:"
```
-To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
+To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
@@ -341,5 +341,5 @@ For more information about this technology, see [Windows Defender System Guard:
To resolve this issue, do one of the following:
-- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
+- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
index 680cbb7c42..aec78e2149 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -18,17 +18,17 @@ ms.custom: bitlocker
# BitLocker and TPM: other known issues
-This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
+This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
-## Azure AD: Windows Hello for Business and single sign-on do not work
+## Azure AD: Windows Hello for Business and single sign-on don't work
-You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
+You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms:
-- Windows Hello for Business does not work.
+- Windows Hello for Business doesn't work.
- Conditional access fails.
-- Single sign-on (SSO) does not work.
+- Single sign-on (SSO) doesn't work.
-Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
+Additionally, the computer logs the following entry for Event ID 1026:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
@@ -46,27 +46,27 @@ Additionally, the computer logs an entry for Event ID 1026, which resembles the
### Cause
-This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
+This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
-Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
+Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution
-To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
+To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
-1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
-1. Contact the hardware vendor to determine whether there is a known fix for the issue.
-1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
+1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
+1. Contact the hardware vendor to determine whether there's a known fix for the issue.
+1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
-## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
+## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
-You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
+You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
@@ -83,26 +83,26 @@ These symptoms indicate that the TPM has hardware or firmware issues.
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
-If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
+If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
-## Devices do not join hybrid Azure AD because of a TPM issue
+## Devices don't join hybrid Azure AD because of a TPM issue
-You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
+You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail.
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
-If the value of **AzureADJoined** is **No**, the join failed.
+If the value of **AzureADJoined** is **No**, the join operation failed.
### Causes and Resolutions
-This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
+This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
-|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
+|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index cebb1539b9..7fe79ded9f 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -23,66 +23,66 @@ ms.date: 04/02/2019
- Windows Server 2016
- Azure Stack HCI
-Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
+Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
-By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
-Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012.
+Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012.
-Encrypted Hard Drives provide:
+Encrypted hard drives provide:
- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
-Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
+Encrypted hard drives are supported natively in the operating system through the following mechanisms:
-- **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type
-- **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate
-- **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate
-- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
-- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
+- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type.
+- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate.
+- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate.
+- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE).
+- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience.
>[!WARNING]
->Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
+>Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment.
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
## System Requirements
-To use Encrypted Hard Drives, the following system requirements apply:
+To use encrypted hard drives, the following system requirements apply:
-For an Encrypted Hard Drive used as a **data drive**:
+For an encrypted hard drive used as a **data drive**:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
-For an Encrypted Hard Drive used as a **startup drive**:
+For an encrypted hard drive used as a **startup drive**:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
-- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
+- The computer must have the compatibility support module (CSM) disabled in UEFI.
- The computer must always boot natively from UEFI.
>[!WARNING]
->All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
+>All encrypted hard drives must be attached to non-RAID controllers to function properly.
## Technical overview
-Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
+Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
-## Configuring Encrypted Hard Drives as Startup drives
+## Configuring encrypted hard drives as startup drives
-Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include:
+Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include:
- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
-## Configuring hardware-based encryption with Group Policy
+## Configuring hardware-based encryption with group policy
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
@@ -90,22 +90,21 @@ There are three related Group Policy settings that help you manage how BitLocker
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
-## Encrypted Hard Drive Architecture
+## Encrypted hard drive architecture
-Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
+Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK).
The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
-The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK.
+The AK is the key used to unlock data on the drive. A hash of the key is stored on the drive and requires confirmation to decrypt the DEK.
-When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data
-Encryption Key, read-write operations can take place on the device.
+When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device.
When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
-## Re-configuring Encrypted Hard Drives
+## Re-configuring encrypted hard drives
-Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
+Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
1. Open Disk Management (diskmgmt.msc)
2. Initialize the disk and select the appropriate partition style (MBR or GPT)
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 1220e20185..f7bfc44de4 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -50,7 +50,7 @@ This table includes all available attributes/elements for the **Log** element. T
|Attribute/Element |Value type |Description |
|----------|-----------|------------|
|ProviderType |String |This is always **EDPAudit**. |
-|LogType |String |Includes:- **DataCopied.** Work data is copied or shared to a personal location.
- **ProtectionRemoved.** WIP protection is removed from a Work-defined file.
- **ApplicationGenerated.** A custom audit log provided by an app.
|
+|LogType |String |Includes:- **DataCopied.** Work data is copied or shared to a personal location.
- **ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.
- **ApplicationGenerated.** A custom audit log provided by an app.
|
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:- **CopyPaste.** Work data was pasted into a personal location or app.
- **ProtectionRemoved.** Work data was changed to be unprotected.
- **DragDrop.** Work data was dropped into a personal location or app.
- **Share.** Work data was shared with a personal location or app.
- **NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).
|
|Justification |String |Not implemented. This will always be either blank or NULL.
**Note**
Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
@@ -160,7 +160,7 @@ Here are a few examples of responses from the Reporting CSP.
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
-Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
+Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.
**To view the WIP events in the Event Viewer**
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 8a0ecac521..fdbf865d8a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -65,12 +65,12 @@ The **Configure Windows Information Protection settings** page appears, where yo
## Add app rules to your policy
-During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -278,7 +278,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The file is imported and the apps are added to your **App Rules** list.
### Exempt apps from WIP restrictions
-If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
+If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index a1dba47f5e..21a45af6ca 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -37,7 +37,7 @@ Apps can be enlightened or unenlightened:
- Windows **Save As** experiences only allow you to save your files as enterprise.
-- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
+- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@@ -75,10 +75,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft To Do
> [!NOTE]
-> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
+> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
-Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
+Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
- Skype for Business
@@ -102,7 +102,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
We don't recommend setting up Office by using individual paths or publisher rules. |
+| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 5462ca7f17..18726f1c02 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -22,7 +22,7 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
-This following list provides info about the most common problems you might encounter while running WIP in your organization.
+This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- **How it appears**:
@@ -33,12 +33,12 @@ This following list provides info about the most common problems you might encou
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
-- **Limitation**: Direct Access is incompatible with WIP.
- - **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
+- **Limitation**: Direct Access is incompatible with Windows Information Protection.
+ - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
> [!NOTE]
- > VPN is optional and isn’t required by WIP.
+ > VPN is optional and isn’t required by Windows Information Protection.
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
@@ -48,7 +48,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
-- **Limitation**: WIP is designed for use by a single user per device.
+- **Limitation**: Windows Information Protection is designed for use by a single user per device.
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
- **Workaround**: We recommend only having one user per managed device.
@@ -67,14 +67,14 @@ This following list provides info about the most common problems you might encou
- **Limitation**: Changing your primary Corporate Identity isn’t supported.
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- - **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
+ - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
-- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
+- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
> [!NOTE]
- > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
+ > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- **How it appears**:
@@ -83,23 +83,23 @@ This following list provides info about the most common problems you might encou
- Local **Work** data copied to the WIP-managed device remains **Work** data.
- **Work** data that is copied between two apps in the same session remains ** data.
- - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
+ - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
- **Limitation**: ActiveX controls should be used with caution.
- - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
+ - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection.
