| At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
+### Opt out of receiving emails for standard communications
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
+
+**To opt out of receiving emails for standard communications:**
+
+1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
+3. Select the admin contact you want to opt out for.
+4. Select **Edit Contact**.
+5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
+6. Select **Save** to apply the changes.
+
## Communications during release
The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
index e18ee9ef48..1a345f2942 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -67,8 +67,8 @@ Windows Autopatch understands the importance of not disrupting end users but als
| Policy | Description |
| ----- | ----- |
-| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
-| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
+| [Active hours start](/windows/client-management/mdm/policy-csp-update#activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
+| [Active hours end](/windows/client-management/mdm/policy-csp-update#activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
> [!IMPORTANT]
> Both policies must be deployed for them to work as expected.
@@ -76,4 +76,4 @@ Windows Autopatch understands the importance of not disrupting end users but als
A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
> [!IMPORTANT]
-> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule, and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
+> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Selecting specific dates to update devices would disrupt the rollout schedule, and prevent Windows Autopatch from delivering the [service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective). The use of any of the following CSPs on a managed device will render it ineligible for the service level objective:- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstalleveryweek)
- [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfirstweek)
- [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfourthweek)
- [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallsecondweek)
- [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index c687882aaf..974c419ebd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -38,7 +38,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
## Windows quality update releases
-Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
@@ -115,7 +115,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
### Pausing and resuming a release
> [!CAUTION]
-> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
index 492e76ed01..bd21b2a994 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@@ -1,6 +1,6 @@
---
-title: Windows quality update signals
-description: This article explains the Windows quality update signals
+title: Windows quality update release signals
+description: This article explains the Windows quality update release signals
ms.date: 01/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
@@ -14,7 +14,7 @@ ms.reviewer: hathind
# Windows quality update signals
-Windows Autopatch monitors a specific set of signals and aims to release quality updates both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
+Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
@@ -24,9 +24,9 @@ Before being released to the Test ring, Windows Autopatch reviews several data s
| Pre-release signal | Description |
| ----- | ----- |
-| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
-| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
-| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. |
+| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
+| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
+| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
## Early signals
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
index 508c99fa46..6bc2b3018b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@@ -53,7 +53,7 @@ However, if an update has already started for a particular deployment ring, Wind
#### Scheduled install
> [!NOTE]
-> If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
+> This feature isn't suitable for business critical workloads because Windows Autopatch cannot guarantee that devices will always update and restart in the specified time.If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will prevent forced restarts and interruptions to critical business activities for end users, thereby minimizing disruptions. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. The expectation is that devices would only update and restart according to the time specified.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 35df585aa1..c515617ae7 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,6 +1,6 @@
---
title: What is Windows Autopatch?
-description: Details what the service is and shortcuts to articles
+description: Details what the service is and shortcuts to articles.
ms.date: 07/11/2022
ms.prod: windows-client
ms.technology: itpro-updates
@@ -9,7 +9,9 @@ ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.reviewer: hathind
---
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 0c4b7973da..a180a874ec 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -45,14 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
| ----- | ----- |
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-### Windows 10 and later update rings
+### Update rings for Windows 10 or later
-Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices.
+Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices.
| Result | Meaning |
| ----- | ----- |
-| Not ready | You have an "update ring" policy that targets all devices, all users, or both.
To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.
For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
|
-| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).
|
+| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch will also create our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we'll exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.|
## Azure Active Directory settings
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 47d7aa1795..e8e54695c8 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -26,8 +26,8 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi
| ----- | ----- | ----- |
| Set updates to occur automatically | Enabled | Enable automatic updates |
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
-| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
+| Update channel | Monthly Enterprise | Supported channel for Windows Autopatch |
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
-| Set a deadline by when updates must be applied | 3 | Update deadline |
+| Set a deadline by when updates must be applied | 7 | Update deadline |
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 03a4316178..576eade6e5 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 03/21/2023
+ms.date: 04/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -18,12 +18,21 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## April 2023
+
+### April 2023 service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC536881](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Take action: Review Windows Autopatch Tenant management blade for potential action required to prevent inactive status |
+
## March 2023
### March feature releases or updates
| Article | Description |
| ----- | ----- |
+| [Windows quality update communications](../operate/windows-autopatch-windows-quality-update-communications.md#standard-communications) | Added guidance on how to [opt out of receiving emails for standard communications](../operate/windows-autopatch-windows-quality-update-communications.md#opt-out-of-receiving-emails-for-standard-communications) (public preview) |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | - Added support for subscription versions of Microsoft Project and Visio desktop apps
- Updated device eligibility criteria
- Clarified update controls
|
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview- [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)
|
@@ -31,6 +40,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Message center post number | Description |
| ----- | ----- |
+| [MC536880](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Features in Windows Autopatch Public Preview |
+| [MC535259](https://admin.microsoft.com/adminportal/home#/MessageCenter) | March 2023 Windows Autopatch baseline configuration update |
| [MC527439](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Prepare for Windows Autopatch Groups |
| [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public preview - Customize Windows Update settings |
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 4ca53207b6..4ebfe798e1 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,13 +1,15 @@
---
title: Demonstrate Autopilot deployment
-manager: aaroncz
description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
-ms.collection: highpri, tier2
+manager: aaroncz
+ms.collection:
+ - highpri
+ - tier2
ms.topic: tutorial
ms.date: 10/28/2022
---
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
index 82cba08343..78ac058a36 100644
--- a/windows/deployment/windows-autopilot/index.yml
+++ b/windows/deployment/windows-autopilot/index.yml
@@ -9,11 +9,13 @@ metadata:
ms.topic: landing-page
ms.prod: windows-client
ms.technology: itpro-deploy
- ms.collection: highpri, tier1
+ ms.collection:
+ - highpri
+ - tier1
author: frankroj
ms.author: frankroj
manager: aaroncz
- ms.date: 10/28/2022 #Required; mm/dd/yyyy format.
+ ms.date: 10/28/2022
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 34186301e4..8eb8641a31 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -12,8 +12,9 @@ metadata:
ms.prod: windows-client
ms.collection:
- highpri
- author: dougeby #Required; your GitHub user alias, with correct capitalization.
- ms.author: dougeby #Required; microsoft alias of author; optional team alias.
+ - tier1
+ author: aczechowski #Required; your GitHub user alias, with correct capitalization.
+ ms.author: aaroncz #Required; microsoft alias of author; optional team alias.
ms.date: 10/01/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index dc1df5efdf..c94b44464a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -370,8 +370,8 @@ The following fields are available:
- **AppraiserVersion** The version of the appraiser file that is generating the events.
- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
-- **DisplayGenericMessage** Will be a generic message be shown for this file?
-- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file.
+- **DisplayGenericMessage** Will a generic message be shown for this file?
+- **DisplayGenericMessageGated** Indicates whether a generic message will be shown for this file.
- **HardBlock** This file is blocked in the SDB.
- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
@@ -1314,8 +1314,8 @@ The following fields are available:
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The result of the Appraiser diagnostic data run.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false
- **TelementrySent** Indicates whether diagnostic data was successfully sent.
@@ -1560,7 +1560,7 @@ The following fields are available:
- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
-- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
- **OSSKU** Retrieves the Friendly Name of OS Edition.
- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
@@ -1715,7 +1715,7 @@ The following fields are available:
- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
-- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches.
- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
@@ -1807,7 +1807,7 @@ The following fields are available:
- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentFeatureOutOfDate** How many days has it been since the last feature update was released but the device did not install it?
- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
@@ -2099,7 +2099,7 @@ The following fields are available:
- **pendingDecision** Indicates the cause of reboot, if applicable.
- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
- **revisionVersion** The revision number of the security update being uninstalled.
-- **transactionCanceled** Indicates whether the uninstall was cancelled.
+- **transactionCanceled** Indicates whether the uninstall was canceled.
### CbsServicingProvider.CbsQualityUpdateInstall
@@ -2397,7 +2397,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
-This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3091,7 +3091,7 @@ The following fields are available:
- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
- **securityLevel** The cluster parameter: security level.
- **securityLevelForStorage** The cluster parameter: security level for storage.
-- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size shared volumes.
- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
- **upNodeCount** Specifies the number of nodes that are up (online).
- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
@@ -3191,7 +3191,7 @@ This event captures basic checksum data about the device inventory items stored
The following fields are available:
-- **DeviceCensus** A count of devicecensus objects in cache.
+- **DeviceCensus** A count of device census objects in cache.
- **DriverPackageExtended** A count of driverpackageextended objects in cache.
- **FileSigningInfo** A count of file signing objects in cache.
- **InventoryApplication** A count of application objects in cache.
@@ -3204,7 +3204,7 @@ The following fields are available:
- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
- **InventoryDeviceMediaClass** A count of device media objects in cache.
- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
-- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDeviceUsbHubClass** A count of device USB objects in cache
- **InventoryDriverBinary** A count of driver binary objects in cache.
- **InventoryDriverPackage** A count of device objects in cache.
- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache.
@@ -3988,7 +3988,7 @@ The following fields are available:
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
-- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
@@ -4037,7 +4037,7 @@ The following fields are available:
- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''."
- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
-- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
@@ -4085,7 +4085,7 @@ The following fields are available:
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
-- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osPlatform** The operating system family within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
@@ -4999,7 +4999,7 @@ The following fields are available:
- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
- **CachedEngineVersion** The engine DLL version that is being used.
- **EventInstanceID** A unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
- **IsExecutingAction** If the action is presently being executed.
- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
@@ -5033,7 +5033,7 @@ The following fields are available:
- **CachedEngineVersion** The engine DLL version that is being used.
- **EventInstanceID** A unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **FailedParseActions** The list of actions that were not successfully parsed.
- **ParsedActions** The list of actions that were successfully parsed.
- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
@@ -5077,7 +5077,7 @@ The following fields are available:
- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
- **DriverSyncPassPerformed** Were drivers scanned this time?
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
@@ -5147,8 +5147,8 @@ The following fields are available:
- **ClientVersion** Version number of the software distribution client
- **DeviceModel** Device model as defined in the system bios
- **EventInstanceID** A globally unique identifier for event instance
-- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
- **FlightId** The specific id of the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5189,7 +5189,7 @@ The following fields are available:
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed.
- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
@@ -5241,8 +5241,8 @@ The following fields are available:
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
- **ClientVersion** The version number of the software distribution client
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
+- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver"
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
- **FileId** A hash that uniquely identifies a file
- **FileName** Name of the downloaded file
@@ -5274,7 +5274,7 @@ The following fields are available:
- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
-- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
- **ResumeCount** Number of times this active download has resumed from a suspended state
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5307,7 +5307,7 @@ The following fields are available:
- **DeviceModel** The device model.
- **DriverPingBack** Contains information about the previous driver and system state.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver.
- **ExtendedErrorCode** The extended error code.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
@@ -5675,7 +5675,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5958,7 +5958,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** An ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
@@ -5980,7 +5980,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6002,7 +6002,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6024,7 +6024,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
@@ -6068,7 +6068,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6090,7 +6090,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6112,7 +6112,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID.
@@ -6224,10 +6224,10 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6296,7 +6296,7 @@ The following fields are available:
### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
The following fields are available:
@@ -6715,7 +6715,7 @@ The following fields are available:
- **CatalogId** The Store Catalog ID for the product being installed.
- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specfic edition of the app being updated.
+- **SkuId** Specific edition of the app being updated.
### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
@@ -7069,7 +7069,7 @@ The following fields are available:
- **flightMetadata** Contains the FlightId and the build being flighted.
- **objectId** Unique value for each Update Agent mode.
- **relatedCV** Correlation vector value generated from the latest USO scan.
-- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
- **sessionId** Unique value for each Update Agent mode attempt.
@@ -7379,7 +7379,7 @@ The following fields are available:
- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
- **errorCode** The error code returned for the current process.
-- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **interactive** Indicates whether the user initiated the session.
- **networkStatus** Indicates if the device is connected to the internet.
@@ -7410,7 +7410,7 @@ This event indicates the reboot was postponed due to needing a display. The data
The following fields are available:
- **displayNeededReason** Reason the display is needed.
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
- **revisionNumber** Revision number of the update.
- **updateId** Update ID.
