Merge pull request #8328 from MicrosoftDocs/main

Publish main to live, Friday 10:30AM PDF, 5/26

windows/deployment/usmt/usmt-hard-link-migration-store.md

@@ -63,14 +63,14 @@ Keeping the hard-link migration store can result in extra disk space being consu
 
 For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated.
 
-1. An administrator runs the  **ScanState** command-line tool on each computer, specifying the `/hardlink` command-line option. The  **ScanState** tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
+1. An administrator runs the **ScanState** command-line tool on each computer, specifying the `/hardlink` command-line option. The **ScanState** tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
 
     > [!NOTE]
-    > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with  **LoadState**.
+    > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with **LoadState**.
 
-2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses.
+2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 10 and other applications the company currently uses.
 
-3. An administrator runs the  **LoadState** command-line tool on each computer. The  **LoadState** tool restores user state back on each computer.
+3. An administrator runs the **LoadState** command-line tool on each computer. The **LoadState** tool restores user state back on each computer.
 
 > [!NOTE]
 > During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss.
@@ -119,7 +119,7 @@ For more information, see [Migrate EFS files and certificates](usmt-migrate-efs-
 
 Files that are locked by an application or the operating system are handled differently when using a hard-link migration store.
 
-Files that are locked by the operating system can't remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you don't migrate any files out of the `\Windows directory`, which minimizes performance-related issues.
+Files that are locked by the operating system can't remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you don't migrate any files out of the `\Windows` directory, which minimizes performance-related issues.
 
 Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service isn't being utilized. The volume shadow-copy service can't be used with hard-link migrations. However, by modifying the new **<HardLinkStoreControl>** section in the `Config.xml` file, it's possible to enable the migration of files locked by an application.
 
@@ -141,7 +141,7 @@ A new section in the `Config.xml` file allows optional configuration of some of
 > [!IMPORTANT]
 > You must use the `/nocompress` option with the `/HardLink` option.
 
-The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the `<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
+The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the **`<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
 
 ```xml
 <Policies>

windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md

@@ -9,7 +9,7 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: aaroncz
-ms.date: 04/05/2023
+ms.date: 05/26/2023
 ms.technology: itpro-security
 ms.topic: article
 ms.localizationpriority: medium
@@ -27,7 +27,7 @@ ms.localizationpriority: medium
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
 > [!IMPORTANT]
-> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** and should not be used on that platform. Doing so may result in unexpected script enforcement behaviors.
+> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors.
 
 ## Script enforcement overview
 

windows/security/threat-protection/windows-defender-application-control/feature-availability.md

@@ -8,7 +8,7 @@ author: jgeurten
 ms.reviewer: aaroncz
 ms.author: jogeurte
 manager: aaroncz
-ms.date: 11/02/2022
+ms.date: 05/26/2023
 ms.custom: asr
 ms.topic: overview
 ---
@@ -31,6 +31,7 @@ ms.topic: overview
 | Management solutions   | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
 | Per-User and Per-User group rules | Not available (policies are device-wide).  | Available on Windows 8+.  |
 | Kernel mode policies  | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
+| [Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement)  | Available on all versions of Windows 10 except 1607 LTSB, Windows 11, and Windows Server 2019 and above. **Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors. | MSI and Script rule collection is separately configurable. |
 | [Per-app rules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules)  | Available on Windows 10, Windows 11, and Windows Server 2019 or later.  | Not available. |
 | [Managed Installer (MI)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer)  | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
 | [Reputation-Based intelligence](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph)     | Available on Windows 10, Windows 11, and Windows Server 2019 or later.  | Not available. |

windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md

@@ -13,7 +13,7 @@ author: jgeurten
 ms.reviewer: jsuther1974
 ms.author: vinpa
 manager: aaroncz
-ms.date: 05/09/2023
+ms.date: 05/26/2023
 ms.technology: itpro-security
 ms.topic: article
 ---
@@ -55,7 +55,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **8 Required:EV Signers** | This option isn't currently supported. | No |
 | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
 | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement). <br/> NOTE: This option isn't supported on Windows Server 2016 and shouldn't be used on that operating system. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement). <br/> NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No |
 | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No |
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
 | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |