diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4eca196e15..63c9c6aa24 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -16,7 +16,10 @@ ms.topic: article
# Windows Update for Business deployment service
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
@@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST
To work with the deployment service, devices must meet all these requirements:
-- Be running Windows 10, version 1709 or later
+- Be running Windows 10, version 1709 or later (or Windows 11)
- Be joined to Azure Active Directory (AD) or Hybrid AD
-- Have one of the following Windows 10 editions installed:
- - Windows 10 Pro
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
+- Have one of the following Windows 10 or Windows 11 editions installed:
+ - Pro
+ - Enterprise
+ - Education
+ - Pro Education
+ - Pro for Workstations
Additionally, your organization must have one of the following subscriptions:
-- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
-- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
+- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
+- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
@@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform,
### Using Microsoft Endpoint Manager
-Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
+Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
### Scripting common actions using PowerShell
@@ -141,18 +144,27 @@ To enroll devices in Windows Update for Business cloud processing, set the **All
Following is an example of setting the policy using Microsoft Endpoint Manager:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
2. Select **Devices** > **Configuration profiles** > **Create profile**.
+
3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
+
4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
+
5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- Data type: **Integer**
- Value: **8**
+
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
+
7. In **Review + create**, review your settings, and then select **Create**.
-8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
+
+8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
+
+ **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**
## Best practices
Follow these suggestions for the best results with the service.
@@ -160,6 +172,7 @@ Follow these suggestions for the best results with the service.
### Device onboarding
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
+
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
### General
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 735acd6e97..eb28dce097 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -12,9 +12,14 @@ ms.topic: article
# Safeguard holds
-Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+**Applies to**
-Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
+- Windows 10
+- Windows 11
+
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+
+Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index 9995f497a4..22c00f87cc 100644
--- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -1,5 +1,5 @@
---
-title: Add Production Devices to the Membership Group for a Zone (Windows 10)
+title: Add Production Devices to the Membership Group for a Zone (Windows)
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index 30d809e60c..14eaf54184 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -1,5 +1,5 @@
---
-title: Add Test Devices to the Membership Group for a Zone (Windows 10)
+title: Add Test Devices to the Membership Group for a Zone (Windows)
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 0345da06fe..7a8c114351 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -1,5 +1,5 @@
---
-title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
+title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 08a9798526..2fe271c315 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -1,5 +1,5 @@
---
-title: Assign Security Group Filters to the GPO (Windows 10)
+title: Assign Security Group Filters to the GPO (Windows)
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/02/2019
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 76378c3a0f..0eda99ff36 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Basic Firewall Policy Design (Windows 10)
+title: Basic Firewall Policy Design (Windows)
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.reviewer:
@@ -20,8 +20,9 @@ ms.technology: mde
# Basic Firewall Policy Design
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
@@ -37,7 +38,7 @@ Many network administrators do not want to tackle the difficult task of determin
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
-- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
+- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index 5819f886fd..fde3e3850b 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -20,9 +20,10 @@ ms.technology: mde
**Applies to**
-- Windows operating systems including Windows 10
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
-- Windows Server Operating Systems
Windows Defender Firewall with Advanced Security provides host-based, two-way
network traffic filtering and blocks unauthorized network traffic flowing into
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 50e2f66e16..d17a0d6cac 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -1,5 +1,5 @@
---
-title: Boundary Zone GPOs (Windows 10)
+title: Boundary Zone GPOs (Windows)
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 37d7edb647..9c0d1186eb 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -1,5 +1,5 @@
---
-title: Boundary Zone (Windows 10)
+title: Boundary Zone (Windows)
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,15 +22,16 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
-In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
+In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
-The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
+The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it.
-Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
+These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision.
@@ -38,7 +39,7 @@ The goal of this process is to determine whether the risk of adding a device to
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
-Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
+ [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group.
## GPO settings for boundary zone servers running at least Windows Server 2008
@@ -49,13 +50,13 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i
1. Exempt all ICMP traffic from IPsec.
- 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
+ 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
- 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems..