@@ -7528,7 +7528,7 @@ This event indicates that an enabled GameMode process prevented the device from
The following fields are available:
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update.
- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
@@ -7632,13 +7632,13 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after an update is installed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **powermenuNewOptions** The new options after the power menu changed.
- **powermenuOldOptions** The old options before the power menu changed.
-- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
+- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to an update, this indicates how long that reboot has been pending.
- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
@@ -8122,7 +8122,7 @@ The following fields are available:
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
- **MitigationScenario** The update scenario in which the mitigation was executed.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
@@ -8145,7 +8145,7 @@ The following fields are available:
- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **EditionIdUpdated** Determine whether EditionId was changed.
- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
- **MitigationScenario** The update scenario in which the mitigation was executed.
- **ProductEditionId** Expected EditionId value based on GetProductInfo.
- **ProductType** Value returned by GetProductInfo.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index b0975595c9..46a32b7e45 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -5475,7 +5475,7 @@ The following fields are available:
- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''."
- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
-- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index c1efb0d547..2b7ee3b4fa 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -5877,7 +5877,7 @@ The following fields are available:
- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''."
- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
-- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index a001e395da..5b73a85111 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -5212,7 +5212,7 @@ The following fields are available:
- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''."
- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
-- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appBrandCode** The 4-digit brand code under which the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 38c4f1639f..4984e4e28e 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -215,6 +215,8 @@
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
- name: Get support
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+ - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+ href: threat-protection/mbsa-removal-and-guidance.md
- name: Virus & threat protection
items:
- name: Overview
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 7591454011..5d4dda26a8 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -76,11 +76,46 @@
"identity-protection/**/*.md": "paoloma",
"threat-protection/windows-firewall/*.md": "aaroncz"
},
+ "appliesto":{
+ "identity-protection/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
+ "identity-protection/credential-guard/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "identity-protection/smart-cards/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "identity-protection/user-account-control/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ],
+ "identity-protection/virtual-smart-cards/**/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10",
+ "✅ Windows Server 2022",
+ "✅ Windows Server 2019",
+ "✅ Windows Server 2016"
+ ]
+ },
"ms.reviewer":{
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
- "threat-protection/windows-firewall/*.md": "paoloma"
+ "threat-protection/windows-firewall/*.md": "paoloma",
+ "identity-protection/vpn/*.md": "pesmith"
},
"ms.collection":{
"identity-protection/hello-for-business/*.md": "tier1",
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 4ddce5cb4e..6bec9ee14c 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -1,13 +1,14 @@
---
+ms.date: 11/22/2022
title: Access Control Overview
description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
-ms.prod: windows-client
ms.topic: article
-ms.date: 11/22/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.technology: itpro-security
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
---
# Access Control Overview
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index f6baab162b..a2c64c37a0 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,15 +1,17 @@
---
+ms.date: 12/05/2022
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.date: 12/05/2022
+ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.topic: article
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.technology: itpro-security
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
---
# Local Accounts
@@ -60,7 +62,7 @@ Group Policy can be used to control the use of the local Administrators group au
> [!IMPORTANT]
>
-> - Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
+> - Blank passwords are not allowed.
>
> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index e7d4d83f53..317ef89a50 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,26 +1,13 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 07/27/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
---
# Configure S/MIME for Windows
-**Applies to**
-- Windows 10
-- Windows 11
-
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
## About message encryption
@@ -31,11 +18,11 @@ Encrypted messages can be read only by recipients who have a certificate. If you
## About digital signatures
-A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they’re using an email client that supports S/MIME.
+A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.
## Prerequisites
-- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com.
+- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com.
- Valid Personal Information Exchange (PFX) certificates are installed on the device.
- [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
@@ -49,11 +36,11 @@ On the device, perform the following steps: (add select certificate)
2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
- :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
+ :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
3. Tap **Email security**.
- :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
+ :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
4. In **Select an account**, select the account for which you want to configure S/MIME options.
@@ -74,7 +61,7 @@ On the device, perform the following steps: (add select certificate)
2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
- :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
+ :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
## Read signed or encrypted messages
@@ -90,5 +77,5 @@ When you receive a signed email, the app provides a feature to install correspon
3. Tap **Install.**
- :::image type="content" alt-text="message security information." source="images/installcert.png":::
+ :::image type="content" alt-text="message security information." source="images/installcert.png":::
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index c8ed1adc92..ca9c7acd52 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,11 +1,8 @@
---
+ms.date: 08/17/2017
title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
-ms.date: 08/17/2017
ms.topic: article
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Additional mitigations
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index bde6066c0c..d48686101c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -1,11 +1,8 @@
---
+ms.date: 01/06/2023
title: Considerations when using Windows Defender Credential Guard
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard.
-ms.date: 01/06/2023
ms.topic: article
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Considerations when using Windows Defender Credential Guard
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index c9ed9e42c7..f6fafc39c0 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -1,11 +1,8 @@
---
+ms.date: 08/17/2017
title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
-ms.date: 08/17/2017
ms.topic: conceptual
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# How Windows Defender Credential Guard works
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 07d9647887..f05c26620f 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -1,11 +1,8 @@
---
+ms.date: 11/28/2022
title: Windows Defender Credential Guard - Known issues
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.topic: article
-ms.date: 11/28/2022
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Windows Defender Credential Guard: Known issues
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index a4f523f78b..eb38ab1250 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -6,9 +6,6 @@ ms.collection:
- highpri
- tier2
ms.topic: article
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Manage Windows Defender Credential Guard
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 42fbe2a663..6b9dbeadc9 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -3,9 +3,6 @@ title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.date: 08/17/2017
ms.topic: article
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Windows Defender Credential Guard protection limits
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 164f0f776e..ea7bf02bae 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -3,9 +3,6 @@ title: Windows Defender Credential Guard requirements
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.date: 12/27/2021
ms.topic: article
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Windows Defender Credential Guard requirements
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 0ab05c22ab..af00a1aef1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -6,9 +6,6 @@ ms.topic: article
ms.collection:
- highpri
- tier2
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Protect derived domain credentials with Windows Defender Credential Guard
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 6b2de2aa60..d4f8cceb8d 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,17 +1,8 @@
---
title: Enterprise Certificate Pinning
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
+ms.topic: conceptual
ms.date: 07/27/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
---
# Enterprise Certificate Pinning
@@ -22,7 +13,7 @@ Enterprise certificate pinning helps reduce man-in-the-middle attacks by enablin
> [!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
-Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s chain that authenticates servers matches a restricted set of certificates.
+Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site's chain that authenticates servers matches a restricted set of certificates.
These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
Any site certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
@@ -97,7 +88,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
-| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
+| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element's certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
#### Site element
@@ -154,7 +145,7 @@ Use **certutil.exe** to apply your certificate pinning rules to your reference c
The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
This secondary argument is **chain\PinRules**.
The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
-You’ll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
+You'll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
You need to perform this command from an elevated command prompt.
```code
@@ -174,7 +165,7 @@ Certutil writes the binary information to the following registration location:
### Deploying Enterprise Pin Rule Settings using Group Policy
-You’ve successfully created a certificate pinning rules XML file.
+You've successfully created a certificate pinning rules XML file.
From the XML file you've created a certificate pinning trust list file, and you've applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
@@ -182,7 +173,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the forest node and then expand the domain node.
-3. Expand the node that contains your Active Directory’s domain name
+3. Expand the node that contains your Active Directory's domain name
4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
@@ -227,16 +218,16 @@ icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
```
-Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server’s chain to one of three child folders:
+Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server's chain to one of three child folders:
- AdminPinRules
Matched a site in the enterprise certificate pinning rules.
- AutoUpdatePinRules
Matched a site in the certificate pinning rules managed by Microsoft.
- NoPinRules
- Didn’t match any site in the certificate pin rules.
+ Didn't match any site in the certificate pin rules.
-The output file name consists of the leading eight ASCII hex digits of the root’s SHA1 thumbprint followed by the server name.
+The output file name consists of the leading eight ASCII hex digits of the root's SHA1 thumbprint followed by the server name.
For example:
- `D4DE20D0_xsi.outlook.com.p7b`
@@ -255,7 +246,7 @@ You can then copy and paste the output of the cmdlet into the XML file.
For simplicity, you can truncate decimal point (.) and the numbers after it.
-However, be certain to append the uppercase “Z” to the end of the XML date string.
+However, be certain to append the uppercase "Z" to the end of the XML date string.
```code
2015-05-11T07:00:00.2655691Z
@@ -264,7 +255,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s
## Converting an XML Date
-You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it’s the correct date.
+You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it's the correct date.
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 1ca04993a0..c4e5d43423 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,9 +1,7 @@
---
title: Multi-factor unlock
description: Learn how Windows offers multi-factor device unlock by extending Windows Hello with trusted signals.
-ms.date: 03/09/2023
-appliesto:
-- ✅ Windows 10 and later
+ms.date: 03/30/2023
ms.topic: how-to
---
# Multi-factor unlock
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index fa405ca079..8838fb1b97 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business cloud-only deployment
description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
ms.date: 06/23/2021
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Cloud-only deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 6607d17abb..f825873fc9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -3,8 +3,11 @@ title: Plan an adequate number of Domain Controllers for Windows Hello for Busin
description: Learn how to plan for an adequate number of Domain Controllers to support Windows Hello for Business deployments.
ms.date: 03/10/2023
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: conceptual
---
# Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index 5d311af3bb..2b3a033a16 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -2,8 +2,6 @@
title: Windows Hello and password changes
description: Learn the impact of changing a password when using Windows Hello.
ms.date: 03/15/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: conceptual
---
# Windows Hello and password changes
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index e6a01bb2b8..f1a275279e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -2,8 +2,6 @@
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.date: 01/12/2021
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index c765eb789e..744816323d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -3,8 +3,11 @@ title: Prepare and deploy Active Directory Federation Services in an on-premises
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Prepare and deploy Active Directory Federation Services - on-premises certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 5d92d9dcb7..b3059ee0c0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -2,12 +2,9 @@
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
ms.collection:
- - highpri
- - tier1
+- highpri
+- tier1
ms.date: 12/12/2022
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
ms.topic: tutorial
---
# Configure Windows Hello for Business group policy settings - on-premises certificate Trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 629e59b1e2..455d4055a2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -3,8 +3,11 @@ title: Validate Active Directory prerequisites in an on-premises certificate tru
description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Validate Active Directory prerequisites - on-premises certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index c7c5b09a61..c7b67abec3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -3,8 +3,11 @@ title: Validate and Deploy MFA for Windows Hello for Business with certificate t
description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model.
ms.date: 12/13/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 27f2375bae..6174ed348a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -3,8 +3,11 @@ title: Configure and validate the Public Key Infrastructure in an on-premises ce
description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - on-premises certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 0775ea4e9d..70a5ee4feb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -3,8 +3,11 @@ title: Windows Hello for Business deployment guide for the on-premises certifica
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Deployment guide overview - on-premises certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 22f170e86e..9646f16b66 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
ms.date: 02/15/2022
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Windows Hello for Business Deployment Overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 8c8fd3b65d..655c8961da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
ms.date: 05/03/2021
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Windows Hello for Business Known Deployment Issues
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index 6104c34401..56d613052d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -2,9 +2,6 @@
title: Windows Hello for Business deployment guide for the on-premises key trust model
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model.