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
-- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
- - **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
+- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
+ - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
- **Workaround**: Format drive for NTFS, or use a different drive.
-- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
+- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- AppDataRoaming
- Desktop
- StartMenu
@@ -116,10 +116,10 @@ This following list provides info about the most common problems you might encou
- - **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
+ - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager.
- **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
- If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
+ If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
@@ -134,7 +134,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
-- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
+- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
@@ -150,6 +150,6 @@ This following list provides info about the most common problems you might encou
> [!NOTE]
>
-> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
+> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
>
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index daf5a9fac0..6c2ccfde53 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -27,7 +27,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index aabc6b7080..89d703af97 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -31,14 +31,14 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
>[!IMPORTANT]
->While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
+>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
## Video: Protect enterprise data from being accidentally copied to the wrong place
> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
## Prerequisites
-You’ll need this software to run WIP in your enterprise:
+You’ll need this software to run Windows Information Protection in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
@@ -70,7 +70,7 @@ After the type of protection is set, the creating app encrypts the document so t
Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
## Benefits of WIP
-WIP provides:
+Windows Information Protection provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
@@ -79,12 +79,12 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions.
-- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
+- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
## Why use WIP?
-WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
@@ -99,21 +99,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+ - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
- Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
- - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+ - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+ - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
-WIP helps address your everyday challenges in the enterprise. Including:
+Windows Information Protection helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
@@ -124,7 +124,7 @@ WIP helps address your everyday challenges in the enterprise. Including:
- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
### Enterprise scenarios
-WIP currently addresses these enterprise scenarios:
+Windows Information Protection currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
@@ -134,21 +134,21 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
### WIP-protection modes
-Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
+Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
+Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-You can set your WIP policy to use 1 of 4 protection and management modes:
+You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. |
+|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
+|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
+|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. |
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index d5400291be..c55f4fe75b 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -25,7 +25,7 @@ ms.reviewer:
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
+We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index cd707f5044..84dae48f11 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -29,7 +29,7 @@ Use Task Manager to check the context of your apps while running in Windows Info
## Viewing the Enterprise Context column in Task Manager
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
-1. Make sure that you have an active WIP policy deployed and turned on in your organization.
+1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
@@ -50,7 +50,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
-- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
+- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components).
> [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
index 310538cbee..305b40e22f 100644
--- a/windows/security/operating-system.md
+++ b/windows/security/operating-system.md
@@ -5,9 +5,6 @@ ms.reviewer:
ms.topic: article
manager: dansimp
ms.author: deniseb
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: denisebmsft
ms.collection: M365-security-compliance
ms.prod: m365-security
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md
index 0d118520fc..1dc5324f16 100644
--- a/windows/security/security-foundations.md
+++ b/windows/security/security-foundations.md
@@ -5,9 +5,6 @@ ms.reviewer:
ms.topic: article
manager: dansimp
ms.author: deniseb
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: denisebmsft
ms.collection: M365-security-compliance
ms.prod: m365-security
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index 7057f8c90f..564c7cdfe4 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -1,14 +1,9 @@
---
title: Block untrusted fonts in an enterprise (Windows 10)
description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature.
-ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4
ms.reviewer:
manager: dansimp
-keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.date: 08/14/2017
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 778a829c8b..68328931ed 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -2,7 +2,6 @@
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
index 5d606c7889..2159488c70 100644
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -1,14 +1,11 @@
---
title: Get support
description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization.
-keywords: virtualization, security, malware
ms.prod: m365-security
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dulcemontemayor
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/25/2018
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index c76ead4afc..02f00be3f6 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,17 +1,12 @@
---
title: Windows threat protection
description: Describes the security capabilities in Windows client focused on threat protection
-keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.technology: windows-sec
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 406ee97c59..c8fafe64a7 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,9 +1,7 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-keywords: MBSA, security, removal
ms.prod: m365-security
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index e99bc8205f..b641427ea4 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -9,7 +9,6 @@ metadata:
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
- ms.date: 03/14/2022
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -45,7 +44,7 @@ sections:
To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
- - It must be a FQDN. A simple IP address will not work.
+ - It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
@@ -54,7 +53,7 @@ sections:
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
- question: |
- Which Input Method Editors (IME) in 19H1 are not supported?
+ Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
@@ -74,17 +73,15 @@ sections:
- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
- This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+ This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
- question: |
What is the WDAGUtilityAccount local account?
answer: |
- WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
+ WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
- We recommend that you do not modify this account.
-
- question: |
How do I trust a subdomain in my site list?
answer: |
@@ -93,35 +90,35 @@ sections:
- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
- When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
+ When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
- Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit.
+ Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit.
- question: |
Why does my encryption driver break Microsoft Defender Application Guard?
answer: |
- Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+ Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
- There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
+ There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
- - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+ - For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
- Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+ Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
- If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+ If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements.
- question: |
Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index 2b7a3193ab..ffd97aa5cd 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -2,12 +2,9 @@
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-author: martyav
-ms.author: v-maave
+author: aczechowski
+ms.author: aaroncz
ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
@@ -60,24 +57,24 @@ Both Chrome and Firefox have their own browser-specific group policies. We recom
#### Chrome policies
-These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*).
+These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`.
Policy name | Values | Recommended setting | Reason
-|-|-|-
-[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
`1` = Disabled
`2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
-[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
-[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
+[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
`1` = Disabled
`2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
+[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
+[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension.
#### Firefox policies
-These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*).
+These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`.
Policy name | Values | Recommended setting | Reason
-|-|-|-
-[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard
-[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
`true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security
-[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it.
+[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard
+[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed
`true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security
+[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it.
## Troubleshooting guide
@@ -85,15 +82,15 @@ Policy name | Values | Recommended setting | Reason
Error message | Cause | Actions
-|-|-
-Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser
-Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
-Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
-Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
-Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
-Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Edge is working 3. Retry the operation
+Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
+Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
+Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Microsoft Edge is working 3. Retry the operation
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 576cbdac19..60dacaca16 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -27,7 +27,7 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
@@ -41,24 +41,24 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
-- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
+- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
-- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
-- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
-- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
-- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
## Submit files to Microsoft Defender SmartScreen for review
-If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](../intelligence/submission-guide.md).
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md).
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
@@ -67,7 +67,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M
## Viewing Microsoft Defender SmartScreen anti-phishing events
> [!NOTE]
-> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
+> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).
@@ -94,3 +94,4 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Threat protection](../index.md)
- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference)
\ No newline at end of file
diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md
index df8eacefc1..9be071fa44 100644
--- a/windows/security/threat-protection/msft-security-dev-lifecycle.md
+++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md
@@ -2,7 +2,6 @@
title: Microsoft Security Development Lifecycle
description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development.
