Merge branch 'master' into mdatp-urls

2025-05-18 16:27:22 +00:00 · 2020-07-09 11:12:59 -07:00 · 2020-07-09 11:12:59 -07:00 · 3ea5b3b144
commit 3ea5b3b144
parent 03517bb7f8 b675c3fd51
6 changed files with 241 additions and 184 deletions
--- a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
+++ b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -1,22 +1,19 @@
 ---
 title: WindowsDefenderApplicationGuard CSP
-description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
+description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 09/10/2018
+ms.date: 07/07/2020
 ms.reviewer: 
 manager: dansimp
 ---

 # WindowsDefenderApplicationGuard CSP

-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
+The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.

 The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.

@ -29,215 +26,275 @@ Root node. Supported operation is Get.
 Interior node. Supported operation is Get.

 <a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**  
-Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Turn on Microsoft Defender Application Guard in Enterprise Mode. 

+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+The following list shows the supported values:  
 - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
 - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. 

 <a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**  
-Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-<!--ADMXMapped-->
-ADMX Info:  
-   GP English name: Configure Windows Defender Application Guard clipboard settings
-   GP name: AppHVSIClipboardFileType
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
+Determines the type of content that can be copied from the host to Application Guard environment and vice versa. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

-<!--/ADMXMapped-->
 The following list shows the supported values:  
-
- 0 - Disables content copying. 
 - 1 - Allow text copying.
 - 2 - Allow image copying.
 - 3 - Allow text and image copying.

-<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**  
-This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Configure Windows Defender Application Guard clipboard settings
-   GP name: AppHVSIClipboardSettings
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP name: *AppHVSIClipboardFileType*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:

+<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**  
+This policy setting allows you to decide how the clipboard behaves while in Application Guard.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:  
 - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host
- 2 - Turns On clipboard operation from the host to an isolated session
- 3 - Turns On clipboard operation in both the directions
+- 1 - Turns On clipboard operation from an isolated session to the host.
+- 2 - Turns On clipboard operation from the host to an isolated session.
+- 3 - Turns On clipboard operation in both the directions.

 > [!IMPORTANT]
 > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. 

-<a href="" id="printingsettings"></a>**Settings/PrintingSettings**  
-This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Configure Windows Defender Application Guard Print Settings
-   GP name: AppHVSIPrintingSettings
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
+- GP name: *AppHVSIClipboardSettings*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:

- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
- 2 - Enables only PDF printing
- 3 - Enables both PDF and XPS printing
- 4 - Enables only local printing
- 5 - Enables both local and XPS printing    - 6 - Enables both local and PDF printing
- 7 - Enables local, PDF, and XPS printing
- 8 - Enables only network printing
- 9 - Enables both network and XPS printing
- 10 - Enables both network and PDF printing
- 11 - Enables network, PDF, and XPS printing
- 12 - Enables both network and local printing
- 13 - Enables network, local, and XPS printing
- 14 - Enables network, local, and PDF printing
- 15 - Enables all printing
+<a href="" id="printingsettings"></a>**Settings/PrintingSettings**  
+This policy setting allows you to decide how the print functionality behaves while in Application Guard. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:  
+- 0 (default) - Disables all print functionality.
+- 1 - Enables only XPS printing.
+- 2 - Enables only PDF printing.
+- 3 - Enables both PDF and XPS printing.
+- 4 - Enables only local printing.
+- 5 - Enables both local and XPS printing.
+- 6 - Enables both local and PDF printing.
+- 7 - Enables local, PDF, and XPS printing.
+- 8 - Enables only network printing.
+- 9 - Enables both network and XPS printing.
+- 10 - Enables both network and PDF printing.
+- 11 - Enables network, PDF, and XPS printing.
+- 12 - Enables both network and local printing.
+- 13 - Enables network, local, and XPS printing.
+- 14 - Enables network, local, and PDF printing.
+- 15 - Enables all printing.
+
+<!--ADMXMapped-->
+ADMX Info:  
+- GP English name: *Configure Microsoft Defender Application Guard print settings*
+- GP name: *AppHVSIPrintingSettings*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+<!--/ADMXMapped-->

 <a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**  
-This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:  
+- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
+- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
+
+> [!NOTE]
+> This policy setting is no longer supported in the new Microsoft Edge browser.
+
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
-   GP name: BlockNonEnterpriseContent
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
+- GP name: *BlockNonEnterpriseContent*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:
-
- 0 (default) -  Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
- 1  - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.