ms.date: 12/12/2022
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
ms.topic: tutorial
---
# Deployment guide overview - on-premises key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 7d4f20063d..0b255e1d93 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -6,8 +6,6 @@ ms.collection:
- tier1
ms.topic: article
ms.date: 03/15/2023
-appliesto:
-- ✅ Windows 10 and later
---
# Deploy certificates for remote desktop (RDP) sign-in
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index e1b28aec6f..23537daa14 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -1,10 +1,8 @@
---
-title: Windows Hello errors during PIN creation (Windows)
-description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
+title: Windows Hello errors during PIN creation
+description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
ms.topic: troubleshooting
-ms.date: 05/05/2018
-appliesto:
-- ✅ Windows 10 and later
+ms.date: 03/31/2023
---
# Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index bb59a07821..0a5083fd99 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -9,8 +9,6 @@ metadata:
- tier1
ms.topic: faq
ms.date: 03/09/2023
- appliesto:
- - ✅ Windows 10 and later
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index d6d35b189a..2f6540362a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -2,8 +2,6 @@
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
ms.date: 09/09/2019
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 5fea59fc25..28401253c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -2,8 +2,6 @@
title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.date: 03/10/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index ea7e72e5d4..916a8890bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -5,8 +5,6 @@ ms.collection:
- highpri
- tier1
ms.date: 03/10/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 2f1c460668..45fc8c784f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -2,8 +2,6 @@
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.date: 02/24/2021
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
ms.collection:
- tier1
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 27dde9400e..f25bac5b47 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -2,8 +2,6 @@
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.date: 02/15/2022
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Windows Hello for Business and Authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 6d250848d5..219e82d35c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,8 +2,6 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.date: 2/15/2022
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Windows Hello for Business Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index b3765851fa..76368b1c12 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,8 +2,6 @@
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.date: 10/08/2018
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 40e094e6c7..93bfd6d56a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,8 +2,6 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.date: 05/05/2018
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# How Windows Hello for Business works in Windows Devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index fbed200f77..3eeb4f536d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -2,8 +2,6 @@
title: Use Certificates to enable SSO for Azure AD join devices
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
ms.date: 08/19/2018
-appliesto:
-- ✅ Windows 10 and later
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index d0aa2590f7..9a5646c257 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -2,8 +2,6 @@
title: Configure single sign-on (SSO) for Azure AD joined devices
description: Learn how to configure single sign-on to on-premises resources for Azure AD-joined devices, using Windows Hello for Business.
ms.date: 12/30/2022
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Configure single sign-on for Azure AD joined devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
index 788cd8af15..662e259872 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki.md
@@ -3,8 +3,11 @@ title: Configure and validate the Public Key Infrastructure in an hybrid certifi
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
ms.date: 01/03/2023
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - hybrid certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 02c36f3fbe..eabb6ec24d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -3,8 +3,11 @@ title: Windows Hello for Business hybrid certificate trust deployment
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 03/16/2023
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index a1a88d6f2e..629d9c561e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business hybrid certificate trust clients configuration and enrollment
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 01/03/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index ca0662ddde..2a40af9e7f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -3,8 +3,11 @@ title: Configure Active Directory Federation Services in a hybrid certificate tr
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model.
ms.date: 01/03/2023
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Configure Active Directory Federation Services - hybrid certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
index 73c27e5835..31e4fb9ee2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business hybrid key trust clients configuration and enrollment
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
ms.date: 01/03/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
index 19c9df7d89..c4248ffb62 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-validate-pki.md
@@ -3,8 +3,11 @@ title: Configure and validate the Public Key Infrastructure in an hybrid key tru
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in an hybrid key trust model.
ms.date: 01/03/2023
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - hybrid key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 042fe747a8..8ab43e5406 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -3,8 +3,11 @@ title: Windows Hello for Business hybrid key trust deployment
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
ms.date: 12/28/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: how-to
---
# Hybrid key trust deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 518283865d..9c4a5f6165 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,14 +1,17 @@
---
+ms.date: 12/13/2022
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.collection:
+ms.topic: article
+ms.collection:
- highpri
- tier1
-ms.date: 12/13/2022
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.topic: article
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
---
# Windows Hello for Business Deployment Prerequisite Overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index b0cf1c66b8..be437d043f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,10 +1,13 @@
---
+ms.date: 12/12/2022
title: Prepare and deploy Active Directory Federation Services in an on-premises key trust
description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model.
-ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Prepare and deploy Active Directory Federation Services - on-premises key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index d9446b6eec..3fd25ec607 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,10 +1,10 @@
---
+ms.date: 12/12/2022
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
-ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
ms.topic: tutorial
---
# Configure Windows Hello for Business group policy settings - on-premises key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 07673151d3..19fe709d3f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -3,8 +3,11 @@ title: Validate Active Directory prerequisites in an on-premises key trust
description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Validate Active Directory prerequisites - on-premises key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 65f12b5274..4d089851ff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -3,8 +3,11 @@ title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 96505087ec..e2f7510aac 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -3,8 +3,11 @@ title: Configure and validate the Public Key Infrastructure in an on-premises ke
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
ms.date: 12/12/2022
appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - on-premises key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index e666aa4beb..2676f0066f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -5,8 +5,6 @@ ms.collection:
- highpri
- tier1
ms.date: 2/15/2022
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index d6e6de308d..005fb6c685 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -5,8 +5,6 @@ ms.collection:
- highpri
- tier1
ms.topic: conceptual
-appliesto:
- - ✅ Windows 10 and later
ms.date: 12/31/2017
---
# Windows Hello for Business Overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index f3e0b27534..b941c37a84 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -2,8 +2,6 @@
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
ms.date: 09/16/2020
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Planning a Windows Hello for Business Deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 1d36c9e14c..90bd5ec677 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -2,8 +2,6 @@
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.date: 08/19/2018
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Prepare people to use Windows Hello
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 1afbc43168..0963b04163 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -2,8 +2,6 @@
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
ms.date: 03/09/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# Windows Hello for Business Videos
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 80c0b844fc..9c3cd5a067 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -5,8 +5,6 @@ ms.collection:
- highpri
- tier1
ms.date: 03/15/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: conceptual
---
# Why a PIN is better than an online password
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 4d8789f403..e888c0e2f7 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -6,12 +6,7 @@ summary: Learn how to manage and deploy Windows Hello for Business.
metadata:
title: Windows Hello for Business documentation
description: Learn how to manage and deploy Windows Hello for Business.
- ms.prod: windows-client
- ms.technology: itpro-security
ms.topic: landing-page
- author: paolomatarazzo
- ms.author: paoloma
- manager: aaroncz
ms.date: 03/09/2023
ms.collection:
- highpri
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 4b2daf06b4..3ad9597e77 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -3,8 +3,6 @@ title: Password-less strategy
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
ms.topic: conceptual
ms.date: 05/24/2022
-appliesto:
-- ✅ Windows 10 and later
---
# Password-less strategy
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 654302f210..f2aa96a5ea 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -2,8 +2,6 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 03/09/2023
-appliesto:
-- ✅ Windows 10 and later
ms.topic: article
---
# WebAuthn APIs for passwordless authentication on Windows
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index dc71f52903..c16e630bed 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -1,17 +1,8 @@
---
-title: Identity and access management (Windows 10)
+title: Identity and access management
description: Learn more about identity and access protection technologies in Windows.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 02/05/2018
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
---
# Identity and access management
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index fe76412c23..46e3507908 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -1,22 +1,13 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
-ms.custom:
- - CI ID 110060
- - CSSTroubleshoot
-ms.prod: windows-client
ms.topic: article
-ms.localizationpriority: medium
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.date: 11/20/2019
-ms.technology: itpro-security
---
# Technical support policy for lost or forgotten passwords
-Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
+Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don't work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 63c2e03d67..64e9869d2a 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,20 +1,17 @@
---
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
ms.topic: article
-ms.localizationpriority: medium
ms.date: 01/12/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows Server 2016
-ms.technology: itpro-security
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 7c25e23d15..365f168f07 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,27 +1,15 @@
---
+ms.date: 09/24/2021
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
-ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
+ms.reviewer: ardenw
---
# Smart Card and Remote Desktop Services
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
+Smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
@@ -95,7 +83,8 @@ Where <*CertFile*> is the root certificate of the KDC certificate issuer.
For information about this option for the command-line tool, see [-addstore](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_addstore).
-> **Note** If you use the credential SSP on computers running the supported versions of the operating system that are designated in the **Applies To** list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
+> [!NOTE]
+> To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <*ClientName*>@<*DomainDNSName*>
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 0b300b959d..5a810263fc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,21 +1,9 @@
---
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Architecture
@@ -94,7 +82,7 @@ Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Ca
### Caching with Base CSP and smart card KSP
-Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user’s access to a PIN.
+Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN.
- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
@@ -320,8 +308,6 @@ Figure 4 shows the Cryptography architecture that is used by the Windows operat
### Base CSP and smart card KSP properties in Windows
-The following properties are supported in versions of Windows designated in the **Applies To** list at the beginning of this topic.
-
> **Note** The API definitions are located in WinCrypt.h and WinSCard.h.
| **Property** | **Description** |
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index ad23803395..bbdab0c142 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,21 +1,9 @@
---
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 08/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Certificate Propagation Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 4d2926242d..e52b7eeabd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,21 +1,9 @@
---
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Certificate Requirements and Enumeration
@@ -81,7 +69,7 @@ The following table lists the certificate support in older Windows operating sys
Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
-In the supported versions of Windows designated in the **Applies To** list at the beginning of this topic, client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+Client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
@@ -131,7 +119,7 @@ Following are the steps that are performed during a smart card sign-in:
12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
-13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT’s authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
+13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 10b6bda518..72b31805ae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,24 +1,12 @@
---
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.collection:
- highpri
- tier2
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Troubleshooting
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index ed07b57089..50e701debe 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -1,21 +1,9 @@
---
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Events
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 26f06f48c2..78fe0f4b8a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,21 +1,9 @@
---
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 11/02/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Group Policy and Registry Settings
@@ -222,7 +210,7 @@ You can use this policy setting to change the default message that a user sees i
When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
-When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system’s default message when the smart card is blocked.
+When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
| **Item** | **Description** |
|--------------------------------------|-------------------------|
@@ -236,7 +224,7 @@ When this policy setting isn't turned on (and the integrated unblock feature is
You can use this policy setting to configure which valid sign-in certificates are displayed.
> [!NOTE]
-> During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
>
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
@@ -288,7 +276,7 @@ When this setting isn't turned on, the user doesn't see a smart card device driv
You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
> [!NOTE]
-> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile.
+> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile.
When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
@@ -310,7 +298,7 @@ You can use this policy setting to control the way the subject name appears duri
When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.
-When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.
+When this policy setting isn't turned on, the subject name appears the same as it's stored in the certificate.
| **Item** | **Description** |
@@ -346,7 +334,7 @@ You can use this policy setting to manage the root certificate propagation that
When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
-When this policy setting isn’t turned on, root certificate propagation doesn’t occur when the user inserts the smart card.
+When this policy setting isn't turned on, root certificate propagation doesn't occur when the user inserts the smart card.
| **Item** | **Description** |
|--------------------------------------|---------------------------------------------------------------------------------------------------------|
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index b0989b839d..a44e2533fc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -1,21 +1,9 @@
---
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# How Smart Card Sign-in Works in Windows
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 1df09c74c0..40f781ce63 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,21 +1,9 @@
---
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Removal Policy Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 187d0bc8a9..170dfa5cf4 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,21 +1,9 @@
---
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Cards for Windows Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index c543380fcd..bb1e4d8fb6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,21 +1,9 @@
---
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
ms.reviewer: ardenw
-manager: aaroncz
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/24/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016
- - ✅ Windows Server 2019
- - ✅ Windows Server 2022
-ms.technology: itpro-security
---
# Smart Card Tools and Settings
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index d5912c3e8d..3b74397463 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -4,10 +4,6 @@ description: Learn about the Windows smart card infrastructure for physical smar
ms.reviewer: ardenw
ms.topic: article
ms.date: 09/24/2021
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.technology: itpro-security
---
# Smart Card Technical Reference
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 8037f68045..0e56328a44 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -5,11 +5,7 @@ ms.collection:
- highpri
- tier2
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/23/2021
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# How User Account Control works
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 979a7ae1f1..08e9ce3e06 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -6,9 +6,6 @@ ms.collection:
- tier2
ms.topic: article
ms.date: 04/19/2017
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# User Account Control Group Policy and registry key settings
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 93502be3e3..e85aae3ab9 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -6,9 +6,6 @@ ms.collection:
- tier2
ms.topic: article
ms.date: 09/24/2011
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# User Account Control
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 28f209a22e..ffdb4e4a3f 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -3,9 +3,6 @@ title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
ms.topic: article
ms.date: 09/24/2021
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# User Account Control security policy settings
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 63ac28b3e9..b20f03522b 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -3,9 +3,6 @@ title: Deploy Virtual Smart Cards
description: Learn about what to consider when deploying a virtual smart card authentication solution
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Deploy Virtual Smart Cards
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index b2afb7673e..d86c288331 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -3,9 +3,6 @@ title: Evaluate Virtual Smart Card Security
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Evaluate Virtual Smart Card Security
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index ab3569f8ab..9d8e125298 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -3,9 +3,6 @@ title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Get Started with Virtual Smart Cards: Walkthrough Guide
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 05598bf6ee..1445f06ad2 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -3,9 +3,6 @@ title: Virtual Smart Card Overview
description: Learn about virtual smart card technology for Windows.