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index 33712bcefa..681a9ae413 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -3,11 +3,7 @@ manager: dansimp
ms.author: dansimp
title: Override Process Mitigation Options (Windows 10)
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
-keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.pagetype: security
-ms.sitesec: library
author: dulcemontemayor
ms.localizationpriority: medium
ms.technology: windows-sec
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 9d7d8ad4bc..436d94ab00 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -2,9 +2,6 @@
title: Mitigate threats by using Windows 10 security features (Windows 10)
description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.reviewer:
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 087bf0dbc9..ed70e30816 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -1,15 +1,10 @@
---
title: Control the health of Windows 10-based devices (Windows 10)
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
-ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873
ms.reviewer:
manager: dansimp
ms.author: dansimp
-keywords: security, BYOD, malware, device health attestation, mobile
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security, devices
author: dulcemontemayor
ms.date: 10/13/2017
ms.localizationpriority: medium
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index ccaba0be7d..0c1396e74f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
ms.technology: windows-sec
---
@@ -86,7 +85,7 @@ None. Changes to this policy become effective without a restart when saved local
### Group Policy
-Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply.
+Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. The policy is applicable to domain controllers only.
### Auditing
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 9376277ddf..411b14fcba 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -1,14 +1,10 @@
---
title: Use Windows Event Forwarding to help with intrusion detection (Windows 10)
description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
-ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dulcemontemayor
ms.date: 02/28/2019
ms.localizationpriority: medium
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index eec6f18251..5901726822 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/21/2017
ms.technology: windows-sec
---
@@ -24,10 +23,10 @@ ms.technology: windows-sec
- Windows 10
- Windows 11
-- Windows Server 2016 and above
+- Windows Server 2012 R2 and later
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes how to import an AppLocker policy.
@@ -35,11 +34,14 @@ Before completing this procedure, you should have exported an AppLocker policy.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
->**Caution:** Importing a policy will overwrite the existing policy on that computer.
+> **Caution:** Importing a policy will overwrite the existing policy on that computer.
**To import an AppLocker policy**
1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**.
+
2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**.
+
3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy.
+
4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index 3203610df6..d7e1d5636c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -14,7 +14,6 @@ author: jgeurten
ms.reviewer: jsuther1974
ms.author: dansimp
manager: dansimp
-ms.date: 03/22/2022
ms.technology: windows-sec
---
@@ -45,6 +44,9 @@ To create effective WDAC deny policies, it's crucial to understand how WDAC pars
5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
+> [!NOTE]
+> If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work).
+
## Interaction with Existing Policies
### Adding Allow Rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 36aa766318..3e1dfaea27 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -14,7 +14,6 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 07/15/2021
ms.technology: windows-sec
---
@@ -24,7 +23,7 @@ ms.technology: windows-sec
- Windows 10
- Windows 11
-- Windows Server 2016 and above
+- Windows Server 2019 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 15141a8aff..ec94f13e2b 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,17 +1,12 @@
---
title: Create an Outbound Program or Service Rule (Windows)
description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
-ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 9539084377..6e4429688b 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,17 +1,12 @@
---
title: Create Inbound Rules to Support RPC (Windows)
description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
-ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 33d369d823..502b0b5b91 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,17 +1,12 @@
---
title: Create Windows Firewall rules in Intune (Windows)
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
-ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.technology: windows-sec
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 6d9896ef84..1b2931e18d 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,17 +1,12 @@
---
title: Create WMI Filters for the GPO (Windows)
description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
-ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index bb72548e1a..7e365c2fbf 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -1,17 +1,12 @@
---
title: Designing a Windows Defender Firewall Strategy (Windows)
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
-ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index be0ce97138..cdbb54af14 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,17 +1,12 @@
---
title: Determining the Trusted State of Your Devices (Windows)
description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
-ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
@@ -25,7 +20,7 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status.
+After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status.
>**Note:** In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk.
@@ -46,9 +41,9 @@ The remainder of this section defines these states and how to determine which de
### Trusted state
-Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network.
+Classifying a device as trusted means that the device's security risks are managed, but it doesn't imply that it's perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network.
-When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses.
+When a device is considered trusted, other trusted devices can reasonably assume that the device won't initiate a malicious act. For example, trusted devices can expect that other trusted devices won't run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses.
Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status.
@@ -68,49 +63,49 @@ A possible list of technology requirements might include the following:
- **Password requirements.** Trusted clients must use strong passwords.
-It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status.
+It's important to understand that the trusted state isn't constant; it's a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they're required to help maintain the trusted status.
-A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications.
+A device that continues to meet all these security requirements can be considered trusted. However it's possible that most devices that were identified in the discovery process discussed earlier don't meet these requirements. Therefore, you must identify which devices can be trusted and which ones can't. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications.
### Trustworthy state
-It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes.
+It's useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes.
For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration).
Generally, trustworthy devices fall into one of the following two groups:
-- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement.
+- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement.
- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require:
- - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state.
+ - **Operating system upgrade required.** If the device's current operating system can't support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state.
- - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active.
+ - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, can't be considered trusted until these applications are installed and active.
- **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device.
- - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device).
+ - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device).
Use these groups to assign costs for implementing the solution on the devices that require upgrades.
### Known, untrusted state
-During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types:
+During the process of categorizing an organization's devices, you'll identify some devices that can't achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types:
-- **Financial.** The funding is not available to upgrade the hardware or software for this device.
+- **Financial.** The funding isn't available to upgrade the hardware or software for this device.
-- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation.
+- **Political.** The device must remain in an untrusted state because of a political or business situation that doesn't enable it to comply with the stated minimum security requirements of the organization. It's highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation.
- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system.
There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state:
-- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported).
+- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported).
-- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain.
+- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain.
-- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain.
+- **Devices in an untrusted domain.** A device that is a member of a domain that isn't trusted by an organization's IT department can't be classified as trusted. An untrusted domain is a domain that can't provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities can't be fully guaranteed when devices aren't in a trusted domain.
### Unknown, untrusted state
@@ -129,20 +124,20 @@ The final step in this part of the process is to record the approximate cost of
- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state?
-By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses.
+By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It's important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you're ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses.
The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state.
| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost |
| - | - | - | - | - | - |
-| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??|
+| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware isn't compatible with newer versions of Windows.| $??|
| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??|
In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher.
The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs.
-With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
+With the other information that you've gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 6b8adafa56..4b52443989 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,17 +1,12 @@
---
title: Documenting the Zones (Windows)
description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
-ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index ec6e6a670b..d3e12bfc41 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,17 +1,12 @@
---
title: Domain Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
-ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 0f112cdfa7..ac3e4beadc 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,17 +1,12 @@
---
title: Domain Isolation Policy Design (Windows)
description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
-ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
index cd420e5088..c17b29ef65 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
@@ -1,17 +1,12 @@
---
title: Enable Predefined Inbound Rules (Windows)
description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
-ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 0102f9ee3a..782c3d49fc 100644
--- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -1,17 +1,12 @@
---
title: Enable Predefined Outbound Rules (Windows)
description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
-ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index 6d909df105..f246825b19 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,17 +1,12 @@
---
title: Encryption Zone GPOs (Windows)
description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
-ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
@@ -27,6 +22,6 @@ ms.technology: windows-sec
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.
-The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows.
+The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows.
- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md)
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index fe2e9815a6..8a6dd9db87 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,17 +1,12 @@
---
title: Encryption Zone (Windows)
description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted.
-ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
index 0a1c8c3094..9cd638e39c 100644
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
@@ -1,17 +1,12 @@
---
title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
-ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index 686d6ff871..dee6778a40 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,17 +1,12 @@
---
title: Exempt ICMP from Authentication (Windows)
description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
-ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index c060789ce3..a150d214f5 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,17 +1,12 @@
---
title: Exemption List (Windows)
description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
-ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index ca7cb954eb..ad4e1359c3 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -4,8 +4,6 @@ description: Filter origin documentation audit log improvements
ms.reviewer:
ms.author: v-bshilpa
ms.prod: m365-security
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: normal
author: Benny-54
manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index c6815864d5..9cac69201b 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,17 +1,12 @@
---
title: Firewall GPOs (Windows)
description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain.
-ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index e130a76c47..6152948655 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -1,17 +1,12 @@
---
title: Basic Firewall Policy Design Example (Windows)
description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
-ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
index 562716bc3b..db56dcc84e 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md
@@ -4,8 +4,6 @@ description: Firewall settings lost on upgrade
ms.reviewer:
ms.author: v-bshilpa
ms.prod: m365-security
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: Benny-54
manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index 32c6dd328f..fe4d111ad1 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -1,17 +1,12 @@
---
title: Gathering Information about Your Active Directory Deployment (Windows)
description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
-ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 792686a4b3..0c7ab93228 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -1,17 +1,12 @@
---
title: Gathering Info about Your Network Infrastructure (Windows)
description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
-ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 0e57c0e9a9..6d7e499d9c 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,17 +1,12 @@
---
title: Gathering Information about Your Devices (Windows)
description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
-ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 579ef8f647..fe22f964b8 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,17 +1,12 @@
---
title: Gathering Other Relevant Information (Windows)
description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
-ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 8482a7cd65..0599090184 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,17 +1,12 @@
---
title: Gathering the Information You Need (Windows)
description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
-ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index afa8e8f5cc..adfb2e0acb 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,17 +1,12 @@
---
title: GPO\_DOMISO\_Boundary (Windows)
description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices.
-ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index d1ca928d07..bc83b6e60d 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,18 +1,13 @@
---
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows)
description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
-ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
ms.reviewer:
ms.author: dansimp
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
ms.date: 09/08/2021
ms.technology: windows-sec
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 662dd03f50..6cd30ab0e7 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,17 +1,12 @@
---
title: GPO\_DOMISO\_Firewall (Windows)
description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
-ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index bed380f50e..ce23a063fa 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -1,17 +1,12 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows)
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 84d2f5ce16..3e29726a15 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -1,17 +1,12 @@
---
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows)
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
-ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 6746a2c01c..5684e64a1e 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,17 +1,12 @@
---
title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows)
description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
-ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 9f16389687..19be53c930 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -1,17 +1,12 @@
---
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows)
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
-ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index ccaefb1de6..afdbbb4444 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -1,17 +1,12 @@
---
title: Isolated Domain GPOs (Windows)
description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
-ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index af0a3cd985..336af76b07 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,17 +1,12 @@
---
title: Isolated Domain (Windows)
description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
-ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 642c968859..94c2d1efc2 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -2,13 +2,9 @@
title: Isolating Microsoft Store Apps on Your Network (Windows)
description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 472e264155..27ca0787a6 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,17 +1,12 @@
---
title: Link the GPO to the Domain (Windows)
description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
-ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 4d847f7055..e14954cb74 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,17 +1,12 @@
---
title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows)
description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
-ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index e2e209ff07..20c89d309f 100644
--- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -1,17 +1,12 @@
---
title: Modify GPO Filters (Windows)
description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
-ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index 7b4d920b83..27d55010fe 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,17 +1,12 @@
---
title: Open the Group Policy Management Console to IP Security Policies (Windows)
description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
-ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index d55f5793ea..6b414fd0e1 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -1,17 +1,12 @@
---
title: Group Policy Management of Windows Firewall with Advanced Security (Windows)
description: Group Policy Management of Windows Firewall with Advanced Security
-ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 77e7c364b3..7c1ef5c3ab 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,17 +1,12 @@
---
title: Group Policy Management of Windows Defender Firewall (Windows)
description: Group Policy Management of Windows Defender Firewall with Advanced Security
-ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index c46ba8f97f..31a3fba50f 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -1,17 +1,12 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows)
description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
-ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index c5d10098c9..e0e0de7084 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -1,17 +1,12 @@
---
title: Planning Certificate-based Authentication (Windows)
description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
-ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index a5c690294e..8732491e55 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,17 +1,12 @@
---
title: Planning Domain Isolation Zones (Windows)
description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
-ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 81d3ffeabe..fcdef1ec8f 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,17 +1,12 @@
---
title: Planning GPO Deployment (Windows)
description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
-ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 3002cef090..46f1ec18cd 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,17 +1,12 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows)
description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
-ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 6cf3ebe60c..703b785517 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,17 +1,12 @@
---
title: Planning Isolation Groups for the Zones (Windows)
description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
-ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 9a897f0089..115c4bc0b4 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,17 +1,12 @@
---
title: Planning Network Access Groups (Windows)
description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
-ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index 9e87ee9790..7c7ab8b78d 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,17 +1,12 @@
---
title: Planning Server Isolation Zones (Windows)
description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
-ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index ed55752803..5aed4df804 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,17 +1,12 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows)
description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
-ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 74e85fa1a0..054cd6b4c9 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,17 +1,12 @@
---
title: Planning the GPOs (Windows)
description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
-ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index d651e8e71b..1bb9e49550 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -1,17 +1,12 @@
---
title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows)
description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization.
-ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 66140941f1..c88257ead5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,17 +1,12 @@
---
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows)
description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
-ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index e45fb6c5e6..8c98be2b77 100644
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
@@ -1,17 +1,12 @@
---
title: Procedures Used in This Guide (Windows)
description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 40645e4078..ba994c905e 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -1,17 +1,12 @@
---
title: Protect devices from unwanted network traffic (Windows)
description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy.
-ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/18/2022
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 83309d4b1b..42338ede59 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -4,14 +4,9 @@ description: Quarantine behavior is explained in detail.
ms.author: v-bshilpa
author: Benny-54
manager: dansimp
-ms.assetid:
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: normal
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 5ae57cd35b..23025f1e50 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -1,17 +1,12 @@
---
title: Require Encryption When Accessing Sensitive Network Resources (Windows)
description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted.
-ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 4e8ca4f98b..b91f299c18 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -1,17 +1,12 @@
---
title: Restrict Access to Only Specified Users or Devices (Windows)
description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security.
-ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 287942862c..cc78b7ceb7 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -1,17 +1,12 @@
---
title: Restrict access to only trusted devices (Windows)
description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices.
-ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index 35882149d3..d405ae9ad9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -1,17 +1,12 @@
---
title: Restrict Server Access to Members of a Group Only (Windows)
description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group.
-ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 70ebf3fd75..e43a977d74 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -2,13 +2,9 @@
title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows)
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index 9ec9d59a12..9f249ae1c5 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,17 +1,12 @@
---
title: Server Isolation GPOs (Windows)
description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
-ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 59eb498be0..f5b9e6802b 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,17 +1,12 @@
---
title: Server Isolation Policy Design Example (Windows)
description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
-ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 92ff6b97db..c9a669692f 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,17 +1,12 @@
---
title: Server Isolation Policy Design (Windows)
description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
-ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index 3e3a5b108f..2337344ccf 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -4,8 +4,6 @@ description: Troubleshooting UWP App Connectivity Issues in Windows Firewall
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
index 0ae4b4f8dd..64a55b790e 100644
--- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -1,17 +1,12 @@
---
title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows)
description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index d6dbf5fd5a..dd58d0c8d0 100644
--- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -2,13 +2,9 @@
title: Understand WFAS Deployment (Windows)
description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
index 7ae486d08d..0c11ed522b 100644
--- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
@@ -1,17 +1,12 @@
---
title: Verify That Network Traffic Is Authenticated (Windows)
description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication.
-ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index b00b59d00e..c89e65cba2 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -2,13 +2,9 @@
title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows)
description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index dfcf6cfc99..fbb11692e8 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -1,17 +1,12 @@
---
title: Windows Defender Firewall with Advanced Security deployment overview (Windows)
description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network.
-ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 38545a3d40..623503499e 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -1,17 +1,12 @@
---
title: Windows Defender Firewall with Advanced Security design guide (Windows)
description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise.
-ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 989c1be1a1..966c5e4a6a 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -2,14 +2,10 @@
title: Windows Defender Firewall with Advanced Security (Windows)
description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index 281436db6f..d9ecdb1fb0 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -2,7 +2,6 @@
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index 31d3aba69a..be77c53fd5 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -2,7 +2,6 @@
title: Windows Sandbox architecture
description: Windows Sandbox architecture
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index cd5f7a2082..94adc3d7c8 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -2,7 +2,6 @@
title: Windows Sandbox configuration
description: Windows Sandbox configuration
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 29b2f22f62..ec43ba1f84 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -2,7 +2,6 @@
title: Windows Sandbox
description: Windows Sandbox overview
ms.prod: m365-security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index c3cc25f375..52c3d0d811 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -1,14 +1,11 @@
---
title: Get support for security baselines
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related topics.
-keywords: virtualization, security, malware
ms.prod: m365-security
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/14/2022
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index eec2742b4c..3fd0c07c67 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -1,14 +1,11 @@
---
title: Microsoft Security Compliance Toolkit 1.0 Guide
description: This article describes how to use Security Compliance Toolkit 1.0 in your organization
-keywords: virtualization, security, malware
ms.prod: m365-security
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/14/2022
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 6d4c993655..18cb5242f6 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -1,14 +1,11 @@
---
title: Security baselines guide
description: Learn how to use security baselines in your organization.
-keywords: virtualization, security, malware
ms.prod: m365-security
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/26/2022
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 6792a8df14..a0e24a1035 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -5,7 +5,6 @@ search.appverid: MET150
author: denisebmsft
ms.author: deniseb
manager: dansimp
-audience: ITPro
ms.topic: conceptual
ms.date: 09/21/2021
ms.prod: m365-security
@@ -13,8 +12,7 @@ ms.technology: windows-sec
ms.localizationpriority: medium
ms.collection:
ms.custom:
-ms.reviewer: jsuther
-f1.keywords: NOCSH
+ms.reviewer: jsuther
---
# Secure Boot and Trusted Boot
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index 8b9b5e1d73..6953ab042b 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -5,9 +5,6 @@ ms.reviewer:
ms.topic: article
manager: dansimp
ms.author: dansimp
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.collection: M365-security-compliance
ms.custom: intro-overview
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 9e25d09647..dc42004f13 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -20,23 +20,3 @@
href: whats-new-windows-10-version-21H1.md
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
- - name: What's new in Windows 10, version 2004
- href: whats-new-windows-10-version-2004.md
- - name: What's new in Windows 10, version 1909
- href: whats-new-windows-10-version-1909.md
- - name: What's new in Windows 10, version 1903
- href: whats-new-windows-10-version-1903.md
-- name: Previous versions
- items:
- - name: What's new in Windows 10, version 1809
- href: whats-new-windows-10-version-1809.md
- - name: What's new in Windows 10, version 1803
- href: whats-new-windows-10-version-1803.md
- - name: What's new in Windows 10, version 1709
- href: whats-new-windows-10-version-1709.md
- - name: What's new in Windows 10, version 1703
- href: whats-new-windows-10-version-1703.md
- - name: What's new in Windows 10, version 1607
- href: whats-new-windows-10-version-1607.md
- - name: What's new in Windows 10, versions 1507 and 1511
- href: whats-new-windows-10-version-1507-and-1511.md
\ No newline at end of file
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index b99b7a48ad..77dfd79528 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -1,10 +1,7 @@
---
title: Edit an existing topic using the Edit link
description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com.
-keywords: contribute, edit a topic
ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
ms.date: 10/13/2017
ms.reviewer:
manager: dansimp
diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md
deleted file mode 100644
index c2522f3e4c..0000000000
--- a/windows/whats-new/get-started-with-1709.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Get started with Windows 10, version 1709
-description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history.
-keywords: ["get started", "windows 10", "fall creators update", "1709"]
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: dansimp
-ms.author: dansimp
-ms.date: 10/16/2017
-ms.reviewer:
-manager: dansimp
-ms.localizationpriority: high
-ms.topic: article
----
-
-# Get started with Windows 10, version 1709
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10.
-
-## Specification and systems requirements
-
-Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features.
-
-## What's new in Windows 10, version 1709 IT Pro content
-
-Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709.
-
-## Windows 10 release information and update history
-
-To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page.
-
-## Windows 10 Roadmap
-
-If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate.
-
-## Top support solutions for Windows 10
-
-Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment.
-
-> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com).
-
-Ready to get started with Windows 10, version 1709?
-> [!div class="nextstepaction"]
-> [Deploy and Update Windows 10](/windows/deployment)
diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG
deleted file mode 100644
index b0d2221824..0000000000
Binary files a/windows/whats-new/images/bulk-token.PNG and /dev/null differ
diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png
deleted file mode 100644
index 79410f493f..0000000000
Binary files a/windows/whats-new/images/wdatp.png and /dev/null differ
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 615251c635..3d11bd96e3 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -1,76 +1,67 @@
### YamlMime:Landing
-title: What's new in Windows # < 60 chars
-summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # < 160 chars
+title: What's new in Windows
+summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11.
metadata:
- title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
+ title: What's new in Windows
+ description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11.
services: windows-10
- ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.service: windows-10
ms.subservice: subservice
- ms.topic: landing-page # Required
+ ms.topic: landing-page
ms.collection:
- windows-10
- highpri
author: aczechowski
ms.author: aaroncz
manager: dougeby
- ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
+ ms.date: 06/03/2022
localization_priority: medium
-
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
- # Card (optional)
- title: Windows 11
linkLists:
- linkListType: overview
links:
- text: Windows 11 overview
- url: windows-11-overview.md
+ url: windows-11-overview.md
- text: Windows 11 requirements
url: windows-11-requirements.md
- - text: Plan for Windows 11
+ - text: Plan for Windows 11
url: windows-11-plan.md
- - text: Prepare for Windows 11
+ - text: Prepare for Windows 11
url: windows-11-prepare.md
- title: Windows 10
linkLists:
- linkListType: overview
links:
+ - text: What's new in Windows 10, version 21H2
+ url: whats-new-windows-10-version-21h2.md
- text: What's new in Windows 10, version 21H1
- url: whats-new-windows-10-version-21h1.md
+ url: whats-new-windows-10-version-21h1.md
- text: What's new in Windows 10, version 20H2
- url: whats-new-windows-10-version-20H2.md
- - text: What's new in Windows 10, version 2004
- url: whats-new-windows-10-version-2004.md
- - text: What's new in Windows 10, version 1909
- url: whats-new-windows-10-version-1909.md
- - text: What's new in Windows 10, version 1903
- url: whats-new-windows-10-version-1903.md
+ url: whats-new-windows-10-version-20h2.md
-
- # Card (optional)
- title: Learn more
linkLists:
- linkListType: overview
links:
- - text: Windows release information
- url: /windows/release-health/release-information
+ - text: Windows 11 release information
+ url: /windows/release-health/windows11-release-information
- text: Windows release health dashboard
- url: /windows/release-information/
- - text: Windows update history
- url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
- - text: Windows 10 features we’re no longer developing
+ url: /windows/release-health/
+ - text: Windows 11 update history
+ url: https://support.microsoft.com/topic/windows-11-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9
+ - text: Windows 10 update history
+ url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
+ - text: Windows 10 features we're no longer developing
url: /windows/deployment/planning/windows-10-deprecated-features
- text: Features and functionality removed in Windows 10
url: /windows/deployment/planning/windows-10-removed-features
- text: Compare Windows 10 Editions
- url: https://go.microsoft.com/fwlink/p/?LinkId=690485
+ url: https://www.microsoft.com/windowsforbusiness/compare
- text: Windows 10 Enterprise LTSC
url: ltsc/index.md
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index dfb0df5731..5d691021f8 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -1,11 +1,7 @@
---
title: Windows 10 Enterprise LTSC
description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
@@ -30,9 +26,9 @@ This topic provides links to articles with information about what's new in each
## The Long-Term Servicing Channel (LTSC)
-The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (SAC) releases.
+The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases.
-| LTSC release | Equivalent SAC release | Availability date |
+| LTSC release | Equivalent GA Channel release | Availability date |
| --- | --- | --- |
| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index c1c29d8f63..6e75a1fb9f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -4,13 +4,9 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
-ms.localizationpriority: low
+ms.localizationpriority: medium
ms.topic: article
---
@@ -21,9 +17,6 @@ ms.topic: article
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
-> [!NOTE]
-> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
-
## Deployment
### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 354488f563..7ee18df927 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -4,11 +4,7 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.localizationpriority: low
ms.topic: article
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 40a615660a..034ffc1f83 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -4,12 +4,9 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
-ms.localizationpriority: low
+ms.localizationpriority: medium
ms.topic: article
---
@@ -21,22 +18,23 @@ ms.topic: article
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
>[!NOTE]
->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
+>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
-- Advanced protection against modern security threats
+
+- Advanced protection against modern security threats
- Full flexibility of OS deployment
- Updating and support options
- Comprehensive device and app management and control capabilities
-The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
+The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below.
>[!IMPORTANT]
>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited.
## Microsoft Intune
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager.
## Security
@@ -46,37 +44,36 @@ This version of Windows 10 includes security improvements for threat protection,
#### Microsoft Defender for Endpoint
-The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
+The [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) platform includes multiple security pillars. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
-[  ](../images/wdatp.png#lightbox)
-
-##### Attack surface reduction
+##### Attack surface reduction
Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders).
-- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
+- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We've made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
-- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
+- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Select **Allow an app through Controlled folder access**. After the prompt, select the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
-###### Windows Defender Firewall
+###### Windows Defender Firewall
-Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
+Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This behavior was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
##### Windows Defender Device Guard
-[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including:
-- Software-based protection provided by code integrity policies
+[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including:
+
+- Software-based protection provided by code integrity policies
- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
-But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
+But these protections can also be configured separately. And, unlike HVCI, code integrity policies don't require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control).
-### Next-gen protection
+### Next-gen protection
-### Endpoint detection and response
+### Endpoint detection and response
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
-Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
+Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on:
@@ -98,9 +95,9 @@ We've [invested heavily in helping to protect against ransomware](https://blogs.
**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
-- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
+- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intelligence application, and create custom threat intelligence alerts for your organization.
-- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. You can use advanced hunting through the creation of custom detection rules.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
@@ -110,83 +107,77 @@ We've [invested heavily in helping to protect against ransomware](https://blogs.
**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
-- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
-- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+- [Take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+- [Take response actions on a file](/microsoft-365/security/defender-endpoint/respond-file-alerts) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
-Additional capabilities have been added to help you gain a holistic view on **investigations** include:
+Other capabilities have been added to help you gain a holistic view on **investigations** include:
-- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+- [Threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess the effect to their environment. They also provide recommended actions to contain, increase organizational resilience, and prevent specific threats.
-- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language)
-- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations)
-- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
+- [Investigate a user account](/microsoft-365/security/defender-endpoint/investigate-user) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
-- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
+- [Alert process tree](/microsoft-365/security/defender-endpoint/investigate-alerts) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
-- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
+- [Pull alerts using REST API](/microsoft-365/security/defender-endpoint/configure-siem) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
Other enhanced security features include:
-- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
+- [Check sensor health state](/microsoft-365/security/defender-endpoint/check-sensor-status) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
-- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+- [Managed security service provider (MSSP) support](/microsoft-365/security/defender-endpoint/mssp-support) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+- [Integration with Azure Defender](/microsoft-365/security/defender-endpoint/configure-server-endpoints#integration-with-microsoft-defender-for-cloud) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use Defender for Endpoint to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
+- [Integration with Microsoft Cloud App Security](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
-- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+- [Onboard Windows Server 2019](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-semi-annual-enterprise-channel-sac-windows-server-2019-and-windows-server-2022) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+- [Onboard previous versions of Windows](/microsoft-365/security/defender-endpoint/onboard-downlevel) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
-- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access)
-We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
+We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device's time isn't properly synced with our time servers and the time-syncing service is disabled, we'll provide the option for you to turn it back on.
-We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
+We're continuing to work on how other security apps you've installed show up in the **Windows Security** app. There's a new page called **Security providers** that you can find in the **Settings** section of the app. Select **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers' apps or get more information on how to resolve issues reported to you through **Windows Security**.
-This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
+This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
You can read more about ransomware mitigations and detection capability at:
-- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
+- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
+- [Microsoft Malware Protection Center blog](https://www.microsoft.com/security/blog/category/research/ransomware/)
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
-Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
-
+### Information protection
-### Information protection
-
-Improvements have been added to Windows Information Protection and BitLocker.
+Improvements have been added to Windows Information Protection and BitLocker.
#### Windows Information Protection
-Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
+Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection.
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure).
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs).
-This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
+This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive files on-demand for the enterprise](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-files-on-demand-for-the-enterprise/ba-p/117234).
### BitLocker
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup).