+ 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
- 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
+ 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
- The following connection security rules:
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 1b369d6c5e..be336a726b 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -1,5 +1,5 @@
---
-title: Certificate-based Isolation Policy Design Example (Windows 10)
+title: Certificate-based Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 7c427d50e7..a59ba99025 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Certificate-based Isolation Policy Design (Windows 10)
+title: Certificate-based Isolation Policy Design (Windows)
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index cbea6cabc0..eb09b78b9f 100644
--- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -1,5 +1,5 @@
---
-title: Change Rules from Request to Require Mode (Windows 10)
+title: Change Rules from Request to Require Mode (Windows)
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index a3164b6f45..ec2429b56d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Basic Firewall Settings (Windows 10)
+title: Checklist Configuring Basic Firewall Settings (Windows)
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 2ecb358ade..5e8cd7d149 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
+title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index c07a12c977..c464183424 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10)
+title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index e10ef7fc18..2a908f4267 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
+title: Checklist Configuring Rules for the Boundary Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 180c4f2168..fc6329d478 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
+title: Checklist Configuring Rules for the Encryption Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 2bccefd09c..2a0fe73601 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -1,5 +1,5 @@
---
-title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
+title: Checklist Configuring Rules for the Isolated Domain (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index d2ba4b5a27..b5113224e7 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -1,5 +1,5 @@
---
-title: Checklist Creating Group Policy Objects (Windows 10)
+title: Checklist Creating Group Policy Objects (Windows)
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
@@ -30,7 +31,7 @@ The checklists for firewall, domain isolation, and server isolation include a li
## About membership groups
-For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
+For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
## About exclusion groups
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index 834016bd7b..53822035a9 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -1,5 +1,5 @@
---
-title: Checklist Creating Inbound Firewall Rules (Windows 10)
+title: Checklist Creating Inbound Firewall Rules (Windows)
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for creating firewall rules in your GPOs.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index b20cb735f9..445f1e1eda 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -1,5 +1,5 @@
---
-title: Checklist Creating Outbound Firewall Rules (Windows 10)
+title: Checklist Creating Outbound Firewall Rules (Windows)
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for creating outbound firewall rules in your GPOs.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index 4a4c525867..d57f7d5a5d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -1,5 +1,5 @@
---
-title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10)
+title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 1aa6060a8c..1d50c40f3d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
+title: Checklist Implementing a Basic Firewall Policy Design (Windows)
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
@@ -35,7 +36,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co
| Task | Reference |
| - | - |
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
-| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
+| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|
| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)|
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 52c11e99ed..1166334bca 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
+title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 1261adcbb9..cf988d2a7d 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
+title: Checklist Implementing a Domain Isolation Policy Design (Windows)
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index 1d53748cc1..b571f7dce4 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -1,5 +1,5 @@
---
-title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
+title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index e6fd6b4090..1841e7d9f5 100644
--- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -1,5 +1,5 @@
---
-title: Configure Authentication Methods (Windows 10)
+title: Configure Authentication Methods (Windows)
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 41b2b78f6c..2ef49bcb9e 100644
--- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -1,5 +1,5 @@
---
-title: Configure Data Protection (Quick Mode) Settings (Windows 10)
+title: Configure Data Protection (Quick Mode) Settings (Windows)
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index cfc3364fe7..064de062cf 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,5 +1,5 @@
---
-title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
+title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index f1b75a3291..3164f07dea 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,5 +1,5 @@
---
-title: Configure Key Exchange (Main Mode) Settings (Windows 10)
+title: Configure Key Exchange (Main Mode) Settings (Windows)
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 561ea0f380..e3d4f8f8b6 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,5 +1,5 @@
---
-title: Configure the Rules to Require Encryption (Windows 10)
+title: Configure the Rules to Require Encryption (Windows)
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 4c82249ccd..a4a7b01573 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,5 +1,5 @@
---
-title: Configure the Windows Defender Firewall Log (Windows 10)
+title: Configure the Windows Defender Firewall Log (Windows)
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 7ff2117797..58fdd2dd8a 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,5 +1,5 @@
---
-title: Configure the Workstation Authentication Template (Windows 10)
+title: Configure the Workstation Authentication Template (Windows)
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
-ms.date: 07/30/2018
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -19,7 +19,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
index 200675b11a..ee29ef81e8 100644
--- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10)
+title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 8af8ad2d89..6e1c2f5c0b 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,5 +1,5 @@
---
-title: Confirm That Certificates Are Deployed Correctly (Windows 10)
+title: Confirm That Certificates Are Deployed Correctly (Windows)
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index 4020fab006..ac157cc912 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,5 +1,5 @@
---
-title: Copy a GPO to Create a New GPO (Windows 10)
+title: Copy a GPO to Create a New GPO (Windows)
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
@@ -56,4 +57,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr
12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
-13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
+13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 3511ad7f7f..844bf1db69 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,5 +1,5 @@
---
-title: Create a Group Account in Active Directory (Windows 10)
+title: Create a Group Account in Active Directory (Windows)
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index e6e1e18867..b7b3944df5 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -1,5 +1,5 @@
---
-title: Create a Group Policy Object (Windows 10)
+title: Create a Group Policy Object (Windows)
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 35cb8d066a..c28612d61c 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -1,5 +1,5 @@
---
-title: Create an Authentication Exemption List Rule (Windows 10)
+title: Create an Authentication Exemption List Rule (Windows)
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index 43156e1bc5..b3a12b2ba9 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -1,5 +1,5 @@
---
-title: Create an Authentication Request Rule (Windows 10)
+title: Create an Authentication Request Rule (Windows)
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to:**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index c56953f28c..53f49581bd 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,5 +1,5 @@
---
-title: Create an Inbound ICMP Rule (Windows 10)
+title: Create an Inbound ICMP Rule (Windows)
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
ms.reviewer:
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/17/2017
+ms.date: 09/07/2021
ms.technology: mde
---
@@ -22,7 +22,8 @@ ms.technology: mde
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.