Merge branch 'master' into Ashok-Lobo-5388078

2025-05-12 21:37:22 +00:00 · 2021-09-17 14:26:15 +05:30 · 2021-09-17 14:26:15 +05:30 · 474ecb4e73
commit 474ecb4e73
parent 4b6ad246f2 ca38e82361
17 changed files with 272 additions and 129 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1,7 +1,7 @@
 {
  "redirections": [
    {
-      "source_path": "windows/configuration/customize-the-start-menu-layout-on-windows-11.md",
+      "source_path": "windows/configuration/use-json-customize-start-menu-windows.md",
      "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11",
      "redirect_document_id": false  
    },
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@ -27,6 +27,9 @@ manager: dansimp
  <dd>
    <a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a>
  </dd>
  <dd>
    <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
  </dd>
@ -50,28 +53,34 @@ manager: dansimp
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
@ -120,28 +129,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
@ -183,34 +198,124 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmconfiguration"></a>**Kerberos/PKInitHashAlgorithmConfiguration**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Edition</th>
    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
 If you enable this policy, you will be able to configure one of four states for each algorithm:
 * **Default**: This sets the algorithm to the recommended state.
 * **Supported**: This enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 * **Audited**: This enables usage of the algorithm and reports an event (ID 205) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
 * **Not Supported**: This disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 If you disable or do not configure this policy, each algorithm will assume the **Default** state.
 More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**  
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -233,7 +338,8 @@ Warning: When a domain does not support Kerberos armoring by enabling "Support D
 If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. 
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. 
+> [!NOTE]
 > The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. 
 If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
@ -263,28 +369,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -333,28 +445,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
@ -379,7 +497,8 @@ If you enable this policy setting, the Kerberos client or server uses the config
 If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. 
-Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> [!NOTE]
 > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
 <!--/Description-->
 > [!TIP]
@ -407,28 +526,34 @@ ADMX Info:
 <!--SupportedSKUs-->
 <table>
 <tr>
-    <th>Windows Edition</th>
+    <th>Edition</th>
-    <th>Supported?</th>
+    <th>Windows 10</th>
    <th>Windows 11</th>
 </tr>
 <tr>
    <td>Home</td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
-    <td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+     <td>Yes</td>
     <td>Yes</td>
 </tr>
 </table>
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@ -1,6 +1,6 @@
 ---
 title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
-description: Export start layout to LayoutModification.json that includes pinned apps. Add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
+description: Export Start layout to LayoutModification.json with pinned apps, add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
 ms.assetid: 
 manager: dougeby
 ms.author: mandia
@ -10,7 +10,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobile
 author: MandiOhlinger
-ms.date: 09/13/2021
+ms.date: 09/14/2021
 ms.localizationpriority: medium
 ---
@ -42,7 +42,7 @@ This article shows you how to export an existing Start menu layout, and use the
  - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
  - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
-## Start menu features and sections
+## Start menu features and areas
 In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. There aren't folders, groups, or different-sized app icons:
@ -50,11 +50,11 @@ In Windows 11, the Start menu is redesigned with a simplified set of apps that a
 Start has the following areas:
- **Pinned**: This area shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default.
+- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default.
  This article shows you how to use the **ConfigureStartPins** policy.
- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a new policy available in Windows 11.
+- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a policy to configure the "Most used" section at the top of the all apps list.
 - **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. To prevent files from showing in this section, you can use the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists). This CSP also hides recent files that show from the taskbar.
  You can use an MDM provider, like Microsoft Intune, to manage the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) on your devices. For more information on the Start menu settings you can configure in a Microsoft Intune policy, see [Windows 10 (and later) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
@ -74,7 +74,7 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
 1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder.
 2. On a Windows 11 device, open the Windows PowerShell app.
-3. Run the following cmdletBe sure to name the file `LayoutModification.json`.
+3. Run the following cmdlet. Name the file `LayoutModification.json`.
    ```powershell
    Export-StartLayout -Path "C:\Layouts\LayoutModification.json" 
@ -83,7 +83,7 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
 ### Get the pinnedList JSON
 1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json).