#### Silent enforcement on fixed drives
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
+Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (Azure AD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI.
-This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
-
-This feature will soon be enabled on Olympia Corp as an optional feature.
+This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others.
### Identity protection
@@ -194,50 +185,46 @@ Improvements have been added are to Windows Hello for Business and Credential Gu
#### Windows Hello for Business
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
+New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present.
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include:
+New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include:
-- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](/mem/intune).
-- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
+- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
-[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/index) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
-- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+- Windows Hello is now password-less on S-mode.
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
-- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
+- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
-- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider.
+
+- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off).
-- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off).
-
For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
#### Windows Defender Credential Guard
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
-> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
-For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
+For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations).
### Other security improvements
#### Windows security baselines
-Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-
-**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-
-The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
+Microsoft has released new [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10).
#### SMBLoris vulnerability
@@ -245,57 +232,52 @@ An issue, known as _SMBLoris_, which could result in denial of service, has been
#### Windows Security Center
-Windows Defender Security Center is now called **Windows Security Center**.
+Windows Defender Security Center is now called **Windows Security Center**.
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
+You can still get to the app in all the usual ways. Ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**.
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
+The WSC service now requires antivirus products to run as a protected process to register. Products that haven't yet implemented this functionality won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products.
-WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
+WSC now includes the Fluent Design System elements you know and love. You'll also notice we've adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**.
-
+:::image type="content" source="../images/defender.png" alt-text="Screenshot of the Windows Security Center.":::
-#### Group Policy Security Options
+#### Group policy security options
-The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+The security setting [**Interactive logon: Display user information when the session is locked**](/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+[**Interactive logon: Don't display username at sign-in**](/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign-in. It works with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
#### Windows 10 in S mode
-We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
+We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-> [!div class="mx-imgBorder"]
-> 
+:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows.":::
## Deployment
### MBR2GPT.EXE
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also run from the full Windows 10 operating system.
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
-Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
-For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
+For more information, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
### DISM
The following new DISM commands have been added to manage feature updates:
-- **DISM /Online /Initiate-OSUninstall**
- - Initiates an OS uninstall to take the computer back to the previous installation of windows.
+- `DISM /Online /Initiate-OSUninstall`: Initiates an OS uninstall to take the computer back to the previous installation of windows.
-- **DISM /Online /Remove-OSUninstall**
- - Removes the OS uninstall capability from the computer.
+- `DISM /Online /Remove-OSUninstall`: Removes the OS uninstall capability from the computer.
-- **DISM /Online /Get-OSUninstallWindow**
- - Displays the number of days after upgrade during which uninstall can be performed.
+- `DISM /Online /Get-OSUninstallWindow`: Displays the number of days after upgrade during which uninstall can be performed.
-- **DISM /Online /Set-OSUninstallWindow**
- - Sets the number of days after upgrade during which uninstall can be performed.
+- `DISM /Online /Set-OSUninstallWindow`: Sets the number of days after upgrade during which uninstall can be performed.
For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
@@ -303,129 +285,106 @@ For more information, see [DISM operating system uninstall command-line options]
You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
-Prerequisites:
+Prerequisites:
+
- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
- Windows 10 Enterprise or Pro
For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]`
-For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21).
+For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#postrollback).
New command-line switches are also available to control BitLocker:
-- **Setup.exe /BitLocker AlwaysSuspend**
- - Always suspend BitLocker during upgrade.
+- `Setup.exe /BitLocker AlwaysSuspend`: Always suspend BitLocker during upgrade.
-- **Setup.exe /BitLocker TryKeepActive**
- - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade.
+- `Setup.exe /BitLocker TryKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade.
-- **Setup.exe /BitLocker ForceKeepActive**
- - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade.
+- `Setup.exe /BitLocker ForceKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade.
-For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33).
+For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#bitlocker).
### Feature update improvements
-Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This change results in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/articles/were-listening-to-you/).
### SetupDiag
[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
-SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+SetupDiag works by searching Windows Setup log files. When it searches log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
## Sign-in
### Faster sign-in to a Windows 10 shared pc
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to quickly sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc).
-**To enable fast sign-in:**
+#### To enable fast sign-in
1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
-3. Sign-in to a shared PC with your account. You'll notice the difference!
+3. Sign-in to a shared PC with your account.
- 
+ :::image type="content" source="../images/fastsignin.png" alt-text="An animated image that demonstrates the fast sign-in feature.":::
### Web sign-in to Windows 10
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows sign-in support for non-ADFS federated providers (e.g.SAML).
-**To try out web sign-in:**
+#### Try out web sign-in
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
3. On the lock screen, select web sign-in under sign-in options.
-4. Click the “Sign in” button to continue.
-
+4. Select "Sign in" to continue.
-## Windows Analytics
+ :::image type="content" source="../images/websignin.png" alt-text="A screenshot of the Windows sign-in screen that highlights the web sign-in feature.":::
-### Upgrade Readiness
-
->[!IMPORTANT]
->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release.
-
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
-
-For more information about Upgrade Readiness, see the following topics:
-
-- [Windows Analytics blog](/archive/blogs/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
-
-Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-### Update Compliance
+## Update Compliance
Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates.
+
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor).
-
-### Device Health
-
-Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
-
-## Accessibility and Privacy
+## Accessibility and privacy
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
### Privacy
-In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app.
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app.
## Configuration
### Kiosk configuration
-The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download).
+The new chromium-based Microsoft Edge has many improvements targeted to kiosks. However, it's not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately. For more information, see [Download and deploy Microsoft Edge for business](https://www.microsoft.com/edge/business/download).
-Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
+Internet Explorer is included in Windows 10 LTSC releases as its feature set isn't changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
-If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel.
+If you wish to take advantage of [Kiosk capabilities in Microsoft Edge](/previous-versions/windows/edge-legacy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel.
### Co-management
-Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
-For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803).
+For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
### OS uninstall period
@@ -435,72 +394,70 @@ The OS uninstall period is a length of time that users are given when they can o
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-
### Windows Spotlight
-The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
+The following new group policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
- **Turn off the Windows Spotlight on Action Center**
- **Do not use diagnostic data for tailored experiences**
- **Turn off the Windows Welcome Experience**
-[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
+For more information, see [Configure Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
### Start and taskbar layout
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
+[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
-- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
+- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
## Windows Update
### Windows Insider for Business
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization - especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
-
### Optimize update delivery
-With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10 Enterprise LTSC 2019, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Configuration Manager. It's also supported with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+Delivery Optimization policies now enable you to configure other restrictions to have more control in various scenarios.
Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization).
+- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/do/waas-delivery-optimization-reference#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](/windows/deployment/do/waas-delivery-optimization-reference#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](/windows/deployment/do/waas-delivery-optimization-reference#minimum-peer-caching-content-file-size)
+
+For more information, see [Configure Delivery Optimization for Windows updates](/windows/deployment/do/waas-delivery-optimization).
### Uninstalled in-box apps no longer automatically reinstall
Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019.
+Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This behavior won't apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019.