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Virtual Smart Card Overview
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 5f39e38b48..5eca1fae1e 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -3,9 +3,6 @@ title: Tpmvscmgr
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Tpmvscmgr
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index dfde051a1a..77e78baaf2 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -4,9 +4,6 @@ description: Learn how smart card technology can fit into your authentication de
ms.prod: windows-client
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Understand and Evaluate Virtual Smart Cards
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index eb4d234c61..ddb91270e5 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -3,9 +3,6 @@ title: Use Virtual Smart Cards
description: Learn about the requirements for virtual smart cards, how to use and manage them.
ms.topic: conceptual
ms.date: 02/22/2023
-appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
---
# Use Virtual Smart Cards
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 188fe97442..834f56a321 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,24 +1,12 @@
---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
+title: How to configure Diffie Hellman protocol over IKEv2 VPN connections
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-ms.localizationpriority: medium
ms.date: 09/23/2021
-manager: aaroncz
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: how-to
---
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
->Applies To: Windows Server (General Availability Channel), Windows Server 2016, Windows 10, Windows 11
-
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
@@ -31,7 +19,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
```
-On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
+On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn't have `-TunnelType`, the configuration applies to all tunnel types on the server.
```powershell
Set-VpnServerIPsecConfiguration -CustomPolicy
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index e44a13a1a8..08b4c532c8 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,16 +1,7 @@
---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.prod: windows-client
-author: paolomatarazzo
ms.date: 12/28/2022
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: how-to
---
@@ -95,7 +86,7 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i
You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
-Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
+Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC's certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index f14e959f6b..c74740f325 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -1,17 +1,7 @@
---
title: VPN authentication options (Windows 10 and Windows 11)
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 09/23/2021
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 61044232d2..51c5aebb16 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -1,23 +1,13 @@
---
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 09/23/2021
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
# VPN auto-triggered profile options
-In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
+In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won't have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
- Name-based trigger
@@ -64,7 +54,7 @@ When a device has multiple profiles with Always On triggers, the user can specif
## Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
+Windows has a feature to preserve a user's AlwaysOn preference. In the event that a user manually unchecks the "Connect automatically" checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference.
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 4e7d339c66..392b5cf099 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -1,17 +1,7 @@
---
title: VPN and conditional access (Windows 10 and Windows 11)
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: pesmith
-manager: aaroncz
-ms.localizationpriority: medium
ms.date: 09/23/2021
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
@@ -63,43 +53,34 @@ After the server side is set up, VPN admins can add the policy settings for cond
Two client-side configuration service providers are leveraged for VPN device compliance.
- VPNv2 CSP DeviceCompliance settings:
-
- - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
- - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
- - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
- - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
- - **Sso/Eku**: comma-separated list of extended key usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
-
+ - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client attempts to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
+ - **Sso**: entries under SSO should be used to direct the VPN client to use a certificate other than the VPN authentication certificate when accessing resources that require Kerberos authentication.
+ - **Sso/Enabled**: if this field is set to **true**, the VPN client looks for a separate certificate for Kerberos authentication.
+ - **Sso/IssuerHash**: hashes for the VPN client to look for the correct certificate for Kerberos authentication.
+ - **Sso/Eku**: comma-separated list of extended key usage (EKU) extensions for the VPN client to look for the correct certificate for Kerberos authentication.
- HealthAttestation CSP (not a requirement) - functions performed by the HealthAttestation CSP include:
+ - Collects TPM data used to verify health states
+ - Forwards the data to the Health Attestation Service (HAS)
+ - Provisions the Health Attestation Certificate received from the HAS
+ - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
- - Collects TPM data used to verify health states
- - Forwards the data to the Health Attestation Service (HAS)
- - Provisions the Health Attestation Certificate received from the HAS
- - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
-
> [!NOTE]
-> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
->
+> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources.
> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
The VPN client side connection flow works as follows:
-> [!div class="mx-imgBorder"]
-> 
-
+
+
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
-1. The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a VPN client.
-
-2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
-
-3. If compliant, Azure AD requests a short-lived certificate.
-
-4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
-
-5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+1. The VPN client calls into Windows 10's or Windows 11's Azure AD Token Broker, identifying itself as a VPN client.
+1. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
+1. If compliant, Azure AD requests a short-lived certificate.
+1. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
+1. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
## Configure conditional access
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index e9eecdbbb9..0ae1626c8b 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -1,23 +1,13 @@
---
title: VPN connection types (Windows 10 and Windows 11)
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 08/23/2021
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
# VPN connection types
-Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.
There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index f8cf27d242..15f788082b 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -1,17 +1,7 @@
---
title: Windows VPN technical guide (Windows 10 and Windows 11)
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 02/21/2022
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 34f201d00a..2c6402477a 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -1,17 +1,7 @@
---
title: VPN name resolution (Windows 10 and Windows 11)
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 09/23/2021
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
@@ -23,7 +13,7 @@ The name resolution setting in the VPN profile configures how name resolution sh
## Name Resolution Policy table (NRPT)
-The NRPT is a table of namespaces that determines the DNS client’s behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
+The NRPT is a table of namespaces that determines the DNS client's behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can set up for NRPT:
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 6e45c35a7e..8eb30c7bce 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -1,18 +1,8 @@
---
-title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
-description: tbd
-ms.prod: windows-client
+title: Optimizing Office 365 traffic for remote workers with the native Windows VPN client
+description: Learn how to optimize Office 365 traffic for remote workers with the native Windows VPN client
ms.topic: article
-ms.localizationpriority: medium
ms.date: 09/23/2021
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
---
# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index a6330f4ad8..2ebbff5348 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,17 +1,7 @@
---
title: VPN profile options (Windows 10 and Windows 11)
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-manager: aaroncz
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: pesmith
-ms.localizationpriority: medium
ms.date: 05/17/2018
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
@@ -221,75 +211,75 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
```xml
- TestVpnProfile
-
- testserver1.contoso.com;testserver2.contoso..com
- JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
- <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
-
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
-
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- O:SYG:SYD:(A;;CC;;;AU)
-
-
-
- corp.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- false
-
-
- corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
- true
- false
- corp.contoso.com
- contoso.com,test.corp.contoso.com
-
-
- HelloServer
-
- Helloworld.Com
-
+ TestVpnProfile
+
+ testserver1.contoso.com;testserver2.contoso..com
+ JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy
+ <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ O:SYG:SYD:(A;;CC;;;AU)
+
+
+
+ corp.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ false
+
+
+ corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+ true
+ false
+ corp.contoso.com
+ contoso.com,test.corp.contoso.com
+
+
+ HelloServer
+
+ Helloworld.Com
+
```
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index be5bc1caf0..925b124da9 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -1,17 +1,7 @@
---
-title: VPN routing decisions (Windows 10 and Windows 10)
-description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 09/23/2021
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+title: VPN routing decisions
+description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual
---
# VPN routing decisions
@@ -38,7 +28,7 @@ Routes can also be added at connect time through the server for UWP VPN apps.
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
-The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the physical interface itself.
+The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn't a specific route on the physical interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index f8fb6861a0..c4d9da3ec4 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -1,17 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.localizationpriority: medium
ms.date: 07/21/2022
-manager: aaroncz
-ms.author: paoloma
-ms.reviewer: pesmith
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
ms.topic: conceptual
---
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index aee7a82d2d..5cbde2e21f 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -1,17 +1,8 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+ms.topic: conceptual
+ms.date: 03/31/2023
---
# Windows Credential Theft Mitigation Guide Abstract
@@ -65,5 +56,3 @@ This sections covers how to detect the use of stolen credentials and how to coll
## Responding to suspicious activity
Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
-
-
diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png
deleted file mode 100644
index 9f9aea0f86..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png and /dev/null differ
diff --git a/windows/security/information-protection/images/device-details-tab.png b/windows/security/information-protection/images/device-details-tab.png
deleted file mode 100644
index 4dfe33e156..0000000000
Binary files a/windows/security/information-protection/images/device-details-tab.png and /dev/null differ
diff --git a/windows/security/information-protection/images/device-details.png b/windows/security/information-protection/images/device-details.png
new file mode 100644
index 0000000000..32e2edb41d
Binary files /dev/null and b/windows/security/information-protection/images/device-details.png differ
diff --git a/windows/security/information-protection/images/device_details_tab_1903.png b/windows/security/information-protection/images/device_details_tab_1903.png
deleted file mode 100644
index beb0337379..0000000000
Binary files a/windows/security/information-protection/images/device_details_tab_1903.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png
new file mode 100644
index 0000000000..61a2a9a928
Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.png differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-user-experience.png b/windows/security/information-protection/images/kernel-dma-protection-user-experience.png
deleted file mode 100644
index 8949c51627..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-user-experience.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection.png b/windows/security/information-protection/images/kernel-dma-protection.png
new file mode 100644
index 0000000000..be1a68e120
Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection.png differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 49d276838c..eb8db70020 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,6 +1,6 @@
---
-title: Kernel DMA Protection (Windows)
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+title: Kernel DMA Protection
+description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
@@ -9,123 +9,94 @@ ms.collection:
- highpri
- tier1
ms.topic: conceptual
-ms.date: 01/05/2023
+ms.date: 03/30/2023
ms.technology: itpro-security
+appliesto:
+ - ✅ Windows 10 and later
---
# Kernel DMA Protection
-**Applies to**
-- Windows 10
-- Windows 11
+Kernel DMA Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory.
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
+PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB.\
+These devices are DMA-capable, and can access system memory and perform read and write operations without the need for the system processor's involvement. This capability is the reason behind the exceptional performance of PCI devices, but it also makes them susceptible to *drive-by DMA attacks*.
-Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
+Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take just a few minutes, with simple-to-moderate attacking tools (affordable, off-the-shelf hardware and software), that don't require the disassembly of the device. For example, attackers can plug in a USB-like device while the device owner is on a break, and walk away with all the secrets on the machine, or inject a malware that allows them to have full control over the device remotely while bypassing the lock screen.
-This feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
-
-
-## Background
-
-PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.
-The DMA capability is what makes PCI devices the highest performing devices available today.
-These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
-Access to these devices required the user to turn off power to the system and disassemble the chassis.
-
-Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress).
-
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs.
-It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
-Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
-
-Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC.
-A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
+> [!NOTE]
+> Kernel DMA Protection feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, or ExpressCard.
## How Windows protects against DMA drive-by attacks
-Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
-Peripherals with [DMA Remapping compatible drivers](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions.
+Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
+Peripherals with [DMA Remapping compatible drivers][LINK-1] will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions.
-By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies).
+By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using MDM or group policies.
## User experience
-
+When Kernel DMA Protection is enabled:
-By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
-The peripheral will continue to function normally if the user locks the screen or logs out of the system.
+- Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started
+- Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
## System compatibility
-Kernel DMA Protection requires new UEFI firmware support.
-This support is anticipated only on newly introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
+Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required.
-To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
-Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
+Kernel DMA Protection isn't compatible with other BitLocker DMA attacks countermeasures. It's recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
->[!NOTE]
->Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
+> [!NOTE]
+> DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 doesn't support this feature.
->[!NOTE]
->DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 does not support this feature.
+## Check if Kernel DMA Protection is enabled
-## How to check if Kernel DMA Protection is enabled
+Systems that support Kernel DMA Protection will enable the feature automatically, with no user or IT admin configuration required.
-Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
+You can use the Windows Security app to check if Kernel DMA Protection is enabled:
-### Using the Windows Security app
+1. Open Windows Security app
+1. Select **Device security > Core isolation details > Memory access protection**
-Beginning with Windows 10 version 1809, you can use the Windows Security app to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
+:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
-
+Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
-### Using System information
+:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
-1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
+If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
-2. Check the value of **Kernel DMA Protection**.
