diff --git a/.gitignore b/.gitignore
index 8195f14f24..23057defcc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ common/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
+settings.json
# User-specific files
.vs/
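Review bot: The added `settings.json` pattern has no path anchor, so it ignores a file of that name in every directory of the repository, not just one local tool file. If the intent is an editor or build-tool settings file, scope the pattern (a leading `/` or the tool's directory) and put it under the `# User-specific files` comment that follows instead of among the build artifacts. It is also unrelated to the WDAC page and would be easier to review as its own commit.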
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index c25b0dbb9a..4bfabc7ffe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -22,6 +22,8 @@
href: understand-windows-defender-application-control-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
href: select-types-of-rules-to-create.md
+ - name: Understand WDAC secure settings
+ href: understanding-wdac-policy-settings.md
items:
- name: Allow apps installed by a managed installer
href: configure-authorized-apps-deployed-with-a-managed-installer.md
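Review bot: The two added lines sit between `href: select-types-of-rules-to-create.md` and the `items:` key that follows it, which separates the existing "Understand WDAC policy rules and file rules" node from its child list. Depending on indentation, `items:` now attaches to the new secure-settings entry or the YAML no longer parses. Move the new entry to after the end of that `items:` block (or inside it, if the page is meant to be a child) and check the rendered TOC.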
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index fb59f7473b..2f70a0b792 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -71,6 +71,8 @@ landingContent:
links:
- text: Understanding policy and file rules
url: select-types-of-rules-to-create.md
+ - text: Understanding WDAC secure settings
+ url: understanding-wdac-policy-settings.md
- linkListType: how-to-guide
links:
- text: Allow managed installer and configure managed installer rules
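Review bot: The link text says "secure settings" while the target is `understanding-wdac-policy-settings.md`, whose H1 in this same patch is "Understanding WDAC Policy Settings". Pick one term and use it in the link text, the TOC name, the front-matter title and the heading so navigation and search agree.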
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
new file mode 100644
index 0000000000..fd7b1f528e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -0,0 +1,76 @@
+---
+title: Understanding Windows Defender Application Control (WDAC) secure settings
+description: Learn about secure settings in Windows Defender Application Control.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: jgeurten
+ms.author: dansimp
+manager: dansimp
+ms.date: 10/11/2021
+ms.technology: mde
+---
+
+# Understanding WDAC Policy Settings
+Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy.
+
+An example settings section of a WDAC Policy:
+```xml
+
+
+
+ true
+
+
+
+```
+
+### Example Scenario
+An application that may want to restrict its capabilities, when used on a system with an active WDAC policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.
+
+
+### WldpQuerySecurityPolicy
+API that queries the secure settings of a WDAC policy.
+
+### Syntax
+``` C++
+HRESULT WINAPI WldpQuerySecurityPolicy(
+ _In_ const UNICODE_STRING * Provider,
+ _In_ const UNICODE_STRING * Key,
+ _In_ const UNICODE_STRING * ValueName,
+ _Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType,
+ _Out_writes_bytes_opt_(*ValueSize) PVOID Value,
+ _Inout_ PULONG ValueSize)
+```
+
+### Parameters
+Provider [in]
+Setting Provider name.
+
+#### Key [in]
+Key name of the Key-Value pair under Setting Provider "Provider".
+
+#### ValueName [in]
+The value name of the "Key-Value" pair.
+
+#### ValueType [in, out]
+Pointer to receive the value type.
+
+#### Value [in, out]
+Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value.
+
+#### ValueSize [in, out]
+On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer.
+
+#### Return Value
+This method returns S_OK if successful or a failure code otherwise.
+
+#### Remarks
+See [WDAC Policy Settings] for more information on WDAC policy settings.
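Review bot: The Parameters section disagrees with the Syntax block: `ValueType` and `Value` are annotated `_Out_` and `_Out_writes_bytes_opt_(*ValueSize)` in the signature but documented as "[in, out]", and `Provider [in]` is the only parameter without a `####` heading. Callers that gate a risky feature on this API need the buffer contract spelled out, so state where the required size is returned when `Value` is NULL (presumably `ValueSize`), and have Return Value name the failure codes that distinguish "setting not present" from "buffer too small" rather than only "a failure code otherwise". The `xml` example block contains nothing but `true`, so it does not show how Provider, Key and ValueName appear in a policy; restore the element markup. `[WDAC Policy Settings]` in Remarks has no link target, and the first sentence under Example Scenario ("An application that may want to restrict its capabilities, ...") is a fragment.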
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index d87f9d1dcc..23ab9c183a 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -9,7 +9,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 3/20/2019
+ms.date: 1/14/2022
ms.reviewer:
ms.technology: windows-sec
---
@@ -22,6 +22,14 @@ Microsoft is committed to optimizing the security of its products and services.
The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.
+### Microsoft Windows 10, Windows Server version 2004 (May 2020 Update); Microsoft Windows Server Core Datacenter (Azure Frabic Controller); Microsoft Windows Server Core Datacenter (Azure Stack)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
+
+- [Security Target](https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf)
+- [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
+
### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V
Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
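Review bot: "Azure Frabic Controller" in the added heading is a typo for "Azure Fabric Controller"; the heading text becomes the section anchor, so fix it before publishing. The Assurance Activity Report URL ends in `Report-Public%20.pdf`, with an encoded space before the extension; confirm that link resolves as written.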