-2. In the file, you see the `pinnedList` section. This section includes all the apps that are pinned. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
+2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
    In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned:
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@ -43,7 +43,7 @@ Domain-joined device certificate authentication has the following requirements:
 -   All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
    -   KDC EKU present
    -   DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-   Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+-   Windows devices have the CA issuing the domain controller certificates in the enterprise store.
 -   A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
 #### Deploying domain-joined device certificates
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@ -1,6 +1,6 @@
 ---
-title: Advice while using Windows Defender Credential Guard (Windows 10)
+title: Advice while using Windows Defender Credential Guard (Windows)
-description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
+description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Considerations when using Windows Defender Credential Guard
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
@ -79,7 +81,7 @@ If you must clear the TPM on a domain-joined device without connectivity to doma
 Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
-|Credential Type | Windows 10 version | Behavior
+|Credential Type | Windows version | Behavior
 |---|---|---|
 | Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
 | Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@ -20,18 +20,20 @@ ms.reviewer:
 **Applies to**  
 - Windows 10
 - Windows 11
 - Windows Server 2016
 - Windows Server 2019
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
 When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
 ![Windows Defender Credential Guard overview.](images/credguard.png)  
@ -39,4 +41,4 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
 **Related videos**
-[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
+[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard - Known issues (Windows 10)
+title: Windows Defender Credential Guard - Known issues (Windows)
-description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise
+description: Windows Defender Credential Guard - Known issues in Windows Enterprise
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,9 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard: Known issues 
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
-   Windows Server 2019
+- Windows Server 2016
 - Windows Server 2019
 Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). 
@ -51,12 +52,12 @@ The following known issue has been fixed in the [Cumulative Security Update for
 The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
     This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
    This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
@ -69,30 +70,30 @@ The following known issues have been fixed by servicing releases made available
 The following issue affects the Java GSS API. See the following Oracle bug database article: 
- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+- [JDK-8161921: Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+When Windows Defender Credential Guard is enabled on Windows, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
 The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
+- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
 *Registration required to access this article. 
 The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
+- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
 The following issue affects AppSense Environment Manager.
  For further information, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
+- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
 The following issue affects Citrix applications:
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
+- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
-<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
+<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016 or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows](https://support.microsoft.com/help/4032786)
 For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
@ -107,21 +108,21 @@ See the following article on Citrix support for Secure Boot:
 Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
+- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see:
-  [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+  [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see:
-  [Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+  [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
+- For Windows Defender Credential Guard on Windows with VMWare Workstation
-  [Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+  [Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad
-  [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+  [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
+- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection
-  [Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+  [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
-  This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard. 
+  This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. 
  Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@ -1,5 +1,5 @@
 ---
-title: Manage Windows Defender Credential Guard (Windows 10)
+title: Manage Windows Defender Credential Guard (Windows)
 description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
 ms.prod: w10
 ms.mktglfcycl: explore
@ -21,8 +21,9 @@ ms.custom:
 # Manage Windows Defender Credential Guard
 **Applies to**
-   Windows 10 Enterprise or Education SKUs
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard protection limits & mitigations (Windows 10)
+title: Windows Defender Credential Guard protection limits & mitigations (Windows)
-description: Scenarios not protected by Windows Defender Credential Guard in Windows 10, and additional mitigations you can use.
+description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard protection limits and mitigations
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 in the Deep Dive into Windows Defender Credential Guard video series.
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@ -1,6 +1,6 @@
 ---
-title: Windows Defender Credential Guard protection limits (Windows 10)
+title: Windows Defender Credential Guard protection limits (Windows)
-description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows 10. Learn more with this guide.