+- Reboot into UEFI settings
+- Turn on Intel Virtualization Technology
+- Turn on Intel Virtualization Technology for I/O (VT-d)
+- Reboot system into Windows
- 
-
-3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
+> [!NOTE]
+> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
+>
+> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
- - Reboot into BIOS settings
- - Turn on Intel Virtualization Technology.
- - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- - Reboot system into Windows.
+If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
- > [!NOTE]
- > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES.
-
- > [!NOTE]
- > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
-
-4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
-
- For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions
-### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
-In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
-
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
-No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
+
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It's the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt 3 ports during boot.
### How can I check if a certain driver supports DMA-remapping?
-DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
-Check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
-
+Not all devices and drivers support DMA-remapping. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of **0** or **1** means that the device driver doesn't support DMA-remapping. A value of **2** means that the device driver supports DMA-remapping. If the property isn't available, then the device driver doesn't support DMA-remapping.
+Check the driver instance for the device you're testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
-*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.
+:::image type="content" source="images/device-details.png" alt-text="Screenshot of device details for a Thunderbolt controller showing a value of 2." border="false":::
-
+### When the drivers for PCI or Thunderbolt 3 peripherals don't support DMA-remapping?
-### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
-
-If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
+Use the Windows-provided drivers for the peripherals, when available. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping][LINK-1].
### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
@@ -134,20 +105,26 @@ Yes. DMA remapping for a specific device can be turned on independent from Kerne
Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
### Do Microsoft drivers support DMA-remapping?
-In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
+
+The Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers, and Storage NVMe Controllers support DMA Remapping.
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
-No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping.
+
+No. Devices for non-PCI peripherals, such as USB devices, don't perform DMA, thus no need for the driver to be compatible with DMA Remapping.
### How can an enterprise enable the External device enumeration policy?
-The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
-The policy can be enabled by using:
+The External device enumeration policy controls whether to enumerate external peripherals that aren't compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that aren't, can be blocked, allowed, or allowed only after the user signs in (default).
-- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
-- Mobile Device Management (MDM): [DmaGuard policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
+The policy can be enabled by using:
-## Related topics
+- Group Policy: **Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection**
+- Mobile Device Management (MDM): [DmaGuard policies][LINK-2]
-- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
-- [DmaGuard MDM policies](/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
+
+
+[LINK-1]: /windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers
+[LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
+[LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
+
+[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf
\ No newline at end of file
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png
new file mode 100644
index 0000000000..4ec2be97af
Binary files /dev/null and b/windows/security/threat-protection/images/powershell-example.png differ
diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png
new file mode 100644
index 0000000000..6a1cc80fd4
Binary files /dev/null and b/windows/security/threat-protection/images/vbs-example.png differ
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
new file mode 100644
index 0000000000..ca5ddc47aa
--- /dev/null
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -0,0 +1,44 @@
+---
+title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
+ms.prod: windows-client
+ms.localizationpriority: medium
+ms.author: paoloma
+author: paolomatarazzo
+manager: aaroncz
+ms.technology: itpro-security
+ms.date: 03/29/2023
+ms.topic: article
+---
+
+# What is Microsoft Baseline Security Analyzer and its uses?
+
+Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
+
+MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
+
+> [!NOTE]
+> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
+
+## Solution
+
+A script can help you with an alternative to MBSA's patch-compliance checking:
+
+- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
+
+For example:
+
+[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
+
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
+
+## More information
+
+For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
+
+- [Windows security baselines](windows-security-baselines.md)
+- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg b/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg
deleted file mode 100644
index 428f96e9b5..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/MDAG-EndpointMgr-newprofile.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 43d0713f40..6f0853d443 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,19 +1,19 @@
---
-title: Enable hardware-based isolation for Microsoft Edge (Windows)
+title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/30/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
-ms.collection:
+appliesto:
+ - ✅ Windows 10
+ - ✅ Windows 11
+ms.collection:
- highpri
- tier2
ms.topic: how-to
@@ -21,39 +21,34 @@ ms.topic: how-to
# Prepare to install Microsoft Defender Application Guard
-**Applies to:**
-
-- Windows 10
-- Windows 11
-
-## Review system requirements
-
-See [System requirements for Microsoft Defender Application Guard](./reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
+Before you continue, review [System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
> [!NOTE]
> Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
-## Prepare for Microsoft Defender Application Guard
+## Prepare for Microsoft Defender Application Guard
Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
### Standalone mode
-Applies to:
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 10 Pro edition, version 1803
-- Windows 11
+Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
-Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
+Standalone mode is applicable for:
+
+- Windows 10 Enterprise edition, version 1709 and later
+- Windows 10 Pro edition, version 1803 and later
+- Windows 11 and later
## Enterprise-managed mode
-Applies to:
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 11
-
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
+Enterprise-managed mode is applicable for:
+
+- Windows 10 Enterprise edition, version 1709 and later
+- Windows 11 and later
+
The following diagram shows the flow between the host PC and the isolated container.
@@ -62,71 +57,56 @@ The following diagram shows the flow between the host PC and the isolated contai
Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
-### To install by using the Control Panel
+### Install from Control Panel
-1. Open the **Control Panel**, click **Programs,** and then select **Turn Windows features on or off**.
+1. Open the **Control Panel**, select **Programs,** and then select **Turn Windows features on or off**.
-2. Select the check box next to **Microsoft Defender Application Guard** and then select **OK**.
+1. Select the check box next to **Microsoft Defender Application Guard** and then select **OK** to install Application Guard and its underlying dependencies.
- Application Guard and its underlying dependencies are all installed.
-
-### To install by using PowerShell
+### Install from PowerShell
> [!NOTE]
> Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-1. Select the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**.
-
-2. Right-click **Windows PowerShell**, and then select **Run as administrator**.
+1. Select the **Search** icon in the Windows taskbar and type **PowerShell**.
- Windows PowerShell opens with administrator credentials.
+1. Right-click **Windows PowerShell**, and then select **Run as administrator** to open Windows PowerShell with administrator credentials.
-3. Type the following command:
+1. Type the following command:
- ```
- Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
- ```
-4. Restart the device.
+ ```powershell
+ Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
+ ```
- Application Guard and its underlying dependencies are all installed.
+1. Restart the device to install Application Guard and its underlying dependencies.
-### To install by using Intune
+### Install from Intune
> [!IMPORTANT]
> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
-:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
+1. Select **Endpoint security** > **Attack surface reduction** > **Create Policy**, and do the following:
- 1. In the **Platform** list, select **Windows 10 and later**.
-
- 2. In the **Profile** type, choose **Templates** and select **Endpoint protection**.
-
- 3. Choose **Create**.
+ - In the **Platform** list, select **Windows 10 and later**.
+ - In the **Profile** type, select **App and browser isolation**.
+ - Select **Create**.
-2. Specify the following settings for the profile:
+1. In the **Basics** tab, specify the **Name** and **Description** for the policy. Select **Next**.
- - **Name** and **Description**
+1. In the **Configuration settings** tab, configure the **Application Guard** settings, as desired. Select **Next**.
- - In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
+1. In the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Select **Next**.
- - In the **Application Guard** list, choose **Enabled for Edge**.
+ To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
- - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
+1. In the **Assignments** page, select the users or groups that will receive the policy. Select **Next**.
-3. Choose **OK**, and then choose **OK** again.
+ To learn more about assigning policies, see [Assign policies in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
-4. Review your settings, and then choose **Create**.
+1. Review your settings, and then select **Create**.
-5. Choose **Assignments**, and then do the following:
-
- 1. On the **Include** tab, in the **Assign to** list, choose an option.
-
- 2. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
-
- 3. Select **Save**.
-
-After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
+After the policy is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 2dfbaefa4f..c003b5258e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -105,6 +105,8 @@
- name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md
items:
+ - name: WDAC debugging and troubleshooting
+ href: operations/wdac-debugging-and-troubleshooting.md
- name: Understanding Application Control event IDs
href: event-id-explanations.md
- name: Understanding Application Control event tags
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 4b9c9e64bd..1b123b517a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 03/24/2023
ms.topic: reference
---
@@ -20,50 +20,82 @@ ms.topic: reference
- Windows 11
- Windows Server 2016 and later (limited events)
-A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
+## WDAC Events Overview
-- Events about Application Control policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
+WDAC logs events when a policy is loaded, when a file is blocked, or when a file would be blocked if in audit mode. These block events include information that identifies the policy and gives more details about the block. WDAC doesn't generate events when a binary is allowed. However, you can turn on allow audit events for files authorized by a managed installer or the Intelligent Security Graph (ISG) as described later in this article.
-- Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
+### Core WDAC event logs
+
+WDAC events are generated under two locations in the Windows Event Viewer:
+
+- **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational** includes events about Application Control policy activation and the control of executables, dlls, and drivers.
+- **Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script** includes events about the control of MSI installers, scripts, and COM objects.
+
+Most app and script failures that occur when WDAC is active can be diagnosed using these two event logs. This article describes in greater detail the events that exist in these logs. To understand the meaning of different data elements, or tags, found in the details of these events, see [Understanding Application Control event tags](event-tag-explanations.md).
> [!NOTE]
-> These event IDs are not included on Windows Server Core edition.
+> **Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script** events are not included on Windows Server Core edition.
-## Windows CodeIntegrity Operational log
+## WDAC block events for executables, dlls, and drivers
+
+These events are found in the **CodeIntegrity - Operational** event log.
| Event ID | Explanation |
|--------|-----------|
-| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
-| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
-| 3034 | This event isn't common. It's the audit mode equivalent of event 3033 described above. |
+| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required.
This event is also seen for kernel- or user-mode code that the developer opted-in to [/INTEGRITYCHECK](/cpp/build/reference/integritycheck-require-signature-check) but isn't signed correctly. |
+| 3033 | This event may occur with or without an Application Control policy present and should occur alongside a 3077 event if caused by WDAC policy. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. Presence of the Lifetime Signing EKU is the only case where WDAC blocks files due to an expired signature. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a rule (for example, hash) that doesn't rely on the revoked or expired cert.
This event also occurs if code compiled with [Code Integrity Guard (CIG)](/microsoft-365/security/defender-endpoint/exploit-protection-reference#code-integrity-guard) tries to load other code that doesn't meet the CIG requirements. |
+| 3034 | This event isn't common. It's the audit mode equivalent of event 3033. |
| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. |
| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy. |
+| 3089 | This event contains signature information for files that were blocked or audit blocked by Application Control. One of these events is created for each signature of a file. Each event shows the total number of signatures found and an index value to identify the current signature. Unsigned files generate a single one of these events with TotalSignatureCount of 0. These events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. |
-## Windows AppLocker MSI and Script log
+## WDAC block events for packaged apps, MSI installers, scripts, and COM objects
+
+These events are found in the **AppLocker – MSI and Script** event log.
| Event ID | Explanation |
|--------|-----------|
-| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
-| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). |
+| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run, but wouldn't have passed the WDAC policy if it was enforced. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
+| 8029 | This event is the enforcement mode equivalent of event 8028. Note: While this event says that a script was blocked, the script hosts control the actual script enforcement behavior. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell runs script not allowed by your WDAC policy in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
-| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
+| 8037 | This event indicates that a script host checked whether to allow a script to run, and the file passed the WDAC policy. |
+| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files generate a single 8038 event with TotalSignatureCount 0. These events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
+| 8039 | This event indicates that a packaged app (MSIX/AppX) was allowed to install or run because the WDAC policy is in audit mode. But, it would have been blocked if the policy was enforced. |
+| 8040 | This event indicates that a packaged app was prevented from installing or running due to the WDAC policy. |
+
+## WDAC policy activation events
+
+These events are found in the **CodeIntegrity - Operational** event log.
+
+| Event ID | Explanation |
+|--------|-----------|
+| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. |
+| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. This event's Details includes useful information about the policy, such as its policy options. |
+| 3097 | The Application Control policy can't be refreshed. |
+| 3099 | Indicates that a policy has been loaded. This event's Details includes useful information about the Application Control policy, such as its policy options. |
+| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
+| 3101 | Application Control policy refresh started for *N* policies. |
+| 3102 | Application Control policy refresh finished for *N* policies. |
+| 3103 | The system is ignoring the Application Control policy refresh. For example, an inbox Windows policy that doesn't meet the conditions for activation. |
+| 3105 | The system is attempting to refresh the Application Control policy with the specified ID. |
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
> [!NOTE]
> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs.
-Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
+The following events provide helpful diagnostic information when a WDAC policy includes the ISG or MI option. These events can help you debug why something was allowed/denied based on managed installer or ISG. Events 3090, 3091, and 3092 don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077.
+
+Unless otherwise noted, these events are found in either the **CodeIntegrity - Operational** event log or the **CodeIntegrity - Verbose** event log depending on your version of Windows.
| Event ID | Explanation |
|--------|---------|
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
| 3092 | This event is the enforcement mode equivalent of 3091. |
+| 8002 | This event is found in the **AppLocker - EXE and DLL** event log. When a process launches that matches a managed installer rule, this event is raised with PolicyName = MANAGEDINSTALLER found in the event Details. Events with PolicyName = EXE or DLL aren't related to WDAC. |
-The above events are reported per active policy on the system, so you may see multiple events for the same file.
+Events 3090, 3091, and 3092 are reported per active policy on the system, so you may see multiple events for the same file.
### ISG and MI diagnostic event details
@@ -86,57 +118,7 @@ To enable 3090 allow events, create a TestFlags regkey with a value of 0x300 as
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
-3091 and 3092 events are inactive on some versions of Windows. The above steps will also turn on those events.
-
-## Event ID 3099 Options
-
-The Application Control policy rule option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
-
-- Access Event Viewer.
-- Access the Code integrity 3099 event.
-- Access the details pane.
-- Identify the hex code listed in the "Options" field.
-- Convert the hex code to binary.
-
-:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
-
-For a simple solution for converting hex to binary, follow these steps:
-
-1. Open the Calculator app.
-1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
-1. Select **Programmer** mode.
-1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
-1. Enter your hex code. For example, `80881000`.
-1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
-
-:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
-
-This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
-
-Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
-
-| Bit Address | Policy Rule Option |
-|-------|------|
-| 2 | `Enabled:UMCI` |
-| 3 | `Enabled:Boot Menu Protection` |
-| 4 | `Enabled:Intelligent Security Graph Authorization` |
-| 5 | `Enabled:Invalidate EAs on Reboot` |
-| 7 | `Required:WHQL` |
-| 10 | `Enabled:Allow Supplemental Policies` |
-| 11 | `Disabled:Runtime FilePath Rule Protection` |
-| 13 | `Enabled:Revoked Expired As Unsigned` |
-| 16 | `Enabled:Audit Mode (Default)` |
-| 17 | `Disabled:Flight Signing` |
-| 18 | `Enabled:Inherit Default Policy` |
-| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
-| 20 | `Enabled:Dynamic Code Security` |
-| 21 | `Required:EV Signers` |
-| 22 | `Enabled:Boot Audit on Failure` |
-| 23 | `Enabled:Advanced Boot Options Menu` |
-| 24 | `Disabled:Script Enforcement` |
-| 25 | `Required:Enforce Store Applications` |
-| 27 | `Enabled:Managed Installer` |
-| 28 | `Enabled:Update Policy No Reboot` |
+Events 3091 and 3092 are inactive on some versions of Windows and are turned on by the preceding command.
## Appendix
@@ -152,11 +134,11 @@ A list of other relevant event IDs and their corresponding description.
| 3012 | Code Integrity started loading the signature catalog. |
| 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. |
| 3024 | Windows application control was unable to refresh the boot catalog file. |
-| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
-| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked.
+| 3026 | Microsoft or the certificate issuing authority revoked the certificate that signed the catalog. |
+| 3032 | The file under validation is revoked or the file has a signature that is revoked.
| 3033 | The file under validation didn't meet the requirements to pass the application control policy. |
| 3034 | The file under validation wouldn't meet the requirements to pass the Application Control policy if it was enforced. The file was allowed since the policy is in audit mode. |
-| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3036 | Microsoft or the certificate issuing authority revoked the certificate that signed the file being validated. |
| 3064 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |
| 3065 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. |
| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
@@ -166,18 +148,18 @@ A list of other relevant event IDs and their corresponding description.
| 3079 | The file under validation didn't meet the requirements to pass the application control policy. |
| 3080 | If the Application Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the application control policy. |
| 3081 | The file under validation didn't meet the requirements to pass the application control policy. |
-| 3082 | If the Application Control policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
-| 3084 | Code Integrity will enforce the WHQL driver signing requirements on this boot session. |
-| 3085 | Code Integrity won't enforce the WHQL driver signing requirements on this boot session. |
+| 3082 | If the Application Control policy was enforced, the policy would have blocked this non-WHQL driver. |
+| 3084 | Code Integrity is enforcing WHQL driver signing requirements on this boot session. |
+| 3085 | Code Integrity isn't enforcing WHQL driver signing requirements on this boot session. |
| 3086 | The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process. |
-| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. |
+| 3089 | This event contains signature information for files that were blocked or audit blocked by Application Control. One 3089 event is created for each signature of a file. |
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. |
| 3092 | This event is the enforcement mode equivalent of 3091. |
| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. |
| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. |
| 3097 | The Application Control policy can't be refreshed. |
-| 3099 | Indicates that a policy has been loaded. This event also includes information about the options that were specified by the Application Control policy. |
+| 3099 | Indicates that a policy has been loaded. This event also includes information about the options set by the Application Control policy. |
| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
| 3101 | The system started refreshing the Application Control policy. |
| 3102 | The system finished refreshing the Application Control policy. |
@@ -187,5 +169,5 @@ A list of other relevant event IDs and their corresponding description.
| 3108 | Windows mode change event was successful. |
| 3110 | Windows mode change event was unsuccessful. |
| 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. |
-| 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. |
+| 3112 | Windows has revoked the certificate that signed the file being validated. |
| 3114 | Dynamic Code Security opted the .NET app or DLL into Application Control policy validation. The file under validation didn't pass your policy and was blocked. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index f358465735..04be400ff9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -10,17 +10,17 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 07/13/2021
+ms.date: 03/24/2023
ms.technology: itpro-security
ms.topic: article
---
# Understanding Application Control event tags
-Windows Defender Application Control (WDAC) events include many fields, which provide helpful troubleshooting information to figure out exactly what an event means. Below, we've documented the values and meanings for a few useful event tags.
+Windows Defender Application Control (WDAC) events include many fields, which provide helpful troubleshooting information to figure out exactly what an event means. This article describes the values and meanings for a few useful event tags.
## SignatureType
@@ -30,21 +30,21 @@ Represents the type of signature which verified the image.
|---|----------|
| 0 | Unsigned or verification hasn't been attempted |
| 1 | Embedded signature |
-| 2 | Cached signature; presence of CI EA shows that file had been previously verified |
+| 2 | Cached signature; presence of a CI EA means the file was previously verified |
| 3 | Cached catalog verified via Catalog Database or searching catalog directly |
| 4 | Uncached catalog verified via Catalog Database or searching catalog directly |
| 5 | Successfully verified using an EA that informs CI that catalog to try first |
| 6 | AppX / MSIX package catalog verified |
| 7 | File was verified |
-## ValidatedSigningLevel
+## Requested and Validated Signing Level
Represents the signature level at which the code was verified.
-| ValidatedSigningLevel Value | Explanation |
+| SigningLevel Value | Explanation |
|---|----------|
| 0 | Signing level hasn't yet been checked |
-| 1 | File is unsigned |
+| 1 | File is unsigned or has no signature that passes the active policies |
| 2 | Trusted by Windows Defender Application Control policy |
| 3 | Developer signed code |
| 4 | Authenticode signed |
@@ -76,15 +76,15 @@ Represents why verification failed, or if it succeeded.
| 11 | Page hash mismatch |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
-| 14 | The signature is missing the required ARM EKU |
+| 14 | The signature is missing the required ARM processor EKU |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
-| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI |
-| 19 | Binary is revoked by file hash |
+| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI |
+| 19 | Binary is revoked based on its file hash |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy |
| 21 | Failed to pass Windows Defender Application Control policy |
-| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet |
+| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
| 25 | Anti-cheat policy violation |
@@ -92,6 +92,56 @@ Represents why verification failed, or if it succeeded.
| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
+## Policy activation event Options
+
+The Application Control policy rule option values can be derived from the "Options" field in the Details section for successful [policy activation events](event-id-explanations.md#wdac-policy-activation-events). To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
+
+- Access Event Viewer.
+- Access the Code integrity 3099 event.
+- Access the details pane.
+- Identify the hex code listed in the "Options" field.
+- Convert the hex code to binary.
+
+:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options.":::
+
+For a simple solution for converting hex to binary, follow these steps:
+
+1. Open the Calculator app.
+1. Select the menu icon. :::image type="icon" source="images/calculator-menu-icon.png" border="false":::
+1. Select **Programmer** mode.
+1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false":::
+1. Enter your hex code. For example, `80881000`.
+1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false":::
+
+:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary.":::
+
+This view provides the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy.
+
+Next, use the bit addresses and their values from the following table to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode.
+
+| Bit Address | Policy Rule Option |
+|-------|------|
+| 2 | `Enabled:UMCI` |
+| 3 | `Enabled:Boot Menu Protection` |
+| 4 | `Enabled:Intelligent Security Graph Authorization` |
+| 5 | `Enabled:Invalidate EAs on Reboot` |
+| 7 | `Required:WHQL` |
+| 10 | `Enabled:Allow Supplemental Policies` |
+| 11 | `Disabled:Runtime FilePath Rule Protection` |
+| 13 | `Enabled:Revoked Expired As Unsigned` |
+| 16 | `Enabled:Audit Mode (Default)` |
+| 17 | `Disabled:Flight Signing` |
+| 18 | `Enabled:Inherit Default Policy` |
+| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
+| 20 | `Enabled:Dynamic Code Security` |
+| 21 | `Required:EV Signers` |
+| 22 | `Enabled:Boot Audit on Failure` |
+| 23 | `Enabled:Advanced Boot Options Menu` |
+| 24 | `Disabled:Script Enforcement` |
+| 25 | `Required:Enforce Store Applications` |
+| 27 | `Enabled:Managed Installer` |
+| 28 | `Enabled:Update Policy No Reboot` |
+
## Microsoft Root CAs trusted by Windows
The rule means trust anything signed by a certificate that chains to this root CA.
@@ -101,7 +151,7 @@ The rule means trust anything signed by a certificate that chains to this root C
| 0| None |
| 1| Unknown |
| 2 | Self-Signed |
-| 3 | Authenticode |
+| 3 | Microsoft Authenticode(tm) Root Authority |
| 4 | Microsoft Product Root 1997 |
| 5 | Microsoft Product Root 2001 |
| 6 | Microsoft Product Root 2010 |
@@ -123,4 +173,4 @@ For well-known roots, the TBS hashes for the certificates are baked into the cod
## Status values
-Represents values that are used to communicate system information. They are of four types: success values, information values, warning values, and error values. Click on the [NTSATUS](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55) link for information about common usage details.
+Represents values that are used to communicate system information. They are of four types: success values, information values, warning values, and error values. See [NTSATUS](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55) for information about common usage details.
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 3bd14575c5..fdbd1d7ecc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 03/16/2023
+ms.date: 03/31/2023
ms.technology: itpro-security
---
@@ -23,7 +23,7 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md).
-When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use.
+When you create policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that you can use. These example policies are provided "as-is". You should thoroughly test the policies you deploy using safe deployment methods.
| **Example Base Policy** | **Description** | **Where it can be found** |
|-------------------------|---------------------------------------------------------------|--------|
@@ -31,7 +31,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
-| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
+| **DenyAllAudit.xml** | ***Warning: Will cause boot issues on Windows Server 2019 and earlier. Do not use on those operating systems.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
| **Microsoft Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml |
| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml |
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/event-3077.png b/windows/security/threat-protection/windows-defender-application-control/images/event-3077.png
new file mode 100644
index 0000000000..2b39c88a49
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/event-3077.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/event-3089.png b/windows/security/threat-protection/windows-defender-application-control/images/event-3089.png
new file mode 100644
index 0000000000..30d2cba31d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/event-3089.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
index ac290b7659..9c88206c87 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
@@ -65,18 +65,9 @@ CiTool makes Windows Defender Application Control (WDAC) policy management easie
4. List the actively enforced WDAC policies on the system
```powershell
- $wdacPolicies = (CiTool -lp -json | ConvertFrom-Json).Policies
-
# Check each policy's IsEnforced state and return only the enforced policies
- foreach($wdacPolicy in $wdacPolicies ){
-
- if($wdacPolicy.IsEnforced)
- {
- Write-Host $wdacPolicy.FriendlyName
- Write-Host $wdacPolicy.PolicyID "`n"
- }
- }
-
+ (CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} |
+ Select-Object -Property PolicyID,FriendlyName | Format-List
```
5. Display the help menu
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index a5642a032c..d6e821e8be 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -9,7 +9,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
-ms.date: 02/02/2023
+ms.date: 04/04/2023
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
@@ -28,15 +28,34 @@ ms.localizationpriority: medium
This article covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
-## Managed Installer and ISG will cause garrulous events
+## WDAC policy file locations
+
+**Multiple policy format WDAC policies** are found in the following locations depending on whether the policy is signed or not, and the method of policy deployment that was used.
