From f2230eb075fee198f6aab1657e692f3955ea4d44 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Tue, 28 Nov 2023 09:37:49 -0800
Subject: [PATCH 01/11] win10-seeker-8503602-take2
---
windows/deployment/update/waas-configure-wufb.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 02ead324db..9bc7161f80 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
-
+
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
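Review bot: The only change in this hunk is one blank line swapped for another under `## Enable optional updates`, so confirm it is an intended whitespace fix and say so in the subject. Since the section is being touched, the context paragraph has unbalanced emphasis in `***Windows Update**` (three asterisks opening, two closing); it should be `**Windows Update**` like the other UI labels in that sentence.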
From 16df997cf5d5236feb79b38a5931f7faed936f49 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Tue, 28 Nov 2023 09:53:36 -0800
Subject: [PATCH 02/11] edits
---
.../deployment/update/waas-configure-wufb.md | 10 ++---
.../deployment/update/waas-wufb-csp-mdm.md | 38 +++++++++++--------
.../update/waas-wufb-group-policy.md | 6 ++-
3 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 5188ae50b5..a2b53dccb5 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/29/2023
---
# Configure Windows Update for Business
@@ -243,8 +243,8 @@ The following options are available for the policy:
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
-| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
-| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **GPO applies to**:
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351), and later versions
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **MDM applies to**:
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later versions
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control
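Review bot: The new GPO and MDM rows put a `- ` bullet list inside a table cell, which splits each row across several lines; a Markdown pipe-table row has to stay on one line, so use inline HTML (`<br>` or `<ul><li>`) for the list and check the rendered table. The two rows also differ in punctuation: the GPO row has "[KB5029351](...), and later versions" with a comma and the MDM row has "[KB5029351](...) and later versions" without one.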
@@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
@@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
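Review bot: The replacement `AllowOptionalContent` row here is a second copy of the one added to the GPO table in the previous hunk, and both say "and later" where the policy table earlier in this file says "and later versions"; pick one wording for all four places. While this table is being edited, the `BranchReadinessLevel` row in the context has a dangling "Note:" before "Other value or absent" that should be removed or completed.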
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 187268cec0..b382e039b5 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 10/10/2023
+ms.date: 11/28/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
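Review bot: `ms.date` is set to 11/28/2023 here, but the other two files touched by this commit are set to 11/29/2023; use the same date in all three.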
@@ -49,17 +49,17 @@ Drivers are automatically enabled because they're beneficial to device systems.
#### I want to receive prerelease versions of the next feature update
-1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
-1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
-1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
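Review bot: In step 4 the rewritten sentence still ends "before it reaches your tests", which should be "testers" to match "your group of testers" in the sentence before it. Two more leftovers in lines this hunk already edits: "For any of test devices you want to install prerelease builds" is missing words (for example "For any test devices on which you want to install prerelease builds"), and "(offer date = release date + deferral date)" should read "deferral period", since the deferral is a number of days.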
@@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil

-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s

##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.

-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update?
@@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the
#### I want to manage when devices download, install, and restart after updates
-We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
-To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan:
+To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
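Review bot: The reworded line still opens with "We recommended that you allow to update automatically", which has the wrong tense and no object; suggest "We recommend that you allow devices to update automatically, which is the default behavior." The context paragraph below it also has "active ours" for "active hours".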
@@ -132,7 +132,7 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd
#### I want to keep devices secure and compliant with update deadlines
-We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
+We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
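Review bot: The edited line keeps "We recommend that you use set specific deadlines"; drop "use" so it reads "We recommend that you set specific deadlines". In the list under it, the link text `[Update/ConfigureDeadlineForQualityUpdates ]` has a trailing space inside the brackets.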
@@ -140,7 +140,7 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
@@ -172,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -185,10 +185,10 @@ Still more options are available in [Update/ScheduleRestartWarning](/windows/cli
#### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
-When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
+When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
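Review bot: The second sentence of the edited paragraph still reads "by Search to find Windows Updates or by going selecting", and the third still says "a variety of" after the first was changed to "various"; suggest "by searching for Windows Update or by selecting **Updates and Security** in **Settings**" and the same word choice throughout. The context line about WSUS expands it as "Windows Server Update Server"; the product name is Windows Server Update Services.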
@@ -205,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off
+
+#### I want to enable optional updates
+
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates).
\ No newline at end of file
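Review bot: The new `AllowOptionalContent` link carries a `?toc=...&bc=...` query string, while the other CSP links visible in this diff are plain `/windows/client-management/mdm/policy-csp-update#update-...` paths; use the same form unless the TOC override is needed here, and end the file with a newline. The context above the new section gives `AllowTemporaryEnterpriseFeatureControl` as "0 (default): Allowed" and "1 - Not allowed", while the quick-reference tables in waas-configure-wufb.md in this same patch say "1: Allowed"; the two should be reconciled.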
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 372a36d6df..c23dc04544 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 10/10/2023
+ms.date: 11/29/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
#### I want to enable optional updates
-(*Starting in Windows 11, version 22H2 or later*)
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
From f1ea8481f5cfbd86c9b60923ca40a61e42093f71 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Nov 2023 13:37:11 -0800
Subject: [PATCH 03/11] metadata
---
windows/deployment/update/waas-configure-wufb.md | 2 +-
windows/deployment/update/waas-wufb-csp-mdm.md | 2 +-
windows/deployment/update/waas-wufb-group-policy.md | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index a2b53dccb5..2a1baa5255 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 11/29/2023
+ms.date: 11/30/2023
---
# Configure Windows Update for Business
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index b382e039b5..cc945db4c2 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/28/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index c23dc04544..22c937a71a 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 11/29/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
From 02001cdc71e1cfca805d040d7fff61affbd9f690 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Fri, 1 Dec 2023 13:22:15 -0800
Subject: [PATCH 04/11] Update md-app-guard-browser-extension.md
---
.../md-app-guard-browser-extension.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index b5b54f3574..79a92c0c24 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -19,7 +19,7 @@ Microsoft Defender Application Guard Extension defends devices in your organizat
## Prerequisites
-Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
+Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:
- Windows 10 Professional
- Windows 10 Enterprise
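Review bot: The minimum version moves from 1803 to 1809, but the commit message ("Update md-app-guard-browser-extension.md") gives no reason or source; add one, and check that the other Application Guard pages state the same minimum. The edition list under the changed line says "Windows 10 Professional", where the edition name is Windows 10 Pro.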
@@ -84,4 +84,4 @@ Unexpected response while processing trusted state | The extension was able to c
## Related articles
- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
-- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
\ No newline at end of file
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
From b08b3027a8d2b15325abb8e09a90e9fef56e0988 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 1 Dec 2023 18:40:06 -0500
Subject: [PATCH 05/11] added zone pivots to more docsets
---
.openpublishing.publish.config.json | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 71e1376860..0015a87b88 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -91,6 +91,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@@ -107,6 +108,7 @@
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@@ -123,6 +125,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@@ -139,6 +142,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@@ -171,6 +175,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@@ -187,6 +192,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
+ "ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
From 30f4bf66ef34d7a06856aec0c81c815b710e9383 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 3 Dec 2023 13:54:08 -0600
Subject: [PATCH 06/11] chore: Typo fix whats-new-windows-11-version-23h2.md
manged -> managed
---
windows/whats-new/whats-new-windows-11-version-23h2.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index a6c474e939..cedaafdfd2 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -36,7 +36,7 @@ To learn more about the status of the update rollout, known issues, and new info
[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
-When a manged Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
+When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
| Feature | KB article where the feature was introduced |
|---|---|
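Review bot: the replacement line at new line 39 still reads "will no longer under be under temporary enterprise feature control", so the sentence remains broken after the "manged" fix. Drop the first "under" in this same commit instead of leaving it for a follow-up, so the typo fix lands as one complete change.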
From 77a9a9d0a2c702aa78756157022a53ce91906794 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Mon, 4 Dec 2023 03:44:28 -0600
Subject: [PATCH 07/11] Update
windows/whats-new/whats-new-windows-11-version-23h2.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/whats-new/whats-new-windows-11-version-23h2.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index cedaafdfd2..7a178b1852 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -36,7 +36,7 @@ To learn more about the status of the update rollout, known issues, and new info
[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
-When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
+When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer be under temporary enterprise feature control:
| Feature | KB article where the feature was introduced |
|---|---|
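Review bot: the context paragraph directly above the changed line ends with "Windows Updates for Business", while the same paragraph earlier uses "Windows Update for Business". Since this commit is already correcting wording in this block, make the product name consistent here too. The subject line only repeats the file path; a short description such as the removed duplicate "under" would make the history easier to scan.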
From 2e008676dc6e7e7479a491513ca921613caa14da Mon Sep 17 00:00:00 2001
From: Rachel Price <52579263+raprice@users.noreply.github.com>
Date: Wed, 18 Oct 2023 14:28:39 -0700
Subject: [PATCH 08/11] updates
---
education/breadcrumb/toc.yml | 1 +
windows/hub/breadcrumb/toc.yml | 30 +++++++++++++++++++++++++++---
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 211570e4b0..3ccb28392f 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -1,3 +1,4 @@
+items:
- name: Windows
tocHref: /windows/
topicHref: /windows/index
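Review bot: the Windows entry in this file keeps topicHref: /windows/index, while the same entry in windows/hub/breadcrumb/toc.yml is moved to /windows/resources/ in this commit, so two breadcrumbs that started from the same blob (211570e4b0) now point at different landing pages. If the education breadcrumb is meant to stay on the old target, say so in the commit message, which currently reads only "updates"; otherwise update topicHref here as well.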
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index 211570e4b0..cb49bed653 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -1,3 +1,27 @@
-- name: Windows
- tocHref: /windows/
- topicHref: /windows/index
+items:
+ - name: Docs
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /windows/
+ topicHref: /windows/resources/
+ items:
+ - name: What's new
+ tocHref: /windows/whats-new/
+ topicHref: /windows/whats-new/
+ - name: Configuration
+ tocHref: /windows/configuration/
+ topicHref: /windows/configuration/
+ - name: Deployment
+ tocHref: /windows/deployment/
+ topicHref: /windows/deployment/
+ - name: Client management
+ tocHref: /windows/client-management/
+ topicHref: /windows/client-management/
+ - name: Privacy
+ tocHref: /windows/privacy/
+ topicHref: /windows/privacy/
+ - name: Security
+ tocHref: /windows/security/
+ topicHref: /windows/security/
\ No newline at end of file
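Review bot: the new file content ends without a trailing newline, as the "\ No newline at end of file" marker after the Security entry shows. Add the final newline so later appends to this list do not show the last topicHref line as modified. It would also help to state in the commit message why the flat Windows entry becomes a Docs > Windows > area hierarchy, since every child here sets tocHref and topicHref to the same path and the intent is not obvious from the diff.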
From 5cb8b7b9131672bc1eaba03e41183543fc6be2d8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 4 Dec 2023 10:04:20 -0500
Subject: [PATCH 09/11] tip rewording and Acrolinx
---
.../remote-credential-guard.md | 21 +++++++++++--------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 2b0d64ce57..1d0c6679ba 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -2,7 +2,7 @@
title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.topic: how-to
-ms.date: 11/17/2023
+ms.date: 12/04/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -33,7 +33,7 @@ Using a Remote Desktop session without Remote Credential Guard has the following
The security benefits of Remote Credential Guard include:
- Credentials aren't sent to the remote host
-- During the remote session you can connect to other systems using SSO
+- During the remote session, you can connect to other systems using SSO
- An attacker can act on behalf of the user only when the session is ongoing
The security benefits of [Restricted Admin mode][TECH-1] include:
@@ -67,14 +67,14 @@ The remote host:
The client device:
- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard doesn't allow NTLM fallback because it would expose credentials to risk
[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
## Enable delegation of nonexportable credentials on the remote hosts
This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
-If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. Users must pass their credentials to the host, exposing them to the risk of credential theft from attackers on the remote host.
To enable delegation of nonexportable credentials on the remote hosts, you can use:
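Review bot: in the reworded Kerberos bullet, "because it would expose credentials to risk" has an ambiguous antecedent, since "it" can be read as Remote Credential Guard rather than the NTLM fallback. Naming the subject removes the ambiguity, for example "because falling back to NTLM would expose credentials to risk". The rewrite of the "Users must pass their credentials" sentence reads fine.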
@@ -130,10 +130,13 @@ reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin
To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts.
> [!TIP]
-> If you don't want to configure your clients to enforce Remote Credential Guard, and if you are an administrator of the remote host, you can use the following command to use Remote Credential Guard for a specific RDP session:
+> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+>
> ```cmd
> mstsc.exe /remoteGuard
> ```
+>
+> If the server hosts the RDS Host role, then the command works only if the user is an administrator of the remote host.
The policy can have different values, depending on the level of security you want to enforce:
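Review bot: the administrator requirement now appears only after the mstsc.exe /remoteGuard code block, so a reader who copies the command from the tip sees the condition under which it fails last. Consider stating the RDS Host restriction before the command, or folding it into the lead sentence. "RDS Host role" is also not expanded anywhere in the visible lines; spell it out on first use.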
@@ -203,17 +206,17 @@ To further harden security, we also recommend that you implement Windows Local A
For more information about LAPS, see [What is Windows LAPS][LEARN-1].
-## Additional considerations
+## Considerations
-Here are some additional considerations for Remote Credential Guard:
+Here are some considerations for Remote Credential Guard:
-- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access is denied
- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
- Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
- Remote Credential Guard only works with the RDP protocol
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
- The server and client must authenticate using Kerberos
-- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+- Remote Credential Guard is only supported for direct connections to the target machines. It isn't support for connections via Remote Desktop Connection Broker and Remote Desktop Gateway
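Review bot: the last added bullet introduces a typo, "It isn't support for connections via Remote Desktop Connection Broker and Remote Desktop Gateway"; this should read "It isn't supported for connections". Separately, renaming the heading from "Additional considerations" to "Considerations" changes the generated anchor, so check for inbound links to #additional-considerations before merging.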
From 268ce99d70e0d1de94b82f42d0c120a00de5b569 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sun, 3 Dec 2023 18:01:02 -0600
Subject: [PATCH 10/11] Fix typo in configure-wdac-managed-installer
---
.../operations/configure-wdac-managed-installer.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
index 44d5693f5a..10af498ac0 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
@@ -1,6 +1,6 @@
---
title: Managed installer and ISG technical reference and troubleshooting guide
-description: Explains how to configure a custom Manged Installer.
+description: Explains how to configure a custom Managed Installer.
ms.localizationpriority: medium
ms.date: 11/11/2022
ms.topic: article
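Review bot: the corrected description, "Explains how to configure a custom Managed Installer.", still does not match the title two lines above it, which describes a technical reference and troubleshooting guide for managed installer and ISG, and it capitalizes "Managed Installer" where the title uses "Managed installer". Fixing only the spelling leaves the metadata inaccurate; align the description with the title in the same change.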
From a9ad0df5c67e618c199d7a6553083f9fb657d994 Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Mon, 4 Dec 2023 11:17:30 -0800
Subject: [PATCH 11/11] fix build suggestion
---
.../operations/configure-wdac-managed-installer.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
index 10af498ac0..98e2c42da8 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md
@@ -1,9 +1,9 @@
---
title: Managed installer and ISG technical reference and troubleshooting guide
-description: Explains how to configure a custom Managed Installer.
+description: A technical reference and troubleshooting guide for managed installer and Intelligent Security Graph (ISG).
ms.localizationpriority: medium
ms.date: 11/11/2022
-ms.topic: article
+ms.topic: troubleshooting
---
# Managed installer and ISG technical reference and troubleshooting guide
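Review bot: ms.date stays at 11/11/2022 even though this hunk changes both the description and ms.topic, whereas the remote-credential-guard.md change earlier in this series bumps ms.date along with its edits. Either update the date here or note that metadata-only changes are intentionally exempt. The subject "fix build suggestion" does not say which suggestion is addressed; mentioning the ms.topic change to troubleshooting would make that clear.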