## Management
### New MDM capabilities
-Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
+Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful group policy settings via MDM. For more information, see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
Some of the other new CSPs are:
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The dynamic management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
@@ -512,13 +469,11 @@ Some of the other new CSPs are:
- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
+For more information, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
-[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-
-Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
### Mobile application management support for Windows 10
@@ -528,13 +483,14 @@ For more info, see [Implement server-side support for mobile application managem
### MDM diagnostics
-In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as another tool to help support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, **New-AppVSequencerVM** and **Connect-AppvSequencerVM**. These cmdlets automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (`.appvt`) file, and letting you use PowerShell or group policy settings to automatically clean up your unpublished packages after a device restart.
+
+For more information, see the following articles:
-For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
@@ -544,16 +500,16 @@ For more info, see the following topics:
Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 10, version 1703 diagnostic data](/windows/privacy/windows-diagnostic-data-1703)
-### Group Policy spreadsheet
+### Group policy spreadsheet
-Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019.
+Learn about the new group policies that were added in Windows 10 Enterprise LTSC 2019.
-- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
+- [Group policy settings reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
-### Mixed Reality Apps
+### Mixed reality apps
This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality).
@@ -561,7 +517,7 @@ This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.wind
### Network stack
-Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
+Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core network stack features in the Creators Update for Windows 10](https://techcommunity.microsoft.com/t5/networking-blog/core-network-stack-features-in-the-creators-update-for-windows/ba-p/339676).
### Miracast over Infrastructure
@@ -569,47 +525,47 @@ In this version of Windows 10, Microsoft has extended the ability to send a Mira
#### How it works
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS and multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-#### Miracast over Infrastructure offers a number of benefits
+#### Miracast over Infrastructure offers many benefits
- Windows automatically detects when sending the video stream over this path is applicable.
- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
-- It leverages an existing connection that both reduces the time to connect and provides a very stable stream.
+- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct.
+- It uses an existing connection that reduces the time to connect and provides a stable stream.
#### Enabling Miracast over Infrastructure
-If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to make sure the following requirement exist within your deployment:
- The device (PC or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*.
- - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection. For example, using either WPA2-PSK or WPA2-Enterprise security. If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this configuration by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
> [!IMPORTANT]
-> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don't have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
## Registry editor improvements
-We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
+We added a dropdown that displays while you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
+:::image type="content" source="../images/regeditor.png" alt-text="Screenshot of Registry Editor showing list of path completion.":::
## Remote Desktop with Biometrics
Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
-To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
+To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and select **Connect**.
-- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
+- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials.
- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
@@ -619,6 +575,6 @@ See the following example:
-## See Also
+## See also
[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 1e10461eea..6faf817654 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -4,10 +4,7 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.localizationpriority: low
ms.topic: article
@@ -142,7 +139,7 @@ Windows Hello enhancements include:
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index e7ad13d805..8190b90e04 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,16 +1,14 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511).
-ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
ms.reviewer:
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
manager: dougeby
ms.author: aaroncz
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, versions 1507 and 1511 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 509b7d10a0..48342fd24c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,16 +1,14 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
description: What's new in Windows 10 for Windows 10 (version 1607).
-keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.reviewer:
author: aczechowski
manager: dougeby
ms.author: aaroncz
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1607 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index a62e914365..df0bb338ac 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,17 +1,14 @@
---
title: What's new in Windows 10, version 1703
description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
-keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: high
-ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
+ms.localizationpriority: medium
ms.reviewer:
author: aczechowski
manager: dougeby
ms.author: aaroncz
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1703 for IT Pros
@@ -44,8 +41,6 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-
### Windows Spotlight
@@ -232,7 +227,6 @@ Some of the other new CSPs are:
- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 905d4ff2dd..ad9ebb3782 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -1,16 +1,14 @@
---
title: What's new in Windows 10, version 1709
description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
-keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.reviewer:
author: aczechowski
manager: dougeby
ms.author: aaroncz
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1709 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index f2f4dc5964..d8903b9bbb 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -1,16 +1,14 @@
---
title: What's new in Windows 10, version 1803
description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.reviewer:
author: aczechowski
manager: dougeby
ms.author: aaroncz
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1803 for IT Pros
@@ -147,7 +145,7 @@ The OS uninstall period is a length of time that users are given when they can o
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 9ce31284cc..d14888637d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -2,15 +2,13 @@
title: What's new in Windows 10, version 1809
ms.reviewer:
description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
manager: dougeby
ms.author: aaroncz
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1809 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 35ed9f16c3..30dde72ade 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -1,16 +1,13 @@
---
title: What's new in Windows 10, version 1903
description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1903 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 3b33b31e96..7f89949678 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -1,16 +1,13 @@
---
title: What's new in Windows 10, version 1909
description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 1909 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 726580724f..a00b411668 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -1,16 +1,13 @@
---
title: What's new in Windows 10, version 2004
description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
-ms.localizationpriority: high
+ms.localizationpriority: medium
ms.topic: article
+ROBOTS: NOINDEX
---
# What's new in Windows 10, version 2004 for IT Pros
@@ -35,7 +32,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 436dc92f0d..b3f400dbeb 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -1,11 +1,7 @@
---
title: What's new in Windows 10, version 20H2
description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "October 2020 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 2fdba9bd26..f598d1913b 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -1,11 +1,7 @@
---
title: What's new in Windows 10, version 21H1
description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
-keywords: ["What's new in Windows 10", "Windows 10", "May 2021 Update"]
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index d536eb04eb..da72022d30 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -3,9 +3,6 @@ title: What's new in Windows 10, version 21H2 for IT pros
description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: mobile
ms.author: aaroncz
author: aczechowski
ms.localizationpriority: medium
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
index 2e6f2191f7..61a499904f 100644
--- a/windows/whats-new/windows-10-insider-preview.md
+++ b/windows/whats-new/windows-10-insider-preview.md
@@ -2,8 +2,6 @@
title: Documentation for Windows 10 Insider Preview (Windows 10)
description: Preliminary documentation for some Windows 10 features in Insider Preview.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: dansimp
ms.date: 04/14/2017
ms.reviewer:
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 623e6caba5..ec5cd6f23f 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -3,14 +3,10 @@ title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
-ms.audience: itpro
author: aczechowski
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
-audience: itpro
ms.topic: article
ms.collection: highpri
ms.custom: intro-overview
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 91a6d66855..7f67c4a774 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -1,10 +1,7 @@
---
title: Plan for Windows 11
description: Windows 11 deployment planning, IT Pro content.
-keywords: ["get started", "windows 11", "plan"]
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 262bf50024..532493e1e3 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -1,10 +1,7 @@
---
title: Prepare for Windows 11
description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
-keywords: ["get started", "windows 11"]
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 8384e85778..b2aef79c6d 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -2,14 +2,10 @@
title: Windows 11 requirements
description: Hardware requirements to deploy Windows 11
manager: dougeby
-ms.audience: itpro
author: aczechowski
ms.author: aaroncz
ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
-audience: itpro
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
+:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
-## Deployment and Provisioning
+## Deployment and provisioning
-With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
+With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
+- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
-- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
+- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
-- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
+You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
-You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+## Identity and authentication
-## Identity and Authentication
-
-You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
-- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.