+
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
+- <EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
+
+The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the <PolicyId> element.
+
+For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
+
+- <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b
+- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
+
+> [!NOTE]
+> A multiple policy format WDAC policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` may exist under any of the policy file locations.
+
+## Known issues
+
+### Managed Installer and ISG may cause excessive events
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
-## .NET native images may generate false positive block events
+### .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
-## MSI Installations launched directly from the internet are blocked by WDAC
+### MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
For example, this command won't work:
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
new file mode 100644
index 0000000000..81ed21b671
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
@@ -0,0 +1,257 @@
+---
+title: WDAC debugging and troubleshooting guide
+description: Learn how to debug and troubleshoot app and script failures when using WDAC
+author: valemieux
+ms.author: jogeurte
+ms.reviewer: jsuther1974
+ms.topic: how-to
+ms.date: 03/23/2023
+ms.custom: template-how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+---
+
+# WDAC debugging and troubleshooting
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and later
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
+This article describes how to debug and troubleshoot app and script failures when using Windows Defender Application Control (WDAC).
+
+## 1 - Gather WDAC diagnostic data
+
+Before debugging and troubleshooting WDAC issues, you must collect information from a device exhibiting the problem behavior.
+
+Run the following commands from an elevated PowerShell window to collect the diagnostic information you may need:
+
+1. Gather general WDAC diagnostic data and copy it to %userprofile%\AppData\Local\Temp\DiagOutputDir\CiDiag:
+
+ ```powershell
+ cidiag.exe /stop
+ ```
+
+ If CiDiag.exe isn't present in your version of Windows, gather this information manually:
+
+ - WDAC policy binaries from the [Windows and EFI system partitions](known-issues.md#wdac-policy-file-locations)
+ - [WDAC event logs](#core-wdac-event-logs)
+ - [AppLocker event logs](#core-wdac-event-logs)
+ - [Other event logs that may contain useful information](#other-windows-event-logs-that-may-be-useful) from other Windows apps and services
+
+2. Save the device's System Information to the CiDiag folder:
+
+ ```powershell
+ msinfo32.exe /report $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\SystemInformation.txt
+ ```
+
+3. Use [CiTool.exe](citool-commands.md) to inventory the list of WDAC policies on the device. Skip this step if CiTool.exe isn't present in your version of Windows.
+
+ ```powershell
+ citool.exe -lp -json > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\CiToolOutput.json
+ ````
+
+4. Export AppLocker registry key data to the CiDiag folder:
+
+ ```powershell
+ reg.exe query HKLM\Software\Policies\Microsoft\Windows\SrpV2 /s > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\Software\Policies\Microsoft\Windows\AppidPlugins /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt; reg.exe query HKLM\System\CurrentControlSet\Control\Srp\ /s >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerRegistry.txt
+ ```
+
+ > [!NOTE]
+ > You may see an error that the system was unable to find the specified registry key or value. This error doesn't indicate a problem and can be ignored.
+
+5. Copy any AppLocker policy files from %windir%System32\AppLocker to the CiDiag folder:
+
+ ```powershell
+ Copy-Item -Path $env:windir\System32\AppLocker -Destination $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\ -Recurse -Force -ErrorAction Ignore
+ ```
+
+6. Collect file information for the AppLocker policy files collected in the previous step:
+
+ ```powershell
+ Get-ChildItem -Path $env:windir\System32\AppLocker\ -Recurse | select Mode,LastWriteTime,CreationTime,Length,Name >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerPolicyFiles.txt
+ ```
+
+7. Export the effective AppLocker policy:
+
+ ```powershell
+ Get-AppLockerPolicy -xml -Effective > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml
+ ```
+
+8. Collect AppLocker services configuration and state information:
+
+ ```powershell
+ sc.exe query appid > $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt; sc.exe query appidsvc >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt; sc.exe query applockerfltr >> $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt
+ ```
+
+### Core WDAC event logs
+
+WDAC events are generated under two locations:
+
+- Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+- Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+Within the CiDiag output directory, these event logs are called CIOperational.evtx and ALMsiAndScript.evtx, respectively.
+
+### Other Windows event logs that may be useful
+
+Sometimes, you may be able to supplement the information contained in the core WDAC event logs with information found in these other event logs. CIDiag.exe doesn't collect the ones shown in *italics*.
+
+- Applications and Services logs – Microsoft – Windows – CodeIntegrity – Verbose
+- Applications and Services logs – Microsoft – Windows – AppLocker – EXE and DLL
+- Applications and Services logs – Microsoft – Windows – AppLocker – Packaged app-Deployment
+- Applications and Services logs – Microsoft – Windows – AppLocker – Packaged app-Execution
+- Applications and Services logs – Microsoft – Windows – AppID - Operational
+- Applications and Services logs – Microsoft – Windows – CAPI2 - Operational
+- Applications and Services logs – Microsoft – Windows – DeviceGuard - Operational
+- *Applications and Services logs – Microsoft – Windows – PowerShell - \**
+- *Windows - Application*
+- *Windows - System*
+
+## 2 - Use the diagnostic and log data to identify problems
+
+Having gathered the necessary diagnostic information from a device, you're ready to begin your analysis of the diagnostic data collected in the previous section.
+
+1. Verify the set of WDAC policies that are active and enforced. Confirm that only those policies you expect to be active are currently active. Be aware of the [Windows inbox policies](inbox-wdac-policies.md) that may also be active. You can use either of these methods:
+
+ - Review the output from *CiTool.exe -lp*, if applicable, which was saved to the CIDiag output directory as CiToolOutput.json. See [use Microsoft Edge to view the formatted json file](/microsoft-edge/devtools-guide-chromium/json-viewer/json-viewer).
+ - Review all [policy activation events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#wdac-policy-activation-events) from the core WDAC event log found at **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational**. Within the CIDiag output directory, this event log is called CIOperational.evtx.
+
+2. Review any [block events for executables, dlls, and drivers](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#wdac-block-events-for-executables-dlls-and-drivers) from the core WDAC event log found at **Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational**. Within the CIDiag output directory, this event log is called CIOperational.evtx. Use information from the block events and their correlated 3089 signature details event(s) to investigate any blocks that are unexplained or unexpected. See the blocked executable example described later in this article for reference.
+3. Review any [block events for packaged apps, MSI installers, scripts, and COM objects](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#wdac-block-events-for-packaged-apps-msi-installers-scripts-and-com-objects) from the core script enforcement event log found at **Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script**. Within the CIDiag output directory, this event log is called ALMsiAndScript.evtx. Use information from the block events and their correlated 8038 signature details event(s) to investigate any blocks that are unexplained or unexpected.
+
+Most WDAC-related issues, including app and script failures, can be diagnosed using the preceding steps.
+
+### Event analysis for an example blocked executable
+
+Here's an example of detailed EventData from a typical WDAC enforcement mode block event 3077, and one of its correlated 3089 signature information events. The tables that follow each event screenshot describe some of the elements contained in the events. Following the event descriptions is a step-by-step walkthrough explaining how to use the events to understand why the block occurred.
+
+#### Event 3077 - WDAC enforcement block event
+
+
+
+| Element name | Description |
+| ----- | ----- |
+| System - Correlation - \[ActivityID\] | **Not shown in screenshot**
Use the correlation ActivityID to match a WDAC block event with one or more 3089 signature events. |
+| File Name | The file's path and name on disk that was blocked from running. Since the name on disk is mutable, this value **isn't** the one used when creating WDAC file rules with `-Level FileName`. Instead, see the OriginalFileName element later in this table. |
+| Process Name | The path and name of the file that attempted to run the blocked file. Also called the parent process. |
+| Requested Signing Level | The Windows signing authorization level the code needed to pass in order to run. See [Requested and validated signing level](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#requested-and-validated-signing-level). |
+| Validated Signing Level | The Windows signing authorization level the code was given. See [Requested and validated signing level](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#requested-and-validated-signing-level). |
+| Status | Windows NT status code. You can use `certutil.exe -error ` to look up the meaning of the status code. |
+| SHA1 Hash | The SHA1 Authenticode hash for the blocked file. |
+| SHA256 Hash | The SHA256 Authenticode hash for the blocked file. |
+| SHA1 Flat Hash | The SHA1 flat file hash for the blocked file. |
+| SHA256 Flat Hash | The SHA256 flat file hash for the blocked file. |
+| PolicyName | The friendly name of the WDAC policy that caused the block event. A separate 3077 block event (or 3076 audit block event) is shown for each policy that blocks the file from running. |
+| PolicyId | The friendly ID value of the WDAC policy that caused the block event. |
+| PolicyHash | The SHA256 Authenticode hash of the WDAC policy binary that caused the block event. |
+| OriginalFileName | The immutable file name set by the developer in the blocked file's resource header. This value is the one used when creating WDAC file rules with `-Level FileName`. |
+| InternalName | Another immutable value set by the developer in the blocked file's resource header. You can substitute this value for the OriginalFileName in file rules with `-Level FileName -SpecificFileNameLevel InternalName`. |
+| FileDescription | Another immutable value set by the developer in the blocked file's resource header. You can substitute this value for the OriginalFileName in file rules with `-Level FileName -SpecificFileNameLevel FileDescription`. |
+| ProductName | Another immutable value set by the developer in the blocked file's resource header. You can substitute this value for the OriginalFileName in file rules with `-Level FileName -SpecificFileNameLevel ProductName`. |
+| FileVersion | The policy's VersionEx value used to enforce version control over signed policies. |
+| PolicyGUID | The PolicyId of the WDAC policy that caused the block event. |
+| UserWriteable | A boolean value indicating if the file was in a user-writeable location. This information is useful for diagnosing issues when allowing by FilePath rules. |
+| PackageFamilyName | The Package Family Name for the packaged app (MSIX) that includes the blocked file. |
+
+#### Event 3089 - WDAC signature information event
+
+
+
+| Element name | Description |
+| ----- | ----- |
+| System - Correlation - \[ActivityID\] | Use the correlation ActivityID to match a WDAC signature event with its block event. |
+| TotalSignatureCount | The total number of signatures detected for the blocked file. |
+| Signature | The index count, starting at 0, of the current signature shown in this 3089 event. If the file had multiple signatures, you'll find other 3089 events for the other signatures. |
+| Hash | The hash value that WDAC used to match the file. This value should match one of the four hashes shown on the 3077 or 3076 block event. If no signatures were found for the file (TotalSignatureCount = 0), then only the hash value is shown. |
+| SignatureType | The [type of signature](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#signaturetype). |
+| ValidatedSigningLevel | The Windows signing authorization level the signature met. See [Requested and validated signing level](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#requested-and-validated-signing-level). |
+| VerificationError | The reason this particular signature failed to pass the WDAC policy. See [VerificationError](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#verificationerror). |
+| PublisherName | The common name (CN) value from the leaf certificate. |
+| IssuerName | The CN value from the highest available certificate in the certificate chain. This level is typically one certificate below the root. |
+| PublisherTBSHash | The TBS hash of the leaf certificate. |
+| IssuerTBSHash | The TBS hash of the highest available certificate in the certificate chain. This level is typically one certificate below the root. |
+
+#### Step-by-step walkthrough of the example 3077 and 3089 events
+
+Now let's walk through how to use the event data in the example 3077 and 3089 events to understand why the WDAC policy blocked this file.
+
+##### Understand what file is being blocked and the block context
+
+Referring to the 3077 event, locate the information that identifies the policy, the file being blocked, and the parent process that tried to run it. Consider this context information to determine whether the block is expected and wanted.
+
+In the example, the file being blocked is PowerShell.exe, which is part of Windows and would normally be expected to run. However, in this case, the policy was based off of the Windows in S mode policy template, which doesn't allow script hosts to run as a way to limit the attack surface. For S mode, this block event is a success. But let's assume the policy author was unaware of that constraint when they chose the template, and treat this block as unexpected.
+
+##### Determine why WDAC rejected the file
+
+Again referring to the 3077 event, we see the Requested Signing Level of 2 means the code must pass the WDAC policy. But the Validated Signing Level of 1 means the code was treated as though unsigned. "Unsigned" could mean the file was truly unsigned, signed but with an invalid certificate, or signed but without any certificates allowed by the WDAC policy.
+
+Now, let's inspect the correlated 3089 event(s) for the blocked file. In the example, we're looking at only the first signature (Signature index 0) found on a file that had multiple signatures. For this signature, the ValidatedSigningLevel is 12, meaning it has a Microsoft Windows product signature. The VerificationError of 21 means that the signature didn't pass the WDAC policy.
+
+It's important to review the information for each correlated 3089 event as each signature may have a different ValidatedSigningLevel and VerificationError.
+
+> [!IMPORTANT]
+> Notice how the Validated Signing Level on the 3077 event is interpreted very differently from the ValidatedSigningLevel on the 3089 event.
+>
+> In the case of the 3077 event, Validated Signing Level tells us how the binary was actually treated by Windows.
+>
+> In the case of the 3089 event, on the other hand, ValidatedSigningLevel tells us the potential **maximum** level the signature could receive. We must use the VerificationError to understand why the signature was rejected.
+
+## 3 - Resolve common problems
+
+Having analyzed the WDAC diagnostic data, you can take steps to resolve the issue or do more debugging steps. Following are some common problems and steps you can try to resolve or further isolate the root issue:
+
+### Issue: A file was blocked that you want to allow
+
+- Use data from the core WDAC event logs to add rules to allow the blocked file.
+- Redeploy the file or app using a managed installer if your policy trusts managed installers.
+
+### Issue: A policy is active that is unexpected
+
+This condition may exist if:
+
+- A policy was removed but the system hasn't been rebooted.
+- A policy was partially removed, but a copy of the policy still exists in either the System or EFI partition.
+- A policy with PolicyId {A244370E-44C9-4C06-B551-F6016E563076} (single-policy format) was copied to the multiple-policy format policy location before activation, resulting in a duplicate policy binary on disk. Check for both SiPolicy.p7b and \{A244370E-44C9-4C06-B551-F6016E563076\}.cip files in the System and EFI partitions.
+- A policy was incorrectly deployed to the device.
+- An attacker with administrator access has applied a policy to cause denial of service for some critical processes.
+
+To resolve such an issue, follow the instructions to [Remove WDAC policies](/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies) for the identified policy.
+
+### Issue: An unhandled app failure is occurring and no WDAC events are observed
+
+Some apps alter their behavior when a user mode WDAC policy is active, which can result in unexpected failures. It can also be a side-effect of script enforcement for apps that don't properly handle the enforcement behaviors implemented by the script hosts.
+
+Try to isolate the root cause by doing the following actions:
+
+- Check the other event logs listed in section 1 of this article for events corresponding with the unexpected app failures.
+- Temporarily replace the WDAC policy with another policy that [disables script enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement) and retest.
+- Temporarily replace the WDAC policy with another policy that [allows all COM objects](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) and retest.
+- Temporarily replace the WDAC policy with another policy that relaxes other [policy rules](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) and retest.
+
+### Issue: An app deployed by a managed installer isn't working
+
+To debug issues using managed installer, try these steps:
+
+- Check that the WDAC policy that is blocking the app includes the option to enable managed installer.
+- Check that the effective AppLocker policy $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLocker.xml is correct as described in [Automatically allow apps deployed by a managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls).
+- Check that the AppLocker services are running. This information is found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created in section 1 of this article.
+- Check that an AppLocker file exists called MANAGEDINSTALLER.APPLOCKER exists in the CiDiag folder created earlier. If not, repeat the steps to deploy and enable the managed installer AppLocker configuration.
+- Restart the managed installer process and check that an 8002 event is observed in the **AppLocker - EXE and DLL** event log for the managed installer process with PolicyName = MANAGEDINSTALLER. If instead you see an event with 8003 or 8004 with PolicyName = MANAGEDINSTALLER, then check the ManagedInstaller rules in the AppLocker policy XML and ensure a rule matches the managed installer process.
+- [Use fsutil.exe](/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer#using-fsutil-to-query-extended-attributes-for-managed-installer-mi) to verify files written by the managed installer process have the managed installer origin extended attribute. If not, redeploy the files with the managed installer and check again.
+- Test installation of a different app using the managed installer.
+- Add another managed installer to your AppLocker policy and test installation using the other managed installer.
+- Check if the app is encountering a [known limitation with managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#known-limitations-with-managed-installer). If so, you must authorize the app using other means.
+
+### Issue: An app you expected the Intelligent Security Graph (ISG) to allow isn't working
+
+To debug issues using ISG, try these steps:
+
+- Check that the WDAC policy that is blocking the app includes the option to enable the intelligent security graph.
+- Check that the AppLocker services are running. This information is found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created in section 1 of this article.
+- [Use fsutil.exe](/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer#using-fsutil-to-query-extended-attributes-for-intelligent-security-graph-isg) to verify files have the ISG origin extended attribute. If not, redeploy the files with the managed installer and check again.
+- Check if the app is encountering a [known limitation with ISG](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#known-limitations-with-using-the-isg).
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 1cac513952..35aa964c26 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: vinaypamnani-msft
-ms.reviewer: isbrahm
+ms.reviewer: jsuther
ms.author: vinpa
manager: aaroncz
-ms.date: 09/30/2020
+ms.date: 04/04/2023
ms.custom: asr
ms.technology: itpro-security
ms.topic: article
@@ -51,7 +51,7 @@ Prior to Windows 10 version 1709, Windows Defender Application Control was known
Windows Defender Application Control (WDAC) policies can be created on any client edition of Windows 10 build 1903+, or Windows 11, or on Windows Server 2016 and above.
-WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but can't deploy policies to devices running non-Enterprise SKUs of Windows 10.
+WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index 4a03e5ee20..5697c8f256 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -10,10 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
-ms.date: 03/16/2020
+ms.date: 03/30/2023
ms.technology: itpro-security
ms.topic: article
---
@@ -29,22 +29,17 @@ ms.topic: article
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-After enabling you understand how to design and deploy your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
-
-## WDAC Events Overview
-
-Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, there's the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
-
-WDAC events are generated under two locations:
-
- - Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
-
- - Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+You now understand how to design and deploy your Windows Defender Application Control (WDAC) policies. This guide explains how to understand the effects your policies have and how to troubleshoot when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. |
-| [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. |
-| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender for Endpoint. |
+| [Debugging and troubleshooting](/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting) | This article explains how to debug app and script failures with WDAC. |
+| [Understanding Application Control event IDs](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) | This article explains the meaning of different WDAC event IDs. |
+| [Understanding Application Control event tags](/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations) | This article explains the meaning of different WDAC event tags. |
+| [Query WDAC events with Advanced hunting](/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting) | This article covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender for Endpoint. |
+| [Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues) | This article describes some WDAC Admin Tips & Known Issues. |
+| [Managed installer and ISG technical reference and troubleshooting guide](/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer) | This article provides technical details and debugging steps for managed installer and ISG. |
+| [CITool.exe technical reference](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) | This article explains how to use CITool.exe. |
+| [Inbox WDAC policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) | This article describes the WDAC policies that ship with Windows and when they're active. |
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index f00940e722..6728e2b1bd 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -9,7 +9,9 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: reference
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Resources for deprecated features
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 331770192b..84ceba70f7 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -8,8 +8,10 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
---
# Deprecated features for Windows client
diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md
index d97cc8895b..d987cfd951 100644
--- a/windows/whats-new/feature-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -9,7 +9,9 @@ ms.author: mstewart
ms.topic: article
ms.technology: itpro-fundamentals
ms.date: 10/28/2022
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
---
# Windows client features lifecycle
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index d1f1ec51df..c988c8ebb4 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -11,6 +11,7 @@ metadata:
ms.topic: landing-page
ms.collection:
- highpri
+ - tier1
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 78b5590c17..e294bee159 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -6,8 +6,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: low
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: overview
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 14d7f14fa9..d3e3ac864f 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -6,10 +6,9 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 04/05/2023
---
# What's new in Windows 10 Enterprise LTSC 2019
@@ -36,7 +35,8 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Configuration Manager.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 with the following exception:
+- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since they aren't supported by Windows Update for Business. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2019 clients.
## Security
@@ -201,7 +201,7 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
-- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- You can set up Windows Hello from lock screen for Microsoft accounts. We've made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ccc6db0ea1..614576055a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -6,18 +6,17 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.prod: windows-client
author: mestew
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 04/05/2023
---
# What's new in Windows 10 Enterprise LTSC 2021
**Applies to**
-- Windows 10 Enterprise LTSC 2021
+- Windows 10 Enterprise LTSC 2021
-This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
> [!NOTE]
> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
@@ -76,11 +75,11 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### Virus and threat protection
-[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
-[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses.
+[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+ - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
+ - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
@@ -105,7 +104,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
To try this extension:
1. Configure Application Guard policies on your device.
@@ -129,7 +128,7 @@ Application Guard performance is improved with optimized document opening times:
[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new 'supplemental' policy.
- [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for unknown admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
- [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
@@ -171,7 +170,8 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
#### Microsoft Intune
-Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2021 with the following exception:
+- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since they aren't supported by Windows Update for Business. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2021 clients.
A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index d0825bcd12..0cfa8fb10e 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -6,10 +6,12 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
-ms.topic: article
+ms.topic: conceptual
ms.technology: itpro-fundamentals
ms.date: 01/05/2023
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Features and functionality removed in Windows client
@@ -38,6 +40,7 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
+| Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 |
| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November, 2022 |
| Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 |
| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 |
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 078b022d66..3030181ea5 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -7,7 +7,9 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 77d6e3c52f..af47ae3987 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -7,7 +7,9 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index c6aaf4368c..0e8808f228 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -7,7 +7,9 @@ ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.topic: article
-ms.collection: highpri, tier2
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
@@ -35,7 +37,7 @@ To learn more about the status of the November 2021 Update rollout, known issues
Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the General Availability Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
-Quality updates are still installed monthly on patch Tuesday.
+Quality updates are still installed monthly on the second Tuesday of the month.
For more information, see:
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
index 99199e8037..e1ecaecbb0 100644
--- a/windows/whats-new/whats-new-windows-10-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -7,9 +7,11 @@ ms.author: mstewart
author: mestew
manager: aaroncz
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: conceptual
ms.date: 10/18/2022
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier2
---
# What's new in Windows 10, version 22H2
@@ -31,7 +33,7 @@ To learn more about the status of the Windows 10, version 22H2 rollout, known is
For more information about updated tools to support this release, see [IT tools to support Windows 10, version 22H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-22h2/ba-p/3655750).
-The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on patch Tuesday.
+The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on the second Tuesday of the month.
For more information, see:
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 9879efdeab..bb565c5358 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -6,8 +6,10 @@ ms.prod: windows-client
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 93f8c35444..df91262622 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -9,7 +9,9 @@ ms.date: 09/20/2022
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: overview
-ms.collection: highpri, tier1
+ms.collection:
+ - highpri
+ - tier1
---
# Windows 11 overview
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index d61ccbad1a..ce4a6efa32 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 46740f84c3..9a0cdaf844 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
---
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index f264fb396a..74230a9b73 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -6,8 +6,10 @@ author: mestew
ms.author: mstewart
ms.prod: windows-client
ms.localizationpriority: medium
-ms.topic: article
-ms.collection: highpri, tier1
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier1
ms.technology: itpro-fundamentals
ms.date: 02/13/2023
---