From 866f0b1d4c788f9ec7ba0f5117835ad725b5ebec Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 2 Feb 2023 11:42:56 -0800 Subject: [PATCH 01/11] Added warnings for applocker event volumes and script enforcement on server 2016 --- .../applocker/using-event-viewer-with-applocker.md | 13 ++++++++----- ...orized-apps-deployed-with-a-managed-installer.md | 5 ++++- .../design/script-enforcement.md | 11 ++++++++--- .../operations/known-issues.md | 7 +++---- 4 files changed, 23 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 4c9e95f7c1..ed7b6721dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -1,6 +1,6 @@ --- title: Using Event Viewer with AppLocker (Windows) -description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. +description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 ms.reviewer: ms.author: vinpa @@ -14,7 +14,7 @@ manager: aaroncz audience: ITPro ms.topic: conceptual ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 02/02/2023 --- # Using Event Viewer with AppLocker 
@@ -28,7 +28,7 @@ ms.date: 12/31/2017 >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. +This article lists AppLocker events and describes how to use Event Viewer with AppLocker. The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: @@ -43,10 +43,13 @@ Review the entries in the Event Viewer to determine if any applications aren't i For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). +> [!NOTE] +> The AppLocker event logs are very verbose and can result in a large number of events depending on the policies deployed, particularly in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether. + **To review the AppLocker log in Event Viewer** 1. Open Event Viewer. -2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. 
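Review bot: The new NOTE in using-event-viewer-with-applocker.md tells readers to configure their collector "to only collect Error events" from the *AppLocker - EXE and DLL* log, but the event table in this same article shows that audit-mode results are Warnings (8003, "was allowed to run but would have been prevented from running if the AppLocker policy was enforced"), so an Error-only filter would drop exactly the events an admin needs while tuning a policy in **Audit only** mode. Suggest qualifying the advice, for example: "If you're still in Audit only mode, keep Warning events; once you're enforcing, consider collecting only Error events or stop collecting from that log." Also, the product name is "Log Analytics" (two words), not "LogAnalytics".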
@@ -83,7 +86,7 @@ The following table contains information about the events that you can use to de | 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.| -## Related topics +## Related articles - [Tools to use with AppLocker](tools-to-use-with-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index c15b97399b..2b03d8a6f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -13,7 +13,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/26/2022 +ms.date: 02/02/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -62,6 +62,9 @@ To turn on managed installer tracking, you must: - Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs. - Enable AppLocker's Application Identity and AppLockerFltr services. +> [!NOTE] +> The managed installer AppLocker policy below is designed to be safely merged with any pre-existing AppLocker policies and won't change the behavior of those policies. However, if applied on a device that doesn't currently have any AppLocker policy, you will see a large increase in warning events generated in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether. + > [!NOTE] > MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index 2414d5dd4e..29174ef291 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md 
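Review bot: The NOTE added to configure-authorized-apps-deployed-with-a-managed-installer.md says you "will see a large increase in warning events" on a device with no prior AppLocker policy but never says why or which event IDs to expect, which is what a reader needs in order to tune a collector rule safely; one sentence naming the cause and the event ID(s) would make the warning actionable. The Log Analytics sentence is also a verbatim copy of the NOTE added to using-event-viewer-with-applocker.md in this same patch; a link to that article would avoid maintaining identical guidance in two places. As there, "LogAnalytics" should be "Log Analytics".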
@@ -9,7 +9,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 11/02/2022 +ms.date: 02/02/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium 
@@ -26,13 +26,18 @@ ms.localizationpriority: medium > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!IMPORTANT] +> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** and should not be used on that platform. Doing so may result in unexpected script enforcement behaviors. + ## Script enforcement overview By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device. +Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and be allowed by your WDAC policy. This behavior is different from WDAC validation for executable files, which doesn't require installation of the root certificate. + WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. 
For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log). -> [!IMPORTANT] +> [!NOTE] > When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. > > Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly. @@ -43,7 +48,7 @@ WDAC shares the *AppLocker - MSI and Script* event log for all script enforcemen All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights. -Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that do not specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load. +Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that don't specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load. Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode. 
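Review bot: In script-enforcement.md, the new IMPORTANT says using option **11 Disabled:Script Enforcement** on Windows Server 2016 "may result in unexpected script enforcement behaviors" without saying what those behaviors are; readers deciding whether an existing policy is affected need to know whether scripts end up blocked, run unrestricted, or something else, so please state the observed effect. Two further points on this region: the new WinVerifyTrust paragraph would benefit from spelling out the practical consequence, which this article already implies, that a signed script whose root certificate isn't in the device's trusted root store fails validation and therefore runs in Constrained Language Mode even though a comparable signed executable would be allowed; and the downgrade of the "blocked" events callout from IMPORTANT to NOTE seems backwards, since telling incident responders that an event labeled "blocked" may not mean the script was actually blocked is precisely the kind of caveat the IMPORTANT level exists for.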
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 9a7322339f..a5642a032c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -9,7 +9,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 07/01/2022 +ms.date: 02/02/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -19,7 +19,6 @@ ms.localizationpriority: medium **Applies to:** - - Windows 10 - Windows 11 - Windows Server 2016 and above 
@@ -27,11 +26,11 @@ ms.localizationpriority: medium > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. +This article covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. ## Managed Installer and ISG will cause garrulous events -When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy. +When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. ## .NET native images may generate false positive block events From 43f1d1c26f0e3977e6b5db1077a3c514602ecd51 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Thu, 2 Feb 2023 13:51:18 -0600 Subject: [PATCH 02/11] More changes --- ...topatch-windows-feature-update-overview.md | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) 
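Review bot: In known-issues.md, the heading "Managed Installer and ISG will cause garrulous events" is an odd word choice for a doc title; "noisy" or "verbose" would read better and would match the "verbose channel" wording in the paragraph below it. The rewritten sentence is clearer, but naming the specific update (and, if the 3091/3092 events now land in the Verbose channel of the *Code Integrity* operational log, saying so explicitly) would let readers confirm they have the change. Separately, the removal of the blank line after `**Applies to:**` is unrelated to this commit's stated purpose (AppLocker event volume and Server 2016 script enforcement); if it was accidental, drop it to keep the diff focused.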
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index fb5db5fcd8..99ba4fc377 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 02/01/2023 +ms.date: 02/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
@@ -14,10 +14,12 @@ msreviewer: andredm7 # Windows feature updates -Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates: +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. -- Keep Windows devices protected against behavioral issues. -- Provide new features to boost end-user productivity. +Windows feature updates consist of: + +- Keeping Windows devices protected against behavioral issues. +- Providing new features to boost end-user productivity. Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. @@ -86,6 +88,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > [!NOTE] > Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+### Pause statuses + +There are two statuses: **Service Paused** and **Customer Paused**. + +| Status | Description | +| ----- | ------ | +| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. | +| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. | + +> [!IMPORTANT] +> Service pause is only available for [Windows Quality Updates](windows-autopatch-windows-quality-update-overview.md). Windows Autopatch does not pause Windows Feature Updates on behalf of your organization. + ## Rollback Windows Autopatch doesn’t support the rollback of Windows Feature updates. From ddcc4053f952838416d49759c181bde15f847940 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 2 Feb 2023 12:04:06 -0800 Subject: [PATCH 03/11] Update windows-autopatch-windows-feature-update-overview.md --- ...topatch-windows-feature-update-overview.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 99ba4fc377..922597bb73 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md 
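Review bot: Two problems in the windows-autopatch-windows-feature-update-overview.md hunks. First, "Windows feature updates consist of: Keeping Windows devices protected against behavioral issues" is semantically off, since feature updates don't consist of keeping devices protected; these are the goals of applying them, so the earlier lead-in "Windows feature updates:" followed by "Keep ..." / "Provide ..." (or "Windows feature updates are intended to:") is more accurate. Second, the new "Pause statuses" table documents a **Service Paused** status, complete with instructions to submit a support request to resume, while the IMPORTANT directly beneath it says Windows Autopatch doesn't pause feature updates on your behalf; the two statements contradict each other within the same hunk. Either drop the Service Paused row from this article or reword it to say that status only ever appears for quality updates.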
@@ -73,6 +73,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym ## Pausing and resuming a release +> [!IMPORTANT] +> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+ **To pause or resume a feature update:** 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -85,20 +88,10 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 8. If you're resuming an update, you can select one or more deployment rings. 9. Select **Okay**. +If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. + > [!NOTE] -> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

- -### Pause statuses - -There are two statuses: **Service Paused** and **Customer Paused**. - -| Status | Description | -| ----- | ------ | -| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. | -| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. | - -> [!IMPORTANT] -> Service pause is only available for [Windows Quality Updates](windows-autopatch-windows-quality-update-overview.md). Windows Autopatch does not pause Windows Feature Updates on behalf of your organization. +> The Service Paused status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. ## Rollback From 2cb041666424d6ed1aa5464f144a820c179fd9b2 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 2 Feb 2023 12:13:42 -0800 Subject: [PATCH 04/11] Update windows-autopatch-windows-feature-update-overview.md --- .../windows-autopatch-windows-feature-update-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 922597bb73..f1cba8f922 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md 
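Review bot: The IMPORTANT block moved to the top of "Pausing and resuming a release" says devices receive "new instructions to pause, resume or rollback updates", but the **Rollback** section of this same article states that Windows Autopatch doesn't support rollback of feature updates, so the mention of rollback is misleading here; suggest "to pause or resume updates" (and "roll back" as two words if it's kept). Replacing the Pause statuses subsection with a single NOTE pointing to the quality updates article resolves the contradiction from the previous revision, which is good; the remaining line "You must select **Resume** to resume the update" could say where (the **Release management** blade described in the steps above) so it isn't read as a separate action.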
@@ -74,7 +74,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym ## Pausing and resuming a release > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a feature update:** From 93f2f5c2a0a1398bf9736e622ec0dc360346b26e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 2 Feb 2023 12:40:38 -0800 Subject: [PATCH 05/11] Updated WQU release mgmt section with similar instructions as feature updates. --- ...s-autopatch-windows-quality-update-overview.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 59cc60bb90..eb56d18767 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -110,7 +110,20 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release. -In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update. +> [!IMPORTANT] +> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.
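Review bot: The reworded IMPORTANT (patch 04) now says the delay is "up to eight hours" because eight hours is "the average frequency devices take to communicate back to Microsoft Intune". If eight hours is the average check-in interval then some devices will take longer, so "up to" overstates the guarantee; either say "typically within eight hours" or state the actual maximum. Merging the two sentences with ", because" also produced a long sentence that is harder to scan than the original two.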
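Review bot: In the windows-autopatch-windows-quality-update-overview.md hunk (patch 05), the deleted sentence told readers that Pause/Resume live on the **Release schedule** tab of **Release management**, and the new step list drops that detail (step 4 only says "In the **Release management** blade, select either: **Pause** or **Resume**"), so the procedure became longer but less specific; please restore the tab name in step 4. Since these steps are copied from the feature update article, check that each one applies to quality updates as written (step 5, "Select the update type", reads as a leftover from the generic flow), and match that article's numbering style: it uses explicit 1 to 9 while this list uses "1." for every item.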

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+ +**To pause or resume a quality update:** + +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, select either: **Pause** or **Resume**. +1. Select the update type you would like to pause or resume. +1. Select a reason from the dropdown menu. +1. Optional. Enter details about why you're pausing or resuming the selected update. +1. If you're resuming an update, you can select one or more deployment rings. +1. Select **Okay**. There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**. From c688efc7542d1c598e684bca5d63d89e80b1f28c Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 2 Feb 2023 12:45:22 -0800 Subject: [PATCH 06/11] Tweak --- ...-autopatch-windows-quality-update-overview.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index eb56d18767..4d4570df39 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md 
@@ -116,14 +116,14 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win **To pause or resume a quality update:** 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** from the left navigation menu. -1. Under the **Windows Autopatch** section, select **Release management**. -1. In the **Release management** blade, select either: **Pause** or **Resume**. -1. Select the update type you would like to pause or resume. -1. Select a reason from the dropdown menu. -1. Optional. Enter details about why you're pausing or resuming the selected update. -1. If you're resuming an update, you can select one or more deployment rings. -1. Select **Okay**. +2. Select **Devices** from the left navigation menu. +3. Under the **Windows Autopatch** section, select **Release management**. +4. In the **Release management** blade, select either: **Pause** or **Resume**. +5. Select the update type you would like to pause or resume. +6. Select a reason from the dropdown menu. +7. Optional. Enter details about why you're pausing or resuming the selected update. +8. If you're resuming an update, you can select one or more deployment rings. +9. Select **Okay**. There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**. From a688e3437ee0aa5725f845f14bdc735dd06f8264 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 2 Feb 2023 14:24:14 -0700 Subject: [PATCH 07/11] Update using-event-viewer-with-applocker.md Line 58: Remove extra spaces. --- .../using-event-viewer-with-applocker.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index ed7b6721dc..d10ebcfc03 100644 
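Review bot: The renumbering to explicit 2 through 9 (patch 06) is cosmetic; markdown renders the all-"1." list from the previous patch identically, and that convention avoids renumbering every step when one is inserted later. Either style is fine, but the choice should be consistent between this article and the feature update article it mirrors, so if explicit numbers are the house style, apply them in both.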
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md 
@@ -30,16 +30,16 @@ ms.date: 02/02/2023 This article lists AppLocker events and describes how to use Event Viewer with AppLocker. -The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: +The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information: -- Which file is affected and the path of that file -- Which packaged app is affected and the package identifier of the app -- Whether the file or packaged app is allowed or blocked -- The rule type (path, file hash, or publisher) -- The rule name -- The security identifier (SID) for the user or group identified in the rule +- Which file is affected and the path of that file +- Which packaged app is affected and the package identifier of the app +- Whether the file or packaged app is allowed or blocked +- The rule type (path, file hash, or publisher) +- The rule name +- The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). 
@@ -48,24 +48,24 @@ For info about what to look for in the AppLocker event logs, see [Monitor app us **To review the AppLocker log in Event Viewer** -1. Open Event Viewer. -2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. +1. Open Event Viewer. +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. | Event ID | Level | Event message | Description | -| - | - | - | - | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| --- | --- | --- | --- | +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| -| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The .exe or .dll file can't run.| -| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. 
| +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| -| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| | 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| | 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| @@ -90,4 +90,3 @@ The following table contains information about the events that you can use to de - [Tools to use with AppLocker](tools-to-use-with-applocker.md) - From bb17ce2c681b089b05ae0fb631ba673c1841af8b Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 2 Feb 2023 14:26:49 -0700 Subject: [PATCH 08/11] Update windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md Line 41: Correct the placement of a period. --- .../design/script-enforcement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index 29174ef291..d8598308cd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md 
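Review bot: the emphasis fix applied to the 8000 row in this hunk (`*<%1> *` to `*<%1>*`) needs to be applied to the 8002 through 8007 rows as well; their `+` lines still carry `*<File name> *` with a space before the closing asterisk, which is not a valid closing emphasis delimiter in Markdown, so the asterisks render as literal characters in those cells instead of italicizing the placeholder. Minor: the changed `| 8005|` row lacks the space before the pipe that the neighbouring `| 8004 |` and `| 8006 |` rows have.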
@@ -38,7 +38,7 @@ Validation for signed scripts is done using the [WinVerifyTrust API](/windows/wi WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log). > [!NOTE] -> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. +> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. > > Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly. From 78db741ab05034a92db5a5e0b624c6b51bc56d61 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 2 Feb 2023 14:29:57 -0700 Subject: [PATCH 09/11] Update windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md Line 58: Replace extra spaces. --- .../applocker/using-event-viewer-with-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index d10ebcfc03..00a6cb48d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -55,7 +55,7 @@ The following table contains information about the events that you can use to de | Event ID | Level | Event message | Description | | --- | --- | --- | --- | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8000 | Error| Application Identity Policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| | 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | From ac76087c4ce36c585371c5fcf6e3bebf7f6c7274 Mon Sep 17 00:00:00 2001 
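Review bot: this change does the opposite of what its commit message ("Replace extra spaces") describes: the `+` line for the 8000 row turns `*<%1>*` into `* <%1> *`, adding a space after the opening asterisk and before the closing one. With whitespace on the inside, the asterisks are not emphasis delimiters in Markdown and will render literally, which is the same defect the `*<File name> *` cells in the unchanged 8002 and 8003 context rows already show. Keep the removed form `*<%1>*` (and fix the `<File name>` rows the same way) so the placeholder renders in italics as intended.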
From: tiaraquan Date: Thu, 2 Feb 2023 13:43:28 -0800 Subject: [PATCH 10/11] Tweak --- .../windows-autopatch-windows-feature-update-overview.md | 2 +- .../windows-autopatch-windows-quality-update-overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index f1cba8f922..4cc1f4a6ab 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -76,7 +76,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > [!IMPORTANT] > Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

-**To pause or resume a feature update:** +**To pause or resume a Windows feature update:** 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 4d4570df39..75c2765189 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -113,7 +113,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win > [!IMPORTANT] > Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

-**To pause or resume a quality update:** +**To pause or resume a Windows quality update:** 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. From 449ef376cd6d427c4f70977d68d1fa08106604d1 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 2 Feb 2023 13:45:40 -0800 Subject: [PATCH 11/11] Tweak --- .../windows-autopatch-windows-feature-update-overview.md | 2 +- .../windows-autopatch-windows-quality-update-overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 4cc1f4a6ab..e63ff0668b 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -74,7 +74,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym ## Pausing and resuming a release > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a Windows feature update:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 75c2765189..52eb955e6c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -111,7 +111,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release. > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a Windows quality update:**
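Review bot: in both hunks of PATCH 10/11 the heading rename to "Windows feature update" / "Windows quality update" is fine and matches the two page titles, but the IMPORTANT note carried as context directly above each heading has two issues worth fixing in the same pass: "rollback" is used as a verb ("to pause, resume or rollback updates"), where the verb form is "roll back", and the list is missing the serial comma ("pause, resume, or roll back updates").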
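Review bot: splitting the IMPORTANT note into two sentences in PATCH 11/11 ("... applied to devices. Windows Autopatch uses ...") drops the "because" that tied the delay to its cause, and the second sentence now hinges on "that's the average frequency" whose antecedent (eight hours) sits in the previous sentence. Suggest making the link explicit, for example: "Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution, and eight hours is the average interval at which devices check in with Microsoft Intune for new instructions to pause, resume, or roll back updates." Also, this note is duplicated verbatim in windows-autopatch-windows-feature-update-overview.md and windows-autopatch-windows-quality-update-overview.md and has now been edited in lockstep twice in this series (PATCH 10/11 and 11/11); consider moving it to a shared include so the two copies cannot drift apart.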