diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index bb35b3f5fc..3d8a9d9f4d 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 - Apps
+title: Learn about the different app types in Windows 10 | Microsoft Docs
ms.reviewer:
manager: dansimp
description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps.
@@ -30,7 +30,7 @@ On your Windows 10 devices, you can run the following app types:
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. But, not all Windows apps are UWP apps.
- **Win32 apps**: These apps are traditional Windows applications.
-This article lists the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. If you use custom images, your specific apps might be different.
+This article lists the provisioned Windows apps and system apps installed on a standard Windows 10 Enterprise device. If you use custom images, your specific apps might be different.
Some of the apps show up in multiple areas. That's because their status changed between versions. Make sure to check the version column for the version you're currently running.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 9b9c05d03d..cdf909411f 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -40,6 +40,19 @@ manager: dansimp
+Steps to use this policy correctly:
+
+1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
+1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
+ 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
+ 1. The value can be between min / max allowed.
+1. Enroll HoloLens devices and verify both configurations get applied to the device.
+1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
+1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
+1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
+
+> [!NOTE]
+> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 9755457f60..7c0a2bd53f 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -295,7 +295,7 @@ SurfaceHub
The data type is boolean. Supported operation is Get and Replace.
**InBoxApps/Welcome/CurrentBackgroundPath**
-
Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
+
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace.
@@ -316,12 +316,12 @@ SurfaceHub
Invitations to collaborate from the Whiteboard app are not allowed.
The data type is boolean. Supported operation is Get and Replace.
-
+
**InBoxApps/Whiteboard/SigninDisabled**
Sign-ins from the Whiteboard app are not allowed.
The data type is boolean. Supported operation is Get and Replace.
-
+
**InBoxApps/Whiteboard/TelemeteryDisabled**
Telemetry collection from the Whiteboard app is not allowed.
@@ -571,7 +571,7 @@ SurfaceHub
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
The data type is boolean. Supported operation is Get and Replace.
-
+
**Properties/ProxyServers**
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 02c175e81b..5eec9e233a 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
@@ -316,7 +316,7 @@ On **MDT01**:
### For the HP EliteBook 8560w
-For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
+For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html).
In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 4250054f65..c1039d7404 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -32,7 +32,7 @@ The procedures in this guide use the following names and infrastructure.
For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
- All servers are running Windows Server 2019.
- You can use an earlier version of Windows Server with minor modifications to some procedures.
- - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide.
+ - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide.
- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation.
- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
- A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
@@ -147,21 +147,9 @@ Switch to **DC01** and perform the following procedures on **DC01**:
To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.
-To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+Copy the following list of OU names and paths into a CSV file and save it as `~\Setup\Scripts\oulist.csv`.
-```powershell
-$oulist = Import-csv -Path c:\oulist.txt
-ForEach($entry in $oulist){
- $ouname = $entry.ouname
- $oupath = $entry.oupath
- New-ADOrganizationalUnit -Name $ouname -Path $oupath
- Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
-}
-```
-
-Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
-
-```text
+```csv
OUName,OUPath
Contoso,"DC=CONTOSO,DC=COM"
Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
@@ -175,11 +163,20 @@ Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
```
-Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you are viewing file extensions and that you save the file with the `.ps1` extension.
+
+```powershell
+Import-CSV -Path $home\Setup\Scripts\oulist.csv | ForEach-Object {
+ New-ADOrganizationalUnit -Name $_.ouname -Path $_.oupath
+ Write-Host -ForegroundColor Green "OU $($_.ouname) is created in the location $($_.oupath)"
+}
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the `ou.ps1` script:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
-Set-Location C:\Setup\Scripts
+Set-Location $home\Setup\Scripts
.\ou.ps1
```
@@ -212,7 +209,7 @@ The final result of either method is shown below. The **MDT_BA** account will be
When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
+To create an MDT build account, open an elevated Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
```powershell
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
@@ -262,4 +259,4 @@ When you have completed all the steps in this section to prepare for deployment,
The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
-- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
\ No newline at end of file
+- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index ec30cea998..9b9c40977d 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -3716,7 +3716,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
Well-Known SID/RID |
-S-1-5-21-<domain>-1000 |
+S-1-5-21-<domain>-<variable RID> |
Type |
@@ -3760,4 +3760,4 @@ This security group was introduced in Windows Server 2012, and it has not chang
- [Special Identities](special-identities.md)
-- [Access Control Overview](access-control.md)
\ No newline at end of file
+- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 717d082664..476aed7683 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -82,6 +82,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
|-------------|---------|
| 0X80072F0C | Unknown |
| 0x80070057 | Invalid parameter or argument is passed. |
+| 0x80090010 | NTE_PERM |
| 0x80090020 | NTE\_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
@@ -110,4 +111,4 @@ For errors listed in this table, contact Microsoft Support for assistance.
