Merge branch 'main' into privacy-update-vb

2025-06-18 20:03:40 +00:00 · 2022-10-10 11:12:36 -07:00
parent 1c70d5ddc5 f98754617d
commit 6b96457fc9
15 changed files with 279 additions and 79 deletions
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@ -88,7 +88,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure                               | 8.0.0             | Win32    | AIR                          |
 | Alertus Desktop                         | 5.4.44.0          | Win32    | Alertus technologies         |
-| Brave Browser                           | 1.34.80           | Win32    | Brave                        |
+| Brave Browser                           | 106.0.5249.65     | Win32    | Brave                        |
 | Bulb Digital Portfolio                  | 0.0.7.0           | Store    | Bulb                         |
 | CA Secure Browser                       | 14.0.0            | Win32    | Cambium Development          |
 | Cisco Umbrella                          | 3.0.110.0         | Win32    | Cisco                        |
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
 Write-Output "$(Get-TS): Mounting WinRE"
 Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update
+# Add servicing stack update (Step 1 from the table)
-# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
 # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
 # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
 # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
 # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
 # combined cumulative update can be installed. 
-# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# This error should be caught and ignored, as the last step will be to apply the cumulative update 
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
 # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Now, attempt the combined cumulative update.
 # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should 
 # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct 
 # packages installed.
 try
 {
-    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
+    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null  
 }
 Catch
 {
@ -221,6 +228,13 @@ Catch
    }
 }
 # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
 # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
 # update. This second approach is commented out below.
 # Write-Output "$(Get-TS): Adding package $SSU_PATH"
 # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null  
 #
 # Optional: Add the language to recovery environment
 #
@ -301,21 +315,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
    Write-Output "$(Get-TS): Mounting WinPE"
    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
-    # Add SSU
+    # Add servicing stack update (Step 9 from the table)
-    # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+    # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-    # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. 
+    # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
    # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
    # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
    # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
    # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
    # combined cumulative update can be installed. 
-    # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+    # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null  
    # Now, attempt the combined cumulative update.
    # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
    # This error should be caught and ignored, as the last step will be to apply the cumulative update 
    # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
    Write-Output "$(Get-TS): Adding package $SSU_PATH"
    try
    {
-        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null  
    }
    Catch
    {
@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
        }
    }
    # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
    # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
    # update. This second approach is commented out below.
    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
    # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null 
    # Install lp.cab cab
    Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
    Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
 # update Main OS
 #
-# Add servicing stack update
+# Add servicing stack update (Step 18 from the table)
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
 # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
 # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
 # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
 # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, 
 # and installed first before the combined cumulative update can be installed. 
 # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
 # Write-Output "$(Get-TS): Adding package $SSU_PATH"
 # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
 # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
 Write-Output "$(Get-TS): Adding package $LCU_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null  
 # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
 # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
 # update. This second approach is commented out below.
 # Write-Output "$(Get-TS): Adding package $SSU_PATH"
 # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null  
 # Optional: Add language to main OS
 Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
@ -0,0 +1,3 @@
 <svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg
@ -0,0 +1,3 @@
 <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
  <path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg
@ -0,0 +1,24 @@
 <svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
  <defs>
    <linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#0078d4" />
      <stop offset="0.82" stop-color="#5ea0ef" />
    </linearGradient>
    <linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#1490df" />
      <stop offset="0.98" stop-color="#1f56a3" />
    </linearGradient>
    <linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#d2ebff" />
      <stop offset="1" stop-color="#f0fffd" />
    </linearGradient>
  </defs>
  <title>Icon-intune-329</title>
  <rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
  <rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
  <path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
  <path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
  <rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
  <circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
  <path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
@ -0,0 +1,20 @@
 <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
  <defs>
    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#32bedd" />
      <stop offset="0.175" stop-color="#32caea" />
      <stop offset="0.41" stop-color="#32d2f2" />
      <stop offset="0.775" stop-color="#32d4f5" />
    </linearGradient>
  </defs>
  <title>MsPortalFx.base.images-10</title>
  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
    <g>
      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
    </g>
  </g>
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
@ -0,0 +1,3 @@
 <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
@ -0,0 +1,22 @@
 <svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
  <defs>
    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#76bc2d" />
      <stop offset="0.32" stop-color="#73b82c" />
      <stop offset="0.65" stop-color="#6cab29" />
      <stop offset="0.99" stop-color="#5e9724" />
      <stop offset="1" stop-color="#5e9624" />
    </linearGradient>
    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
      <stop offset="0" stop-color="#0078d4" />
      <stop offset="0.17" stop-color="#1c84dc" />
      <stop offset="0.38" stop-color="#3990e4" />
      <stop offset="0.59" stop-color="#4d99ea" />
      <stop offset="0.8" stop-color="#5a9eee" />
      <stop offset="1" stop-color="#5ea0ef" />
    </linearGradient>
  </defs>
  <title>Icon-general-18</title>
  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg
@ -0,0 +1,3 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
  <path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
 </svg>
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@ -8,7 +8,7 @@ ms.author: v-mathavale
 ms.reviewer: paoloma
 manager: aaroncz
 ms.localizationpriority: medium
-ms.date: 06/21/2022
+ms.date: 10/07/2022
 adobe-target: true
 appliesto:
 - ✅ <b>Windows 11, version 22H2</b>
@ -40,22 +40,36 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
 ## Configure Enhanced Phishing Protection for your organization
-Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP.