 <a href="" id="allowpersistence"></a>**Settings/AllowPersistence**  
-This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-<!--ADMXMapped-->
-ADMX Info:  
-   GP English name: Allow data persistence for Windows Defender Application Guard
-   GP name: AllowPersistence
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
+This policy setting allows you to decide whether data should persist across different sessions in Application Guard. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

-<!--/ADMXMapped-->
 The following list shows the supported values:  
-
 - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
 - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

-<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**  
-Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual GPU to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.  
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Allow hardware-accelerated rendering for Windows Defender Application Guard
-   GP name: AllowVirtualGPU
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
+- GP name: *AllowPersistence*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:

+<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**  
+Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.  
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
+
+The following list shows the supported values:  
 - 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
 - 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. 

-<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**  
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer. 
+> [!WARNING]
+> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
+
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Allow files to download and save to the host operating system from Windows Defender Application Guard
-   GP name: SaveFilesToHost
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
+- GP name: *AllowVirtualGPU*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:

+<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**  
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. 
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete. 
+
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:  
 - 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
 - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.  

-<a href="" id="filetrustcriteria"></a>**Settings/FileTrustCriteria**  
-Placeholder for future use. Do not use in production code.
-
-<a href="" id="filetrustoriginremovablemedia"></a>**Settings/FileTrustOriginRemovableMedia**  
-Placeholder for future use. Do not use in production code.
-
-<a href="" id="filetrustoriginnetworkshare"></a>**Settings/FileTrustOriginNetworkShare**  
-Placeholder for future use. Do not use in production code.
-
-<a href="" id="filetrustoriginmarkoftheweb"></a>**Settings/FileTrustOriginMarkOfTheWeb**  
-Placeholder for future use. Do not use in production code.
+<!--ADMXMapped-->
+ADMX Info:  
+- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
+- GP name: *SaveFilesToHost*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+<!--/ADMXMapped-->

 <a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**  
-Added in Windows 10, version 1809. This policy setting allows certain Root Certificates to  be shared with the Windows Defender Application Guard container. 
-<!--ADMXMapped-->
-ADMX Info:  
-   GP English name: Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device
-   GP name: CertificateThumbprints
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
+Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. 

-<!--/ADMXMapped-->
 Value type is string. Supported operations are Add, Get, Replace, and Delete.

-If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

-Example:  b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
+If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.

-If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container.
+Here's an example:  
+b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
+
+If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.
+
+<!--ADMXMapped-->
+ADMX Info:  
+- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
+- GP name: *CertificateThumbprints*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+<!--/ADMXMapped-->

 <a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**  
-Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
-<!--ADMXMapped-->
-ADMX Info:  
-   GP English name: Allow camera and microphone access in Windows Defender Application Guard
-   GP name: AllowCameraMicrophoneRedirection
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
+Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.

-<!--/ADMXMapped-->
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.

-If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the user’s device.
+This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

-If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device.
+
+If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+
+The following list shows the supported values:  
+- 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0).
+- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.

 > [!IMPORTANT]
-> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.  To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
+> If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.

-<a href="" id="status"></a>**Status**  
-Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
-
- Bit 0   - Set to 1 when	WDAG is enabled into enterprise manage mode
- Bit 1	- Set to 1 when	the client machine is Hyper-V capable
- Bit 2	- Set to 1 when	the client machine has a valid OS license and SKU 
- Bit 3	- Set to 1 when	WDAG installed on the client machine
- Bit 4	- Set to 1 when	required Network Isolation Policies are configured
- Bit 5	- Set to 1 when the client machine meets minimum hardware requirements
-
-<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**  
-Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
-
- Install - Will initiate feature install
- Uninstall - Will initiate feature uninstall
-
-<a href="" id="audit"></a>**Audit**  
-Interior node. Supported operation is Get
-
-<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**  
-This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
 <!--ADMXMapped-->
 ADMX Info:  
-   GP English name: Allow auditing events in Windows Defender Application Guard
-   GP name: AuditApplicationGuard
-   GP path: Windows Components/Windows Defender Application Guard
-   GP ADMX file name: AppHVSI.admx
-
+- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
+- GP name: *AllowCameraMicrophoneRedirection*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
 <!--/ADMXMapped-->
-The following list shows the supported values:

- 0 (default) - - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
+<a href="" id="status"></a>**Status**  
+Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. 
+
+Value type is integer. Supported operation is Get.
+
+- Bit 0 - Set to 1 when	Application Guard is enabled into enterprise manage mode.
+- Bit 1	- Set to 1 when	the client machine is Hyper-V capable.
+- Bit 2	- Set to 1 when	the client machine has a valid OS license and SKU.
+- Bit 3	- Set to 1 when	Application Guard installed on the client machine.
+- Bit 4	- Set to 1 when	required Network Isolation Policies are configured.
+- Bit 5	- Set to 1 when the client machine meets minimum hardware requirements.
+- Bit 6 - Set to 1 when system reboot is required.
+
+<a href="" id="platformstatus"></a>**PlatformStatus**  
+Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. 
+
+Value type is integer. Supported operation is Get.
+
+- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+- Bit 2 - Reserved for Microsoft.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
+- Bit 4 - Reserved for Microsoft.
+- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
+
+<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**  
+Initiates remote installation of Application Guard feature. 
+
+Supported operations are Get and Execute.
+
+The following list shows the supported values: 
+- Install - Will initiate feature install.
+- Uninstall - Will initiate feature uninstall.
+
+<a href="" id="audit"></a>**Audit**  
+Interior node. Supported operation is Get.
+
+<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**  
+This policy setting allows you to decide whether auditing events can be collected from Application Guard. 
+
+Value type in integer. Supported operations are Add, Get, Replace, and Delete.
+
+This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.
+
+The following list shows the supported values:  
+- 0 (default) - Audit event logs aren't collected for Application Guard.
+- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
+
+<!--ADMXMapped-->
+ADMX Info:  
+- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
+- GP name: *AuditApplicationGuard*
+- GP path: *Windows Components/Microsoft Defender Application Guard*
+- GP ADMX file name: *AppHVSI.admx*
+<!--/ADMXMapped-->
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@ -35,6 +35,10 @@ The script is organized into two folders **Pilot** and **Deployment**. Both fold
 > [!IMPORTANT]
 > If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.

+> [!IMPORTANT]
+> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec).
+
+
 When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:

 1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
--- a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-intune2.png
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
@ -15,6 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: conceptual
+ROBOTS: noindex,nofollow
 ---

 # New configuration profiles for macOS Catalina and newer versions of macOS
@ -55,7 +56,7 @@ Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
 A web content filtering policy is needed to run the network extension. Add the following web content filtering policy:

 >[!NOTE]
->Note: JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. 
+>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed.
 >As such, the following steps provide a workaround that involve signing the web content filtering configuration profile.

 1. Save the following content to your device as `com.apple.webcontent-filter.mobileconfig`
@ -140,7 +141,28 @@ A web content filtering policy is needed to run the network extension. Add the f

 ## Intune

-### Create the Custom Configuration Profile
+### System Extensions Policy
+
+To approve the system extensions:
+
+1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
+2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
+3. In the `Basics` tab, give a name to this new profile.
+4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
+
+    Bundle identifier         | Team identifier
+    --------------------------|----------------
+    com.microsoft.wdav.epsext | UBF8T346G9
+    com.microsoft.wdav.netext | UBF8T346G9
+
+    ![System configuration profiles screenshot](images/mac-system-extension-intune2.png)
+
+5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
+6. Review and create this configuration profile.
+
+### Create and deploy the Custom Configuration Profile
+
+The following configuration profile enables the web content filter and grants Full Disk Access to the Endpoint Security system extension. 

 Save the following content to a file named **sysext.xml**:

@ -236,46 +258,23 @@ Save the following content to a file named **sysext.xml**:
                    </array>
                </dict>
            </dict>
-            <dict>
-                <key>PayloadUUID</key>
-                <string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
-                <key>PayloadType</key>
-                <string>com.apple.system-extension-policy</string>
-                <key>PayloadOrganization</key>
-                <string>Microsoft Corporation</string>
-                <key>PayloadIdentifier</key>
-                <string>E6F96207-631F-462C-994A-37A6AD7BDED8</string>
-                <key>PayloadDisplayName</key>
-                <string>System Extensions</string>
-                <key>PayloadDescription</key>
-                <string/>
-                <key>PayloadVersion</key>
-                <integer>1</integer>
-                <key>PayloadEnabled</key>
-                <true/>
-                <key>AllowUserOverrides</key>
-                <true/>
-                <key>AllowedSystemExtensions</key>
-                <dict>
-                    <key>UBF8T346G9</key>
-                    <array>
-                        <string>com.microsoft.wdav.epsext</string>
-                        <string>com.microsoft.wdav.netext</string>
-                    </array>
-                </dict>
-            </dict>
        </array>
    </dict>
 </plist>
 ```

-### Deploy the Custom Configuration Profile
+Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`:

-To configure the system extensions in Intune:
+    ```bash
+    $ plutil -lint sysext.xml
+    sysext.xml: OK
+    ```
+
+To deploy this custom configuration profile:

 1.	In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create profile**.
 2. Choose a name for the profile. Change **Platform=macOS** and **Profile type=Custom**. Select **Configure**.
-3.	Open the configuration profile and upload sysext.xml. This file was created in the preceding step.
+3.	Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step.
 4.	Select **OK**.

    ![System extension in Intune screenshot](images/mac-system-extension-intune.png)
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@ -32,9 +32,6 @@ ms.topic: article

 Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.

-> [!IMPORTANT]
-> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
-
 To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
 - Configure and update System Center Endpoint Protection clients.
 - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.