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 3261c5f549..5bbb8174ec 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -14,12 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 11/29/2018
---
# Trusted Platform Module Technology Overview
**Applies to**
+- Windows 11
- Windows 10
- Windows Server 2016
- Windows Server 2019
@@ -28,7 +28,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
## Feature description
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
+[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
@@ -54,13 +54,13 @@ Certificates can be installed or created on computers that are using the TPM. Af
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and later editions or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## New and changed functionality
-For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module).
+For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
## Device health attestation
@@ -75,14 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
-| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 |
-|-------------|-------------|---------------------|---------------------|
-| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes |
-| TPM 2.0 | Yes | Yes | Yes |
+| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
+|-------------|-------------|-------------|---------------------|---------------------|
+| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
+| TPM 2.0 | Yes | Yes | Yes | Yes |
## Related topics
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 2a578d07ab..2ec5067168 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -45,7 +45,7 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for enterprise, Version 2104
- Microsoft Edge security baseline
- - Version 88
+ - Version 92
- Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update)
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 4df87c418a..be2c2f115a 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 08/16/2021
ms.technology: mde
---
@@ -35,7 +35,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
- A user-defined number of minutes from 0 through 99,999
- Not defined
-If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
+If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 5028f2de9f..15639fd8d3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 07/15/2021
+ms.date: 08/10/2021
ms.technology: mde
---
@@ -93,27 +93,86 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
```
-An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below.
+An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer.
```xml
-
-
+
+
+
+
-
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
```
-
### Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
@@ -214,3 +273,32 @@ Ea Value Length: 7e
## Enabling managed installer logging events
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
+
+## Deploying the Managed Installer rule collection
+
+Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it.
+
+1. Use the following command to deploy the policy.
+ ```powershell
+ $policyFile=
+ @"
+ Raw_AppLocker_Policy_XML
+ "@
+ Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
+ ```
+
+2. Verify Deployment of the ruleset was successful
+ ```powershell
+ Get-AppLockerPolicy -Local
+
+ Version RuleCollections RuleCollectionTypes
+ ------- --------------- -------------------
+ 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
+ ```
+ Verify the output shows the ManagedInstaller rule set.
+
+3. Get the policy XML (optional) using PowerShell:
+ ```powershell
+ Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
+ ```
+ This command will show the raw XML to verify the individual rules that were set.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index d409657e10..f85b75d3ad 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -24,15 +24,15 @@ ms.date:
- Windows 10
- Windows Server 2016 and above
-Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices:
+Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
- Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices
-Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
```xml
@@ -55,8 +55,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
-
-
@@ -315,7 +313,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
-
@@ -425,7 +422,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 5392e5253b..9ffbd067e1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -14,7 +14,7 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.date: 05/03/2018
+ms.date: 08/12/2021
ms.technology: mde
---
@@ -38,7 +38,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll**
```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
-$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
+$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 9ed555e0c8..78d50e3732 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 05/25/2017
+ms.date: 08/16/2021
ms.technology: mde
---
@@ -40,17 +40,15 @@ First, create the WMI filter and configure it to look for a specified version (o
1. Open the Group Policy Management console.
-2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**.
+2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then select **WMI Filters**.
-3. Click **Action**, and then click **New**.
+3. Select **Action**, and then select **New**.
-4. In the **Name** text box, type the name of the WMI filter.
-
- >**Note:** Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
+4. In the **Name** text box, type the name of the WMI filter. Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description.
-6. Click **Add**.
+6. Select **Add**.
7. Leave the **Namespace** value set to **root\\CIMv2**.
@@ -66,7 +64,7 @@ First, create the WMI filter and configure it to look for a specified version (o
... where Version like "6.1%" or Version like "6.2%"
```
- To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
+ To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
The following clause returns **true** for all devices that are not domain controllers:
@@ -92,9 +90,9 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"
```
-9. Click **OK** to save the query to the filter.
+9. Select **OK** to save the query to the filter.
-10. Click **Save** to save your completed filter.
+10. Select **Save** to save your completed filter.
> [!NOTE]
> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied.
@@ -105,8 +103,8 @@ After you have created a filter with the correct query, link the filter to the G
1. Open the Group Policy Management console.
-2. In the navigation pane, find and then click the GPO that you want to modify.
+2. In the navigation pane, find and then select the GPO that you want to modify.
3. Under **WMI Filtering**, select the correct WMI filter from the list.
-4. Click **Yes** to accept the filter.
\ No newline at end of file
+4. Select **Yes** to accept the filter.
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 5af0900b7e..2aebecdb11 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
-ms.date: 06/24/2021
+ms.date: 08/18/2021
ms.reviewer:
manager: laurawi
ms.localizationpriority: high
@@ -39,7 +39,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o
As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible.
-Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.
+Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.
Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions.