From 24120f589e9709b5fbd16ff37fc4d148f7297512 Mon Sep 17 00:00:00 2001 From: v-tappelgate <91994953+v-tappelgate@users.noreply.github.com> Date: Wed, 25 May 2022 12:00:33 -0700 Subject: [PATCH 001/142] v-tappelgate-CI-163997 Metadata fix for [CI 163997](https://dev.azure.com/contentidea/ContentIdea/_workitems/edit/163997) --- .../bitlocker/ts-bitlocker-network-unlock-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index df10782087..d10158fc36 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n ms.technology: windows-sec ms.prod: m365-security ms.localizationpriority: medium -author: Teresa-Motiv +author: v-tappelgate ms.author: v-tappelgate manager: kaushika ms.reviewer: kaushika From c51041b06b7d7f0baee15f3c046519363747e5e7 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 25 May 2022 14:29:25 -0700 Subject: [PATCH 002/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0771489578..b26beb9800 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -40,7 +40,7 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
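Review bot: The added doWipe sentence equates a "remote wipe" with "Reset this PC > Remove everything" but does not say whether the drive is cleaned, so a reader can take "wipe" to mean the data is unrecoverable. State in the same sentence which reset options apply (files deleted, drive cleaned or not), or use "reset" rather than "wipe" if no data cleaning is performed.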
@@ -56,9 +56,9 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. From 6b921fcebdd66d577717d10392f442e5de9abc69 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:14:40 -0700 Subject: [PATCH 003/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b26beb9800..9e7ad1053b 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -40,14 +40,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed. +Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
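Review bot: The new last sentence of the doWipe paragraph ("the reset will not automatically be retried") says what does not happen after an interruption but not what state the device is left in. For a lost or stolen device that is the detail an administrator needs, so say whether the pre-reset data is still present after an interrupted doWipe. Separately, in the doWipePersistProvisionedData line, "a remote doWipe reset" uses the node name as an adjective; "a remote reset, as with doWipe," reads more clearly.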
@@ -56,14 +56,14 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. 
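Review bot: In the doWipePersistUserData line, "perform a doWipe remote reset on the device, and persist user accounts and data" contradicts the doWipe definition earlier in this patch, where doWipe is "Reset this PC > Remove everything". Describe this node by what it keeps (a remote reset that keeps user accounts and data) instead of as a doWipe reset. The unchanged context line for doWipeProtected also repeats "will keep trying to reset the device until it's done" in two consecutive sentences and mixes a curly and a straight apostrophe; that can be tightened while this paragraph is being touched.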
From 65fd817caa8451859fb44fdf8a6e728a6666d5bb Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:18:02 -0700 Subject: [PATCH 004/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 9e7ad1053b..b76855bf76 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. ``` From 6159c3367bb3c5745dc3a6962daa0ca81f34fc85 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 Jun 2022 18:57:23 +0300 Subject: [PATCH 005/142] M365 Business Premium update path https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10407 --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2b534e585f..42fc531050 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -30,6 +30,8 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). + The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. See the following topics: From be82ff62eac57144df9429d6bee8bc43bf5c305b Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:32:03 -0700 Subject: [PATCH 006/142] Update remotewipe-csp.md --- .../client-management/mdm/remotewipe-csp.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b76855bf76..c00be2ffd3 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -34,20 +34,23 @@ RemoteWipe ----doWipePersistProvisionedData ----doWipeProtected ----doWipePersistUserData +----doWipeCloud +----doWipeCloudPersistUserData +----doWipeCloudPersistProvisionedData ----AutomaticRedeployment --------doAutomaticRedeployment --------LastError --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. +Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
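Review bot: The replacement text for doWipePersistProvisionedData no longer says that Exec on this node starts a reset; it only says provisioning packages "will be retained and applied to the OS after the reset", which leaves the action itself implied. Keep the statement that a remote reset is started and then add what is retained. The same line is also missing "the" before "ProgramData\Microsoft\Provisioning folder", and the path would read better in code formatting.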
@@ -58,12 +61,21 @@ The information that was backed up will be restored and applied to the device wh **doWipeProtected** Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. 
+ +**DoWipeCloud** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistUserData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistProvisionedData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From 5a0922f0aaddacf3b0abddbfb7822d9cf644326e Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:36:14 -0700 Subject: [PATCH 007/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index c00be2ffd3..71cbd89d31 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -43,14 +43,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. +Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
@@ -66,7 +66,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. From 4dd6d377b583e71ce35a3d0526fcab5d2d5e822a Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:51:06 +0300 Subject: [PATCH 008/142] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 42fc531050..a9a1139765 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -30,7 +30,7 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. From 31a2c426943eae7b1369558d564d8dfef0d824c9 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 09:50:49 +0200 Subject: [PATCH 009/142] #10340 #10340 the feedback was about stressing that a step is not needed for Windows Server 2019. I discovered that this is already mentioned in the article, so I made that statement bold to make it stand out. --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..35d754ebe4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -25,7 +25,9 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. + +**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
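Review bot: The added paragraph is bold from its first word to its last, and the two step names inside it changed from bold to single quotes, so the step names no longer stand out from the sentence around them. Keep **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** in bold as they were in the removed line, and set the sentence apart as a note block rather than bolding all of it.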
From fe0b1343e3c29d31b131c78396dd6c9584f67566 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 10:11:58 +0200 Subject: [PATCH 010/142] #10356 #10356 I followed the discussion on the original post and I implemented these changes accordingly --- .../hello-for-business/hello-cert-trust-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..dc18e09acc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. +6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. 
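Review bot: The parenthetical added to step 6 has two typos: "this the only option" is missing "is", and "for for Windows Server 2016" repeats "for". Suggested wording: "(this is the only option for Windows Server 2016; for Windows Server 2019 and later, this step can also be done under **Computer Configuration**)". The identical sentence is added to step 4 in the second hunk of this patch and needs the same correction.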
@@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. +4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From 14d52784f84f4299207d60613f2914945f51575a Mon Sep 17 00:00:00 2001 From: Florian Stosse Date: Wed, 8 Jun 2022 17:05:19 +0200 Subject: [PATCH 011/142] Fix indentation in XML code block --- .../microsoft-recommended-block-rules.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0fbd505f00..ddc280cfb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + 
@@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp + + + + --> From 8422c4ed7ae744192f99f7ccfb881260fedddc0e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 8 Jun 2022 21:28:21 +0530 Subject: [PATCH 012/142] added curly brackets as per user report #10583, I added curly brackets. but i could not able add the correct screenshot. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8ca6538d48..74765dffac 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -251,7 +251,7 @@ You can use Group Policy to deploy an administrative template policy setting to :::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. :::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: From 76a1a78899f4f14af0caa4ad18efd3fb9fa2524e Mon Sep 17 00:00:00 2001 
From: Mark Renoden Date: Fri, 10 Jun 2022 11:10:50 +1000 Subject: [PATCH 013/142] Update hello-hybrid-cloud-trust.md Adding a clarification for the 2016+ Domain Controller requirements. --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index a86fb2633a..cfc435c989 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -48,6 +48,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. + ## Prerequisites | Requirement | Notes | From 6519ec617ac73aa271cc60b156a0717497feed97 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:22:24 +0500 Subject: [PATCH 014/142] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...defender-application-control-with-dynamic-code-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index b1ace98992..ecf7941e63 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -24,7 +24,7 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. -When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. +When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources (any non-local sources, such as Internet or network share). Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. 
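Review bot: The added parenthetical "(any non-local sources, such as Internet or network share)" defines which loads the policy is applied to, so it needs to be precise, and "non-local" is left undefined. Say what counts as local for this purpose, and fix the grammar of the examples: "such as the internet or a network share".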
@@ -39,4 +39,4 @@ To enable Dynamic Code Security, add the following option to the `` secti -``` \ No newline at end of file +``` From 55e8d06d7f24e423d0b58077342beb178737c5fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:58:59 +0500 Subject: [PATCH 015/142] Update system-failure-recovery-options.md --- .../system-failure-recovery-options.md | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 777b9fa6ec..5ea73e75a2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -184,6 +184,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo - Set the **Overwrite** DWORD value to **0**. +#### Automatic Memory Dump + +The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. + +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). + +To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugInfoType = 7 + ``` + +- Set the **CrashDumpEnabled** DWORD value to **7**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the **DumpFile** Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + +#### Active Memory Dump + +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. 
Because of this filtering, it is typically significantly smaller than a complete memory dump. + +This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). + +To specify that you want to use an active memory dump file, modify the registry value: + +- Set the **CrashDumpEnabled** DWORD value to **1**. +- Set the **FilterPages** DWORD value to **1**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the DumpFile Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + >[!Note] >If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option. 
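Review bot: in the new "Active Memory Dump" section, the link `[Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump)` has no leading slash, unlike the `[Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump)` link added earlier in this hunk, so it resolves relative to the current folder and will not reach the debugger docs. Change the target to `/windows-hardware/drivers/debugger/active-memory-dump`. In the same section, "Set the DumpFile Expandable String Value" drops the bold on **DumpFile** that the Automatic Memory Dump section uses. In both sections the `wmic recoveros set DebugFilePath =` command and the DumpFile step show no path placeholder as rendered here; check that the placeholder is escaped so it survives Markdown rendering.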
@@ -192,6 +249,7 @@ To view system failure and recovery settings for your local computer, type **wmi >[!Note] >To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches. + ### Tips - To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature. @@ -202,4 +260,4 @@ To view system failure and recovery settings for your local computer, type **wmi ## References -[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) \ No newline at end of file +[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) From 6208eafa2a95d677e4dc4786e0f323cda7e73ca3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 13:23:58 +0500 Subject: [PATCH 016/142] Update hello-feature-dynamic-lock.md --- .../hello-for-business/hello-feature-dynamic-lock.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..6f5edfb03b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -25,6 +25,9 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +>[!IMPORTANT] +>The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. + You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: From a16337c48f4ef972dc3b6c937b503f685b879688 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:13 +0500 Subject: [PATCH 017/142] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 5ea73e75a2..8758e25c63 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -186,7 +186,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Automatic Memory Dump -The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. +This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). From f796ba6826e724296c97c01156087fa500963e5b Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:23 +0500 Subject: [PATCH 018/142] Update windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-dynamic-lock.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 6f5edfb03b..cd2812800e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -25,8 +25,8 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. ->[!IMPORTANT] ->The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. +> [!IMPORTANT] +> The feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system is not idle (for example, the intruder got access **before** the Bluetooth signal falls below the limit), it will not be locked. Therefore, the dynamic lock feature is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces the probability of someone gaining access if the user forgets to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. From 165ca3756c3e03ed6f75fd8a60654ad8a9d364a5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:28 +0500 Subject: [PATCH 019/142] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
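Review bot: in hello-feature-dynamic-lock.md (@@ -25,8 +25,8 @@), the last sentence of the reworded IMPORTANT note is still three independent clauses joined by commas ("...is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces..."), and this is the sentence that states the security limitation. Suggest splitting it, for example: "Therefore, the dynamic lock feature is an additional barrier. It does not replace the need for the user to lock the computer; it only reduces the probability of someone gaining access if the user forgets to lock it." The note also depends on "idle" without saying how idle is determined, so define it or link to the definition.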
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 8758e25c63..a69c702060 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -216,7 +216,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Active Memory Dump -An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump. +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). From feabf31b3a21c580174a37b7f3c1e9d4900a7a17 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:32 +0500 Subject: [PATCH 020/142] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index a69c702060..3f77ed5794 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -190,7 +190,7 @@ This is the default option. An Automatic Memory Dump contains the same informati If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). -To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: +To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: - ```cmd wmic recoveros set DebugInfoType = 7 From 670514fa1b5c2eb7750148d930f5284f6818408f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:38 +0500 Subject: [PATCH 021/142] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 3f77ed5794..b1cbad90d2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -218,7 +218,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. -This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). 
To specify that you want to use an active memory dump file, modify the registry value: From 18551c254f1571b2333af303c2a5d86ea8712114 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:10 +0200 Subject: [PATCH 022/142] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index dc18e09acc..8c6cd85e3c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. From 66e81da09ddfc8d17f485cdaf3672a1a4afedae7 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:18 +0200 Subject: [PATCH 023/142] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 8c6cd85e3c..8e344e9b31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From 19119c4179ba728216eb1cd7508f5db8d0fc6095 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:05:52 +0200 Subject: [PATCH 024/142] #10364 #10364 --- .../applocker/script-rules-in-applocker.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 48095da0ce..0daa8696c8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md 
@@ -29,6 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + This topic describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: @@ -46,6 +47,9 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| +>[!NOTE] +>Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. + ## Related topics - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) From b54238312d20f7a29714179d9536fe1bfabd07dc Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:24:06 +0200 Subject: [PATCH 025/142] #10384 #10384 --- ...ty-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index f53a1e1665..a4973e313a 100644 
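Review bot: in script-rules-in-applocker.md (@@ -46,6 +47,9 @@), the added note opens with "Windows Defender Application Control cannot be used to block Powershell scripts" and then switches to "Applocker just forces..." in the next sentence, so it is unclear which product the limitation applies to on a page about AppLocker script rules. Name the product consistently. Because the note tells readers that a script reported as blocked in an 8007 event still runs, back that statement with a link to the supporting documentation and say what administrators should rely on instead. Also fix the casing ("PowerShell", "AppLocker"), join the fragment "After which the script runs." to the preceding sentence, and drop the stray blank line added by the first hunk (@@ -29,6 +29,7 @@).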
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -25,6 +25,9 @@ ms.technology: windows-sec Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + +>[!NOTE] +>To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md) ## Reference The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. From 8c08b60f3ed7a16b4f5dfe6ee98e193671a3a74a Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:26:06 +0200 Subject: [PATCH 026/142] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 35d754ebe4..22b2eb2e66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
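Review bot: in network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md (@@ -25,6 +25,9 @@), the link in the added note points at a GitHub editor URL (`https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/...`), which opens the source file for editing rather than the published article. Link to the published "Remote Desktop - Allow access to your PC" page instead. The note is about allowing inbound Remote Desktop access, while this article covers restricting outgoing NTLM traffic, so add a sentence saying how the two relate or drop the note. The three added lines are a blank line followed by the two note lines, so nothing separates the note from `## Reference`; add a blank line after it.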
@@ -25,7 +25,7 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. **If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** From 1b41f5d390694de82096210c25d07d97d39af19b Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:26:53 +0200 Subject: [PATCH 027/142] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 22b2eb2e66..e1bb8e2f6e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -27,7 +27,8 @@ ms.reviewer: The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. -**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** +> [!NOTE] +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.** Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. From cb967191c257d57de2b1145cf2c732f4f72443af Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Wed, 15 Jun 2022 18:40:23 +0200 Subject: [PATCH 028/142] Set Policy Driven Update path's are wrong All Updates SetPolicyDrivenUpdateSource path's are wrong - there needs an "Updates" added to the settings name. Verified under 21H2 -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update --- .../mdm/policy-csp-update.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 4c9d94d790..b06a5e7de2 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
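Review bot: in hello-cert-trust-validate-ad-prereq.md (@@ -27,7 +27,8 @@), the new note line ends with `steps that follow.**`, a closing bold marker left over from the replaced `**If you already have ...**` paragraph. With the opening `**` gone it will render as literal asterisks. Remove the trailing `**`.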
@@ -3478,7 +3478,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver** +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** The table below shows the applicability of Windows: @@ -3508,9 +3508,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3536,7 +3536,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature** +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** The table below shows the applicability of Windows: @@ -3566,9 +3566,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3594,7 +3594,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOther** +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** The table below shows the applicability of Windows: @@ -3624,9 +3624,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3652,7 +3652,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality** +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** The table below shows the applicability of Windows: @@ -3682,9 +3682,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -4013,4 +4013,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 066609bfd10c47e1cc23c0e9f68e708138f09925 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 11:30:26 -0700 Subject: [PATCH 029/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 71cbd89d31..2888082127 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
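Review bot: in policy-csp-update.md, the hunks at @@ -3566, @@ -3624 and @@ -3682 rename the Feature, Other and Quality policies, but the unchanged description under each one still reads "specify whether to receive Windows Driver Updates", which looks copied from the Driver policy. Since this change already touches all four sections to correct the names, correct the update type in each description as well, and tighten the note's "have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server" to one adverb and "point to". The commit message cites the PolicyManager registry key under 21H2 as verification; listing the four value names seen there would make the rename easy to audit.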
@@ -43,14 +43,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. +Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. +Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. 
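Review bot: the added doWipe paragraph (@@ -43,14 +43,14 @@) has a typo and a run-on in its last two sentences. "roll-back to a the pre-reset state" should read "roll back to the pre-reset state", and "can't be rolled-back" should be "can't be rolled back". Split the final sentence so the consequence stands on its own, for example: "the recovery environment takes no further action. The PC may be left unusable, and Windows will have to be reinstalled." That outcome is what an administrator needs to find quickly when deciding between doWipe and doWipeProtected.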
@@ -59,7 +59,7 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. 
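Review bot: the clause added to doWipeProtected, "but not whether the reset was successful", applies equally to the other Exec nodes, yet doWipe (previous hunk) and doWipePersistUserData still say only that the status code shows whether the device accepted the Exec command. Add the same qualifier to those nodes, or state it once for the whole CSP, so that an accepted Exec on doWipe is not read as confirmation that a lost or stolen device was actually reset. Minor: the context line "The doWipeProtected is functionally similar to doWipe" should drop the article.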
@@ -69,13 +69,13 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistUserData** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistProvisionedData** -Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. +Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From fb363499e1141883d3695d30d55cc6d95138d517 Mon Sep 17 00:00:00 2001 
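Review bot: in the @@ -69,13 +69,13 @@ hunk, the three added descriptions for DoWipeCloud, DoWipeCloudPersistUserData and DoWipeCloudPersistProvisionedData are word-for-word identical, so the page never says what the two Persist variants keep. Describe the persisted data for each, following the wording already used for doWipePersistUserData and doWipePersistProvisionedData, and state the supported operation. The service is also named two ways in one sentence ("Windows update", then "Microsoft update") where the removed line had "Windows Update", and "PC’s" uses a curly apostrophe.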
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 11:35:26 -0700 Subject: [PATCH 030/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 2888082127..0640cf4d61 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -69,12 +69,15 @@ Supported operation is Exec. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistUserData** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **DoWipeCloudPersistProvisionedData** + Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. **AutomaticRedeployment** From 56572199ae847849f2b70e054d13a6731e205359 Mon Sep 17 00:00:00 2001 
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 12:14:07 -0700 Subject: [PATCH 031/142] spaces --- windows/client-management/mdm/remotewipe-csp.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0640cf4d61..9b8ae699d8 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -27,6 +27,7 @@ The table below shows the applicability of Windows: The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. + ``` ./Vendor/MSFT RemoteWipe @@ -42,6 +43,7 @@ RemoteWipe --------LastError --------Status ``` + **doWipe** Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to a the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled. From 474bde92dcfbcb73e1f87e5c2c70dc8be1db16d6 Mon Sep 17 00:00:00 2001 
From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 12:17:18 -0700 Subject: [PATCH 032/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 9b8ae699d8..88c970beb9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -70,18 +70,6 @@ Supported operation is Exec. **doWipePersistUserData** Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. -**DoWipeCloud** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - -**DoWipeCloudPersistUserData** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - -**DoWipeCloudPersistProvisionedData** - -Added in Windows 11, version 22H2. Performs a DoWipe remote reset, but downloads the OS payload from Windows update instead of using the local PC’s Windows Component store. The payload downloaded from Microsoft update will be used to reset the PC to the same version of Windows as it was pre-reset. - **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From fd097900698f34d59451aea4f3633088cbc32678 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 15 Jun 2022 14:02:47 -0700 Subject: [PATCH 033/142] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 88c970beb9..4eb9ed7a1d 100644 
--- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -35,9 +35,6 @@ RemoteWipe ----doWipePersistProvisionedData ----doWipeProtected ----doWipePersistUserData -----doWipeCloud -----doWipeCloudPersistUserData -----doWipeCloudPersistProvisionedData ----AutomaticRedeployment --------doAutomaticRedeployment --------LastError From c20c99a86a0e3ee86a6b3ffff72c6b75593e2ff0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:27:05 -0700 Subject: [PATCH 034/142] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index b06a5e7de2..cce978a298 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 03/18/2022 +ms.date: 06/15/2022 ms.reviewer: manager: dansimp ms.collection: highpri From 6d075ad8eb48607df0038b9de7a12fc20bd3f4f7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:33:16 -0700 Subject: [PATCH 035/142] Update network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md --- ...estrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index a4973e313a..9453c4b573 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- @@ -26,8 +26,9 @@ ms.technology: windows-sec Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. ->[!NOTE] ->To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md) +> [!NOTE] +> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access) + ## Reference The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. From 1c082992e615bdf995feec9306d0086ef644dbd9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:36:26 -0700 Subject: [PATCH 036/142] Update script-rules-in-applocker.md --- .../applocker/script-rules-in-applocker.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 0daa8696c8..a39cc39fd3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- 
@@ -26,30 +26,30 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic describes the file formats and available default rules for the script rule collection. +This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: -- .ps1 -- .bat -- .cmd -- .vbs -- .js +- `.ps1` +- `.bat` +- `.cmd` +- `.vbs` +- `.js` The following table lists the default rules that are available for the script rule collection. 
| Purpose | Name | User | Rule condition type | | - | - | - | - | -| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| ->[!NOTE] ->Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. +> [!NOTE] +> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. -## Related topics +## Related articles - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) From dffa3bc0c690f37e84768882928ceb21819a00f1 Mon Sep 17 00:00:00 2001 
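Review bot: in script-rules-in-applocker.md (@@ -26,30 +26,30 @@), the first table row changes the rule condition from "Path: *" to "Path: `*\`", which alters the documented value instead of only adding code formatting; the other two rows keep their original text inside the backticks. Unless the default rule for BUILTIN\Administrators is meant to be documented as `*\`, this cell should be `*` in backticks. A default-rule path is something readers copy into policy reviews, so the value must match the removed line exactly.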
From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:37:23 -0700 Subject: [PATCH 037/142] Update script-rules-in-applocker.md --- .../applocker/script-rules-in-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index a39cc39fd3..14bf0eec35 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| > [!NOTE] -> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. +> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. ## Related articles From a317f8cb080e88fd35fa7daccf51ca6eaa9cff7b Mon Sep 17 00:00:00 2001 
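Review bot: the rewritten note line in script-rules-in-applocker.md (@@ -48,7 +48,7 @@) fixes the casing of PowerShell but leaves "Applocker" in "Applocker just forces PowerShell scripts", while the next sentence uses "AppLocker". The first sentence also names Windows Defender Application Control where the rest of the note is about AppLocker; confirm which product the "cannot be used to block" statement is meant for, because readers will rely on this note when deciding whether an 8007 event indicates that a script was stopped.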
From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:40:56 -0700 Subject: [PATCH 038/142] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 6b32d76c52..3720558b80 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 09/23/2021 +ms.date: 06/15/2022 ms.technology: windows-sec --- From 46e8636041b5f7d37ba9f0a16d005fdb1ba0b836 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 16 Jun 2022 05:58:39 +0500 Subject: [PATCH 039/142] Update policy-csp-newsandinterests.md --- .../mdm/policy-csp-newsandinterests.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 5d8350eed5..6eb42f6671 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md 
@@ -34,11 +34,11 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|Yes| |Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
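Review bot: this hunk flips the Windows 10 column from Yes to No for Pro, Business, Enterprise and Education, but the commit message is only "Update policy-csp-newsandinterests.md" and gives no basis for the change. An applicability change across four editions needs its source in the commit message (the build it was tested on, or the issue that reported it), so a later reader can tell a correction from an accidental edit.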
@@ -83,4 +83,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From f622faf1f8130332b2c5da457dd5b01295398c7d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 16 Jun 2022 06:49:21 +0500 Subject: [PATCH 040/142] Update interactive-logon-do-not-require-ctrl-alt-del.md --- .../interactive-logon-do-not-require-ctrl-alt-del.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 4131998946..867bda657e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. +>[!NOTE] +>When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well. + ### Possible values - Enabled From 309b18cc5b7ede21c2f6e2fe776d4832ff50d6eb Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 09:58:39 +0500 Subject: [PATCH 041/142] Update edit-an-applocker-policy.md --- .../applocker/edit-an-applocker-policy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 811e3ab499..7c697728f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy: - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) ## Editing an AppLocker policy by using Mobile Device Management (MDM) +If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node. +For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). ## Editing an AppLocker policy by using Group Policy From 50e6636ce877b0d0c658c71a17ef2bfc274718bf Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 14:59:30 +0500 Subject: [PATCH 042/142] Update kernel-dma-protection-for-thunderbolt.md --- .../kernel-dma-protection-for-thunderbolt.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 1d0b0ea803..400250bf8d 100644 
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -92,7 +92,10 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Reboot system into Windows. >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. + + >[!NOTE] + > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. From 4bc96cd544f814598bb6dc2ab7fae500c5e29691 Mon Sep 17 00:00:00 2001 
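Review bot: in the first added note of kernel-dma-protection-for-thunderbolt.md (@@ -92,7 +92,10 @@), "**A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list" is hard to parse. Drop "entity" and recast it as "the message ... is shown at the bottom of the list". The value also changes from "Yes" in the removed line to "YES" in the added one; keep one form throughout the step.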
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 15:01:19 +0500 Subject: [PATCH 043/142] Update windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../interactive-logon-do-not-require-ctrl-alt-del.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 867bda657e..028bd47b3f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -36,8 +36,8 @@ Microsoft developed this feature to make it easier for users with certain types A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. ->[!NOTE] ->When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well. +> [!NOTE] +> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well. ### Possible values 
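Review bot: the added note in interactive-logon-do-not-require-ctrl-alt-del.md fixes "need" to "needs" but keeps the comma splice and an ambiguous "its value". In "it is not enough to set its value to **Not defined**, this registry value needs to be removed as well", "its" reads as the registry value when the policy setting is meant. Suggest: "setting the policy to **Not defined** is not enough; the **DisableCAD** registry value must also be removed." It would also help to say what data the value holds once the policy is defined, so an administrator can tell a leftover value from an intended one.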
From feb179fa52f5a26b848e00cf31c29dd10bd6b16d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 15:02:30 +0500 Subject: [PATCH 044/142] Update windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/edit-an-applocker-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 7c697728f5..b96a2525dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -40,7 +40,7 @@ There are three methods you can use to edit an AppLocker policy: - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) ## Editing an AppLocker policy by using Mobile Device Management (MDM) -If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node. +If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node. For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). From 169ea53d8cd1f089ba8abcdfc0d30637d1ef47eb Mon Sep 17 00:00:00 2001 
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 17:28:07 +0300 Subject: [PATCH 045/142] add more info about localization https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10485 --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 0d89ad7be7..eaee452ae3 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -560,6 +560,9 @@ Some properties to use in the MDT Production rules file are as follows: - **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). - **EventService.** Activates logging information to the MDT monitoring web service. +>[!NOTE] +>For more details about localization support, please check the [MDT sample guide](https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). + ### Optional deployment share configuration If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. From cd92ea62a5d5291ffadbaa6a8666b9c240ecf162 Mon Sep 17 00:00:00 2001 
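Review bot: in the added note of deploy-a-windows-10-image-using-mdt.md, the "Language Codes" link and the "Time Zone Index Values" link point to the same URL (both end in `6c085406-a698-4e12-9d4d-c3b0ee3dbc4a`), so at least one of them is wrong; please check each target and fix the mismatched one. The three links are also absolute `https://docs.microsoft.com/en-us/...` URLs, while other pages in this series use site-relative links without a locale (for example `/windows/client-management/mdm/applocker-csp`), and the bare "here" link text should be replaced with the name of the target list.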
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 17:50:41 +0300 Subject: [PATCH 046/142] add note https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10496 --- windows/deployment/update/waas-configure-wufb.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 1918ed5246..300c877a7f 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -25,6 +25,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> Note that Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. + You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] From c28edafe56d4c3b4616745b121207b3e91b3a234 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 17 Jun 2022 18:27:08 +0300 Subject: [PATCH 047/142] update table https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10499 --- .../upgrade/windows-10-edition-upgrades.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index fee71f1399..4ade882a85 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md 
@@ -147,15 +147,19 @@ S = Supported; Not considered a downgrade or an upgrade **Destination Edition: (Starting)** -|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise| -|--- |--- |--- |--- |--- |--- |--- |--- | -|Home|||||||| -|Pro|||||||| -|Pro for Workstations|||||||| -|Pro Education|||||||| -|Education||✔|✔|✔|||S| -|Enterprise LTSC|||||||| -|Enterprise||✔|✔|✔|S||| +![Supported downgrade path.](../images/check_grn.png) (green checkmark) = Supported downgrade path
+![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) (blue checkmark) = Not considered a downgrade or an upgrade
+![not supported.](../images/x_blk.png) (X) = not supported or not a downgrade
+ +| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** | +|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- | +| **Home** | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro** | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Pro Education** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | +| **Education** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) 
| ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | +| **Enterprise LTSC** | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | +| **Enterprise** | ![not supported.](../images/x_blk.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported downgrade path.](../images/check_grn.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | ![not supported.](../images/x_blk.png) | ![Supported; Not considered a downgrade or an upgrade.](../images/check_blu.png) | > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. From 550ba579b43cbd2c7b38d660b969d5e6a13a5e54 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 18 Jun 2022 08:31:13 +0530 Subject: [PATCH 048/142] added latest adobe version this is my own PR , I added the latest version 2200120142 of adobe reader in this article. main article link **https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt** --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 0d89ad7be7..2adf9acbd1 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. From a710084b28d6ff1b8c2d7960c9a91a51d23dda59 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:30:14 +0500 Subject: [PATCH 049/142] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 400250bf8d..6a487163f9 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -92,7 +92,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Reboot system into Windows. >[!NOTE] - > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. + > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. >[!NOTE] > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). From 744379863d5164ea3c894ca9f43f2815116cac9a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:30:26 +0500 Subject: [PATCH 050/142] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 6a487163f9..80250e13f2 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -94,7 +94,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to >[!NOTE] > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. - >[!NOTE] + > [!NOTE] > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. From e3b3a40d6ff1b08902a20f607297e2fb642c1080 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:31:32 +0500 Subject: [PATCH 051/142] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 80250e13f2..4460e09f34 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -91,7 +91,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows. - >[!NOTE] + > [!NOTE] > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. > [!NOTE] From c92a5e0e6927081ff6c4f963d4beee47521bb90a Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:34 +0200 Subject: [PATCH 052/142] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index cce978a298..77f35e5754 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3687,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From 845f03172dc8cfbb78731eff710342ad47f9b818 Mon Sep 17 00:00:00 2001 
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:42 +0200 Subject: [PATCH 053/142] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 77f35e5754..2ab0e8e657 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3571,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From 3d016d5abd51705d4912cb852840328a6c84c8b5 Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:50 +0200 Subject: [PATCH 054/142] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 2ab0e8e657..04dd37b084 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -3629,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From aca0ce5659c2e9eb95dfd090261b1062c6fe0ab1 Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:57 +0200 Subject: [PATCH 055/142] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 04dd37b084..69a315b2b4 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3513,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From cb60adb6ec249e8505f14e6ec3efe0c4f247429b Mon Sep 17 00:00:00 2001 
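Review bot: the corrected sentence in policy-csp-update.md still says "have not properly configured Update/UpdateServiceUrl correctly", which repeats the same qualifier twice; drop one of them, for example "If you have not configured Update/UpdateServiceUrl to point to your WSUS server, this policy will have no effect." The same sentence is changed in four separate hunks at lines 3513, 3571, 3629 and 3687, so the wording should be fixed identically in all four, ideally in a single commit.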
From: Jitin Mathew Date: Mon, 20 Jun 2022 19:41:45 +0530 Subject: [PATCH 056/142] Updated-6020449-B2 Bulk metadata update. --- .../identity-protection/access-control/access-control.md | 4 ---- .../access-control/active-directory-accounts.md | 4 ---- .../access-control/active-directory-security-groups.md | 4 ---- .../access-control/dynamic-access-control.md | 4 ---- .../identity-protection/access-control/local-accounts.md | 4 ---- .../access-control/microsoft-accounts.md | 4 ---- .../access-control/security-identifiers.md | 4 ---- .../access-control/security-principals.md | 4 ---- .../identity-protection/access-control/service-accounts.md | 4 ---- .../access-control/special-identities.md | 4 ---- .../credential-guard/additional-mitigations.md | 4 ---- .../credential-guard/credential-guard-considerations.md | 4 ---- .../credential-guard/credential-guard-how-it-works.md | 4 ---- .../credential-guard/credential-guard-known-issues.md | 4 ---- .../credential-guard/credential-guard-manage.md | 4 ---- .../credential-guard-not-protected-scenarios.md | 4 ---- .../credential-guard/credential-guard-protection-limits.md | 4 ---- .../credential-guard/credential-guard-requirements.md | 4 ---- .../credential-guard/credential-guard-scripts.md | 4 ---- .../credential-guard/credential-guard.md | 5 ----- .../credential-guard/dg-readiness-tool.md | 4 ---- .../identity-protection/hello-for-business/WebAuthnAPIs.md | 4 ---- .../hello-for-business/feature-multifactor-unlock.md | 5 ----- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 5 ----- .../hello-for-business/hello-adequate-domain-controllers.md | 5 ----- .../hello-for-business/hello-and-password-changes.md | 5 ----- .../hello-for-business/hello-biometrics-in-enterprise.md | 6 ------ .../hello-for-business/hello-cert-trust-adfs.md | 5 ----- .../hello-for-business/hello-cert-trust-policy-settings.md | 5 ----- .../hello-cert-trust-validate-ad-prereq.md | 5 ----- .../hello-cert-trust-validate-deploy-mfa.md | 5 ----- 
.../hello-for-business/hello-cert-trust-validate-pki.md | 5 ----- .../hello-for-business/hello-deployment-cert-trust.md | 5 ----- .../hello-for-business/hello-deployment-guide.md | 5 ----- .../hello-for-business/hello-deployment-issues.md | 5 ----- .../hello-for-business/hello-deployment-key-trust.md | 5 ----- .../hello-for-business/hello-deployment-rdp-certs.md | 5 ----- .../hello-for-business/hello-errors-during-pin-creation.md | 6 ------ .../hello-for-business/hello-event-300.md | 6 ------ .../hello-for-business/hello-feature-conditional-access.md | 5 ----- .../hello-for-business/hello-feature-dual-enrollment.md | 5 ----- .../hello-for-business/hello-feature-dynamic-lock.md | 5 ----- .../hello-for-business/hello-feature-pin-reset.md | 5 ----- .../hello-for-business/hello-feature-remote-desktop.md | 5 ----- .../hello-for-business/hello-how-it-works-authentication.md | 4 ---- .../hello-for-business/hello-how-it-works-provisioning.md | 4 ---- .../hello-for-business/hello-how-it-works-technology.md | 4 ---- .../hello-for-business/hello-how-it-works.md | 4 ---- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 5 ----- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 5 ----- .../hello-for-business/hello-hybrid-aadj-sso.md | 5 ----- .../hello-for-business/hello-hybrid-cert-new-install.md | 5 ----- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 5 ----- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 ----- .../hello-for-business/hello-hybrid-cert-trust.md | 5 ----- .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 5 ----- .../hello-hybrid-cert-whfb-settings-ad.md | 5 ----- .../hello-hybrid-cert-whfb-settings-adfs.md | 5 ----- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 5 ----- .../hello-hybrid-cert-whfb-settings-pki.md | 5 ----- .../hello-hybrid-cert-whfb-settings-policy.md | 5 ----- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 5 ----- .../hello-for-business/hello-hybrid-cloud-trust.md | 5 ----- 
.../hello-for-business/hello-hybrid-key-new-install.md | 5 ----- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 5 ----- .../hello-for-business/hello-hybrid-key-trust-dirsync.md | 5 ----- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 5 ----- .../hello-for-business/hello-hybrid-key-trust.md | 5 ----- .../hello-for-business/hello-hybrid-key-whfb-provision.md | 5 ----- .../hello-for-business/hello-hybrid-key-whfb-settings-ad.md | 5 ----- .../hello-hybrid-key-whfb-settings-dir-sync.md | 5 ----- .../hello-hybrid-key-whfb-settings-pki.md | 5 ----- .../hello-hybrid-key-whfb-settings-policy.md | 5 ----- .../hello-for-business/hello-hybrid-key-whfb-settings.md | 5 ----- .../hello-for-business/hello-identity-verification.md | 6 ------ .../hello-for-business/hello-key-trust-adfs.md | 5 ----- .../hello-for-business/hello-key-trust-policy-settings.md | 5 ----- .../hello-key-trust-validate-ad-prereq.md | 5 ----- .../hello-key-trust-validate-deploy-mfa.md | 5 ----- .../hello-for-business/hello-key-trust-validate-pki.md | 5 ----- .../hello-for-business/hello-manage-in-organization.md | 6 ------ .../hello-for-business/hello-overview.md | 5 ----- .../hello-for-business/hello-planning-guide.md | 5 ----- .../hello-for-business/hello-prepare-people-to-use.md | 6 ------ .../identity-protection/hello-for-business/hello-videos.md | 5 ----- .../hello-why-pin-is-better-than-password.md | 6 ------ .../hello-for-business/microsoft-compatible-security-key.md | 5 ----- .../hello-for-business/reset-security-key.md | 5 ----- .../hello-for-business/retired/hello-how-it-works.md | 3 --- .../smart-cards/smart-card-and-remote-desktop-services.md | 4 ---- .../smart-cards/smart-card-architecture.md | 4 ---- .../smart-card-certificate-propagation-service.md | 4 ---- .../smart-card-certificate-requirements-and-enumeration.md | 4 ---- .../smart-cards/smart-card-debugging-information.md | 4 ---- .../identity-protection/smart-cards/smart-card-events.md | 4 ---- 
.../smart-card-group-policy-and-registry-settings.md | 4 ---- .../smart-card-how-smart-card-sign-in-works-in-windows.md | 4 ---- .../smart-cards/smart-card-removal-policy-service.md | 4 ---- .../smart-card-smart-cards-for-windows-service.md | 4 ---- 99 files changed, 465 deletions(-) diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 2ba26987bb..2dfc4dc841 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -2,10 +2,6 @@ title: Access Control Overview (Windows 10) description: Access Control Overview ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index f2d6c64736..404f1abb50 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -2,10 +2,6 @@ title: Active Directory Accounts (Windows 10) description: Active Directory Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 2ec117c8b9..7a469d0fc0 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md 
@@ -2,10 +2,6 @@ title: Active Directory Security Groups description: Active Directory Security Groups ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md index c68a4e721f..b19feb4975 100644 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ b/windows/security/identity-protection/access-control/dynamic-access-control.md @@ -2,10 +2,6 @@ title: Dynamic Access Control Overview (Windows 10) description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 655ef0f5b4..654b12daed 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -2,10 +2,6 @@ title: Local Accounts (Windows 10) description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 992afda9d6..7d9575a8f4 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md 
+++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -2,10 +2,6 @@ title: Microsoft Accounts (Windows 10) description: Microsoft Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 8564378d9c..eebc241c56 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -2,10 +2,6 @@ title: Security identifiers (Windows 10) description: Security identifiers ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md index d6bdc4569e..3120899040 100644 --- a/windows/security/identity-protection/access-control/security-principals.md +++ b/windows/security/identity-protection/access-control/security-principals.md @@ -2,10 +2,6 @@ title: Security Principals (Windows 10) description: Security Principals ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index 2614ab30e4..cd6db0f4f7 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md 
@@ -2,10 +2,6 @@ title: Service Accounts (Windows 10) description: Service Accounts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index db7379ba1f..82f5cbbcda 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -3,10 +3,6 @@ title: Special Identities (Windows 10) description: Special Identities ms.prod: m365-security ms.technology: windows-sec -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 9ca5657e1d..5be4c34c1e 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -2,11 +2,7 @@ title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index f9dce14935..2634efbb7e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -2,11 +2,7 @@ title: Advice while using Windows Defender Credential Guard (Windows) description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 0d09f98a43..4af6dabc3f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -2,11 +2,7 @@ title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 7d71cc00ce..0d96d6c124 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
@@ -2,11 +2,7 @@ title: Windows Defender Credential Guard - Known issues (Windows) description: Windows Defender Credential Guard - Known issues in Windows Enterprise ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b63bf80703..1091223def 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -2,11 +2,7 @@ title: Manage Windows Defender Credential Guard (Windows) description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: v-tappelgate manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 170018c2c2..fba979bcbb 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md 
@@ -2,11 +2,7 @@ title: Windows Defender Credential Guard protection limits & mitigations (Windows) description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 9cab64d757..ca22714733 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -2,11 +2,7 @@ title: Windows Defender Credential Guard protection limits (Windows) description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 4762a25d8b..cd0217dffe 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md 
@@ -2,11 +2,7 @@ title: Windows Defender Credential Guard Requirements (Windows) description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 709bc9de64..ac96f2cc37 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -2,11 +2,7 @@ title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dulcemontemayor ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 4153f5223b..1541b47dfd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md 
@@ -1,14 +1,9 @@ --- title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index a3c6d35840..1128ef5604 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -2,11 +2,7 @@ title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: SteveSyfuhs ms.author: stsyfuhs manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md index 9b8365686e..af4b0207cd 100644 --- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md @@ -2,10 +2,6 @@ title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index bb8984236d..46c5ce15d2 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,12 +1,7 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 0ea88cb07e..a22fdc4c4b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,12 +1,7 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -keywords: identity, Hello, Active Directory, cloud, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index cbaecf9da3..201f155223 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,12 +1,7 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index ce4fee62d1..409d7ad594 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,13 +1,8 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index fb5244ee95..1b7fc74348 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,13 +1,7 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: Windows Hello, enterprise biometrics ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index c9023f3eab..7c1152e8bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,12 +1,7 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..d1a9db8854 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -1,12 +1,7 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..13a1157148 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,12 +1,7 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index baa09b6712..865759bf10 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,12 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 1972c3d210..d6356353aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,12 +1,7 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index ca84dfc5d4..278560bbc5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 1a167b69c6..afe7fdf157 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 0b7c8c940f..47d8b38c53 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -1,13 +1,8 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -keywords: identity, PIN, biometric, Hello, passport params: siblings_only ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 0798dee5a2..280f51120d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 2ce62675f6..5df469ff3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -1,12 +1,7 @@ --- title: Deploying Certificates to Key Trust Users to Enable RDP description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 194607bd44..631d982e36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,13 +1,7 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 -keywords: PIN, error, create a work PIN ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index c5e10be931..3e481d0f4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
@@ -1,14 +1,8 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 ms.reviewer: -keywords: ngc ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index ac9768add5..5dac00754e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,12 +1,7 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 066da6e651..445df8f5a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md 
@@ -1,12 +1,7 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..93301a4171 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,12 +1,7 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 4158e8838a..2ee149c236 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -1,12 +1,7 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. -keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index fc797a8b6e..b622e6277f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,12 +1,7 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 443d3adc15..76b94b5ddb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md 
@@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 96b5a3b434..c81ed991e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index a7e607516e..bd667aac11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works - Technology and Terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 23efa578c0..768b3a0e02 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -2,10 +2,6 @@ title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 2029789901..51f303b2ba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,12 +1,7 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..65b35c88d1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,12 +1,7 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 6d2ac37a80..1acba0f5b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,12 +1,7 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 6de21388aa..546fe98a8e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index c45b19aa4d..2d15af954c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -1,12 +1,7 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6432ef517b..edba57fd05 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index bec180c498..f9c3cf3feb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,12 +1,7 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f3d6ed1281..f6e69dad32 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 94462ebe1d..f8b0c788c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -1,12 +1,7 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, ad ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 93dcb39b92..ed13229f6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -1,12 +1,7 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7ef3176f22..3dea044165 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -1,12 +1,7 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index e6408a1ce4..0a7da03055 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -1,12 +1,7 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index a7bc32dc4c..bba12adf27 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,12 +1,7 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index dcffcfc154..ec22d31a65 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -1,12 +1,7 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index f8d135a315..11fa549fa2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -1,12 +1,7 @@ --- title: Hybrid Cloud Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 4f8c8153c4..66a720d026 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
@@ -1,12 +1,7 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 90cbd52d95..4d064c210c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,12 +1,7 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 705b84df66..299e93c00c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md 
@@ -1,12 +1,7 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 90aaa2b968..0850fae7f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: mapalko ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index db6d3e0a33..833968247b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md 
@@ -1,12 +1,7 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index c7dd159a00..925d6d12e8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 46ba983c83..bbdde28351 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -1,12 +1,7 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index b964f460e9..0ed4142f70 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -1,12 +1,7 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 418298f89e..a43a8e5673 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -1,12 +1,7 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index d98732f5c2..26b31e209b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -1,12 +1,7 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 38b7194d9c..29c29de56f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -1,12 +1,7 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4135615f1c..185768fe63 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,13 +1,7 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index d608421337..d2c141ca3a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -1,12 +1,7 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index b67d63f1b7..5baf31a055 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,12 +1,7 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 2ba08c716b..c8227d9536 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -1,13 +1,8 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile author: GitPrakhar13 -audience: ITPro ms.author: prsriva manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index e0d299b2df..968ae0d5b0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,12 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index debf3022c5..809720fdba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md 
@@ -1,12 +1,7 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 4b44e661ec..c38b18d8a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,13 +1,7 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 86a2a82c99..12ccee58a9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -2,12 +2,7 @@ title: Windows Hello for Business Overview (Windows) ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 7436890316..3212485067 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,12 +1,7 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -keywords: identity, PIN, biometric, Hello, passport ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 8ab37765f1..6b57daee9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
@@ -1,14 +1,8 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B ms.reviewer: -keywords: identity, PIN, biometric, Hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 013f236742..ab3bdc0500 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,12 +1,7 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 6c4c54aee9..ef30d59ed1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -1,13 +1,7 @@ --- title: Why a PIN is better than an online password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . -ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 556f49c888..75645f288d 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,12 +1,7 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -keywords: FIDO2, security key, CTAP, Hello, WHFB ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index 99df1a799a..e2f9b9e978 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md 
@@ -1,12 +1,7 @@ --- title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -keywords: FIDO2, security key, CTAP, Microsoft-compatible security key ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 7a06722124..030af93d47 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -2,9 +2,6 @@ title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: mapalko ms.localizationpriority: high ms.author: mapalko diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 99de6899d4..101b50087d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -2,10 +2,6 @@ title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 3ce6180ae9..ddc63b2e02 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -2,10 +2,6 @@ title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 1ad9d49a24..ad0699cf6a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -2,10 +2,6 @@ title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index eea206d53d..701f3dccd8 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -2,10 +2,6 @@ title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index f557a5a713..50881d1ef8 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -2,10 +2,6 @@ title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 0d7a79fdac..9585fdfb5e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,10 +2,6 @@ title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index a74dfed7b2..897140b630 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -2,10 +2,6 @@ title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index d6656c1427..9fb023c25f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,10 +2,6 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 77c8c9d18b..5757f75aa1 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -2,10 +2,6 @@ title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index 0d26cf1289..0345ccac67 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -2,10 +2,6 @@ title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp From 52eed4d4f58de413208183ef9ec36484f3be2334 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Mon, 20 Jun 2022 20:08:03 +0530 Subject: [PATCH 057/142] Updated-6020449-B2 Articles updated to meet Acrolinx requirements. --- .../credential-guard-considerations.md | 24 +++++++++---------- .../credential-guard-how-it-works.md | 6 ++--- .../credential-guard-protection-limits.md | 12 +++++----- 3 files changed, 21 insertions(+), 21 deletions(-) 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 2634efbb7e..7b1cc141be 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
@@ -22,27 +22,27 @@ ms.reviewer: Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. +Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. ## Wi-fi and VPN Considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. 
Use constrained or resource-based Kerberos delegation instead. ## 3rd Party Security Support Providers Considerations -Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. +Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN. 
## Upgrade Considerations As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. ### Saved Windows Credentials Protected -Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: -* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." +Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. 
Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: +* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed." * Applications that extract Windows credentials fail. -* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. +* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials. ## Clearing TPM Considerations Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. 
@@ -57,17 +57,17 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a > Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager -Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. +Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. ### Domain-joined device’s automatically provisioned public key Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. 
If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). ### Breaking DPAPI on domain-joined devices -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. >[!IMPORTANT] > Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
@@ -75,11 +75,11 @@ Auto VPN configuration is protected with user DPAPI. User may not be able to use If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: |Credential Type | Windows version | Behavior |---|---|---| -| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. | +| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | | Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. | Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. 
@@ -87,7 +87,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. #### Impact of DPAPI failures on Windows Information Protection -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 4af6dabc3f..787063e450 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md 
@@ -21,13 +21,13 @@ ms.reviewer: - Windows Server 2019 -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. 
However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. -When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. +When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index ca22714733..1b47f91c82 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md 
@@ -24,18 +24,18 @@ Some ways to store credentials are not protected by Windows Defender Credential - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. - Key loggers - Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. - Third-party security packages - Digest and CredSSP credentials - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. 
Note that these same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. - Windows logon cached password verifiers (commonly called "cached credentials") -do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. 
They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also From 7be4b3671d0919269331d31a3c1fe7d700fc544f Mon Sep 17 00:00:00 2001 From: "Carlos Mayol (MSFT)" Date: Mon, 20 Jun 2022 18:29:55 -0400 Subject: [PATCH 058/142] Update enable-virtualization-based-protection-of-code-integrity.md Add GMET along with MBEC Using acronym instead of full name to align with other features references in the code --- ...nable-virtualization-based-protection-of-code-integrity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 4a0981cf1f..5d9db2a678 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -223,7 +223,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is available. **5.** | If present, NX protections are available. **6.** | If present, SMM mitigations are available. -**7.** | If present, Mode Based Execution Control is available. +**7.** | If present, MBEC/GMET is available. **8.** | If present, APIC virtualization is available. #### InstanceIdentifier 
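Review bot: In the `@@ -24,18 +24,18 @@` hunk of credential-guard-protection-limits.md, the rewritten "Supplied credentials for NTLM authentication" bullet still ends with a stray hyphen ("as well.-"), carried over unchanged from the removed line. Drop the trailing "-" while the line is being touched. The same bullet keeps "vulnerable to be read from LSASS memory"; "can be read from LSASS memory" would read more cleanly.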
@@ -243,7 +243,7 @@ Value | Description **4.** | If present, Secure Memory Overwrite is needed. **5.** | If present, NX protections are needed. **6.** | If present, SMM mitigations are needed. -**7.** | If present, Mode Based Execution Control is needed. +**7.** | If present, MBEC/GMET is needed. #### SecurityServicesConfigured From 343e3e03271253e6f4862c60d2a8012164c71577 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 21 Jun 2022 09:20:55 +0200 Subject: [PATCH 059/142] Update filter-origin-documentation.md Changed the internal Windows code name 'Iron' to publicly known names Windows Server 2022 and Windows 11 (although 11 is Co already) --- .../windows-firewall/filter-origin-documentation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index ad4e1359c3..9ecf89d162 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -48,7 +48,7 @@ The blocking filters can be categorized under these filter origins: g. Windows Service Hardening (WSH) default -The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release. +The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. ## Improved firewall audit From 84a24e22fe5813735ed70afe737ceb54391e1e11 Mon Sep 17 00:00:00 2001 
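Review bot: In enable-virtualization-based-protection-of-code-integrity.md, row **7.** of both tables (the "available" hunk at line 223 and the "needed" hunk at line 243) now reads "MBEC/GMET" with neither acronym expanded, so the only spelled-out name the reader had, "Mode Based Execution Control", is lost. Suggest expanding on first use in each table, for example "Mode Based Execution Control (MBEC) / Guest Mode Execute Trap (GMET)", so an admin comparing these values against hardware documentation can tell which CPU feature the bit refers to.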
From: Michael Nady Date: Tue, 21 Jun 2022 12:09:09 +0200 Subject: [PATCH 060/142] #10420 #10420 --- ...trict-ntlm-audit-ntlm-authentication-in-this-domain.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index bdbf0e528d..725d0aaed2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -47,9 +47,13 @@ When you enable this audit policy, it functions in the same way as the **Network The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. -- Not defined +- **Enable for domain servers** - This is the same as **Disable** and results in no auditing of NTLM traffic. + The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**. + +- **Enable all** + + The domain controlleron which this policy is set will log all events for incoming NTLM traffic. ### Best practices From 5a171c035ff28ce31c70fd203886eeaa7dc5badb Mon Sep 17 00:00:00 2001 
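Review bot: In the `@@ -47,9 +47,13 @@` hunk of network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md, the added **Enable all** description is missing a space ("The domain controlleron which this policy is set"), and the hunk deletes the **Not defined** entry together with its explanation that it is the same as **Disable** and results in no auditing of NTLM traffic. If **Not defined** is still a valid value for this policy, keep that entry after **Enable all**, since it tells the reader that an unconfigured setting produces no NTLM audit events. The subject "#10420" also gives no summary of what the commit changes.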
From: Michael Nady Date: Tue, 21 Jun 2022 12:10:35 +0200 Subject: [PATCH 061/142] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index e1bb8e2f6e..9174af8148 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -28,7 +28,7 @@ ms.reviewer: The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] -> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.** +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
From eea3f1f959aebf019324d8c95d4975c8a4c6b5e3 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 21 Jun 2022 12:13:34 +0200 Subject: [PATCH 062/142] Update windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/script-rules-in-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 14bf0eec35..aee609a7fd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| > [!NOTE] -> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. +> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. ## Related articles From 7ba112e7445142bc6fd2b9e2a8023fbb7259c94b Mon Sep 17 00:00:00 2001 
From: Michael Nady Date: Tue, 21 Jun 2022 12:14:03 +0200 Subject: [PATCH 063/142] Update windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 9453c4b573..f4c0cda9aa 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, management aspects, and security > [!NOTE] -> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access) +> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access). ## Reference From 8015224337f81b26139f27c438ffcaa9f5162e1a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 10:40:44 +0500 Subject: [PATCH 064/142] Update hello-hybrid-aadj-sso-cert.md --- .../hello-hybrid-aadj-sso-cert.md | 134 +----------------- 1 file changed, 7 insertions(+), 127 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 807592de85..039b8d9442 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -814,143 +814,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector - -Sign-in a workstation with access equivalent to a _domain user_. - -1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). - -2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. - -3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - - ![Intune Certificate Authority.](images/aadjcert/profile01.png) - -4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. - -5. Sign-out of the Microsoft Endpoint Manager admin center. - -### Install the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. - -2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. - -3. On the **Microsoft Intune** page, click **Next**. - - ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) - -4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. - -5. On the **Destination Folder** page, click **Next**. - -6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. - - ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) - -7. 
On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. - - ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) - - > [!NOTE] - > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. - -8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. - -9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. - - ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) - - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. - -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. - - ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) - -### Configure the Intune Certificate Connector - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. The **NDES Connector** user interface should be open from the last task. - - > [!NOTE] - > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. - -2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** - - ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) - -3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. 
- - ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) - - > [!IMPORTANT] - > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. - -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. - +To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -#### Enabling the NDES Service account for revocation +1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. -Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +2. Start the **Certification Authority** management console. -1. 
Start the **Certification Authority** management console. +3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. - -3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -4. Close the **Certification Authority** - -#### Enable the NDES Connector for certificate revocation - -Sign-in the NDES server with access equivalent to _domain administrator_. - -1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). - -2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. - - ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) - -3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. - -### Test the NDES Connector - -Sign-in the NDES server with access equivalent to _domain admin_. - -1. Open a command prompt. - -2. 
Type the following command to confirm the NDES Connector's last connection time is current. - - ```console - reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus - ``` - -3. Close the command prompt. - -4. Open **Internet Explorer**. - -5. In the navigation bar, type: - - ```console - https://[fqdnHostName]/certsrv/mscep/mscep.dll - ``` - - where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. - - ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) - -6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. +5. Close the **Certification Authority** ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From 8f8cf37bef0b2ca336a43dfbc966bf6558986815 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:23 +0500 Subject: [PATCH 065/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 039b8d9442..46c270d038 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
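Review bot: The `@@ -814,143 +814,23 @@` hunk in hello-hybrid-aadj-sso-cert.md deletes the whole "Test the NDES Connector" section, including the `reg query` of the `ConnectionStatus` key, the expected 403 response from `/certsrv/mscep/mscep.dll`, and step 6, which enables **Internet Explorer Enhanced Security Configuration** again. Confirm that the linked "Install the Certificate Connector for Microsoft Intune" article covers an equivalent verification, and if an earlier step in this article turns Enhanced Security Configuration off, keep a step that turns it back on so the NDES server is not left with it disabled. The new revocation paragraph also tells the reader to select the **Certificate revocation** option "during the connector configuration", but the configuration steps it refers to are removed in this same hunk, so that sentence should point to the linked article as well.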
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -814,7 +814,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -To learn how to download, install and configure Intune Certificate Connector, please see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install) +To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install). ### Configure the NDES Connector for certificate revocation (**Optional**) From 1ea5b2501aa5f22490e82f44bd38cda09c54707e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:44 +0500 Subject: [PATCH 066/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 46c270d038..669112c0b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -818,7 +818,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto ### Configure the NDES Connector for certificate revocation (**Optional**) -Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). You need to select **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. 1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. From 2ff4cee88eb5dc58e01c953dcdcc8e51c7616f69 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:49:52 +0500 Subject: [PATCH 067/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 669112c0b6..dd04ba4432 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -820,7 +820,7 @@ To learn how to download, install, and configure the Intune Certificate Connecto Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation. -1. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. +1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 2. Start the **Certification Authority** management console. From 49233a2e2d248cf9d3ee875a6dc750bbad073be2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 11:50:03 +0500 Subject: [PATCH 068/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
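Review bot: In the `@@ -820,7 +820,7 @@` hunk, the revised step 1 reads "Sign in the certificate authority used by the NDES Connector", which drops the hyphen but still lacks the preposition. Suggest "Sign in to the certificate authority used by the NDES Connector with access equivalent to _domain administrator_."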
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index dd04ba4432..83e3036f24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) From 57f0b32ca0563192b33bda4ee63702b0ea2319fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:35:57 +0500 Subject: [PATCH 069/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
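Review bot: In the `@@ -826,7 +826,7 @@` hunk, the rewritten step 4 leaves *Check Names* in italics while every other UI label in the same step (**Security**, **Add**, **OK**, **Allow**) is bold. Use **Check Names** so the button is formatted like the rest of the controls the reader is asked to select.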
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 83e3036f24..54afa073cc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -830,7 +830,7 @@ Optionally (not required), you can configure the Intune connector for certificat ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) -5. Close the **Certification Authority** +5. Close the **Certification Authority**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile From d01bd7c022fcea77d35cfcad4f4c38bdb5a9944d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 22 Jun 2022 12:36:04 +0500 Subject: [PATCH 070/142] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 54afa073cc..cb173a70b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -826,7 +826,7 @@ Optionally (not required), you can configure the Intune connector for certificat 3. In the navigation pane, right-click the name of the certificate authority and select **Properties**. -4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. +4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**. ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) From 1bc0d4e2b39eb288f9c674928782a62197dcb40b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Jun 2022 10:03:30 +0300 Subject: [PATCH 071/142] Update windows/deployment/update/waas-configure-wufb.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/waas-configure-wufb.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 300c877a7f..88af669727 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
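Review bot: In step 4 of the hello-hybrid-aadj-sso-cert.md hunk, *Check Names* is still italic while every other UI label in the sentence (**Security**, **Add**, **OK**, **Allow**) is bold; change it to **Check Names** for consistency. The removed and added step 4 lines also read identically as shown here, so if this commit only changes whitespace, the commit message should say so.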
@@ -25,7 +25,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -> Note that Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. +> [!NOTE] +> Windows Server Operating System (outside of HCI) **does not** get Feature Updates from Windows Update, so only the quality update policies apply. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). From c779e877828a34a83f990c7a31762d5d19670d6d Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Jun 2022 10:04:01 +0300 Subject: [PATCH 072/142] Update windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index eaee452ae3..eaa3a170c1 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -560,8 +560,8 @@ Some properties to use in the MDT Production rules file are as follows: - **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). - **EventService.** Activates logging information to the MDT monitoring web service. ->[!NOTE] ->For more details about localization support, please check the [MDT sample guide](https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). +> [!NOTE] +> For more details about localization support, see the [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario). You can find a list of Language Codes [here](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) and a list of Time Zone Index Values [here](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a). ### Optional deployment share configuration From 792731fa5265825a6dcf1ad7fe99a062fb87c0f0 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Thu, 23 Jun 2022 13:41:12 +0200 Subject: [PATCH 073/142] #10456 #10456 wants to clarify the level of the logon command account, and assumed it must be an Administrator, so I added this info. --- .../windows-sandbox/windows-sandbox-configure-using-wsb-file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 94adc3d7c8..d7fd288b24 100644 
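Review bot: In the rewritten note in deploy-a-windows-10-image-using-mdt.md, the "Language Codes" link and the "Time Zone Index Values" link both point to /openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a, so at least one of them likely needs a different target. The removed line had the same duplication and the change carries it over. Confirm the correct page for each list, and replace the two "here" link texts with descriptive text (for example "list of Language Codes") so each link makes sense out of context.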
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will ### Logon command -Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an Administrator. ```xml From 6038a000bc6cfb60a7988094e9048adc19c637a8 Mon Sep 17 00:00:00 2001 
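Review bot: The sentence added under "Logon command" in windows-sandbox-configure-using-wsb-file.md, "The container user account should be an Administrator", is worded as a recommendation, but the commit message describes it as an assumption taken from #10456 rather than a confirmed behaviour. This sentence tells readers what privilege level the logon command and every app in the sandbox run with, so it should be verified with the feature owners and then stated as fact ("is", not "should be") or left out. "Should be" also implies the reader can configure the account, and nothing in the visible section shows a setting for that.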
From: Jordan Geurten Date: Thu, 23 Jun 2022 15:06:05 -0400 Subject: [PATCH 074/142] Initial commit of MEMCM doc supplement work --- .../deploy-appid-tagging-policies.md | 2 +- .../TOC.yml | 4 +- .../create-wdac-deny-policy.md | 2 +- .../deploy-wdac-policies-with-memcm.md | 51 ++++++++++++++++++ ...ion-control-policies-using-group-policy.md | 0 ...plication-control-policies-using-intune.md | 0 .../feature-availability.md | 2 +- .../images/memcm/memcm-confirm-wdac-rule.jpg | Bin 0 -> 52909 bytes .../memcm/memcm-create-wdac-policy-2.jpg | Bin 0 -> 155649 bytes .../images/memcm/memcm-create-wdac-policy.jpg | Bin 0 -> 152383 bytes .../images/memcm/memcm-create-wdac-rule-2.jpg | Bin 0 -> 276511 bytes .../images/memcm/memcm-create-wdac-rule-3.jpg | Bin 0 -> 121563 bytes .../images/memcm/memcm-create-wdac-rule.jpg | Bin 0 -> 62257 bytes .../images/memcm/memcm-deploy-wdac-2.jpg | Bin 0 -> 43638 bytes .../images/memcm/memcm-deploy-wdac-3.jpg | Bin 0 -> 45121 bytes .../images/memcm/memcm-deploy-wdac-4.jpg | Bin 0 -> 42437 bytes .../images/memcm/memcm-deploy-wdac.jpg | Bin 0 -> 116300 bytes .../index.yml | 4 +- .../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf | Bin 0 -> 2629620 bytes ...r-application-control-against-tampering.md | 2 +- ...er-application-control-deployment-guide.md | 4 +- 21 files changed, 61 insertions(+), 10 deletions(-) rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-group-policy.md (100%) rename windows/security/threat-protection/windows-defender-application-control/{ => deployment}/deploy-windows-defender-application-control-policies-using-intune.md (100%) create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-confirm-wdac-rule.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy-2.jpg create mode 100644 
windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-policy.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-2.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule-3.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-create-wdac-rule.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-2.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-3.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac-4.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/images/memcm/memcm-deploy-wdac.jpg create mode 100644 windows/security/threat-protection/windows-defender-application-control/pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index a8ac5aafd1..f7cb9dee92 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md 
@@ -38,7 +38,7 @@ Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be ## Deploy AppId Tagging Policies with MDM -Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). +Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). ## Deploy AppId Tagging Policies with MEMCM diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2f007e159d..5d7d191d40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -73,13 +73,13 @@ href: windows-defender-application-control-deployment-guide.md items: - name: Deploy WDAC policies with MDM - href: deploy-windows-defender-application-control-policies-using-intune.md + href: deployment/deploy-windows-defender-application-control-policies-using-intune.md - name: Deploy WDAC policies with MEMCM href: deployment/deploy-wdac-policies-with-memcm.md - name: Deploy WDAC policies with script href: deployment/deploy-wdac-policies-with-script.md - name: Deploy WDAC policies with Group Policy - href: deploy-windows-defender-application-control-policies-using-group-policy.md + href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md - name: Audit WDAC policies href: audit-windows-defender-application-control-policies.md - name: Merge WDAC policies 
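Review bot: The two `href` values moved under `deployment/` in this TOC.yml hunk point to files that the commit summary lists as renames with no content change, so nothing inside the moved files was edited. Any relative link or image path in those two files that was written for the old directory will now resolve against `deployment/` instead; check them after the move. The summary also shows no redirect for the old paths, so existing inbound links to the old locations will break unless one is added.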
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 3203610df6..e4b820e7ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -159,4 +159,4 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md) -4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md) +4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 1ac9e541d2..b9f7dfe7c2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md 
@@ -41,8 +41,59 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10 Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +### Create a WDAC Policy in MEMCM + +1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy** + +![Create a WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy.jpg) + +2. Enter the name of the policy > **Next** +3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes** +4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only) +5. Click **Next** + +![Create an enforced WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy-2.jpg) + +6. Click **Add** to begin creating rules for trusted software + +![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule.jpg) + +7. Select **File** or **Folder** to create a path rule > **Browse** + +![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule-2.jpg) + +8. Select the executable or folder for your path rule > **OK** + +![Select the file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg) + +9. Select **OK** to add the rule to the table of trusted files or folder +10. Select **Next** to navigate to the summary page > **Close** + +![Confirm the WDAC path rule in MEMCM.](../images/memcm/memcm-confirm-wdac-rule.jpg) + +### Deploy the WDAC Policy in MEMCM + +1. Right-click the newly created policy > **Deploy Application Control Policy** + +![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac.jpg) + +2. 
Select **Browse** + +![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac-2.jpg) + +3. Select the Device Collection you created earlier > **OK** + +![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg) + +4. Change the schedule > **OK** + +![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg) + + For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +The entire WDAC in MEMCM Lab Paper is available for download [here](../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf). + ## Deploy custom WDAC policies using Packages/Programs or Task Sequences Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md similarity index 100% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md 
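Review bot: In the added "Create a WDAC Policy in MEMCM" steps of deploy-wdac-policies-with-memcm.md, step 4 offers "Enforcement enabled / Audit Only" with no recommendation and the following screenshot is captioned "Create an enforced WDAC policy", while step 3 forces a restart and the unchanged paragraph just above states that MEMCM does not remove policies once deployed. Add a sentence telling readers to start with Audit Only and switch to enforcement after reviewing the audit results, in line with the audit-first guidance in create-wdac-deny-policy.md. Smaller points in the same hunk: the console workspace in step 1 is "Assets and Compliance", not "Asset and Compliance"; steps 5 and 6 use "Click" where the other steps use "Select"; the alt texts "Create a WDAC path rule in MEMCM." and "Deploy WDAC via MEMCM." are each used for two different images; and deploy step 3 refers to "the Device Collection you created earlier" although no earlier step creates one.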
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md similarity index 100% rename from windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md rename to windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 5b024e8790..081fd263a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: windows-sec |-------------|------|-------------| | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | -| Management solutions |
  • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
  • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
  • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
  • PowerShell
|