+description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -19,8 +19,10 @@ ms.reviewer:
 # Windows Defender Credential Guard protection limits
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@ -1,5 +1,5 @@
 ---
-title: Windows Defender Credential Guard Requirements (Windows 10)
+title: Windows Defender Credential Guard Requirements (Windows)
 description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
 ms.prod: w10
 ms.mktglfcycl: explore
@ -20,8 +20,10 @@ ms.reviewer:
 ## Applies to
- Windows 10 Enterprise
+- Windows 10
- Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
@ -102,7 +104,7 @@ The following tables describe baseline protections, plus protections for improve
 |Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: </br> - Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
+|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
 > [!IMPORTANT]
 > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@ -1,6 +1,6 @@
 ---
-title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
+title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
-description:  Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows 10.
+description:  Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@ -1,5 +1,5 @@
 ---
-title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
+title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
 description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.reviewer: 
@ -20,8 +20,10 @@ ms.date: 08/17/2017
 # Protect derived domain credentials with Windows Defender Credential Guard
 **Applies to**
-   Windows 10
+- Windows 10
-   Windows Server 2016
+- Windows 11
 - Windows Server 2016
 - Windows Server 2019
 Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@ -18,7 +18,10 @@ ms.reviewer:
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 **Applies to:**
- Windows 10 Enterprise Edition
+- Windows 10
 - Windows 11
 - Windows Server 2016
 - Windows Server 2019
 ```powershell
 # Script to find out if a machine is Device Guard compliant.
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@ -21,13 +21,12 @@ ms.reviewer:
 -   Windows 10
 -   Windows 11
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots)
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
 Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
-This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
+This feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
 For Thunderbolt DMA protection on earlier Windows versions and platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
 ## Background
@ -36,19 +35,19 @@ The DMA capability is what makes PCI devices the highest performing devices avai
 These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. 
 Access to these devices required the user to turn off power to the system and disassemble the chassis. 
-Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress). 
+Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). 
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs. 
+Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. 
 It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. 
 Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
 Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC. 
-A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
+A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
 ## How Windows protects against DMA drive-by attacks
 Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). 
-Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. 
+Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. 
 By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies).
@ -62,7 +61,7 @@ The peripheral will continue to function normally if the user locks the screen o
 ## System compatibility
 Kernel DMA Protection requires new UEFI firmware support. 
-This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
+This support is anticipated only on newly introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
 To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32). 
 Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
@ -111,8 +110,8 @@ In-market systems, released with Windows 10 version 1709 or earlier, will not su
 No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 
 ### How can I check if a certain driver supports DMA-remapping?
-DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
+DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
-Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
+Check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 ![Kernel DMA protection user experience.](images/device_details_tab_1903.png)
@ -120,9 +119,9 @@ Please check the driver instance for the device you are testing. Some drivers ma
 ![Kernel DMA protection user experience.](images/device-details-tab.png)
-### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
-If the peripherals do have class drivers provided by Windows, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
+If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 ### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
@ -131,13 +130,13 @@ Yes. DMA remapping for a specific device can be turned on independent from Kerne
 Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
 ### Do Microsoft drivers support DMA-remapping?
-In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.
+In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
 ### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
 No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping.
 ### How can an enterprise enable the External device enumeration policy?
-The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
+The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
 The policy can be enabled by using: 
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@ -46,7 +46,7 @@ The Security Compliance Toolkit consists of:
    - Microsoft 365 Apps for enterprise, Version 2104
 - Microsoft Edge security baseline
-    - Version 92
+    - Version 93
 - Windows Update security baseline
    - Windows 10 20H2 and below (October 2020 Update)
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@ -40,6 +40,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - bash.exe
 - bginfo.exe<sup>1</sup>
 - cdb.exe
 - cscript.exe
 - csi.exe
 - dbghost.exe
 - dbgsvc.exe
@ -69,6 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - wfc.exe
 - windbg.exe
 - wmic.exe
 - wscript.exe
 - wsl.exe
 - wslconfig.exe
 - wslhost.exe
@ -149,7 +151,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
  <Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0"/> 
  <Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
  <Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535"/>
-  <Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion = "10.0.0.0" />
  <Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0"/> 
  <Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0"/>
  <Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535"/> 
@ -179,7 +181,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
  <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
  <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
-  <Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe"  FileName="wscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe"  FileName="wscript.exe" MinimumFileVersion = "10.0.0.0" />
  <Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535"/> 
  <Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>