetooth>1</AllowBluetooth>
</Policies> </Policies>
<HotSpot> <HotSpot>
<Enabled>1</Enabled> <Enabled>1</Enabled>
</HotSpot> </HotSpot>
</Settings> </Settings>
</Variant> </Variant>
</Customizations> </Customizations>
</Settings> </Settings>
</WindowsCustomizatons> </WindowsCustomizations>
``` ```
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. 7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.

View File

@ -45,11 +45,15 @@ sections:
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
answer: | answer: |
Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. In Configuration Manager version 1910 and later, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings). Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune?
answer: |
Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
- question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
answer: | answer: |
The maximum number of supported enrollments on a single Windows 10 computer is 10. This limit lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we'll strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, we strongly encourage the use of FIDO2 security keys.
- question: How can a PIN be more secure than a password? - question: How can a PIN be more secure than a password?
answer: | answer: |
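Review bot: "This lets 10 users each enroll their face and up to 10 fingerprints" is ambiguous: is it 10 fingerprints per user or 10 fingerprints across the device? The preceding sentence says the device cap is 10 enrollments, so state which it is. The new Intune entry answers only with "a great deal of flexibility"; one sentence naming the deployment models Intune supports before the link would make the FAQ entry useful without following it. The ConfigMgr wording change ("Starting in ... version 1910") is clearer than "version 1910 and later".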
@ -101,8 +105,8 @@ sections:
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
- question: What URLs do I need to allow for a hybrid deployment? - question: What URLs do I need to allow for a hybrid deployment?
answer: | answer: |
Communicating with Azure Active Directory uses the following URLs: Communicating with Azure Active Directory uses the following URLs:
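Review bot: the new link uses an absolute docs path (`/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset`) while the link two lines above uses a relative file path (`hello-videos.md#...`); if this FAQ lives in the same hello-for-business folder the absolute path points at, `hello-feature-pin-reset.md` is the consistent form. The destructive/non-destructive split is a real clarification: the old sentence implied that every hybrid PIN reset works without the corporate network, and the new text limits that to non-destructive reset.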

View File

@ -1,6 +1,6 @@
--- ---
title: Why a PIN is better than a password (Windows) title: Why a PIN is better than an online password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
keywords: pin, security, password, hello keywords: pin, security, password, hello
ms.prod: m365-security ms.prod: m365-security
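Review bot: the description still ends with " ." (a space before the period) on both sides, and it is a question, so it should end with "?": "How is a PIN different from (and better than) an online password?". The keywords line is unchanged, which is fine, though "online password" could be added since the title now hinges on that distinction.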
@ -19,42 +19,44 @@ ms.localizationpriority: medium
ms.date: 10/23/2017 ms.date: 10/23/2017
--- ---
# Why a PIN is better than a password # Why a PIN is better than an online password
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA] > [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device ## PIN is tied to the device
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device ## PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section.
>[!NOTE] >[!NOTE]
>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello). >For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
   
## PIN is backed by hardware ## PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
## PIN can be complex ## PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
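Review bot: the intro sentence now asks how a PIN is better than a "local password" while the title, the H1 and the next paragraph all say "online password", and that paragraph states the article "mostly covers the benefits a PIN has over an online password"; the intro should say "online password" too, with the local-password comparison left as the secondary point it is. Two more on the added text: "Windows 10 ... has a defect of not linking local passwords to TPM" presents a design property as a bug; "local passwords aren't bound to the TPM, so ..." says the same thing accurately. And ms.date stays at 10/23/2017 although the body changed substantially, while the other files in this commit bump their dates. Style: `local` and `online` in backticks are ordinary words, not code; use plain or italic text. The pre-existing "asymetric" typo in the note is worth fixing while here.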

View File

@ -45,9 +45,7 @@ Test Provider | Lab Test Type | Minimum Level / Score
AV-Comparatives | Real-World Protection Test </br> https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives AV-Comparatives | Real-World Protection Test </br> https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives
AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted </br> https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted </br> https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
ICSA Labs | Endpoint Anti-Malware Detection </br> https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified ICSA Labs | Endpoint Anti-Malware Detection </br> https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified
NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities </br> https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS
SKD Labs | Certification Requirements Product: Anti-virus or Antimalware </br> http://www.skdlabs.com/html/english/ </br> http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests SKD Labs | Certification Requirements Product: Anti-virus or Antimalware </br> http://www.skdlabs.com/html/english/ </br> http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests
SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating </br> https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating
VB 100 | VB100 Certification Test V1.1 </br> https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification VB 100 | VB100 Certification Test V1.1 </br> https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification
West Coast Labs | Checkmark Certified </br> http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance West Coast Labs | Checkmark Certified </br> http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance
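Review bot: dropping the NSS Labs and SE Labs rows changes which third-party certifications the program accepts, but nothing in the hunk or the surrounding text records why or from when; a short note in the page (or at least in the commit message) would help partners who previously relied on those ratings. Same malformed `</br>` tag in every remaining row; `<br>` is the valid form.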

View File

@ -62,11 +62,11 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
> [!TIP] > [!TIP]
> For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). > For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance).
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.) The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.)
Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and/or meet complexity requirements.
### Location ### Location
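Review bot: the new figure 159,238,157,238,528 is exactly 62^8 - 2*36^8 - 52^8, i.e. all 8-character alphanumeric strings minus those with no uppercase, no lowercase, or no digit; but that subtracts the overlaps (strings missing two classes at once) twice, so it is not the inclusion-exclusion count. Adding back 2*26^8 + 10^8 gives 159,655,911,367,680 strings that contain at least one uppercase, one lowercase and one digit. Either figure is a valid lower bound, so "at least" holds, and the policy's three-of-four rule also admits special characters that this count ignores entirely; but the page should state the assumption behind the number so a reader can reproduce it. The old 218,340,105,584,896 was plain 62^8 and ignored the complexity requirement altogether, so the direction of the change is right.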

View File

@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte ms.author: jogeurte
ms.manager: jsuther ms.manager: jsuther
manager: dansimp manager: dansimp
ms.date: 11/06/2021 ms.date: 03/08/2022
ms.technology: windows-sec ms.technology: windows-sec
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
@ -88,8 +88,8 @@ In addition to the steps outlined above, the binary policy file must also be cop
$MountPoint = 'C:\EFI' $MountPoint = 'C:\EFI'
$EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active" $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active"
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
mkdir $EFIDestinationFolder
mountvol $MountPoint $EFIPartition mountvol $MountPoint $EFIPartition
mkdir $EFIDestinationFolder
``` ```
2. Copy the signed policy to the created folder: 2. Copy the signed policy to the created folder:
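Review bot: moving `mkdir $EFIDestinationFolder` after `mountvol` is the right fix: the folder path is under `$MountPoint`, which does not exist until the EFI system partition is mounted there, so the old order failed on the mkdir. While here, `mkdir` raises an error if the folder already exists (re-running the steps, or a device that already has a CiPolicies\Active folder), so `New-Item -ItemType Directory -Force $EFIDestinationFolder` or a `Test-Path` guard makes the step idempotent. `(Get-Partition | Where-Object IsSystem).AccessPaths[0]` also assumes a single system partition; on a multi-disk machine it can pick the wrong one, so the snippet could note that assumption.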