-#### [✅ **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**:
 |Setting|Description|
 |---------|---------|
 |Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<li> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.</li><li> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.</li>|
 |Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
 |Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
 |Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
 Assign the policy to a security group that contains as members the devices or users that you want to configure.
 #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
 |Setting|Description|
 |---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<br><br> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.<br><br> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.<li> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.</li><li> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.</li>|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. <br><br>If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. <br><br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.<br> <br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
-#### [✅ **CSP**](#tab/csp)
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
-Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].
 | Setting                 | OMA-URI                                                                   | Data type |
 |-------------------------|---------------------------------------------------------------------------|-----------|
@ -70,9 +84,18 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](
 By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.  
-To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
-#### [✅ **GPO**](#tab/gpo)
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 |Settings catalog element|Recommendation|
 |---------|---------|
 |Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
 |Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
 |Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
 |Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
 #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 |Group Policy setting|Recommendation|
 |---------|---------|
@ -81,7 +104,7 @@ To better help you protect your organization, we recommend turning on and using
 |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
 |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
-#### [✅ **CSP**](#tab/csp)
+#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
 |MDM setting|Recommendation|
 |---------|---------|
@ -99,3 +122,9 @@ To better help you protect your organization, we recommend turning on and using
 - [Threat protection](../index.md)
 - [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
 - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
 ------------
 [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
 [MEM-2]: /mem/intune/configuration/settings-catalog
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@ -6,11 +6,11 @@ ms.prod: m365-security
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: jogeurte
+ms.reviewer: aaroncz
 ms.author: jogeurte
 ms.manager: jsuther
 manager: dansimp
-ms.date: 03/08/2022
+ms.date: 10/06/2022
 ms.technology: windows-sec
 ms.topic: article
 ms.localizationpriority: medium
@ -27,13 +27,15 @@ ms.localizationpriority: medium
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
+This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
 > [!NOTE]
 > To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
 ## Deploying policies for Windows 10 version 1903 and above
 You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
 1. Initialize the variables to be used by the script.
    ```powershell
@ -49,7 +51,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
   Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
   ```
-3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.
+3. Repeat steps 1-2 as appropriate to deploy more WDAC policies.
 4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.
   ```powershell
@ -82,7 +84,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
 In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 
-1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: 
+1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: 
    ```powershell
   $MountPoint = 'C:\EFIMount'
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.technology: windows-sec
 ---
@ -31,13 +31,17 @@ ms.technology: windows-sec
 >
 > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
-Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
+Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. 
 You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
 The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
 To deploy and manage a Windows Defender Application Control policy with Group Policy:
 1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
-2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
+2. Create a new GPO: right-click an OU and then select **Create a GPO in this domain, and Link it here**.
   > [!NOTE]
   > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).
@ -46,15 +50,15 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 3. Name the new GPO. You can choose any name.
-4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then select **Edit**.
    ![Edit the Group Policy for Windows Defender Application Control.](../images/wdac-edit-gp.png)
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
-    In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with ContosoPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\ContosoPolicy.bin.
+    In this policy setting, you specify either the local path where the policy will exist on each client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, the path to SiPolicy.p7b using the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) would be %USERPROFILE%\Desktop\SiPolicy.p7b.
    > [!NOTE]
    > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
@ -62,6 +66,6 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
    ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)
    > [!NOTE]
-    > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+    > You may have noticed that the GPO setting references a .p7b file, but the file extension and name of the policy binary do not matter. Regardless of what you name your policy binary, they are all converted to SIPolicy.p7b when applied to the client computers running Windows 10. If you are deploying different WDAC policies to different sets of devices, you may want to give each of your WDAC policies a friendly name and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
 7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@ -6,10 +6,10 @@ ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.topic: how-to
 ---
@ -48,19 +48,17 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
 > [!NOTE]
 > Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
 You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
 ### Deploy custom WDAC policies on Windows 10 1903+
 Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies.
 The steps to use Intune's custom OMA-URI functionality are:
-1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
+1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
-2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
    - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
    - **Data type**: Base64 (file)
    - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@ -11,9 +11,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jgeurten
-ms.reviewer: isbrahm
+ms.reviewer: aaroncz
 ms.author: dansimp
 manager: dansimp
 ms.date: 10/07/2022
 ---
 # Microsoft recommended driver block rules
@ -25,36 +26,32 @@ manager: dansimp
 - Windows Server 2016 and above
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers. When vulnerabilities in drivers are found, we work with our partners to ensure they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
 - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
 - Malicious behaviors (malware) or certificates used to sign malware
 - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
 ](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
 ## Microsoft vulnerable driver blocklist
 <!-- MAXADO-6286432 -->
-Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
+With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. The vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by-default for most new Windows 11 devices.
 | Condition | Windows 10 or 11 | Windows 11 22H2 or later |
 |--|:--:|:--:|
 | Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
 | Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
 | Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
 | Clean install of Windows | :x: | :heavy_check_mark: |
 > [!NOTE]
-> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+> The option to turn Microsoft's vulnerable driver blocklist on or off using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
 The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.
 Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
 ## Blocking vulnerable drivers using WDAC
-Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
 > [!IMPORTANT]
 > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
@ -78,6 +75,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Disabled:Script Enforcement</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Update Policy No Reboot</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
@ -401,7 +404,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
    <Deny ID="ID_DENY_MHYPROT2_1A" FriendlyName="mhyprot2.sys\B8B94C2646B62F6AC08F16514B6EFAA9866AA3C581E4C0435A7AEAFE569B2418 Hash Sha256" Hash="8CED17D1EE92AE72749AFDFE40F5029223D97F0F977E718BD5AB1242D1FF7CB5" />
    <Deny ID="ID_DENY_MHYPROT2_1B" FriendlyName="mhyprot2.sys\B8B94C2646B62F6AC08F16514B6EFAA9866AA3C581E4C0435A7AEAFE569B2418 Hash Page Sha1" Hash="1C843C256936E700CEDE3DD444E1B6714EFF4E8B" />
    <Deny ID="ID_DENY_MHYPROT2_1C" FriendlyName="mhyprot2.sys\B8B94C2646B62F6AC08F16514B6EFAA9866AA3C581E4C0435A7AEAFE569B2418 Hash Page Sha256" Hash="84516365771430545C4D7D950B0F0699EC1573F316EF787983081F027E8A1FC5" />
-	<Deny ID="ID_DENY_MHYPROT2_21" FriendlyName="mhyprot.sys\69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2 Hash Sha1" Hash="C771EA59F075170E952C393CFD6FC784B265027C" />
+    <Deny ID="ID_DENY_MHYPROT2_21" FriendlyName="mhyprot.sys\69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2 Hash Sha1" Hash="C771EA59F075170E952C393CFD6FC784B265027C" />
    <Deny ID="ID_DENY_MHYPROT2_22" FriendlyName="mhyprot.sys\69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2 Hash Sha256" Hash="39937D239220C1B779D7D55613DE2C0A48BD6E12E0214DA4C65992B96CF591DF" />
    <Deny ID="ID_DENY_MHYPROT2_23" FriendlyName="mhyprot.sys\69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2 Hash Page Sha1" Hash="CB44C6F0EE51CB4C5836499BC61DD6C1FBDF8AA1" />
    <Deny ID="ID_DENY_MHYPROT2_24" FriendlyName="mhyprot.sys\69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2 Hash Page Sha256" Hash="7ED26A593524A2A92FFCFB075A42BB4FA4775FFBF83AF98525244A4710886EAD" />
@ -1800,7 +1803,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1A" />
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1B" />
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_1C" />
-		  <FileRuleRef RuleID="ID_DENY_MHYPROT2_21" />
+          <FileRuleRef RuleID="ID_DENY_MHYPROT2_21" />
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_22" />
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_23" />
          <FileRuleRef RuleID="ID_DENY_MHYPROT2_24" />
@ -2170,11 +2173,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
        <String>10.0.25210.0</String>
      </Value>
    </Setting>
    <Setting Provider="PolicyInfo" Key="NoRevalidationUponRefresh" ValueName="NoRevalidationUponRefreshValue">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </Setting>
  </Settings>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
 </SiPolicy>
@ -2183,8 +2181,29 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
 </details>
 > [!NOTE]
-> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
 ## Steps to download and apply the vulnerable driver blocklist binary
 If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps:
 1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy)
 2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList)
 3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b
 4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
 5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
 To check that the policy was successfully applied on your computer:
 1. Open Event Viewer
 2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
 3. Select **Filter Current Log...**
 4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK
 5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
 > [!NOTE]
 > If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
 ## More information
- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies)
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@ -9,7 +9,7 @@ author: jgeurten
 ms.reviewer: aaroncz
 ms.author: jogeurte
 manager: jsuther
-ms.date: 06/27/2022
+ms.date: 10/06/2022
 ms.topic: overview
 ---
@ -26,9 +26,31 @@ ms.topic: overview
 You should now have one or more Windows Defender Application Control (WDAC) policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
 ## Convert your WDAC policy XML to binary
 Before you deploy your WDAC policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $WDACPolicyXMLFile variable to point to your WDAC policy XML file.
   ```powershell
    ## Update the path to your WDAC policy XML
    $WDACPolicyXMLFile = $env:USERPROFILE"\Desktop\MyWDACPolicy.xml"
    [xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile
    if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022)
    {
        $PolicyID = $WDACPolicy.SiPolicy.PolicyID
        $PolicyBinary = $PolicyID+".cip"
    }
    else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC)
    {
        $PolicyBinary = "SiPolicy.p7b"
    }
    ## Binary file will be written to your desktop
    ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary
   ```
 ## Plan your deployment
-As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you'll manage with Windows Defender Application Control and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
+As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Identify the devices you'll manage with WDAC and split them into deployment rings. This way, you can control the speed and scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
 All Windows Defender Application Control policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.